
Security: The Great Cloud Inhibitor

As with all game-changing technologies, cloud computing is actually delivering on its promise:
dramatically improved business and systems flexibility, increased availability, and increased efficiency –
all at a reduced cost.

According to a recent 2015 survey among more than 1,000 IT professionals and executives [1], concern
about information security is the biggest inhibitor to more rapid and expanded cloud adoption. More than
90% of organizations using or planning to use cloud services have security concerns about ‘the cloud.’

The concern is legitimate. While many long-standing information security best practices are appropriate,
managing and utilizing cloud computing introduces new complexities and challenges that cannot be addressed
with traditional information security approaches. For example, cloud computing uses multiple layers of automated,
virtualized computing. With the physical infrastructure dynamically divorced from the server, application and
networking functions, security practices must adjust.

Clearly, the industry needs professionals who understand and can apply effective security measures to cloud environments.
How do you find them?

CCSP: Securing the Power of the Cloud


Recognizing the need to identify and validate information security professionals’ competency in securing cloud services, the
two leading membership organizations focused on cloud and information security, the Cloud Security Alliance® (CSA) and
(ISC)²®, joined together to develop an international cloud security credential that reflects the most current and comprehensive
best practices for securing and optimizing cloud computing environments. Result: The Certified Cloud Security Professional
(CCSP℠) credential.


(ISC)² and CSA developed the CCSP to meet a critical market need to ensure that cloud security professionals have the
required knowledge, skills, and abilities to audit, assess, and secure cloud infrastructures. It complements and builds upon
existing credentials and educational programs, including (ISC)²’s Certified Information Systems Security Professional (CISSP®)
and CSA’s Certificate of Cloud Security Knowledge (CCSK™).

The CCSP credential reflects deeper knowledge derived from hands-on information security and cloud computing experience.
It validates practical know-how applicable to those professionals whose day-to-day responsibilities involve cloud security
architecture, design, operations, and service orchestration.

CCSP defines the qualifications and experience necessary to competently secure cloud services. Ultimately, it provides a
new benchmark for cloud security knowledge and competence, and is viewed as the most reliable indicator of overall
proficiency in cloud security.

“Securing cloud environments is a complex and challenging task. The CCSP can
help security professionals understand the fundamental concepts of cloud security.
Employers will know that those who have earned the CCSP have the necessary skills
and experience to identify and implement security controls in cloud environments.”
Chris Simpson, CISSP, CCSK
CEO, Bright Moon Security

[1] Cloud Security Spotlight Report, 2015, Information Security Community on LinkedIn

WHY BECOME A CCSP℠

The CCSP Helps You:


• Demonstrate not just cloud knowledge, but competence gained through hands-on
experience in addressing the unique information security demands intrinsic to cloud
environments.
• Enhance your credibility and marketability for the most desirable cloud security opportunities;
bolster your standing and provide a career differentiator.
• Affirm your commitment to understanding and applying security best practices to cloud
environments – today and in the future.
• As a member of (ISC)², gain access to valuable career resources, such as networking and exchanging
ideas with peers.

The CCSP Helps Employers:


• Secure and optimize the organization’s use of cloud computing infrastructure and services with qualified
professionals who have demonstrated their cloud security competence.
• Ensure the organization is applying the proper cloud security controls not only internally, but also with
third-parties by reinforcing risk and legal requirements through cloud contract and SLAs with cloud service
providers.
• Know that with the two leading stewards of information security and cloud security knowledge – (ISC)² & CSA –
organizations can be confident that CCSP reflects the most current best practices.
• Increase organizational integrity in the eyes of clients and other stakeholders.
• Ensure their teams stay current on evolving cloud technologies, threats, and mitigation strategies by meeting the
(ISC)² continuing professional education requirements.

WHO SHOULD OBTAIN THE CCSP


CCSP is most appropriate for those whose day-to-day responsibilities involve procuring, securing, and managing cloud
environments or purchased cloud services.

• Enterprise Architect
• Security Architect
• Security Manager
• Security Administrator
• Security Consultant
• Systems Architect
• Systems Engineer
• Security Engineer

THE CCSP CBK®


The CCSP domains are drawn from various information security topics within the (ISC)² CBK. Updated regularly, the
domains reflect the most up-to-date best practices worldwide, while establishing a common framework of terms and
principles to discuss, debate, and resolve matters pertaining to the profession.

The CCSP CBK consists of the following six domains:


• Architectural Concepts & Design Requirements – Cloud computing concepts & definitions based on the ISO/IEC
17788 standard; security concepts and principles relevant to secure cloud computing.
  • Understand Cloud Computing Concepts
  • Describe Cloud Reference Architecture
  • Understand Security Concepts Relevant to Cloud Computing
  • Understand Design Principles of Secure Cloud Computing
  • Identify Trusted Cloud Services

• Cloud Data Security – Concepts, principles, structures, and standards used to design,
implement, monitor, and secure operating systems, equipment, networks, applications,
and those controls used to enforce various levels of confidentiality, integrity, and
availability in cloud environments.
  • Understand Cloud Data Lifecycle
  • Design and Implement Cloud Data Storage Architectures
  • Design and Apply Data Security Strategies
  • Understand and Implement Data Discovery and Classification Technologies
  • Design and Implement Data Rights Management
  • Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
  • Plan and Implement Data Retention, Deletion, and Archiving Policies
  • Design and Implement Auditability, Traceability, and Accountability of Data Events

• Cloud Platform & Infrastructure Security – Knowledge of the cloud infrastructure components, both the
physical and virtual, existing threats, and mitigating and developing plans to deal with those threats.
  • Comprehend Cloud Infrastructure Components
  • Analyze Risks Associated to Cloud Infrastructure
  • Design and Plan Security Controls
  • Plan Disaster Recovery and Business Continuity Management

• Cloud Application Security – Processes involved with cloud software assurance and validation; and the use of
verified secure software.
  • Recognize the Need for Training and Awareness in Application Security
  • Understand Cloud Software Assurance and Validation
  • Use Verified Secure Software
  • Comprehend the Software Development Life-Cycle (SDLC) Process
  • Apply the Secure Software Development Life-Cycle
  • Comprehend the Specifics of Cloud Application Architecture
  • Design Appropriate Identity and Access Management (IAM) Solutions

• Operations – Identifying critical information and executing selected measures that eliminate or reduce adversary
exploitation of it; the requirements the cloud architecture places on running and managing that infrastructure; definition of
controls over hardware, media, and the operators with access privileges, as well as the auditing and monitoring mechanisms,
tools and facilities.
  • Support the Planning Process for the Data Center Design
  • Implement and Build Physical Infrastructure for Cloud Environment
  • Run Physical Infrastructure for Cloud Environment
  • Manage Physical Infrastructure for Cloud Environment
  • Build Logical Infrastructure for Cloud Environment
  • Run Logical Infrastructure for Cloud Environment
  • Manage Logical Infrastructure for Cloud Environment
  • Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
  • Conduct Risk Assessment to Logical and Physical Infrastructure
  • Understand the Collection, Acquisition and Preservation of Digital Evidence
  • Manage Communication with Relevant Parties

• Legal & Compliance – Addresses ethical behavior and compliance with regulatory frameworks. Includes investigative
measures and techniques; gathering evidence (e.g., Legal Controls, eDiscovery, and Forensics); privacy issues and audit
processes and methodologies; implications of cloud environments in relation to enterprise risk management.
  • Understand Legal Requirements and Unique Risks within the Cloud Environment
  • Understand Privacy Issues, Including Jurisdictional Variation
  • Understand Audit Process, Methodologies, and Required Adaptions for a Cloud Environment
  • Understand Implications of Cloud to Enterprise Risk Management
  • Understand Outsourcing and Cloud Contract Design
  • Execute Vendor Management

Download a copy of the CCSP Exam Outline at www.isc2.org/exam-outline.

QUALIFICATIONS
For the CCSP℠ certification, candidates must have a minimum of five (5) years of cumulative, paid, full-time information technology
experience, of which three (3) years must be in information security and one (1) year in one of the six (6) domains of the CCSP
examination. Earning CSA’s CCSK™ certificate can be substituted for one (1) year of experience in one of the six (6) domains of
the CCSP examination. Earning (ISC)²’s CISSP credential can be substituted for the entire CCSP experience requirement. For more
information on CCSK, visit cloudsecurityalliance.org/education/ccsk. For more information on CISSP, visit www.isc2.org/cissp.

As a mid to advanced level professional credential, the CCSP requires: a) passing the exam; b) legal commitment to code of ethics;
c) endorsement from an appropriate certified professional; and d) commitment to continuing professional education – all of which
demonstrate that CCSPs are qualified and committed to tackling the cloud security challenges of today and tomorrow.

EDUCATION DELIVERED YOUR WAY

Official (ISC)²® CCSP CBK® Training Seminar

This official training seminar is the most comprehensive, complete review of information systems security concepts and industry
best practices, and is the only training course endorsed by (ISC)². As your exclusive way to review and refresh your knowledge of
the domains and sub-domains of the CCSP CBK, the seminar will help you identify areas you need to study, and includes:
• Official (ISC)² courseware
• Taught by an (ISC)² authorized instructor
• Student handbook
• Collaboration with classmates
• Real-world learning activities and scenarios

© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved.
The Official CCSP CBK Training Seminar is taught in the following formats:
• Classroom – Delivered in a multi-day, classroom setting. Course material focuses on the six CCSP
domains. Available throughout the world at (ISC)² facilities and (ISC)² Official Training Providers.
• Private On-site – Host your own Training Seminar on- or off-site. Available for larger groups, this option
saves employee travel time and expenses. Group pricing is also available to organizations with 15 or more
employees planning to sit for the exam.
• Live OnLine – Educate yourself from the convenience of your computer. Live OnLine brings you the same
award-winning course content as the classroom-based or private on-site seminars and the benefit of an
(ISC)² authorized instructor.

Visit www.isc2.org/ccsp-training for more information or to register.

Maintain the certification with required Continuing Professional Education credits (CPEs) and Annual Maintenance Fees (AMFs).

Formed in 1989, (ISC)²® is the largest not-for-profit membership body of certified information and software security professionals
worldwide, with over 100,000 members in more than 160 countries. Globally recognized as the Gold Standard, (ISC)² issues the
Certified Information Systems Security Professional (CISSP®) and related concentrations, as well as the Certified Secure Software
Lifecycle Professional (CSSLP®), the Certified Cyber Forensics Professional (CCFP®), the Certified Cloud Security Professional
(CCSP℠), Certified Authorization Professional (CAP®), HealthCare Information Security and Privacy Practitioner (HCISPP℠), and
Systems Security Certified Practitioner (SSCP®) credentials to qualifying candidates. (ISC)²’s certifications are among the first
information technology credentials to meet the stringent requirements of ISO/IEC Standard 17024, a global benchmark for
assessing and certifying personnel. (ISC)² also offers education programs and services based on its CBK®, a compendium of
information and software security topics. More information is available at www.isc2.org.

