
© 2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited.

April 21, 2015


© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.18.15, V3

Effective Date: April 21, 2015

Impartiality Statement

(ISC)² is committed to impartiality by promoting a bias- and discrimination-free environment for all members, candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)²’s board of directors, management and staff understand the importance of impartiality in carrying out its certification activities, manage conflicts of interest, and ensure the objectivity of its certification. If you feel you have not received impartial treatment, please send an email to [email protected] or call +1.727.785.0189, so that we can investigate your claim.

Non-Discrimination Policy

(ISC)² is an equal opportunity employer and does not allow, condone or support discrimination of any type within its organization, including, but not limited to, its activities, programs, practices, procedures, or vendor relationships. This policy applies to (ISC)² employees, members, candidates, and supporters.

Whether participating in an (ISC)² official event or certification examination as an employee, candidate, member, staff, volunteer, subcontractor, vendor, or client, if you feel you have been discriminated against based on nationality, religion, sexual orientation, race, gender, disability, age, marital status or military status, please send an email to [email protected] or call +1.727.785.0189, so that we can investigate your claim.

For any questions related to these policies, please contact the (ISC)² Legal Department at [email protected].


The compelling benefits of cloud computing are driving organizations to migrate IT infrastructure and applications to ‘the cloud.’ At the same time, the information security industry recognizes that the accompanying complexity and risk profile require new approaches suitable to secure cloud and hybrid environments – legacy approaches are insufficient. They also require experienced professionals with the right cloud security knowledge and skills to be successful.

(ISC)² and the Cloud Security Alliance (CSA) developed the Certified Cloud Security Professional (CCSP) credential to meet this critical market need and ensure that cloud security professionals have the required knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and compliance with regulatory frameworks. A CCSP applies information security expertise to a cloud computing environment and demonstrates competence in cloud security architecture, design, operations, and service orchestration. This professional competence is measured against a globally recognized body of knowledge. The CCSP is a stand-alone credential that complements and builds upon existing credentials and educational programs, including (ISC)²’s Certified Information Systems Security Professional (CISSP) and CSA’s Certificate of Cloud Security Knowledge (CCSK).

In addition to successfully passing the exam, CCSP candidates must have a minimum of five (5) years of cumulative paid full-time information technology experience, of which three (3) years must be in information security and one (1) year in one of the six (6) domains of the CCSP examination. Earning the Cloud Security Alliance’s CCSK certificate may be substituted for one (1) year of experience in one of the six (6) domains of the CCSP examination. Earning the CISSP credential may be substituted for the entire CCSP experience requirement. Candidates who do not meet these experience requirements may still choose to sit for the exam and become an Associate of (ISC)².

Candidates must meet the following requirements prior to taking the examination:

    o Submit the examination fee
    o Understand the experience requirements discussed above as they relate to the endorsement process
    o Attest to the truth of his or her assertions regarding professional experience
    o Legally commit to abide by the (ISC)² Code of Ethics
    o Answer four prequalification questions regarding criminal history and related background

This Candidate Information Bulletin (Exam Outline) includes:

    An Exam blueprint that defines the CCSP domains and the sub-topics within each
        o Domain 1: Architectural Concepts and Design Requirements (page 4)
        o Domain 2: Cloud Data Security (page 6)
        o Domain 3: Cloud Platform and Infrastructure Security (page 8)
        o Domain 4: Cloud Application Security (page 10)
        o Domain 5: Operations (page 12)
        o Domain 6: Legal and Compliance (page 15)
    Suggested References (page 17)
    Sample Exam Questions (page 18)
    Exam Policies and Procedures (page 19)
    Contact Information (page 24)


Domain 1: Architectural Concepts and Design Requirements

Overview

The Architectural Concepts & Design Requirements domain focuses on the building blocks of cloud-based systems. The candidate will need to have an understanding of Cloud Computing concepts such as definitions based on the ISO/IEC 17788 standard, roles like the Cloud Service Customer, Provider, and Partner, characteristics such as multi-tenancy, measured services, and rapid elasticity and scalability, as well as building block technologies of the cloud such as virtualization, storage, and networking. The Cloud Reference Architecture will need to be described and understood by the candidate, with a focus on areas such as Cloud Computing Activities as described in ISO/IEC 17789, Clause 9, Cloud Service Capabilities, Categories, Deployment Models, and the Cross-Cutting Aspects of Cloud Platform architecture and design such as interoperability, portability, governance, service levels, and performance. In addition, candidates will need to demonstrate a clear understanding of the relevant security and design principles for Cloud Computing, such as cryptography, access control, virtualization security, functional security requirements like vendor lock-in and interoperability, what a secure data lifecycle is for cloud-based data, and how to carry out a cost benefit analysis of cloud-based systems. The ability to identify what a trusted cloud service is, and what role certification against criteria plays in that identification using standards such as the Common Criteria and FIPS 140-2, are also areas of focus for this domain.

Key Areas of Knowledge

A. Understand Cloud Computing Concepts
    A.1 Cloud Computing Definitions (ISO/IEC 17788)
    A.2 Cloud Computing Roles (i.e., Cloud Service Customer, Cloud Service Provider, and Cloud Service Partner)
    A.3 Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling, measured service)
    A.4 Building Block Technologies (e.g., virtualization, storage, networking, databases)

B. Describe Cloud Reference Architecture
    B.1 Cloud Computing Activities (ISO/IEC 17789, Clause 9)
    B.2 Cloud Service Capabilities (i.e., application capability type, platform capability type, infrastructure capability types)
    B.3 Cloud Service Categories (e.g., SaaS, IaaS, PaaS, NaaS, CompaaS, DSaaS)
    B.4 Cloud Deployment Models (e.g., public, private, hybrid, community)
    B.5 Cloud Cross-Cutting Aspects (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and service level agreement, auditability, and regulatory)

C. Understand Security Concepts Relevant to Cloud Computing
    C.1 Cryptography (e.g., encryption, in motion, at rest, key management)
    C.2 Access Control
    C.3 Data and Media Sanitization (e.g., overwriting, cryptographic erase)


    C.4 Network Security
    C.5 Virtualization Security (e.g., hypervisor security)
    C.6 Common Threats
    C.7 Security Considerations for Different Cloud Categories (e.g., SaaS, PaaS, *aaS)

D. Understand Design Principles of Secure Cloud Computing
    D.1 Cloud Secure Data Lifecycle
    D.2 Cloud-Based Business Continuity/Disaster Recovery Planning
    D.3 Cost Benefit Analysis
    D.4 Functional Security Requirements (e.g., portability, interoperability, vendor lock-in)

E. Identify Trusted Cloud Services
    E.1 Certification Against Criteria
    E.2 System/Subsystem Product Certifications (e.g., Common Criteria, FIPS 140-2)


Domain 2: Cloud Data Security

Overview

The Cloud Data Security domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and the controls used to enforce various levels of confidentiality, integrity, and availability. The candidate will need to understand and implement Data Discovery and Classification Technologies pertinent to cloud platforms, and be able to design and implement relevant jurisdictional data protections for Personally Identifiable Information (PII), such as data privacy acts, together with the ability to map and define controls within the cloud. Designing and implementing Data Rights Management (DRM) solutions with the appropriate tools, and planning for the implementation of data retention, deletion, and archiving policies, are activities that a candidate will need to be prepared to undertake. The design and implementation of auditability, traceability, and accountability of data within cloud-based systems, through the use of data event logging, chain of custody and non-repudiation, and the ability to store and analyze data through the use of security information and event management (SIEM) systems, are also discussed within the Cloud Data Security domain.

Key Areas of Knowledge

A. Understand Cloud Data Lifecycle
    A.1 Phases
    A.2 Relevant Data Security Technologies

B. Design and Implement Cloud Data Storage Architectures
    B.1 Storage Types (e.g., long term, ephemeral, raw-disk)
    B.2 Threats to Storage Types (e.g., ISO/IEC 27040)
    B.3 Technologies Available to Address Threats (e.g., encryption)

C. Design and Apply Data Security Strategies
    C.1 Encryption
    C.2 Key Management
    C.3 Masking
    C.4 Tokenization
    C.5 Application of Technologies (e.g., time of storage vs. encryption needs)
    C.6 Emerging Technologies (e.g., bit splitting, data obfuscation, homomorphic encryption)

D. Understand and Implement Data Discovery and Classification Technologies
    D.1 Data Discovery
    D.2 Classification

E. Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)


    E.1 Data Privacy Acts
    E.2 Implementation of Data Discovery
    E.3 Classification of Discovered Sensitive Data
    E.4 Mapping and Definition of Controls
    E.5 Application of Defined Controls for PII (in consideration of customer's Data Privacy Acts)

F. Design and Implement Data Rights Management
    F.1 Data Rights Objectives (e.g., provisioning, users and roles, role-based access)
    F.2 Appropriate Tools (e.g., issuing and replication of certificates)

G. Plan and Implement Data Retention, Deletion, and Archiving Policies
    G.1 Data Retention Policies
    G.2 Data Deletion Procedures and Mechanisms
    G.3 Data Archiving Procedures and Mechanisms

H. Design and Implement Auditability, Traceability and Accountability of Data Events
    H.1 Definition of Event Sources and Identity Attribution Requirement
    H.2 Data Event Logging
    H.3 Storage and Analysis of Data Events (e.g., security information and event management)
    H.4 Continuous Optimizations (e.g., new events detected, add new rules, reduction of false positives)
    H.5 Chain of Custody and Non-repudiation


Domain 3: Cloud Platform and Infrastructure Security

Overview

The Cloud Platform and Infrastructure Security domain covers knowledge of the cloud infrastructure components, both physical and virtual, the threats to them, and the mitigation of and planning for those threats. Risk management is the identification, measurement and control of loss associated with adverse events. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decisions, safeguard implementation, and effectiveness review. The candidate is expected to understand risk management, including risk analysis, threats and vulnerabilities, asset identification, and risk management tools and techniques. In addition, the candidate will need to understand how to design and plan for the use of security controls such as audit mechanisms, physical and environmental protection, and the management of Identification, Authentication and Authorization solutions within the cloud infrastructures they manage. Business Continuity Planning (BCP) facilitates the rapid recovery of business operations to reduce the overall impact of a disaster by ensuring continuity of the critical business functions. Disaster Recovery Planning (DRP) includes procedures for emergency response, extended backup operations and post-disaster recovery when the computer installation suffers loss of computer resources and physical facilities. The candidate is expected to understand how to prepare a business continuity or disaster recovery plan, the related techniques and concepts, the identification of critical data and systems, and finally the recovery of lost data within cloud infrastructures.

Key Areas of Knowledge

A. Comprehend Cloud Infrastructure Components
    A.1 Physical Environment
    A.2 Network and Communications
    A.3 Compute
    A.4 Virtualization
    A.5 Storage
    A.6 Management Plane

B. Analyze Risks Associated with Cloud Infrastructure
    B.1 Risk Assessment/Analysis
    B.2 Cloud Attack Vectors
    B.3 Virtualization Risks
    B.4 Counter-Measure Strategies (e.g., access controls, design principles)

C. Design and Plan Security Controls
    C.1 Physical and Environmental Protection (e.g., on-premises)
    C.2 System and Communication Protection
    C.3 Virtualization Systems Protection
    C.4 Management of Identification, Authentication and Authorization in Cloud Infrastructure
    C.5 Audit Mechanisms


D. Plan Disaster Recovery and Business Continuity Management
    D.1 Understanding of the Cloud Environment
    D.2 Understanding of the Business Requirements
    D.3 Understanding of the Risks
    D.4 Disaster Recovery/Business Continuity Strategy
    D.5 Creation of the Plan
    D.6 Implementation of the Plan


Domain 4: Cloud Application Security

Overview

The Cloud Application Security domain focuses on ensuring that the candidate understands and recognizes the need for training and awareness in application security, the processes involved with cloud software assurance and validation, and the use of verified secure software. The domain refers to the controls that are included within systems and applications software and the steps used in their development (e.g., SDLC). The candidate should fully understand the security and controls of the development process, system life cycle, application controls, change controls, program interfaces, and concepts used to ensure data and application integrity, security, and availability. In addition, the candidate needs to understand how to design appropriate Identity and Access Management (IAM) solutions for cloud-based systems.

Key Areas of Knowledge

A. Recognize the Need for Training and Awareness in Application Security
    A.1 Cloud Development Basics (e.g., RESTful)
    A.2 Common Pitfalls
    A.3 Common Vulnerabilities (e.g., OWASP Top 10)

B. Understand Cloud Software Assurance and Validation
    B.1 Cloud-Based Functional Testing
    B.2 Cloud Secure Development Lifecycle
    B.3 Security Testing (e.g., SAST, DAST, Pen Testing)

C. Use Verified Secure Software
    C.1 Approved API
    C.2 Supply-Chain Management
    C.3 Community Knowledge

D. Comprehend the Software Development Life-Cycle (SDLC) Process
    D.1 Phases & Methodologies
    D.2 Business Requirements
    D.3 Software Configuration Management & Versioning

E. Apply the Secure Software Development Life-Cycle
    E.1 Common Vulnerabilities (e.g., SQL Injection, XSS, XSRF, Direct Object Reference, Buffer Overflow)
    E.2 Cloud-Specific Risks
    E.3 Quality of Service
    E.4 Threat Modeling

F. Comprehend the Specifics of Cloud Application Architecture


    F.1 Supplemental Security Devices (e.g., WAF, DAM, XML firewalls, API gateway)
    F.2 Cryptography (e.g., TLS, SSL, IPSEC)
    F.3 Sandboxing
    F.4 Application Virtualization

G. Design Appropriate Identity and Access Management (IAM) Solutions
    G.1 Federated Identity
    G.2 Identity Providers
    G.3 Single Sign-On
    G.4 Multi-factor Authentication


Domain 5: Operations

Overview

The Operations domain covers the identification of critical information and the execution of selected measures that eliminate or reduce adversary exploitation of that information. The domain examines the requirements of the cloud architecture, from planning of the Data Center design and implementation of the physical and logical infrastructure for the cloud environment, to running and managing that infrastructure. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The need for compliance with regulations and controls through the application of frameworks such as ITIL and ISO/IEC 20000 is also discussed. In addition, the importance of risk assessment across both the logical and physical infrastructures, and the management of communication with all relevant parties, are areas of focus. The candidate is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice.

Key Areas of Knowledge

A. Support the Planning Process for the Data Center Design
    A.1 Logical Design (e.g., tenant partitioning, access control)
    A.2 Physical Design (e.g., location, buy or build)
    A.3 Environmental Design (e.g., HVAC, multi-vendor pathway connectivity)

B. Implement and Build Physical Infrastructure for Cloud Environment
    B.1 Secure Configuration of Hardware Specific Requirements (e.g., BIOS settings for virtualization and TPM, storage controllers, network controllers)
    B.2 Installation and Configuration of Virtualization Management Tools for the Host

C. Run Physical Infrastructure for Cloud Environment
    C.1 Configuration of Access Control for Local Access (e.g., Secure KVM, console-based access mechanisms)
    C.2 Securing Network Configuration (e.g., VLANs, TLS, DHCP, DNS, IPSEC)
    C.3 OS Hardening via Application of Baseline (e.g., Windows, Linux, VMware)
    C.4 Availability of Stand-Alone Hosts
    C.5 Availability of Clustered Hosts (e.g., distributed resource scheduling (DRS), dynamic optimization (DO), storage clusters, maintenance mode, high availability)

D. Manage Physical Infrastructure for Cloud Environment
    D.1 Configuring Access Controls for Remote Access (e.g., RDP, Secure Terminal Access)
    D.2 OS Baseline Compliance Monitoring and Remediation
    D.3 Patch Management
    D.4 Performance Monitoring (e.g., network, disk, memory, CPU)


    D.5 Hardware Monitoring (e.g., disk I/O, CPU temperature, fan speed)
    D.6 Backup and Restore of Host Configuration
    D.7 Implementation of Network Security Controls (e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments)
    D.8 Log Capture and Analysis (e.g., SIEM, log management)
    D.9 Management Plane (e.g., scheduling, orchestration, maintenance)

E. Build Logical Infrastructure for Cloud Environment
    E.1 Secure Configuration of Virtual Hardware Specific Requirements (e.g., network, storage, memory, CPU)
    E.2 Installation of Guest O/S Virtualization Toolsets

F. Run Logical Infrastructure for Cloud Environment
    F.1 Secure Network Configuration (e.g., VLANs, TLS, DHCP, DNS, IPSEC)
    F.2 OS Hardening via Application of a Baseline (e.g., Windows, Linux, VMware)
    F.3 Availability of the Guest OS

G. Manage Logical Infrastructure for Cloud Environment
    G.1 Access Control for Remote Access (e.g., RDP)
    G.2 OS Baseline Compliance Monitoring and Remediation
    G.3 Patch Management
    G.4 Performance Monitoring (e.g., network, disk, memory, CPU)
    G.5 Backup and Restore of Guest OS Configuration (e.g., agent-based, snapshots, agentless)
    G.6 Implementation of Network Security Controls (e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments)
    G.7 Log Capture and Analysis (e.g., SIEM, log management)
    G.8 Management Plane (e.g., scheduling, orchestration, maintenance)

H. Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
    H.1 Change Management
    H.2 Continuity Management
    H.3 Information Security Management
    H.4 Continual Service Improvement Management
    H.5 Incident Management
    H.6 Problem Management
    H.7 Release Management
    H.8 Deployment Management
    H.9 Configuration Management
    H.10 Service Level Management


    H.11 Availability Management
    H.12 Capacity Management

I. Conduct Risk Assessment to Logical and Physical Infrastructure

J. Understand the Collection, Acquisition and Preservation of Digital Evidence
    J.1 Proper Methodologies for Forensic Collection of Data
    J.2 Evidence Management

K. Manage Communication with Relevant Parties
    K.1 Vendors
    K.2 Customers
    K.3 Partners
    K.4 Regulators
    K.5 Other Stakeholders


Domain 6: Legal and Compliance

Overview

The Legal and Compliance domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed, and methods used to gather evidence (e.g., Legal Controls, eDiscovery, and Forensics). This domain also includes an understanding of privacy issues and the audit process and methodologies required for a cloud environment, such as internal and external audit controls, assurance issues associated with virtualization and the cloud, and the types of audit reporting specific to the cloud (e.g., SAS, SSAE and ISAE). Further, examining and understanding the implications that cloud environments have in relation to enterprise risk management, and the impact of outsourcing the design and hosting of these systems, are also important considerations that many organizations face today.

Key Areas of Knowledge

A. Understand Legal Requirements and Unique Risks within the Cloud Environment
    A.1 International Legislation Conflicts
    A.2 Appraisal of Legal Risks Specific to Cloud Computing
    A.3 Legal Controls
    A.4 eDiscovery (e.g., ISO/IEC 27050, CSA Guidance)
    A.5 Forensics Requirements

B. Understand Privacy Issues, Including Jurisdictional Variation
    B.1 Difference between Contractual and Regulated PII
    B.2 Country-Specific Legislation Related to PII / Data Privacy
    B.3 Difference Among Confidentiality, Integrity, Availability, and Privacy

C. Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
    C.1 Internal and External Audit Controls
    C.2 Impact of Requirements Programs by the Use of Cloud
    C.3 Assurance Challenges of Virtualization and Cloud
    C.4 Types of Audit Reports (e.g., SAS, SSAE, ISAE)
    C.5 Restrictions of Audit Scope Statements (e.g., SAS 70)
    C.6 Gap Analysis
    C.7 Audit Plan
    C.8 Standards Requirements (e.g., ISO/IEC 27018, GAPP)
    C.9 Internal Information Security Management System
    C.10 Internal Information Security Controls System


C.11 Policies

C.12 Identification and Involvement of Relevant Stakeholders

C.13 Specialized Compliance Requirements for Highly Regulated Industries

C.14 Impact of Distributed IT Model (e.g., diverse geographical locations and crossing over legal

jurisdictions)

D. Understand Implications of Cloud to Enterprise Risk Management

D.1 Access Providers Risk Management

D.2 Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile,

risk appetite, responsibility)

D.3 Provision of Regulatory Transparency Requirements

D.4 Risk Mitigation

D.5 Different Risk Frameworks

D.6 Metrics for Risk Management

D.7 Assessment of Risk Environment (e.g., service, vendor, ecosystem)

E. Understand Outsourcing and Cloud Contract Design

E.1 Business Requirements (e.g., SLA, GAAP)

E.2 Vendor Management (e.g., selection, common certification framework)

E.3 Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data)

F. Execute Vendor Management

F.1 Supply-chain Management (e.g., ISO/IEC 27036)


Suggested References

This reference list is not intended to be an all-inclusive collection representing the CCSP Common Body of Knowledge (CBK). Its purpose is to provide candidates a starting point for their studies in domains which need supplementary learning in order to complement their associated level of work and academic experience. Candidates may also consider other references, which are not on this list but adequately cover domain content.

Note: (ISC)² does not endorse any particular text or author and does not imply that any or all references be acquired or consulted. (ISC)² does not imply nor guarantee that the study of these references will result in an examination pass.

Supplementary References

Challenging Security Requirements for US Government Cloud Computing Adoption, NIST Cloud Computing Public Security Working Group, NIST Cloud Computing Program, Information Technology Laboratory, December 9, 2010

CSA – Cloud Security Alliance – The Notorious Nine: Cloud Computing Top Threats in 2013, Top Threats Working Group

ENISA, Cloud Computing: Benefits, Risks and Recommendations for Information Security, ENISA, November 2009

ISO/IEC 17788:2014 Information technology -- Cloud computing -- Overview and vocabulary

ISO/IEC 17789:2014 Information technology -- Cloud computing -- Reference architecture

NIST Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, June 11, 2013

Quick Reference Guide to the Reference Architecture, TCI Trusted Cloud Initiative, Cloud Security Alliance, 2011

SecaaS Cat 1 IAM Implementation Guidance, Category 1 // Identity and Access Management, September 2012

SecaaS Cat 10 Network Security Implementation Guidance, Category 10 // Network Security, September 2012

SecaaS Cat 3 Web Security Implementation Guidance, Category 3 // Web Security, September 2012

SecaaS Cat 4 Email Security Implementation Guidance, Category 4 // Email Security, September 2012

SecaaS Cat 5 Security Assessments Implementation Guidance, Category 5 // Security Assessments, September 2012

SecaaS Cat 6 Intrusion Management Implementation Guidance, Category 6 // Intrusion Management, September 2012

SecaaS Cat 7 SIEM Implementation Guidance, Category 7 // Security Information and Event Management, October 2012

SecaaS Cat 8 Encryption Implementation Guidance, Category 8 // Encryption, September 2012

SecaaS Cat 9 BCDR Implementation Guidance, Category 9 // Business Continuity / Disaster Recovery, September 2012

SecaaS Implementation Guidance, Category 2 // Data Loss Prevention, September 2012

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, 2011

TCI – Trusted Cloud Initiative – Reference Architecture, Version 2.0, 2011

TCI – Trusted Cloud Initiative, Quick Guide to Reference Architecture, CSA Cloud Security Alliance – White Paper, October 18, 2011

The Cloud Security Alliance Security as a Service Implementation Guidance Documents

Top Threats Working Group, The Notorious Nine: Cloud Computing Top Threats in 2013, February 2013


Sample Exam Questions

1. Which one of the following is the MOST important security consideration when selecting a new computer facility?

(A) Local law enforcement response times

(B) Adjacent to competitors’ facilities

(C) Aircraft flight paths

(D) Utility infrastructure

Answer – D

2. Which one of the following describes a SYN flood attack?

(A) Rapid transmission of Internet Relay Chat (IRC) messages

(B) Creating a high number of half-open connections

(C) Disabling the Domain Name Service (DNS) server

(D) Excessive list linking of users and files

Answer – B

3. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions

(A) between the WAP gateway and the wireless device.

(B) between the web server and WAP gateway.

(C) from the web server to the wireless device.

(D) between the wireless device and the base station.

Answer – B


Exam Policies and Procedures

Non-Discrimination Policy

(ISC)² does not discriminate against candidates based on their nationality, gender, religion, race, ethnicity, sexual orientation, age or disability. For additional information on (ISC)²’s non-discrimination and other candidate policies, please visit https://www.isc2.org/legal-info-policies.aspx.

Registering for the Exam

The CCSP examination is administered at Pearson VUE testing centers around the world. To register for the exam:

1. Go to www.pearsonvue.com/isc2 to register for an exam appointment

2. Select the most convenient test center

3. Select an appointment time

4. Pay for your exam appointment

5. Receive confirmation from Pearson VUE with the appointment details

Please note that your registration information will be transferred to (ISC)² and all communication about the testing process from (ISC)² and Pearson VUE will be sent to you via email.

Fees

Visit the (ISC)² website for the exam registration fees.

Examination Agreement and Non-Disclosure Agreement

All candidates must agree to the terms listed in the (ISC)²’s Examination Agreement when registering for the exam on the Pearson VUE website. The agreement can be found under the View Testing Policies link on the Exam Details page.

At the Pearson VUE testing center, prior to starting the exam, all candidates are also required to read and accept the (ISC)² non-disclosure agreement (NDA) within the allotted five (5) minutes prior to being presented with exam questions. If the NDA is not accepted by the candidate or the candidate does not accept the NDA within the time allotted, the exam will end, and the candidate will be asked to leave the test center. No refund of exam fees will be given. For this reason, all candidates are strongly encouraged to review the non-disclosure agreement prior to scheduling for, or taking, the exam.

Requesting Special Accommodations

Pearson VUE Professional Centers can accommodate a variety of candidates’ needs, as they are fully compliant with the Americans with Disabilities Act (ADA) and the equivalent requirements in other countries.

Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once (ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson VUE’s special accommodations number. From there, a Pearson VUE coordinator will handle all of the arrangements.


Please note: Candidates that request special accommodations should not schedule their appointment online or call the main CBT registration line.

Rescheduling or Cancellation of an Exam Appointment

If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at least 48 hours before the exam date by contacting Pearson VUE at www.pearsonvue.com/isc2, or at least 24 hours prior to the exam appointment time by contacting Pearson VUE by phone. Please refer to ‘Contact Information’ for more information and local telephone numbers for your region. Canceling or rescheduling an exam appointment less than 24 hours via phone notification, or less than 48 hours via online notification, is subject to a forfeit of exam fees. Exam fees are also forfeited for no-shows. Please note that Pearson VUE charges a 50 USD/35 £/40 € fee for reschedules, and a 100 USD/70 £/80 € fee for cancellations.

Late Arrivals or No Shows

If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or she has technically forfeited his or her assigned seat.

If the candidate arrives late (after 15 minutes of his/her scheduled appointment), it is up to the discretion of the testing center as to whether or not the candidate may still take the exam. If the test administrator at the testing location is able to accommodate a late arriving candidate, without affecting subsequent candidates’ appointments, he/she will let the candidate sit for the exam. However, if the schedule is such that the test center is not able to accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited.

If a candidate fails to appear for a testing appointment, the test result will appear in the system as a no-show and the candidate’s exam fees will be forfeited.

Pearson VUE Check-In Process

Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing time. If you arrive more than 15 minutes late to your scheduled appointment, you may lose your examination appointment.

For checking in:

You will be required to present two acceptable forms of identification.

You will be asked to provide your signature, submit to a palm vein scan, and have your photograph taken.

Hats, scarves and coats may not be worn in the testing room, or while your photograph is being taken.

You will be required to leave your personal belongings outside the testing room. Secure storage will be provided. Storage space is small, so candidates should plan appropriately. Pearson VUE Professional Centers assume no responsibility for candidates’ personal belongings.

The Test Administrator (TA) will give you a short orientation, and then will escort you to a computer terminal. You must remain in your seat during the examination, except when authorized to leave by test center staff. You may not change your computer terminal unless a TA directs you to do so. During the exam, you may raise your hand to notify the TA if you believe you have a problem with your computer, need to change note boards, need to take a break, or need the TA for any reason.


Identification Requirements

(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired) and must be an original document (not a photocopy or a fax).

Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate’s signature.

Secondary IDs: Must have the candidate’s signature.

Accepted Primary ID (photograph and signature, not expired)

Government issued Driver’s License or Identification Card

U.S. Dept. of State Driver’s License

U.S. Learner’s Permit (card only with photo and signature)

National/State/Country Identification Card

Passport

Passport Cards

Military ID

Military ID for spouses and dependents

Alien Registration Card (Green Card, Permanent Resident Visa)

Government Issued local language ID (plastic card with photo and signature)

Employee ID

School ID

Credit Card* (A credit card can be used as a primary form of ID only if it contains both a photo and a signature and is not expired. Any credit card can be used as a secondary form of ID, as long as it contains a signature and is not expired. This includes major credit cards, such as VISA, MasterCard, American Express and Discover. It also includes department store and gasoline credit cards.)

Accepted Secondary ID (contains signature, not expired)

U.S. Social Security Card

Debit/ATM Card

Credit Cards

Any form of ID on the primary list

Name Matching Policy

The candidate’s first and last name on the presented identification document must exactly match the first and last name on the registration record with Pearson VUE. If the name the candidate has registered with does not match the name on the identification document, proof of legal name change must be brought to the test center on the day of the test. The only acceptable forms of legal documentation are marriage licenses, divorce decrees, or court sanctioned legal name change documents. All documents presented at the test center must be original documents.

If a mistake is made with a name during the application process, candidates should contact (ISC)² to correct the information well in advance of the actual test date. Name changes cannot be made at the test center or on the day of the exam. Candidates who do not meet the requirements presented in the name matching policy on the day of the test may be subject to forfeiture of testing fees and asked to leave the testing center.


Testing Environment

Pearson VUE Professional Centers administer many types of examinations, including some that require written responses (essay-type). Pearson VUE Professional Centers have no control over typing noises made by candidates sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized testing environment, just as the noise of turning pages is a normal part of the paper and pencil testing environment. Earplugs are available upon request.

Breaks During the Exam

You will have up to 4 hours to complete the CCSP examination. Total examination time includes any unscheduled breaks you may take. All breaks count against your testing time. You must leave the testing room during your break, but you may not leave the building or access any personal belongings unless absolutely necessary (e.g. for retrieving medication). Additionally, when you take a break, you will be required to submit to a palm vein scan before and after your break.

Examination Format and Scoring

The CCSP examination contains 125 multiple choice questions with four (4) choices each. There may be scenario-based items which may have more than one multiple choice question associated with them.

The exam will contain 25 questions which are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. There is no penalty for guessing, so candidates should not leave any item unanswered. Results will be based only on the scored questions on the examination. There are several versions of the examination. It is important that each candidate have an equal opportunity to pass the examination, no matter which version is administered. Subject Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the examinations. That information is used to develop examination forms that have comparable difficulty levels. When there are differences in the examination difficulty, a mathematical procedure called equating is used to make the difficulty level of each test form equal. Because the number of questions required to pass the examination may be different for each version, the scores are converted onto a reporting scale to ensure a common standard.

The passing grade required is a scale score of 700 out of a possible 1000 points on the grading scale.

Finishing the Exam

After you have finished the examination, raise your hand to summon the TA. The TA will collect and inventory all note boards. The TA will dismiss you when all requirements are fulfilled.

If you believe there was an irregularity in the administration of your test, or the associated test conditions adversely affected the outcome of your examination, you should notify the TA before you leave the test center.

Results Reporting

Candidates will receive their test result at the test center. The results will be handed out by the TA during the checkout process. (ISC)² will then follow up with an official result via email.

In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released. A minimum number of candidates are required to take the exam before this analysis can be completed. Depending upon the volume of test takers for a given cycle, there may be occasions when scores are delayed for approximately 6-8 weeks in order to complete this critical process. Results will not be released over the phone. They will be sent via email from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact (ISC)² prior to your examination.

Technical Issues

On rare occasions, technical problems may require rescheduling of a candidate’s examination. If circumstances arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice of continuing to wait, or rescheduling your appointment without an additional fee.

If you choose to wait, but later change your mind at any time prior to beginning or restarting the examination, you will be allowed to take the exam at a later date, at no additional cost.

If you choose not to reschedule, but rather test after a delay, you will have no further recourse, and your test results will be considered valid.

If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you will be allowed to test at a later date at no additional charge. Every attempt will be made to contact candidates if technical problems are identified prior to a scheduled appointment.

Examination Retake Policy

Candidates who do not pass on their first attempt may not retake the exam for a period of 90 days from the date of the first attempt. Candidates that fail a second time will need to wait an additional 90 days prior to sitting for the exam again. In the unfortunate event that a candidate fails a third time, that candidate may not sit for the exam for a period of 180 days after the most recent attempt. Candidates are eligible to sit for (ISC)² exams a maximum of 3 times within a calendar year.

Exam Irregularities and Test Invalidation

(ISC)² exams are intended to be delivered under standardized conditions. If any irregularity or fraud is encountered before, during, or after the administration of the exam, (ISC)² will examine the situation and determine whether action is warranted. If (ISC)² determines that any testing irregularity or fraud has happened, it may choose not to score the answer documents of the affected test taker(s), or it may choose to cancel the scores of the affected test taker(s).

(ISC)² may at its sole discretion revoke any and all certifications a candidate may have earned and ban the candidate from earning future (ISC)² certifications, and decline to score or cancel any Exam under any of the circumstances listed in the (ISC)² Examination Agreement. Please refer to the (ISC)² Examination Agreement for further details.

Recertification by Examination

Candidates and members may recertify by examination for the following reasons only:

The candidate has become decertified due to reaching the expiration of the time limit for endorsement.

The member has become decertified for not meeting the number of required continuing professional education (CPE) credits.


Contact Information

Please direct any questions or comments to:

(ISC)² Candidate Services

311 Park Place Blvd, Suite 400

Clearwater, FL 33759

Phone: 1.866.331.ISC2 (United States); +1.727.785.0189 (International)

Fax: 1.727.683.0785

[email protected]