The Official (ISC)2 Guide to the CCSP CBK

Book Description

Globally recognized and backed by the Cloud Security Alliance (CSA) and (ISC)2, the CCSP credential is the ideal way to match marketability and credibility to your cloud security skill set. The Official (ISC)2 Guide to the CCSP CBK is your ticket to expert insight across the 6 CCSP domains. You will find step-by-step guidance through real-life scenarios, illustrated examples, tables, best practices, and more. Sample questions help you reinforce what you have learned and prepare smarter. Easy-to-follow content guides you through

• Major topics and subtopics within the 6 domains
• Detailed description of the exam format
• Exam registration and administration policies

Reviewed by cloud security experts and developed by (ISC)2, this is your study guide to fully preparing for the CCSP and reaffirming your unique cloud security skills. Get ready for the next step in your career with The Official (ISC)2 Guide to the CCSP CBK.


Table of Contents

  1. Introduction
  2. Domain 1: Architectural Concepts and Design Requirements Domain
    1. Cloud Computing Definitions
    2. Cloud Computing Roles
    3. Key Cloud Computing Characteristics
    4. Cloud Transition Scenario
    5. Building Blocks
    6. Cloud Computing Activities
    7. Cloud Service Categories
    8. Cloud Deployment Models
    9. Cloud Cross-Cutting Aspects
    10. Network Security and Perimeter
    11. Cryptography
    12. IAM and Access Control
    13. Data and Media Sanitization
    14. Virtualization Security
    15. Common Threats
    16. Security Considerations for Different Cloud Categories
    17. Open Web Application Security Project (OWASP) Top Ten Security Threats
    18. Cloud Secure Data Lifecycle
    19. Information/Data Governance Types
    20. Business Continuity/Disaster Recovery Planning
    21. Cost-Benefit Analysis
    22. Certification Against Criteria
    23. System/Subsystem Product Certification
    24. Summary
    25. Review Questions
    26. Notes
  3. Domain 2: Cloud Data Security Domain
    1. The Cloud Data Lifecycle Phases
    2. Location and Access of Data
    3. Functions, Actors, and Controls of the Data
    4. Cloud Services, Products, and Solutions
    5. Data Storage
    6. Relevant Data Security Technologies
    7. Application of Security Strategy Technologies
    8. Emerging Technologies
    9. Data Discovery
    10. Data Classification
    11. Data Privacy Acts
    12. Typical Meanings for Common Privacy Terms
    13. Privacy Roles for Customers and Service Providers
    14. Responsibility Depending on the Type of Cloud Services
    15. Implementation of Data Discovery
    16. Classification of Discovered Sensitive Data
    17. Mapping and Definition of Controls
    18. Privacy Level Agreement (PLA)
    19. PLAs vs. Essential P&DP Requirements Activity
    20. Application of Defined Controls for Personally Identifiable Information (PII)
    21. Data Rights Management Objectives
    22. Data-Protection Policies
    23. Events
    24. Supporting Continuous Operations
    25. Chain of Custody and Non-Repudiation
    26. Summary
    27. Review Questions
    28. Notes
  4. Domain 3: Cloud Platform and Infrastructure Security Domain
    1. Network and Communications in the Cloud
    2. The Compute Parameters of a Cloud Server
    3. Storage Issues in the Cloud
    4. Management of Cloud Computing Risks
    5. Countermeasure Strategies Across the Cloud
    6. Physical and Environmental Protections
    7. System and Communication Protections
    8. Virtualization Systems Controls
    9. Managing Identification, Authentication, and Authorization in the Cloud Infrastructure
    10. Risk Audit Mechanisms
    11. Understanding the Cloud Environment Related to BCDR
    12. Understanding the Business Requirements Related to BCDR
    13. Understanding the BCDR Risks
    14. BCDR Strategies
    15. Creating the BCDR Plan
    16. Summary
    17. Review Questions
    18. Notes
  5. Domain 4: Cloud Application Security
    1. Determining Data Sensitivity and Importance
    2. Understanding the Application Programming Interfaces (APIs)
    3. Common Pitfalls of Cloud Security Application Deployment
    4. Awareness of Encryption Dependencies
    5. Understanding the Software Development Lifecycle (SDLC) Process for a Cloud Environment
    6. Assessing Common Vulnerabilities
    7. Cloud-Specific Risks
    8. Threat Modeling
    9. Identity and Access Management (IAM)
    10. Federated Identity Management
    11. Multi-Factor Authentication
    12. Supplemental Security Devices
    13. Cryptography
    14. Tokenization
    15. Data Masking
    16. Sandboxing
    17. Application Virtualization
    18. Cloud-Based Functional Data
    19. Cloud-Secure Development Lifecycle
    20. Application Security Testing
    21. Summary
    22. Review Questions
    23. Notes
  6. Domain 5: Operations Domain
    1. Modern Datacenters and Cloud Service Offerings
    2. Factors That Impact Datacenter Design
    3. Enterprise Operations
    4. Secure Configuration of Hardware: Specific Requirements
    5. Installation and Configuration of Virtualization Management Tools for the Host
    6. Securing the Network Configuration
    7. Identifying and Understanding Server Threats
    8. Using Stand-Alone Hosts
    9. Using Clustered Hosts
    10. Accounting for Dynamic Operation
    11. Using Storage Clusters
    12. Using Maintenance Mode
    13. Providing High Availability on the Cloud
    14. The Physical Infrastructure for Cloud Environments
    15. Configuring Access Control for Remote Access
    16. Performing Patch Management
    17. Performance Monitoring
    18. Backing Up and Restoring the Host Configuration
    19. Implementing Network Security Controls: Defense in Depth
    20. Developing a Management Plan
    21. Building a Logical Infrastructure for Cloud Environments
    22. Running a Logical Infrastructure for Cloud Environments
    23. Managing the Logical Infrastructure for Cloud Environments
    24. Implementation of Network Security Controls
    25. Using an IT Service Management (ITSM) Solution
    26. Considerations for Shadow IT
    27. Operations Management
    28. Managing Risk in Logical and Physical Infrastructures
    29. The Risk-Management Process Overview
    30. Understanding the Collection and Preservation of Digital Evidence
    31. Managing Communications with Relevant Parties
    32. Wrap Up: Data Breach Example
    33. Summary
    34. Review Questions
    35. Notes
  7. Domain 6: Legal and Compliance Domain
    1. International Legislation Conflicts
    2. Legislative Concepts
    3. Frameworks and Guidelines Relevant to Cloud Computing
    4. Common Legal Requirements
    5. Legal Controls and Cloud Providers
    6. eDiscovery
    7. Cloud Forensics and ISO/IEC 27050-1
    8. Protecting Personal Information in the Cloud
    9. Auditing in the Cloud
    10. Standard Privacy Requirements (ISO/IEC 27018)
    11. Generally Accepted Privacy Principles (GAPP)
    12. Internal Information Security Management System (ISMS)
    13. Implementing Policies
    14. Identifying and Involving the Relevant Stakeholders
    15. Impact of Distributed IT Models
    16. Understanding the Implications of the Cloud to Enterprise Risk Management
    17. Risk Mitigation
    18. Understanding Outsourcing and Contract Design
    19. Business Requirements
    20. Vendor Management
    21. Cloud Computing Certification: CCSL and CCSM
    22. Contract Management
    23. Supply Chain Management
    24. Summary
    25. Review Questions
    26. Notes
  8. Appendix A: Answers to Review Questions
    1. Domain 1: Architectural Concepts and Design Requirements
    2. Domain 2: Cloud Data Security
    3. Domain 3: Cloud Platform and Infrastructure Security
    4. Domain 4: Cloud Application Security
    5. Domain 5: Operations
    6. Domain 6: Legal and Compliance Issues
    7. Notes
  9. Appendix B: Glossary
  10. Appendix C: Helpful Resources and Links
  11. Titlepage
  12. Copyright
  13. Credits
  14. About the Editor
  15. Foreword
  16. Introduction
  17. End-User License Agreement