Overview of assessment

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the ability to:

identify, manage and implement cloud security controls according to legal and privacy requirements

integrate cloud security plans into the enterprise’s existing security plans

develop an ongoing performance measurement and evaluation review process.

Context of and specific resources for assessment

Assessment must ensure access to:

cloud information and communications technology (ICT) business specifications

cloud ICT security assurance specifications

management-related scenarios

a cloud focused security environment, including the threats to security that are, or are held to be, present in the environment

information on the security environment, including:

laws or legislation

existing enterprise security policies

enterprise expertise

risk analysis tools and methodologies currently used in industry

appropriate learning and assessment support when required

modified equipment for people with special needs.

Method of assessment

A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

direct observation of candidate managing cloud-related networks and telecommunications security

direct observation of candidate managing cloud ICT security incidents

verbal or written questioning to assess candidate’s knowledge of enterprise policies and procedures that impact on cloud ICT security

review of documentation prepared by candidate, including programs to manage compliance, privacy and risk.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended, where appropriate.

Assessment processes and techniques must be culturally appropriate, and suitable to the communication skill level, language, literacy and numeracy capacity of the candidate and the work being performed.

Indigenous people and other people from a non-English speaking background may need additional support.

In cases where practical assessment is used it should be combined with targeted questioning to assess required knowledge.

Required skills

analytical skills to analyse security breaches

communication skills to:

communicate with peers and supervisors in relevant cloud computing technological areas

seek assistance and expert advice from relevant people in cloud computing industry area

literacy skills to interpret technical documentation, equipment manuals and specifications

research skills to locate appropriate sources of information regarding cloud computing solutions

technical skills to:

identify features of cloud computing solutions

test and evaluate cloud computing solutions

Required knowledge

business and commercial issues relating to the management of cloud security issues

legislation, organisational and jurisdictional policy and procedures that may impact on management areas:

cloud-related privacy issues

codes of ethics and conduct

equal employment opportunity, equity and diversity principles

financial management requirements

governance requirements

work health and safety (WHS) and environmental requirements

quality standards

management specifications and objectives

management tools and techniques suited to a range of complex projects activities

organisational and political context

systems development life cycle (SDLC)

techniques for critical analysis in a management context

Security issues may include:

applications security

data security

enterprise continuity

infrastructure security

platform security

virtualisation security.

Delivery models may include:

infrastructure as a service (IaaS)

platform as a service (PaaS)

software as a service (SaaS).

Deployment models may include:

community cloud

hybrid cloud

private cloud

public cloud.

Security responsibility may include:

clients:

applications (if not part of licence)

client employee access

data (if not part of licence)

physical client site security

enterprise (depending on licensing agreement):

data

identity management systems

infrastructure

physical enterprise site security

platform.

Security controls and measures may include:

security management, including:

corrective controls

detective controls

deterrent controls

preventative controls.

Compliance regulations may include:

international regulations

internet or web regulations

local regulations

regional regulations.

Business continuity may include:

undertaking analysis of:

business impact analysis

threat and risk analysis

impact scenarios

solution design

developing solution implementation strategies

testing and enterprise acceptance

implementing suitable maintenance options.

Data recovery may include:

logical damage recovery:

corrupt partitions

overwritten data

physical damage recovery

virus infections.

Legal, privacy and contractual issues may include:

critical data masked

digital identities protected

end-of-service: return of data and applications

intellectual property: ownership of data

liability of data loss

unauthorised on-selling of information.

Continuity of operations program may include:

COOP plan execution

COOP plan revision and updating

COOP program implementation

identification of functional requirements:

mission impact analysis

mitigation strategies and plan

plan design and development

project initiation

risk assessment

training, testing and drills.

Documentation may include:

applicable network-based documents

audits and management reviews

communications protocols

contingency plans and activities

evaluation reports

incident management program, processes and procedures

management reports

network security and telecommunications program

performance measurement program

reviews and improvements records

security classification and data management policies

security incident records.