2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for
commercial purposes is prohibited.

Effective Date: April 21, 2015

Impartiality Statement
(ISC)² is committed to impartiality by promoting a bias-free and discrimination-free environment for all members,
candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)²'s board of directors, management and
staff understand the importance of impartiality in carrying out its certification activities, manage conflicts of
interest and ensure the objectivity of its certification. If you feel you have not received impartial treatment, please
send an email to notice@isc2.org or call +1.727.785.0189, so that we can investigate your claim.

Non-Discrimination Policy
(ISC)² is an equal opportunity employer and does not allow, condone or support discrimination of any type within
its organization, including, but not limited to, its activities, programs, practices, procedures, or vendor
relationships. This policy applies to (ISC)² employees, members, candidates, and supporters.
Whether participating in an (ISC)² official event or certification examination as an employee, candidate, member,
staff, volunteer, subcontractor, vendor, or client, if you feel you have been discriminated against based on
nationality, religion, sexual orientation, race, gender, disability, age, marital status or military status, please send an
email to notice@isc2.org or call +1.727.785.0189, so that we can investigate your claim.
For any questions related to these policies, please contact the (ISC)² Legal Department at legal@isc2.org.

2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited. 5.18.15, V3


The compelling benefits of cloud computing are driving organizations to migrate IT infrastructure and applications
to the cloud. At the same time, the information security industry recognizes that the accompanying complexity
and risk profile require new approaches suitable for securing cloud and hybrid environments; legacy approaches are
insufficient. They also require experienced professionals with the right cloud security knowledge and skills to be
successful.

(ISC)² and the Cloud Security Alliance (CSA) developed the Certified Cloud Security Professional (CCSP)
credential to meet this critical market need and ensure that cloud security professionals have the required
knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and
compliance with regulatory frameworks. A CCSP applies information security expertise to a cloud computing
environment and demonstrates competence in cloud security architecture, design, operations, and service
orchestration. This professional competence is measured against a globally recognized body of knowledge. The
CCSP is a stand-alone credential that complements and builds upon existing credentials and educational programs,
including (ISC)²'s Certified Information Systems Security Professional (CISSP) and CSA's Certificate of Cloud
Security Knowledge (CCSK).

In addition to successfully passing the exam, CCSP candidates must have a minimum of five (5) years of cumulative
paid full-time information technology experience, of which three (3) years must be in information security and one
(1) year in one of the six (6) domains of the CCSP examination. Earning the Cloud Security Alliance's CCSK
certificate may be substituted for one (1) year of experience in one of the six (6) domains of the CCSP
examination. Earning the CISSP credential may be substituted for the entire CCSP experience requirement.
Candidates who do not meet these experience requirements may still choose to sit for the exam and become an
Associate of (ISC)².
Candidates must meet the following requirements prior to taking the examination:
- Submit the examination fee
- Understand the experience requirements discussed above as they relate to the endorsement process
- Attest to the truth of his or her assertions regarding professional experience
- Legally commit to abide by the (ISC)² Code of Ethics
- Answer four prequalification questions regarding criminal history and related background

This Candidate Information Bulletin (Exam Outline) includes:
- An exam blueprint that defines the CCSP domains and the sub-topics within each
  o Domain 1: Architectural Concepts and Design Requirements (page 4)
  o Domain 2: Cloud Data Security (page 6)
  o Domain 3: Cloud Platform and Infrastructure Security (page 8)
  o Domain 4: Cloud Application Security (page 10)
  o Domain 5: Operations (page 12)
  o Domain 6: Legal and Compliance (page 15)
- Suggested References (page 17)
- Sample Exam Questions (page 18)
- Exam Policies and Procedures (page 19)
- Contact Information (page 24)

Domain 1: Architectural Concepts and Design Requirements

Overview
The Architectural Concepts & Design Requirements domain focuses on the building blocks of cloud-based
systems. The candidate will need to have an understanding of cloud computing concepts such as definitions
based on the ISO/IEC 17788 standard; roles like the Cloud Service Customer, Provider, and Partner;
characteristics such as multi-tenancy, measured service, and rapid elasticity and scalability; and building-block
technologies of the cloud such as virtualization, storage, and networking. The candidate will need to describe and
understand the Cloud Reference Architecture, with a focus on areas such as Cloud Computing Activities as
described in ISO/IEC 17789, Clause 9; Cloud Service Capabilities, Categories, and Deployment Models; and the
Cross-Cutting Aspects of cloud platform architecture and design such as interoperability, portability,
governance, service levels, and performance. In addition, candidates will need to demonstrate a clear
understanding of the relevant security and design principles for cloud computing, such as cryptography, access
control, virtualization security, functional security requirements like vendor lock-in and interoperability, what a
secure data lifecycle is for cloud-based data, and how to carry out a cost-benefit analysis of cloud-based systems.
The ability to identify what a trusted cloud service is, and the role that certification against criteria (using
standards such as the Common Criteria and FIPS 140-2) plays in that identification, are also areas of focus for
this domain.

Key Areas of Knowledge

A. Understand Cloud Computing Concepts
A.1 Cloud Computing Definitions (ISO/IEC 17788)
A.2 Cloud Computing Roles (i.e., Cloud Service Customer, Cloud Service Provider, and Cloud Service Partner)
A.3 Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multi-tenancy,
    rapid elasticity and scalability, resource pooling, measured service)
A.4 Building Block Technologies (e.g., virtualization, storage, networking, databases)

B. Describe Cloud Reference Architecture
B.1 Cloud Computing Activities (ISO/IEC 17789, Clause 9)
B.2 Cloud Service Capabilities (i.e., application capability type, platform capability type, infrastructure
    capability types)
B.3 Cloud Service Categories (e.g., SaaS, IaaS, PaaS, NaaS, CompaaS, DSaaS)
B.4 Cloud Deployment Models (e.g., public, private, hybrid, community)
B.5 Cloud Cross-Cutting Aspects (e.g., interoperability, portability, reversibility, availability, security, privacy,
    resiliency, performance, governance, maintenance and versioning, service levels and service level agreement,
    auditability, and regulatory)

C. Understand Security Concepts Relevant to Cloud Computing
C.1 Cryptography (e.g., encryption, in motion, at rest, key management)
C.2 Access Control
C.3 Data and Media Sanitization (e.g., overwriting, cryptographic erase)
C.4 Network Security
C.5 Virtualization Security (e.g., hypervisor security)
C.6 Common Threats
C.7 Security Considerations for Different Cloud Categories (e.g., SaaS, PaaS, *aaS)

D. Understand Design Principles of Secure Cloud Computing
D.1 Cloud Secure Data Lifecycle
D.2 Cloud Based Business Continuity/Disaster Recovery Planning
D.3 Cost Benefit Analysis
D.4 Functional Security Requirements (e.g., portability, interoperability, vendor lock-in)

E. Identify Trusted Cloud Services
E.1 Certification Against Criteria
E.2 System/Subsystem Product Certifications (e.g., Common Criteria, FIPS 140-2)


Domain 2: Cloud Data Security


Overview
The Cloud Data Security domain contains the concepts, principles, structures, and standards used to design,
implement, monitor, and secure operating systems, equipment, networks, applications, and the controls used
to enforce various levels of confidentiality, integrity, and availability. The candidate will need to understand and
implement data discovery and classification technologies pertinent to cloud platforms, as well as be able to
design and implement relevant jurisdictional data protections for Personally Identifiable Information (PII), such as
data privacy acts and the ability to map and define controls within the cloud. Designing and implementing Data
Rights Management (DRM) solutions with the appropriate tools, and planning for the implementation of data
retention, deletion, and archiving policies, are activities that a candidate will need to be prepared to
undertake. The design and implementation of auditability, traceability, and accountability of data within cloud-
based systems through the use of data event logging, chain of custody and non-repudiation, and the ability to store
and analyze data through the use of security information and event management (SIEM) systems are also discussed
within the Cloud Data Security domain.

Key Areas of Knowledge

A. Understand Cloud Data Lifecycle
A.1 Phases
A.2 Relevant Data Security Technologies

B. Design and Implement Cloud Data Storage Architectures
B.1 Storage Types (e.g., long term, ephemeral, raw-disk)
B.2 Threats to Storage Types (e.g., ISO/IEC 27040)
B.3 Technologies Available to Address Threats (e.g., encryption)

C. Design and Apply Data Security Strategies
C.1 Encryption
C.2 Key Management
C.3 Masking
C.4 Tokenization
C.5 Application of Technologies (e.g., time of storage vs. encryption needs)
C.6 Emerging Technologies (e.g., bit splitting, data obfuscation, homomorphic encryption)

D. Understand and Implement Data Discovery and Classification Technologies
D.1 Data Discovery
D.2 Classification

E. Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
E.1 Data Privacy Acts
E.2 Implementation of Data Discovery
E.3 Classification of Discovered Sensitive Data
E.4 Mapping and Definition of Controls
E.5 Application of Defined Controls for PII (in consideration of customer's Data Privacy Acts)

F. Design and Implement Data Rights Management
F.1 Data Rights Objectives (e.g., provisioning, users and roles, role-based access)
F.2 Appropriate Tools (e.g., issuing and replication of certificates)

G. Plan and Implement Data Retention, Deletion, and Archiving Policies
G.1 Data Retention Policies
G.2 Data Deletion Procedures and Mechanisms
G.3 Data Archiving Procedures and Mechanisms

H. Design and Implement Auditability, Traceability and Accountability of Data Events
H.1 Definition of Event Sources and Identity Attribution Requirement
H.2 Data Event Logging
H.3 Storage and Analysis of Data Events (e.g., security information and event management)
H.4 Continuous Optimizations (e.g., new events detected, add new rules, reductions of false positives)
H.5 Chain of Custody and Non-repudiation


Domain 3: Cloud Platform and Infrastructure Security


Overview
The Cloud Platform and Infrastructure Security domain covers knowledge of the cloud infrastructure
components, both physical and virtual, existing threats, and the mitigation of and planning for those threats.
Risk management is the identification, measurement and control of loss associated with adverse events. It
includes overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis,
management decisions, safeguard implementation, and effectiveness review. The candidate is expected to
understand risk management, including risk analysis, threats and vulnerabilities, asset identification, and risk
management tools and techniques. In addition, the candidate will also need to understand how to design and plan
for the use of security controls such as audit mechanisms, physical and environmental protection, and the
management of identification, authentication and authorization solutions within the cloud infrastructures they
manage. Business Continuity Planning (BCP) facilitates the rapid recovery of business operations to reduce the
overall impact of a disaster by ensuring continuity of the critical business functions. Disaster Recovery
Planning (DRP) includes procedures for emergency response, extended backup operations and post-disaster
recovery when the computer installation suffers loss of computer resources and physical facilities. The candidate
is expected to understand how to prepare a business continuity or disaster recovery plan, the related techniques
and concepts, the identification of critical data and systems, and finally the recovery of lost data within cloud
infrastructures.

Key Areas of Knowledge

A. Comprehend Cloud Infrastructure Components
A.1 Physical Environment
A.2 Network and Communications
A.3 Compute
A.4 Virtualization
A.5 Storage
A.6 Management Plane

B. Analyze Risks Associated with Cloud Infrastructure
B.1 Risk Assessment/Analysis
B.2 Cloud Attack Vectors
B.3 Virtualization Risks
B.4 Counter-Measure Strategies (e.g., access controls, design principles)

C. Design and Plan Security Controls
C.1 Physical and Environmental Protection (e.g., on-premise)
C.2 System and Communication Protection
C.3 Virtualization Systems Protection
C.4 Management of Identification, Authentication and Authorization in Cloud Infrastructure
C.5 Audit Mechanisms

D. Plan Disaster Recovery and Business Continuity Management
D.1 Understanding of the Cloud Environment
D.2 Understanding of the Business Requirements
D.3 Understanding of the Risks
D.4 Disaster Recovery/Business Continuity Strategy
D.5 Creation of the Plan
D.6 Implementation of the Plan


Domain 4: Cloud Application Security


Overview
The Cloud Application Security domain focuses on ensuring that the candidate understands and recognizes
the need for training and awareness in application security, the processes involved with cloud software assurance
and validation, and the use of verified secure software. The domain refers to the controls that are included within
systems and application software and the steps used in their development (e.g., SDLC). The candidate should
fully understand the security and controls of the development process, system life cycle, application controls,
change controls, program interfaces, and concepts used to ensure data and application integrity, security, and
availability. In addition, the candidate needs to understand how to design appropriate Identity and Access
Management (IAM) solutions for cloud-based systems.

Key Areas of Knowledge

A. Recognize the Need for Training and Awareness in Application Security
A.1 Cloud Development Basics (e.g., RESTful)
A.2 Common Pitfalls
A.3 Common Vulnerabilities (e.g., OWASP Top 10)

B. Understand Cloud Software Assurance and Validation
B.1 Cloud-based Functional Testing
B.2 Cloud Secure Development Lifecycle
B.3 Security Testing (e.g., SAST, DAST, Pen Testing)

C. Use Verified Secure Software
C.1 Approved API
C.2 Supply-Chain Management
C.3 Community Knowledge

D. Comprehend the Software Development Life-Cycle (SDLC) Process
D.1 Phases & Methodologies
D.2 Business Requirements
D.3 Software Configuration Management & Versioning

E. Apply the Secure Software Development Life-Cycle
E.1 Common Vulnerabilities (e.g., SQL Injection, XSS, XSRF, Direct Object Reference, Buffer Overflow)
E.2 Cloud-Specific Risks
E.3 Quality of Service
E.4 Threat Modeling

F. Comprehend the Specifics of Cloud Application Architecture

F.1 Supplemental Security Devices (e.g., WAF, DAM, XML firewalls, API gateway)
F.2 Cryptography (e.g., TLS, SSL, IPSEC)
F.3 Sandboxing
F.4 Application Virtualization

G. Design Appropriate Identity and Access Management (IAM) Solutions
G.1 Federated Identity
G.2 Identity Providers
G.3 Single Sign-On
G.4 Multi-factor Authentication


Domain 5: Operations
Overview
The Operations domain covers the identification of critical information and the execution of selected measures that
eliminate or reduce adversary exploitation of that critical information. The domain examines the requirements of the
cloud architecture, from planning of the data center design and implementation of the physical and logical
infrastructure for the cloud environment, to running and managing that infrastructure. It includes the definition of
the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing
and monitoring are the mechanisms, tools and facilities that permit the identification of security events and
subsequent actions to identify the key elements and report the pertinent information to the appropriate
individual, group, or process. The need for compliance with regulations and controls through the application of
frameworks such as ITIL and ISO/IEC 20000 is also discussed. In addition, the importance of risk assessment
across both the logical and physical infrastructures and the management of communication with all relevant
parties are areas of focus. The candidate is expected to know the resources that must be protected, the privileges
that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate
controls, and the principles of good practice.

Key Areas of Knowledge

A. Support the Planning Process for the Data Center Design
A.1 Logical Design (e.g., tenant partitioning, access control)
A.2 Physical Design (e.g., location, buy or build)
A.3 Environmental Design (e.g., HVAC, multi-vendor pathway connectivity)

B. Implement and Build Physical Infrastructure for Cloud Environment
B.1 Secure Configuration of Hardware Specific Requirements (e.g., BIOS settings for virtualization and TPM,
    storage controllers, network controllers)
B.2 Installation and Configuration of Virtualization Management Tools for the Host

C. Run Physical Infrastructure for Cloud Environment
C.1 Configuration of Access Control for Local Access (e.g., Secure KVM, console-based access mechanisms)
C.2 Securing Network Configuration (e.g., VLANs, TLS, DHCP, DNS, IPSEC)
C.3 OS Hardening via Application of Baseline (e.g., Windows, Linux, VMware)
C.4 Availability of Stand-Alone Hosts
C.5 Availability of Clustered Hosts (e.g., distributed resource scheduling (DRS), dynamic optimization (DO),
    storage clusters, maintenance mode, high availability)

D. Manage Physical Infrastructure for Cloud Environment
D.1 Configuring Access Controls for Remote Access (e.g., RDP, Secure Terminal Access)
D.2 OS Baseline Compliance Monitoring and Remediation
D.3 Patch Management
D.4 Performance Monitoring (e.g., network, disk, memory, CPU)

D.5 Hardware Monitoring (e.g., disk I/O, CPU temperature, fan speed)
D.6 Backup and Restore of Host Configuration
D.7 Implementation of Network Security Controls (e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments)
D.8 Log Capture and Analysis (e.g., SIEM, log management)
D.9 Management Plane (e.g., scheduling, orchestration, maintenance)

E. Build Logical Infrastructure for Cloud Environment
E.1 Secure Configuration of Virtual Hardware Specific Requirements (e.g., network, storage, memory, CPU)
E.2 Installation of Guest O/S Virtualization Toolsets

F. Run Logical Infrastructure for Cloud Environment
F.1 Secure Network Configuration (e.g., VLANs, TLS, DHCP, DNS, IPSEC)
F.2 OS Hardening via Application of a Baseline (e.g., Windows, Linux, VMware)
F.3 Availability of the Guest OS

G. Manage Logical Infrastructure for Cloud Environment
G.1 Access Control for Remote Access (e.g., RDP)
G.2 OS Baseline Compliance Monitoring and Remediation
G.3 Patch Management
G.4 Performance Monitoring (e.g., network, disk, memory, CPU)
G.5 Backup and Restore of Guest OS Configuration (e.g., agent-based, snapshots, agentless)
G.6 Implementation of Network Security Controls (e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments)
G.7 Log Capture and Analysis (e.g., SIEM, log management)
G.8 Management Plane (e.g., scheduling, orchestration, maintenance)

H. Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
H.1 Change Management
H.2 Continuity Management
H.3 Information Security Management
H.4 Continual Service Improvement Management
H.5 Incident Management
H.6 Problem Management
H.7 Release Management
H.8 Deployment Management
H.9 Configuration Management
H.10 Service Level Management

H.11 Availability Management
H.12 Capacity Management

I. Conduct Risk Assessment to Logical and Physical Infrastructure

J. Understand the Collection, Acquisition and Preservation of Digital Evidence
J.1 Proper Methodologies for Forensic Collection of Data
J.2 Evidence Management

K. Manage Communication with Relevant Parties
K.1 Vendors
K.2 Customers
K.3 Partners
K.4 Regulators
K.5 Other Stakeholders


Domain 6: Legal and Compliance


Overview
The Legal and Compliance domain addresses ethical behavior and compliance with regulatory frameworks. It
includes the investigative measures and techniques that can be used to determine if a crime has been committed,
and the methods used to gather evidence (e.g., legal controls, eDiscovery, and forensics). This domain also includes
an understanding of privacy issues and the audit processes and methodologies required for a cloud environment,
such as internal and external audit controls, assurance issues associated with virtualization and the cloud, and the
types of audit reporting specific to the cloud (e.g., SAS, SSAE and ISAE). Further, examining and understanding
the implications that cloud environments have for enterprise risk management, and the impact of outsourcing the
design and hosting of these systems, are also important considerations that many organizations face today.

Key Areas of Knowledge

A. Understand Legal Requirements and Unique Risks within the Cloud Environment
A.1 International Legislation Conflicts
A.2 Appraisal of Legal Risks Specific to Cloud Computing
A.3 Legal Controls
A.4 eDiscovery (e.g., ISO/IEC 27050, CSA Guidance)
A.5 Forensics Requirements

B. Understand Privacy Issues, Including Jurisdictional Variation
B.1 Difference between Contractual and Regulated PII
B.2 Country-Specific Legislation Related to PII / Data Privacy
B.3 Difference Among Confidentiality, Integrity, Availability, and Privacy

C. Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
C.1 Internal and External Audit Controls
C.2 Impact of Requirements Programs by the Use of Cloud
C.3 Assurance Challenges of Virtualization and Cloud
C.4 Types of Audit Reports (e.g., SAS, SSAE, ISAE)
C.5 Restrictions of Audit Scope Statements (e.g., SAS 70)
C.6 Gap Analysis
C.7 Audit Plan
C.8 Standards Requirements (e.g., ISO/IEC 27018, GAPP)
C.9 Internal Information Security Management System
C.10 Internal Information Security Controls System

C.11 Policies
C.12 Identification and Involvement of Relevant Stakeholders
C.13 Specialized Compliance Requirements for Highly Regulated Industries
C.14 Impact of Distributed IT Model (e.g., diverse geographical locations and crossing over legal jurisdictions)

D. Understand Implications of Cloud to Enterprise Risk Management
D.1 Access Providers Risk Management
D.2 Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite,
    responsibility)
D.3 Provision of Regulatory Transparency Requirements
D.4 Risk Mitigation
D.5 Different Risk Frameworks
D.6 Metrics for Risk Management
D.7 Assessment of Risk Environment (e.g., service, vendor, ecosystem)

E. Understand Outsourcing and Cloud Contract Design
E.1 Business Requirements (e.g., SLA, GAAP)
E.2 Vendor Management (e.g., selection, common certification framework)
E.3 Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance,
    access to cloud/data)

F. Execute Vendor Management
F.1 Supply-chain Management (e.g., ISO/IEC 27036)


Suggested References
This reference list is not intended to be an all-inclusive collection representing the CCSP Common Body of
Knowledge (CBK). Its purpose is to provide candidates a starting point for their studies in domains which need
supplementary learning in order to complement their associated level of work and academic experience.
Candidates may also consider other references, which are not on this list but adequately cover domain content.
Note: (ISC)² does not endorse any particular text or author and does not imply that any or all references be acquired or
consulted. (ISC)² does not imply nor guarantee that the study of these references will result in an examination pass.

Supplementary References
Challenging Security Requirements for US Government Cloud Computing Adoption, NIST Cloud Computing Public
Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory, December 9, 2010
CSA Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013, Top Threats Working Group
Cloud Computing: Benefits, Risks and Recommendations for Information Security, ENISA, November 2009
ISO/IEC 17788:2014 Information technology -- Cloud computing -- Overview and vocabulary
ISO/IEC 17789:2014 Information technology -- Cloud computing -- Reference architecture
NIST Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, June 11, 2013
Quick Reference Guide to the Reference Architecture, TCI Trusted Cloud Initiative, Cloud Security Alliance, 2011
SecaaS Cat 1 IAM Implementation Guidance, Category 1 // Identity and Access Management, September 2012
SecaaS Cat 10 Network Security Implementation Guidance, Category 10 // Network Security, September 2012
SecaaS Cat 3 Web Security Implementation Guidance, Category 3 // Web Security, September 2012
SecaaS Cat 4 Email Security Implementation Guidance, Category 4 // Email Security, September 2012
SecaaS Cat 5 Security Assessments Implementation Guidance, Category 5 // Security Assessments, September 2012
SecaaS Cat 6 Intrusion Management Implementation Guidance, Category 6 // Intrusion Management, September 2012
SecaaS Cat 7 SIEM Implementation Guidance, Security Information and Event Management, October 2012
SecaaS Cat 8 Encryption Implementation Guidance, Category 8 // Encryption, September 2012
SecaaS Cat 9 BCDR Implementation Guidance, Category 9 // Business Continuity / Disaster Recovery, September 2012
SecaaS Implementation Guidance, Category 2 // Data Loss Prevention, September 2012
Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, 2011
TCI Trusted Cloud Initiative Reference Architecture, Version 2.0, 2011
TCI Trusted Cloud Initiative, Quick Guide to Reference Architecture, CSA Cloud Security Alliance White Paper,
October 18, 2011
The Cloud Security Alliance Security as a Service Implementation Guidance Documents
Top Threats Working Group, The Notorious Nine: Cloud Computing Top Threats in 2013, February 2013


Sample Exam Questions

1. Which one of the following is the MOST important security consideration when selecting a new computer facility?
(A) Local law enforcement response times
(B) Adjacent to competitors' facilities
(C) Aircraft flight paths
(D) Utility infrastructure
Answer: D

2. Which one of the following describes a SYN flood attack?
(A) Rapid transmission of Internet Relay Chat (IRC) messages
(B) Creating a high number of half-open connections
(C) Disabling the Domain Name Service (DNS) server
(D) Excessive list linking of users and files
Answer: B

3. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions
(A) between the WAP gateway and the wireless device.
(B) between the web server and WAP gateway.
(C) from the web server to the wireless device.
(D) between the wireless device and the base station.
Answer: B


Exam Policies and Procedures

Non-Discrimination Policy
(ISC)² does not discriminate against candidates based on their nationality, gender, religion, race, ethnicity, sexual
orientation, age or disability. For additional information on (ISC)²'s non-discrimination and other candidate policies,
please visit https://www.isc2.org/legal-info-policies.aspx.

Registering for the Exam

The CCSP examination is administered at Pearson VUE testing centers around the world. To register for the
exam:
1. Go to www.pearsonvue.com/isc2 to register for an exam appointment.
2. Select the most convenient test center.
3. Select an appointment time.
4. Pay for your exam appointment.
5. Receive confirmation from Pearson VUE with the appointment details.

Please note that your registration information will be transferred to (ISC)² and all communication about the testing
process from (ISC)² and Pearson VUE will be sent to you via email.

Fees
Visit the (ISC)² website for the exam registration fees.

Examination Agreement and Non-Disclosure Agreement

All candidates must agree to the terms listed in the (ISC)² Examination Agreement when registering for the
exam on the Pearson VUE website. The agreement can be found under the View Testing Policies link on the Exam
Details page.
At the Pearson VUE testing center, prior to starting the exam, all candidates are also required to read and accept
the (ISC)² non-disclosure agreement (NDA) within the allotted five (5) minutes before being presented with
exam questions. If the candidate does not accept the NDA within the time allotted, the exam will end, and the
candidate will be asked to leave the test center. No refund of exam fees will be given. For this reason, all
candidates are strongly encouraged to review the non-disclosure agreement prior to scheduling or taking the exam.

Requesting Special Accommodations

Pearson VUE Professional Centers can accommodate a variety of candidates' needs, as they are fully compliant
with the Americans with Disabilities Act (ADA) and the equivalent requirements in other countries.
Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once
(ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson
VUE's special accommodations number. From there, a Pearson VUE coordinator will handle all of the
arrangements.



Please note: Candidates who request special accommodations should not schedule their appointment online or
call the main CBT registration line.

Rescheduling or Cancellation of an Exam Appointment

If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at least 48 hours
before the exam date online at www.pearsonvue.com/isc2, or at least 24 hours before the exam appointment
time by phone. Please refer to Contact Information for more information and local telephone numbers for your
region. Canceling or rescheduling an exam appointment less than 24 hours in advance via phone notification, or
less than 48 hours in advance via online notification, is subject to forfeiture of exam fees. Exam fees are also
forfeited for no-shows. Please note that Pearson VUE charges a 50 USD/35 /40 fee for reschedules, and a
100 USD/70 /80 fee for cancellations.

Late Arrivals or No-Shows

If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or she has technically
forfeited his or her assigned seat.
If the candidate arrives late (more than 15 minutes after his/her scheduled appointment), it is at the discretion of the
testing center whether or not the candidate may still take the exam. If the test administrator at the testing
location is able to accommodate a late-arriving candidate without affecting subsequent candidates' appointments,
he/she will let the candidate sit for the exam. However, if the schedule is such that the test center is not able to
accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited.
If a candidate fails to appear for a testing appointment, the test result will appear in the system as a no-show and
the candidate's exam fees will be forfeited.

Pearson VUE Check-In Process

Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing time. If you
arrive more than 15 minutes late to your scheduled appointment, you may lose your examination appointment.
For checking in:
- You will be required to present two acceptable forms of identification.
- You will be asked to provide your signature, submit to a palm vein scan, and have your photograph taken.
  Hats, scarves and coats may not be worn in the testing room, or while your photograph is being taken.
- You will be required to leave your personal belongings outside the testing room. Secure storage will be
  provided. Storage space is small, so candidates should plan appropriately. Pearson VUE Professional
  Centers assume no responsibility for candidates' personal belongings.
- The Test Administrator (TA) will give you a short orientation, and then will escort you to a computer
  terminal. You must remain in your seat during the examination, except when authorized to leave by test
  center staff. You may not change your computer terminal unless a TA directs you to do so. During the
  exam, you may raise your hand to notify the TA if you believe you have a problem with your computer,
  need to change note boards, need to take a break, or need the TA for any reason.


Identification Requirements
(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test
appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired)
and must be original documents (not photocopies or faxes).
Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate's signature.
Secondary IDs: Must have the candidate's signature.

Accepted Primary ID (photograph and signature, not expired)
- Government-issued Driver's License or Identification Card
- U.S. Dept. of State Driver's License
- U.S. Learner's Permit (card only, with photo and signature)
- National/State/Country Identification Card
- Passport
- Passport Card
- Military ID
- Military ID for spouses and dependents
- Alien Registration Card (Green Card, Permanent Resident Visa)
- Government-issued local language ID (plastic card with photo and signature)
- Employee ID
- School ID
- Credit Card* (A credit card can be used as a primary form of ID only if it contains both a photo and a
  signature and is not expired. Any credit card can be used as a secondary form of ID, as long as it contains
  a signature and is not expired. This includes major credit cards, such as VISA, MasterCard, American
  Express and Discover. It also includes department store and gasoline credit cards.)

Accepted Secondary ID (contains signature, not expired)
- U.S. Social Security Card
- Debit/ATM Card
- Credit Card
- Any form of ID on the primary list

Name Matching Policy

The candidate's first and last name on the presented identification document must exactly match the first and last
name on the registration record with Pearson VUE. If the name the candidate has registered with does not match
the name on the identification document, proof of legal name change must be brought to the test center on the
day of the test. The only acceptable forms of legal documentation are marriage licenses, divorce decrees, or court-
sanctioned legal name change documents. All documents presented at the test center must be original documents.
If a mistake is made with a name during the application process, candidates should contact (ISC)² to correct the
information well in advance of the actual test date. Name changes cannot be made at the test center or on the
day of the exam. Candidates who do not meet the requirements presented in the name matching policy on the
day of the test may be subject to forfeiture of testing fees and asked to leave the testing center.


Testing Environment
Pearson VUE Professional Centers administer many types of examinations including some that require written
responses (essay-type). Pearson VUE Professional Centers have no control over typing noises made by candidates
sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized
testing environment, just as the noise of turning pages is a normal part of the paper and pencil testing
environment. Earplugs are available upon request.

Breaks During the Exam


You will have up to 4 hours to complete the CCSP examination. Total examination time includes any unscheduled
breaks you may take. All breaks count against your testing time. You must leave the testing room during your
break, but you may not leave the building or access any personal belongings unless absolutely necessary (e.g. for
retrieving medication). Additionally, when you take a break, you will be required to submit to a palm vein scan
before and after your break.

Examination Format and Scoring

The CCSP examination contains 125 multiple-choice questions with four (4) choices each. There may be
scenario-based items, each of which may have more than one multiple-choice question associated with it.
The exam will contain 25 questions which are included for research purposes only. The research questions
are not identified; therefore, answer all questions to the best of your ability. There is no penalty for guessing,
so candidates should not leave any item unanswered. Results will be based only on the scored questions on
the examination. There are several versions of the examination. It is important that each candidate have an
equal opportunity to pass the examination, no matter which version is administered. Subject Matter Experts
(SMEs) have provided input as to the difficulty level of all questions used in the examinations. That
information is used to develop examination forms that have comparable difficulty levels. When there are
differences in examination difficulty, a mathematical procedure called equating is used to make the
difficulty level of each test form equal. Because the number of questions required to pass the examination may
be different for each version, the scores are converted onto a reporting scale to ensure a common standard.
The passing grade required is a scaled score of 700 out of a possible 1000 points on the grading scale.

Finishing the Exam


After you have finished the examination, raise your hand to summon the TA. The TA will collect and inventory all
note boards. The TA will dismiss you when all requirements are fulfilled.
If you believe there was an irregularity in the administration of your test, or the associated test conditions
adversely affected the outcome of your examination, you should notify the TA before you leave the test center.

Results Reporting
Candidates will receive their test result at the test center. The results will be handed out by the TA during the
checkout process. (ISC)² will then follow up with an official result via email.
In some instances, real-time results may not be available. A comprehensive statistical and psychometric analysis of
the score data is conducted during every testing cycle before scores are released. A minimum number of
candidates are required to take the exam before this analysis can be completed. Depending upon the volume of
test takers for a given cycle, there may be occasions when scores are delayed for approximately 6-8 weeks in
order to complete this critical process. Results will not be released over the phone. They will be sent via email
from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact
(ISC)² prior to your examination.

Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate's examination. If circumstances
arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts
longer than 30 minutes, you will be given the choice of continuing to wait or rescheduling your appointment
without an additional fee.

- If you choose to wait, but later change your mind at any time prior to beginning or restarting the
  examination, you will be allowed to take the exam at a later date, at no additional cost.
- If you choose not to reschedule, but rather test after a delay, you will have no further recourse, and your
  test results will be considered valid.
- If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you
  will be allowed to test at a later date at no additional charge. Every attempt will be made to contact
  candidates if technical problems are identified prior to a scheduled appointment.

Examination Retake Policy

Candidates who do not pass on their first attempt may not retake the exam for a period of 90 days from the date
of the first attempt. Candidates who fail a second time will need to wait an additional 90 days prior to sitting for
the exam again. In the unfortunate event that a candidate fails a third time, that candidate may not sit for the
exam for a period of 180 days after the most recent attempt. Candidates are eligible to sit for (ISC)² exams a
maximum of 3 times within a calendar year.

Exam Irregularities and Test Invalidation

(ISC)² exams are intended to be delivered under standardized conditions. If any irregularity or fraud is
encountered before, during, or after the administration of the exam, (ISC)² will examine the situation and
determine whether action is warranted. If (ISC)² determines that any testing irregularity or fraud has happened, it
may choose not to score the answer documents of the affected test taker(s), or it may choose to cancel the
scores of the affected test taker(s).
(ISC)² may at its sole discretion revoke any and all certifications a candidate may have earned and ban the
candidate from earning future (ISC)² certifications, and decline to score or cancel any Exam under any of the
circumstances listed in the (ISC)² Examination Agreement. Please refer to the (ISC)² Examination Agreement for
further details.

Recertification by Examination
Candidates and members may recertify by examination for the following reasons only:
- The candidate has become decertified due to reaching the expiration of the time limit for endorsement.
- The member has become decertified for not meeting the number of required continuing professional
  education (CPE) credits.


Contact Information
Please direct any questions or comments to:
(ISC)² Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
Phone: 1.866.331.ISC2 (United States); +1.727.785.0189 (International)
Fax: 1.727.683.0785
membersupport@isc2.org
