Overcoming Cloud Hurdles Through Effective Audits

Author: ISACA Now
Date Published: 22 March 2021

Remote access, increased collaboration capabilities, automatic software updates, potential for cost savings – organizations increasingly are drawn to these and other major benefits of leveraging cloud services.

While the upside is evident, cloud migrations and the resulting reliance on third-party vendors also present substantial security, data management and compliance risks – many of which can be addressed through cloud audits.

In a recent LinkedIn Live session, Daniele Catteddu, Chief Technology Officer with the Cloud Security Alliance (CSA), and Paul Phillips, IT risk professional practices lead with ISACA, discussed the new Certificate of Cloud Auditing Knowledge (CCAK), a joint credential from CSA and ISACA.

CCAK fills a need for vendor-neutral technical training and credentialing in cloud auditing, Catteddu and Phillips said. The new credential prepares IT professionals to:

  • Ensure the right controls are in place for confidentiality, integrity and accessibility
  • Mitigate risks and costs of cloud audit management and penalties for non-compliance
  • Lead their organization through successful cloud implementation while retaining customer trust

Phillips noted that although cloud services have been around for several years, many organizations are relatively immature in their understanding of cloud capabilities and the corresponding risk landscape.

“There tends to be a lack of internal knowledge and effective auditing because it’s still kind of new to the organization,” Phillips said. “Enterprises need to understand those hurdles as they attempt to migrate to the cloud in order to obtain the right skill sets and human resources to ensure these hurdles are adequately addressed.”

Cloud best practices often misunderstood
In recent survey data from Sungard Availability Services, 56% of respondents cite a lack of understanding of cloud security and compliance best practices. Statistics like that show how much progress many organizations need to make in leveraging the cloud effectively.

“I would argue that without being in the position to provide the right visibility, the right transparency, and without being in the position to cope with the complexity and the interdependencies of the cloud services and the cloud supply chain, it’s impossible to be successful in the cloud space,” Catteddu said.

Organizations, Catteddu said, need “not just tools but the right skills and expertise” when it comes to managing their cloud investments.

The CCAK curriculum covers topics such as:

  • Building and executing a cloud audit plan and applying auditing as an assurance tool
  • Impact of cloud automation, native development and integration models on auditing and compliance
  • Key concepts and tools of cloud governance and risk management
  • Designing and building a cloud compliance program
  • Compliance requirements, control objectives and frameworks, certification, attestation and authorizations

Complementing the CISA and CCSK credentials
In the question and answer portion of the LinkedIn Live session, some attendees asked how the new CCAK certificate compares to existing credentials such as ISACA’s Certified Information Systems Auditor® (CISA®) and CSA’s Certificate of Cloud Security Knowledge (CCSK™).

“The idea of the CCAK is certainly not to replace the CISA certification or any other [standards or credentials],” Catteddu said. “It’s meant to build on top of them in order to provide those individuals that have either some vertical experience in information security management systems under ISO or have experience auditing within federal requirements or have general information systems auditing knowledge coming from CISA, and build on top of them, adding a cloud-specific layer in order to empower you to operate better in the cloud space.”

Added Phillips: “The CISA certification is general audit knowledge that requires ongoing CPE to maintain. The CCAK is a certificate, which is a knowledge-based exam, that focuses on cloud and builds on the CISA, and does not require CPE.”

The CCAK exam is now available, as is the CCAK study guide to help candidates prepare for the exam. Other training materials are in development and will be released in the coming months, including an online course, virtual instructor-led course and study games with sample questions. For more information, visit http://4p9w.lixubing.com/credentialing/certificate-of-cloud-auditing-knowledge.