2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. April 21, 2015
Impartiality Statement
(ISC)² is committed to impartiality by promoting a bias-free and discrimination-free environment for all members,
candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)²'s board of directors, management and
staff understand the importance of impartiality in carrying out its certification activities, manage conflicts of interest
and ensure the objectivity of its certification. If you feel you have not received impartial treatment, please send an
email to notice@isc2.org or call +1.727.785.0189, so that we can investigate your claim.
Non-Discrimination Policy
(ISC)² is an equal opportunity employer and does not allow, condone or support discrimination of any type within
its organization including, but not limited to, its activities, programs, practices, procedures, or vendor
relationships. This policy applies to (ISC)² employees, members, candidates, and supporters.
Whether participating in an (ISC)² official event or certification examination as an employee, candidate, member,
staff, volunteer, subcontractor, vendor, or client, if you feel you have been discriminated against based on
nationality, religion, sexual orientation, race, gender, disability, age, marital status or military status, please send an
email to notice@isc2.org or call +1.727.785.0189, so that we can investigate your claim.
For any questions related to these policies, please contact the (ISC)² Legal Department at legal@isc2.org.
2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited. 5.18.15, V3
(ISC)² and the Cloud Security Alliance (CSA) developed the Certified Cloud Security Professional (CCSP)
credential to meet this critical market need and ensure that cloud security professionals have the required
knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and
compliance with regulatory frameworks. A CCSP applies information security expertise to a cloud computing
environment and demonstrates competence in cloud security architecture, design, operations, and service
orchestration. This professional competence is measured against a globally recognized body of knowledge. The
CCSP is a stand-alone credential that complements and builds upon existing credentials and educational programs,
including (ISC)²'s Certified Information Systems Security Professional (CISSP) and CSA's Certificate of Cloud
Security Knowledge (CCSK).
In addition to successfully passing the exam, CCSP candidates must have a minimum of five (5) years of cumulative
paid full-time information technology experience, of which three (3) years must be in information security and one
(1) year in one of the six (6) domains of the CCSP examination. Earning the Cloud Security Alliance's CCSK
certificate may be substituted for one (1) year of experience in one of the six (6) domains of the CCSP
examination. Earning the CISSP credential may be substituted for the entire CCSP experience requirement.
Candidates who do not meet these experience requirements may still choose to sit for the exam and become an
Associate of (ISC)².
Candidates must meet the following requirements prior to taking the examination:
A.2
Cloud Computing Roles (i.e., Cloud Service Customer, Cloud Service Provider, and Cloud
Service Partner)
Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access,
multi-tenancy, rapid elasticity and scalability, resource pooling, measured service)
Building Block Technologies (e.g., virtualization, storage, networking, databases)
A.3
A.4
B.2
B.3
Cloud Service Capabilities (i.e., application capability type, platform capability type,
infrastructure capability types)
Cloud Service Categories (e.g., SaaS, IaaS, PaaS, NaaS, CompaaS, DSaaS)
B.4
B.5
C.2
Access Control
C.3
Network security
C.5
C.6
Common Threats
C.7
Security Considerations for different Cloud Categories (e.g., SaaS, PaaS, *aaS)
D.2
D.3
D.4
E.2
Phases
A.2
B.2
B.3
Encryption
C.2
Key Management
C.3
Masking
C.4
Tokenization
C.5
C.6
Data Discovery
D.2
Classification
F.
E.1
E.2
E.3
E.4
E.5
Application of Defined Controls for PII (in consideration of customer's Data Privacy Acts)
Data Rights Objectives (e.g. provisioning, users and roles, role-based access)
F.2
G.2
G.3
H.2
H.3
Storage and Analysis of Data Events (e.g. security information and event management)
H.4
Continuous Optimizations (e.g. new events detected, add new rules, reductions of false
positives)
H.5
Physical Environment
A.2
A.3
Compute
A.4
Virtualization
A.5
Storage
A.6
Management Plane
Risk Assessment/Analysis
B.2
B.3
Virtualization Risks
B.4
C.
C.2
C.3
C.4
C.5
Audit Mechanisms
D.1
D.2
D.3
D.4
D.5
D.6
A.2
Common Pitfalls
A.3
B.2
B.3
Approved API
C.2
Supply-Chain Management
C.3
Community Knowledge
D.2
Business Requirements
D.3
Common Vulnerabilities (e.g., SQL Injection, XSS, XSRF, Direct Object Reference, Buffer
Overflow)
Cloud-Specific Risks
E.3
Quality of Service
E.4
Threat Modeling
Supplemental Security Devices (e.g., WAF, DAM, XML firewalls, API gateway)
F.2
F.3
Sandboxing
F.4
Application Virtualization
Federated Identity
G.2
Identity Providers
G.3
Single Sign-On
G.4
Multi-factor Authentication
Domain 5: Operations
Overview
The Operations domain covers identifying critical information and executing selected measures that
eliminate or reduce adversary exploitation of that information. The domain examines the requirements of the
cloud architecture, from planning of the data center design and implementation of the physical and logical
infrastructure for the cloud environment, to running and managing that infrastructure. It includes the definition of
the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing
and monitoring are the mechanisms, tools and facilities that permit the identification of security events and the
subsequent actions to isolate the key elements and report the pertinent information to the appropriate
individual, group, or process. The need for compliance with regulations and controls through the application of
frameworks such as ITIL and ISO/IEC 20000 is also discussed. In addition, the domain focuses on the importance of risk assessment
across both the logical and physical infrastructures and on the management of communication with all relevant
parties. The candidate is expected to know the resources that must be protected, the privileges that
must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls,
and the principles of good practice.
A.2
A.3
Secure Configuration of Hardware Specific Requirements (e.g., BIOS settings for virtualization
and TPM, storage controllers, network controllers)
Installation and Configuration of Virtualization Management Tools for the Host
Configuration of Access Control for Local Access (e.g., Secure KVM, Console based access
mechanisms)
Securing Network Configuration (e.g., VLANs, TLS, DHCP, DNS, IPsec)
C.3
C.4
C.5
Configuring Access Controls for Remote Access (e.g., RDP, Secure Terminal Access)
D.2
D.3
Patch Management
D.4
D.6
D.7
D.8
D.9
F.2
F.3
G.2
G.3
Patch Management
G.4
G.5
Backup and Restore of Guest OS Configuration (e.g., Agent-based, Snapshots, Agentless)
G.6
G.7
G.8
H. Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
H.1
Change Management
H.2
Continuity Management
H.3
H.4
H.5
Incident Management
H.6
Problem Management
H.7
Release Management
H.8
Deployment Management
H.9
Configuration Management
H.10
Availability Management
H.12
Capacity Management
J.1
J.2
Evidence Management
Vendors
K.2
Customers
K.3
Partners
K.4
Regulators
K.5
Other Stakeholders
A.2
A.3
Legal Controls
A.4
A.5
Forensics Requirements
B.2
B.3
Environment
C.1
C.2
C.3
C.4
C.5
C.6
Gap Analysis
C.7
Audit Plan
C.8
C.9
C.10
Policies
C.12
C.13
C.14
Impact of Distributed IT Model (e.g., diverse geographical locations and crossing over legal
jurisdictions)
D.2
D.3
Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile,
risk appetite, responsibility)
Provision of Regulatory Transparency Requirements
D.4
Risk Mitigation
D.5
D.6
D.7
E.2
E.3
Suggested References
This reference list is not intended to be an all-inclusive collection representing the CCSP Common Body of
Knowledge (CBK). Its purpose is to provide candidates a starting point for their studies in domains which need
supplementary learning in order to complement their associated level of work and academic experience.
Candidates may also consider other references, which are not on this list but adequately cover domain content.
Note: (ISC)² does not endorse any particular text or author and does not imply that any or all references be acquired or
consulted. (ISC)² does not imply nor guarantee that the study of these references will result in an examination pass.
Supplementary References
Challenging Security Requirements for US Government Cloud Computing Adoption, NIST Cloud Computing Public
Security Working Group NIST Cloud Computing Program Information Technology Laboratory December 9, 2010
CSA Cloud Security Alliance - The Notorious Nine Cloud Computing Top Threats in 2013 -Top Threats Working
Group
ENISA Cloud Computing, Benefits, risks and recommendations for information security, ENISA, November 2009
ISO/IEC 17788:2014 Information technology -- Cloud computing -- Overview and vocabulary
ISO/IEC 17789:2014 Information technology -- Cloud computing -- Reference architecture
NIST Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, June 11, 2013
Quick Reference Guide to the Reference Architecture, TCI Trusted Cloud Initiative, 2011 Cloud Security Alliance
SecaaS Cat 1 IAM Implementation Guidance, Category 1 //Identity and Access Management, September 2012
SecaaS Cat 10 Network Security Implementation Guidance, Category 10 //Network Security, September 2012
SecaaS Cat 3 Web Security Implementation Guidance, Category 3 //Web Security, September 2012
SecaaS Cat 4 Email Security Implementation Guidance, Category 4 //Email Security, September 2012
SecaaS Cat 5 Security Assessments Implementation Guidance, Category 5 //Security Assessments, September 2012
SecaaS Cat 6 Intrusion Management Implementation Guidance, Category 6 //Intrusion Management, September 2012
SecaaS Cat 7 SIEM Implementation Guidance, Security Information and Event Management, October 2012
SecaaS Cat 8 Encryption Implementation Guidance, Category 8 //Encryption, September 2012
SecaaS Cat 9 BCDR Implementation Guidance, Category 9 //Business Continuity /Disaster Recovery, September 2012
SecaaS Implementation Guidance, Category 2 //Data Loss Prevention, September 2012
Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, 2011
TCI Trusted Cloud Initiative Reference Architecture, Version 2.0, 2011
TCI Trusted Cloud Initiative, Quick Guide to Reference Architecture, CSA Cloud Security Alliance White Paper,
October 18, 2011
The Cloud Security Alliance Security as a Service Implementation Guidance Documents
Top Threats Working Group, The Notorious Nine Cloud Computing Top Threats in 2013, February 2013
Which one of the following is the MOST important security consideration when selecting a new
computer facility?
(A)
(B)
(C)
(D)
Utility infrastructure
Answer D
2.
(B)
(C)
(D)
Answer B
3.
The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to
protect transmissions
(A)
(B)
(C)
(D)
Answer B
Please note that your registration information will be transferred to (ISC)² and all communication about the testing
process from (ISC)² and Pearson VUE will be sent to you via email.
Fees
Visit the (ISC)² website for the exam registration fees.
Identification Requirements
(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test
appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired)
and must be an original document (not a photocopy or a fax).
Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate's signature.
Secondary IDs: Must have the candidate's signature.
Accepted Primary ID (photograph and signature, not expired)
Testing Environment
Pearson VUE Professional Centers administer many types of examinations including some that require written
responses (essay-type). Pearson VUE Professional Centers have no control over typing noises made by candidates
sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized
testing environment, just as the noise of turning pages is a normal part of the paper and pencil testing
environment. Earplugs are available upon request.
Results Reporting
Candidates will receive their test result at the test center. The results will be handed out by the TA during the
checkout process. (ISC)² will then follow up with an official result via email.
In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of
the score data is conducted during every testing cycle before scores are released. A minimum number of
candidates are required to take the exam before this analysis can be completed. Depending upon the volume of
test takers for a given cycle, there may be occasions when scores are delayed for approximately 6-8 weeks in
Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate's examination. If circumstances
arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts
longer than 30 minutes, you will be given the choice of continuing to wait, or rescheduling your appointment
without an additional fee.
If you choose to wait, but later change your mind at any time prior to beginning or restarting the
examination, you will be allowed to take the exam at a later date, at no additional cost.
If you choose not to reschedule, but rather test after a delay, you will have no further recourse, and your
test results will be considered valid.
If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you
will be allowed to test at a later date at no additional charge. Every attempt will be made to contact
candidates if technical problems are identified prior to a scheduled appointment.
Recertification by Examination
Candidates and members may recertify by examination for the following reasons only:
The candidate has become decertified due to reaching the expiration of the time limit for endorsement.
The member has become decertified for not meeting the number of required continuing professional
education (CPE) credits.
Contact Information
Please direct any questions or comments to:
(ISC)² Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
Phone: 1.866.331.ISC2 (United States); +1.727.785.0189 (International)
Fax: 1.727.683.0785
membersupport@isc2.org