CCSP Exam Outline
© 2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited.
Effective Date: April 21, 2015
The compelling benefits of cloud computing are driving organizations to migrate IT infrastructure and applications
to ‘the cloud.’ At the same time, the information security industry recognizes that the accompanying complexity
and risk profile require new approaches suitable to secure cloud and hybrid environments – legacy approaches are
insufficient. They also require experienced professionals with the right cloud security knowledge and skills to be
successful.
(ISC)² and the Cloud Security Alliance (CSA) developed the Certified Cloud Security Professional (CCSP)
credential to meet this critical market need and ensure that cloud security professionals have the required
knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and
compliance with regulatory frameworks. A CCSP applies information security expertise to a cloud computing
environment and demonstrates competence in cloud security architecture, design, operations, and service
orchestration. This professional competence is measured against a globally recognized body of knowledge. The
CCSP is a stand-alone credential that complements and builds upon existing credentials and educational programs,
including (ISC)²’s Certified Information Systems Security Professional (CISSP) and CSA’s Certificate of Cloud
Security Knowledge (CCSK).
In addition to successfully passing the exam, CCSP candidates must have a minimum of five (5) years of cumulative
paid full-time information technology experience, of which three (3) years must be in information security and one
(1) year in one of the six (6) domains of the CCSP examination. Earning the Cloud Security Alliance’s CCSK
certificate may be substituted for one (1) year of experience in one of the six (6) domains of the CCSP
examination. Earning the CISSP credential may be substituted for the entire CCSP experience requirement.
Candidates who do not meet these experience requirements may still choose to sit for the exam and become an
Associate of (ISC)².
Candidates must meet the following requirements prior to taking the examination:
Submit the examination fee
Understand the experience requirements discussed above as they relate to the endorsement process
Attest to the truth of his or her assertions regarding professional experience
Legally commit to abide by the (ISC)² Code of Ethics
Answer four prequalification questions regarding criminal history and related background
F.1 Supplemental Security Devices (e.g., WAF, DAM, XML firewalls, API gateway)
F.2 Cryptography (e.g. TLS, SSL, IPSEC)
F.3 Sandboxing
F.4 Application Virtualization
G. Design Appropriate Identity and Access Management (IAM) Solutions
G.1 Federated Identity
G.2 Federated Identity
G.3 Single Sign-On
G.4 Multi-factor Authentication
Domain 5: Operations
Overview
The Operations domain is used to identify critical information and to execute selected measures that
eliminate or reduce adversary exploitation of that critical information. The domain examines the requirements of the
cloud architecture, from planning the data center design and implementing the physical and logical
infrastructure for the cloud environment, to running and managing that infrastructure. It includes the definition of
the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing
and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and the
subsequent actions to identify the key elements and report the pertinent information to the appropriate
individual, group, or process. The need for compliance with regulations and controls through the application of
frameworks such as ITIL and ISO/IEC 20000 is also discussed. In addition, the domain focuses on the importance of risk assessment
across both the logical and physical infrastructures and on the management of communication with all relevant
parties. The candidate is expected to know the resources that must be protected, the privileges that
must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls,
and the principles of good practice.
D.5 Hardware Monitoring (e.g., disk I/O, CPU temperature, fan speed)
D.6 Backup and Restore of Host Configuration
D.7 Implementation of Network Security Controls (e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments)
D.8 Log Capture and Analysis (e.g., SIEM, log management)
D.9 Management Plane (e.g., scheduling, orchestration, maintenance)
E. Build Logical Infrastructure for Cloud Environment
E.1 Secure Configuration of Virtual Hardware Specific Requirements (e.g., network, storage, memory, CPU)
E.2 Installation of Guest O/S Virtualization Toolsets
F. Run Logical Infrastructure for Cloud Environment
F.1 Secure Network Configuration (e.g., VLANs, TLS, DHCP, DNS, IPSEC)
F.2 OS Hardening via Application of a Baseline (e.g., Windows, Linux, VMware)
F.3 Availability of the Guest OS
G. Manage Logical Infrastructure for Cloud Environment
G.1 Access Control for Remote Access (e.g., RDP)
G.2 OS Baseline Compliance Monitoring and Remediation
G.3 Patch Management
G.4 Performance Monitoring (e.g., network, disk, memory, CPU)
G.5 Backup and Restore of Guest OS Configuration (e.g., agent based, snapshots, agentless)
G.6 Implementation of Network Security Controls (e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments)
G.7 Log Capture and Analysis (e.g., SIEM, log management)
G.8 Management Plane (e.g., scheduling, orchestration, maintenance)
H. Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
H.1 Change Management
H.2 Continuity Management
H.3 Information Security Management
H.4 Continual Service Improvement Management
H.5 Incident Management
H.6 Problem Management
H.7 Release Management
H.8 Deployment Management
H.9 Configuration Management
H.10 Service Level Management
C.11 Policies
C.12 Identification and Involvement of Relevant Stakeholders
C.13 Specialized Compliance Requirements for Highly Regulated Industries
C.14 Impact of Distributed IT Model (e.g., diverse geographical locations and crossing over legal jurisdictions)
D. Understand Implications of Cloud to Enterprise Risk Management
D.1 Assess Providers' Risk Management
D.2 Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility)
D.3 Provision of Regulatory Transparency Requirements
D.4 Risk Mitigation
D.5 Different Risk Frameworks
D.6 Metrics for Risk Management
D.7 Assessment of Risk Environment (e.g., service, vendor, ecosystem)
E. Understand Outsourcing and Cloud Contract Design
E.1 Business Requirements (e.g., SLA, GAAP)
E.2 Vendor Management (e.g., selection, common certification framework)
E.3 Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data)
F. Execute Vendor Management
F.1 Supply-chain Management (e.g., ISO/IEC 27036)
Suggested References
This reference list is not intended to be an all-inclusive collection representing the CCSP Common Body of
Knowledge (CBK). Its purpose is to provide candidates a starting point for their studies in domains which need
supplementary learning in order to complement their associated level of work and academic experience.
Candidates may also consider other references, which are not on this list but adequately cover domain content.
Note: (ISC)² does not endorse any particular text or author and does not imply that any or all references be acquired or
consulted. (ISC)² does not imply nor guarantee that the study of these references will result in an examination pass.
Supplementary References
Challenging Security Requirements for US Government Cloud Computing Adoption, NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory, December 9, 2010
CSA – Cloud Security Alliance – The Notorious Nine: Cloud Computing Top Threats in 2013, Top Threats Working Group
ENISA Cloud Computing, Benefits, risks and recommendations for information security, ENISA, November 2009
ISO/IEC 17788:2014 Information technology -- Cloud computing -- Overview and vocabulary
ISO/IEC 17789:2014 Information technology -- Cloud computing -- Reference architecture
NIST Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, June 11, 2013
Quick Reference Guide to the Reference Architecture, TCI Trusted Cloud Initiative, 2011 Cloud Security Alliance
SecaaS Cat 1 IAM Implementation Guidance, Category 1 //Identity and Access Management, September 2012
SecaaS Cat 10 Network Security Implementation Guidance, Category 10 //Network Security, September 2012
SecaaS Cat 3 Web Security Implementation Guidance, Category 3 //Web Security, September 2012
SecaaS Cat 4 Email Security Implementation Guidance, Category 4 //Email Security, September 2012
SecaaS Cat 5 Security Assessments Implementation Guidance, Category 5 //Security Assessments, September 2012
SecaaS Cat 6 Intrusion Management Implementation Guidance, Category 6 //Intrusion Management, September 2012
SecaaS Cat 7 SIEM Implementation Guidance, Security Information and Event Management, October 2012
SecaaS Cat 8 Encryption Implementation Guidance, Category 8 //Encryption, September 2012
SecaaS Cat 9 BCDR Implementation Guidance, Category 9 //Business Continuity /Disaster Recovery, September 2012
SecaaS Implementation Guidance, Category 2 //Data Loss Prevention, September 2012
Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, 2011
TCI – Trusted Cloud Initiative – Reference Architecture, Version 2.0, 2011
TCI – Trusted Cloud Initiative, Quick Guide to Reference Architecture, CSA Cloud Security Alliance – White Paper, October 18, 2011
The Cloud Security Alliance Security as a Service Implementation Guidance Documents
Top Threats Working Group, The Notorious Nine Cloud Computing Top Threats in 2013, February 2013
3. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to
protect transmissions
(A) between the WAP gateway and the wireless device.
(B) between the web server and WAP gateway.
(C) from the web server to the wireless device.
(D) between the wireless device and the base station.
Answer – B
Please note that your registration information will be transferred to (ISC)² and all communication about the testing
process from (ISC)² and Pearson VUE will be sent to you via email.
Fees
Visit the (ISC)² website for the exam registration fees.
At the Pearson VUE testing center, prior to starting the exam, all candidates are also required to read and accept
the (ISC)² non-disclosure agreement (NDA) within the allotted five (5) minutes before being presented with
exam questions. If the candidate does not accept the NDA, or does not accept it within
the time allotted, the exam will end and the candidate will be asked to leave the test center. No refund of exam
fees will be given. For this reason, all candidates are strongly encouraged to review the non-disclosure agreement
prior to scheduling for, or taking, the exam.
Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once
(ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson
VUE’s special accommodations number. From there, a Pearson VUE coordinator will handle all of the
arrangements.
Please note: Candidates that request special accommodations should not schedule their appointment online or
call the main CBT registration line.
If the candidate arrives late (more than 15 minutes after his/her scheduled appointment), it is at the discretion of the
testing center whether or not the candidate may still take the exam. If the test administrator at the testing
location is able to accommodate a late-arriving candidate without affecting subsequent candidates' appointments,
he/she will let the candidate sit for the exam. However, if the schedule is such that the test center is not able to
accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited.
If a candidate fails to appear for a testing appointment, the test result will appear in the system as a no-show and
the candidate’s exam fees will be forfeited.
Identification Requirements
(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test
appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired)
and must be an original document (not a photocopy or a fax).
Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate’s signature.
Secondary IDs: Must have the candidate’s signature.
Testing Environment
Pearson VUE Professional Centers administer many types of examinations including some that require written
responses (essay-type). Pearson VUE Professional Centers have no control over typing noises made by candidates
sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized
testing environment, just as the noise of turning pages is a normal part of the paper and pencil testing
environment. Earplugs are available upon request.
If you believe there was an irregularity in the administration of your test, or the associated test conditions
adversely affected the outcome of your examination, you should notify the TA before you leave the test center.
Results Reporting
Candidates will receive their test result at the test center. The results will be handed out by the TA during the
checkout process. (ISC)² will then follow up with an official result via email.
In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of
the score data is conducted during every testing cycle before scores are released. A minimum number of
candidates are required to take the exam before this analysis can be completed. Depending upon the volume of
test takers for a given cycle, there may be occasions when scores are delayed for approximately 6-8 weeks in
order to complete this critical process. Results will not be released over the phone. They will be sent via email
from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact
(ISC)² prior to your examination.
Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate’s examination. If circumstances
arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts
longer than 30 minutes, you will be given the choice of continuing to wait, or rescheduling your appointment
without an additional fee.
If you choose to wait, but later change your mind at any time prior to beginning or restarting the
examination, you will be allowed to take the exam at a later date, at no additional cost.
If you choose not to reschedule, but rather test after a delay, you will have no further recourse, and your
test results will be considered valid.
If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you
will be allowed to test at a later date at no additional charge. Every attempt will be made to contact
candidates if technical problems are identified prior to a scheduled appointment.
(ISC)² may at its sole discretion revoke any and all certifications a candidate may have earned and ban the
candidate from earning future (ISC)² certifications, and decline to score or cancel any Exam under any of the
circumstances listed in the (ISC)² Examination Agreement. Please refer to the (ISC)² Examination Agreement for
further details.
Recertification by Examination
Candidates and members may recertify by examination for the following reasons only:
The candidate has become decertified due to reaching the expiration of the time limit for endorsement.
The member has become decertified for not meeting the number of required continuing professional
education (CPE) credits.
Contact Information