CCSP For Dummies with Online Practice

Introduction

About this Book  

Foolish Assumptions  

Icons Used in This Book  

Beyond the Book  

Where to Go from Here  

Part 1: Starting Your CCSP Journey

Chapter 1: Familiarizing Yourself with (ISC)² and the CCSP Certification

• Appreciating (ISC)² and the CCSP Certification
• Knowing Why You Need to Get Certified
• Studying the Prerequisites for the CCSP
• Understanding the CCSP Domains
• Domain 1: Cloud Concepts, Architecture and Design
• Domain 2: Cloud Data Security
• Domain 3: Cloud Platform and Infrastructure Security
• Domain 4: Cloud Application Security
• Domain 5: Cloud Security Operations
• Domain 6: Legal, Risk and Compliance
• Preparing for the Exam
• Studying on your own
• Learning by doing
• Getting official (ISC)² CCSP training
• Attending other training courses
• Practice, practice, practice
• Ensuring you're ready for the exam
• Registering for the Exam
• Taking the Exam
• Identifying What to Do After the Exam

Chapter 2: Identifying Information Security Fundamentals

• Exploring the Pillars of Information Security
• Confidentiality
• Integrity
• Availability
• Threats, Vulnerabilities, and Risks...Oh My!
• Threats
• Vulnerabilities
• Risks
• Securing Information with Access Control
• Deciphering Cryptography
• Encryption and decryption
• Types of encryption
• Common uses of encryption
• Grasping Physical Security
• Realizing the Importance of Business Continuity and Disaster Recovery
• Implementing Incident Handling
• Preparing for incidents
• Detecting incidents
• Containing incidents
• Eradicating incidents
• Recovering from incidents
• Conducting a Post-Mortem
• Utilizing Defense-in-Depth

Part 2: Exploring the CCSP Certification Domains

Chapter 3: Domain 1: Cloud Concepts, Architecture and Design

• Knowing Cloud Computing Concepts
• Defining cloud computing terms
• Identifying cloud computing roles
• Recognizing key cloud computing characteristics
• Building block technologies
• Describing Cloud Reference Architecture
• Cloud computing activities
• Cloud service capabilities
• Cloud service categories
• Cloud deployment models
• Cloud shared considerations
• Impact of related technologies
• Identifying Security Concepts Relevant to Cloud Computing
• Cryptography and key management
• Access control
• Data and media sanitization
• Network security
• Virtualization security
• Common threats
• Comprehending Design Principles of Secure Cloud Computing
• Cloud Secure Data Lifecycle
• Cloud based disaster recovery (DR) and business continuity (BC) planning
• Cost benefit analysis
• Security considerations for different cloud categories
• Evaluating Cloud Service Providers
• Verifying against certification criteria
• Meeting system/subsystem product certifications

Chapter 4: Domain 2: Cloud Data Security

• Describing Cloud Data Concepts
• Cloud data lifecycle phases
• Data dispersion
• Designing and Implementing Cloud Data Storage Architectures
• Storage types
• Threats to storage types
• Designing and Implementing Data Security Technologies and Strategies
• Encryption and key management
• Hashing
• Data loss prevention (DLP)
• Data de-identification
• Implementing Data Discovery
• Structured data
• Unstructured data
• Implementing Data Classification
• Mapping
• Labeling
• Sensitive data
• Designing and Implementing Information Rights Management (IRM)
• Objectives
• Appropriate tools
• Planning and Implementing Data Retention, Deletion, and Archiving Policies
• Data retention policies
• Data deletion procedures and mechanisms
• Data archiving procedures and mechanisms
• Legal hold
• Designing and Implementing Auditability, Traceability and Accountability of Data Events
• Defining event sources and requirements of identity attribution
• Logging, storing, and analyzing data events
• Chain of custody and nonrepudiation

Chapter 5: Domain 3: Cloud Platform and Infrastructure Security

• Comprehending Cloud Infrastructure Components
• Physical environment
• Network and communications
• Compute
• Virtualization
• Storage
• Management plane
• Designing a Secure Data Center
• Logical design
• Physical design
• Environmental design
• Analyzing Risks Associated with Cloud Infrastructure
• Risk assessment and analysis
• Cloud vulnerabilities, threats, and attacks
• Virtualization risks
• Countermeasure strategies
• Designing and Planning Security Controls
• Physical and environmental protection
• System and communication protection
• Virtualization systems protection
• Identification, authentication, and authorization in cloud infrastructure
• Audit mechanisms
• Planning Business Continuity (BC) and Disaster Recovery (DR)
• Risks related to the cloud environment
• Business requirements
• Business continuity/disaster recovery strategy

Chapter 6: Domain 4: Cloud Application Security

• Advocating Training and Awareness for Application Security
• Cloud development basics
• Common pitfalls
• Common cloud vulnerabilities
• Describing the Secure Software Development Lifecycle (SDLC) Process
• Business requirements
• Phases
• Methodologies
• Applying the SDLC Process
• Common vulnerabilities during development
• Cloud-specific risks
• Quality Assurance (QA)
• Threat modeling
• Software configuration management and versioning
• Applying Cloud Software Assurance and Validation
• Functional testing
• Security testing methodologies
• Using Verified Secure Software
• Approved Application Programming Interfaces (API)
• Supply-chain management
• Third-party software management
• Validated open source software
• Comprehending the Specifics of Cloud Application Architecture
• Supplemental security components
• Cryptography
• Sandboxing
• Application virtualization and orchestration
• Designing Appropriate Identity and Access Management (IAM) Solutions
• Federated identity
• Identity providers
• Single sign-on (SSO)
• Multifactor authentication
• Cloud access security broker (CASB)

Chapter 7: Domain 5: Cloud Security Operations

• Implementing and Building a Physical and Logical Infrastructure for Cloud Environment
• Hardware specific security configuration requirements
• Installing and configuring virtualization management tools
• Virtual hardware specific security configuration requirements
• Installing guest operating system virtualization toolsets
• Operating Physical and Logical Infrastructure for a Cloud Environment
• Configuring access control for local and remote access
• Secure network configuration
• Hardening the operating system through the application of baselines
• Availability of standalone hosts
• Availability of clustered hosts
• Availability of guest operating system
• Managing Physical and Logical Infrastructure for a Cloud Environment
• Access controls for remote access
• Operating system baseline compliance monitoring and remediation
• Patch management
• Performance and capacity monitoring
• Hardware monitoring
• Configuring host and guest operating system backup and restore functions
• Network security controls
• Management plane
• Implementing Operational Controls and Standards
• Change management
• Continuity management
• Information security management
• Continual service improvement management
• Incident management
• Problem management
• Release and deployment management
• Configuration management
• Service level management
• Availability management
• Capacity management
• Supporting Digital Forensics
• Collecting, acquiring, and preserving digital evidence
• Evidence management
• Managing Communication with Relevant Parties
• Customers
• Vendors
• Partners
• Regulators
• Other stakeholders
• Managing Security Operations
• Security operations center (SOC)
• Monitoring of security controls

Chapter 8: Domain 6: Legal, Risk and Compliance

• Articulating Legal Requirements and Unique Risks within the Cloud Environment
• Conflicting international legislation
• Evaluating legal risks specific to cloud computing
• Legal framework and guidelines
• e-Discovery
• Forensics requirements
• Understanding Privacy Issues
• Difference between contractual and regulated private data
• Country-specific legislation related to private data
• Jurisdictional differences in data privacy
• Standard privacy requirements
• Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
• Internal and external audit controls
• Impact of audit requirements
• Identifying assurance challenges of virtualization and cloud
• Types of audit reports
• Restrictions of audit scope statements
• Gap analysis
• Audit planning
• Internal information security management system (ISMS)
• Internal information security controls system
• Policies
• Identification and involvement of relevant stakeholders
• Specialized compliance requirements for highly regulated industries
• Impact of distributed Information Technology (IT) model
• Understanding the Implications of Cloud to Enterprise Risk Management
• Assessing providers' risk management programs
• Difference between data owner/controller versus data custodian/processor
• Regulatory transparency requirements
• Risk tolerance and risk profile
• Risk assessment
• Risk treatment
• Different risk frameworks
• Metrics for risk management
• Assessment of risk environment
• Understanding Outsourcing and Cloud Contract Design
• Business requirements
• Vendor management
• Contract management
• Supply-chain management

Part 3: The Part of Tens

Chapter 9: Ten (or So) Tips to Help You Prepare for the CCSP Exam

• Brush Up on the Prerequisites
• Register for the Exam
• Create a Study Plan
• Find a Study Buddy
• Take Practice Exams
• Get Hands-On
• Attend a CCSP Training Seminar
• Plan Your Exam Strategy
• Get Some Rest and Relaxation

Chapter 10: Ten Keys to Success on Exam Day

• Making Sure You Wake Up
• Dressing for the Occasion
• Eating a Great Meal
• Warming Up Your Brain
• Bringing Snacks and Drinks
• Planning Your Route
• Arriving Early
• Taking Breaks
• Staying Calm
• Remembering Your Strategy

Part 4: Appendixes

Appendix A: Glossary

Appendix B: Helpful Resources

• (ISC)² and CCSP Exam Resources
• Standards and Guidelines
• Technical References

Index