CCSK Domain 2 Notes

1. Introduction

  • Governance = alignment of IT/Cloud with business objectives.
  • Defined by ISACA: evaluation of stakeholder needs, setting direction, monitoring performance.
  • Cloud introduces multi-tenancy, shared responsibility, regulatory complexity, requiring strong governance.

2. Cloud Governance Key Points

  • Drivers of cloud adoption: Cost efficiency (CapEx → OpEx), speed to market, innovation.
  • Risks in cloud adoption: misconfigurations, supply chain issues, compliance challenges.
  • Governance must balance speed vs. risk control.

Two major ways cloud impacts governance:

  1. Shared Responsibility Model – CSP + CSC share responsibilities; compliance risk always with CSC.
  2. Operational differences – multi-tenancy, data geography, failover, etc.

3. Complexities in Cloud Governance

  • Loss of direct IT control.
  • Multi-jurisdiction data & privacy compliance.
  • Limited visibility/transparency from CSP.
  • Accountability remains with CSC (cannot outsource responsibility).
  • Standardized offerings may not fit unique needs.
  • Chain of providers (e.g., SaaS on IaaS) complicates scoping.
  • Hybrid cloud = unclear provider vs. customer boundaries.
  • Reliance on third-party certifications instead of direct testing.
  • Rapid CSP changes → governance must adapt.
  • Need for specialized skills (cloud auditing, cloud security).

4. Governance Framework Components

Effective governance requires:

  • Defining roles & responsibilities.
  • Risk management.
  • Data classification & ownership.
  • Legal & regulatory compliance.
  • Governance hierarchy.
  • Cloud-specific frameworks.

5. Governance Hierarchy

Layers:

  1. Risk Frameworks – assess cyber risk (e.g., NIST 800-30, ISO 27005).
  2. Program Frameworks – define security program (e.g., NIST CSF, ISO 27001, COBIT).
  3. Control Frameworks – technical/procedural controls (e.g., NIST 800-53, CIS CSC, CSA CCM).

Governance documents produced:

  • Policies – high-level security requirements.
  • Control Objectives – specific goals (e.g., MFA required).
  • Control Specifications/Standards – technical enforcement (e.g., enable MFA in cloud).
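As an added illustration (not part of these notes or the CCSK guidance), the policy → control objective → control specification chain for the MFA example above, expressed as a check the CSC can run over its own account inventory; the account records and the framework reference are constructed placeholders:

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample inventory (not real accounts): the kind of record a CSC
# pulls from its CSP's IAM API. This evidence is the CSC's responsibility;
# the CSP's own certification does not cover the customer's user settings.
ACCOUNT_INVENTORY = [
    {"user": "alice",  "console_access": True,  "mfa_enrolled": True},
    {"user": "bob",    "console_access": True,  "mfa_enrolled": False},
    {"user": "ci-bot", "console_access": False, "mfa_enrolled": False},
    {"user": "carol",  "console_access": True,  "mfa_enrolled": False},
]

@dataclass(frozen=True)
class ControlSpec:
    """Lowest layer of the hierarchy: a testable statement of the objective."""
    policy: str                          # high-level policy it serves
    objective: str                       # control objective it enforces
    framework_ref: str                   # external framework mapping (placeholder)
    applies_to: Callable[[dict], bool]   # scoping rule for one record
    check: Callable[[dict], bool]        # True when one record is compliant

MFA_SPEC = ControlSpec(
    policy="Information Security Policy: access to cloud services is strongly authenticated",
    objective="MFA required",
    framework_ref="CSA CCM, IAM domain (control ID omitted: placeholder)",
    applies_to=lambda u: u["console_access"],   # only console users are in scope
    check=lambda u: u["mfa_enrolled"],          # the technical enforcement point
)

def evaluate(spec: ControlSpec, inventory: Iterable[dict]) -> dict:
    """Produce a finding that traces each failure back up the hierarchy."""
    in_scope = [u for u in inventory if spec.applies_to(u)]
    failing = [u["user"] for u in in_scope if not spec.check(u)]
    return {
        "policy": spec.policy,
        "objective": spec.objective,
        "framework_ref": spec.framework_ref,
        "in_scope": len(in_scope),
        "non_compliant": failing,
        "compliant": not failing,
    }

if __name__ == "__main__":
    print(evaluate(MFA_SPEC, ACCOUNT_INVENTORY))
```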

6. Stakeholder Alignment

  • Must consult with: IT, security, compliance/legal, finance, business leaders, DevOps, operations, vendors, end users.

7. Cloud Security Frameworks

  • Provide structured approach to cloud security.
  • Key frameworks:
    • CSA Cloud Controls Matrix (CCM)
    • ISO/IEC 27017:2015
    • BSI C5
    • NIST 800-53
    • PCI DSS Cloud Guidelines
    • NIST Cybersecurity Framework (CSF)
    • CSA Cloud Security Maturity Model (CSMM)

8. CSA CCM & STAR

  • Cloud Controls Matrix (CCM):
    • Library of cloud control objectives, mapped to ISO, PCI, NIST, etc.
    • Tailored for multi-tenant, dynamic cloud systems.
    • Supports customization per IaaS, PaaS, SaaS.
    • Updated regularly.
  • CAIQ (Consensus Assessment Initiative Questionnaire): checklist based on CCM.
  • CSA STAR (Security, Trust, Assurance, Risk) Registry:
    • Public registry of CSP security/privacy controls.
    • STAR Certification → third-party certification against CCM + ISO 27001.
    • STAR Attestation → SOC 2 (AICPA) + CCM, done by CPAs.

9. Policies

  • Top-level Information Security Policy → defines program direction.
  • Supporting policies: acceptable use, data protection, identity management, mobile/endpoint security, cloud usage, 3rd-party risk.
  • Should have executive sign-off.

Exam Tip: Always tie governance hierarchy → frameworks → policies → control objectives → standards.

Governance = accountability stays with CSC even if CSP or third party provides services.

Flashcards: https://quizlet.com/in/1072373945/ccsk-domain-2-flash-cards/?i=4jehw4&x=1jqt
