ISC2 CCSP - Certified Cloud Security Professional

- Definitions of cloud computing
- Roles in cloud computing (e.g. cloud service customer, cloud service provider, cloud service partner, cloud service broker)
- Key features of cloud computing (e.g. self-service on demand, wide network access, multi-tenancy, rapid elasticity and scaling, resource pooling, metered service)
- Building block technologies (e.g. virtualization, storage, networking, databases, orchestration)
- 1.2 Describe Cloud Reference Architecture Activities with cloud computing
- Cloud service functionalities (e.g. application feature types, platform feature types, infrastructure feature types)
- Cloud service categories (e.g. software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS))
- Cloud deployment models (e.g. public, private, hybrid, community)
- Common cloud considerations (eg interoperability, portability, reversibility, availability, security, privacy, robustness, performance, governance, maintenance and versioning, service levels and service level agreements (SLA), auditing, regulation)
- Impact of related technologies (e.g. machine learning, artificial intelligence, blockchain, internet of things (IoT), containers, quantum computing)
- 1.3 Understand security concepts relevant to cloud computing
- Cryptography and key management
- Access control
- Sanitization of data and media (e.g. overwriting, cryptographic erasure)
- Network security (eg network security groups)
- Virtualization security (e.g. hypervisor security, container security)
- Common threats
- 1.4 Understand design principles for secure cloud computing
- Cloud Secure Data Lifecycle
- Cloud based Disaster Recovery (DR) and Business Continuity (BC) planning
- Cost/benefit assessment
- Functional security requirements (e.g. portability, interoperability, vendor lock-in)
- Security considerations for different cloud categories (e.g. Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
- 1.5 Evaluate cloud service providers
- Verification against criteria (e.g. International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))
- System/sub-system products

- Phases of cloud data life cycle phases
- Data dissemination
- 2.1 Design and implement architectures for cloud data storage
- Storage types (e.g. long-term, ephemeral, raw disk)
- Threats to storage types
- 2.2 Design and apply data security technology and strategies
- Encryption and key management
- Hashing
- Maybe
- Tokenization
- Data Loss Prevention (DLP)
- Data Obfuscation
- Data de-identification (e.g. anonymisation)
- 2.3 Implement data discovery > Structured data
- Structured data
- Unstructured data
- 2.4 Implement data classification
- Mapping
- Marking
- Sensitive Data (e.g. Protected Health Information (PHI), Personally Identifiable Information (PII), Cardholder Data)
- 2.5 Design and information rights management (IRM)
- Objectives (e.g. data rights, provisioning, access models)
- Appropriate tools (e.g. issuance and revocation of certificates)
- 2.6 Plan and implement policies for data retention, deletion and archiving
- Data retention policies
- Data deletion procedures and mechanisms
- Data archiving procedures and mechanisms
- Legal team
- 2.7 Define and implement auditability, traceability and accountability for data events
- Definition of event sources and requirements for identity attribution
- Logging, storage and analysis of data events
- Chain control and non-judgment

- Physical environment
- Network and communications
- Calculations
- Virtualization
- Storage
- Management plan
- 3.1 Design a secure data center
- Logical design (e.g. tenant partitioning, access control)
- Physical design (e.g. location, purchase or build)
- Environmental design (e.g. heating, ventilation and air conditioning (HVAC), connection with multi-vendors)
- 3.2 Analyze risks associated with cloud infrastructure
- Risk assessment and analysis
- Cloud vulnerabilities, threats and attacks
- Virtualization risks
- Counter strategies
- 3.3 Design and plan security controls
- Physical and environmental protection (e.g. on-site)
- System and communication protection
- Protection of virtualization systems
- Identification, authentication and authorization in cloud infrastructure
- Audit mechanisms (e.g. log collection, packet collection)
- 3.4 Plan emergency plans (DR) and business continuity (BC)
- Risks related to the cloud environment
- Business requirements (e.g. restore time objective (RTO), restore point objective (RPO), restore service level (RSL))
- Business continuity/disaster plan strategy
- Creation, implementation and testing of plan

- Basics in cloud development
- Common pitfalls
- Common cloud vulnerabilities
- 4.1 Describe the secure software development life cycle (SDLC) process
- Business requirements
- Phases and methods
- 4.2 Apply the Secure Software Development Life Cycle (SDLC)
- Avoid common vulnerabilities during development
- Risks specific to the cloud
- Quality assurance
- Threat modeling
- Software configuration management and versioning
- 4.3 Use software security and validation
- Function test
- Security testing methods
- 4.4 Use verified secure software
- Approved Application Programming Interfaces (API)
- Supply chain management
- Third party software management
- Validated open source software
- 4.5 Understand specific to cloud application architecture
- Additional security components (e.g. Web Application Firewall (WAF), Database Activity Monitoring (DAM), Extensible Markup Language (XML) firewall, Application Programming Interface (API) gateway)
- Encryption
- Sand box
- Application virtualization and orchestration
- 4.6 Design appropriate identity and access management (IAM) solutions
- Federal identity
- Identity providers
- Single sign-on (SSO)
- Multi-factor authentication
- Cloud Access Security Broker (CASB)

- Hardware specific security configuration requirements (e.g. Basic Input Output System (BIOS), virtualization and Trusted Platform Module (TPM) settings, storage management, network management)
- Installation and configuration of virtualization management tools
- Specific security configuration requirements for virtual hardware (eg network, storage, memory, central processing unit (CPU))
- Installation of guest operating system (OS) virtualization toolkit
- 5.1 Operation physical and logical infrastructure for cloud environment
- Configure access control for local and remote access (eg Secure Keyboard Video Mouse (KVM), console-based access mechanism, Remote Desktop Protocol (RDP))
- Secure network configuration (e.g. Virtual Local Area Networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Virtual Private Network (VPN))
- Guest operating system (OS) provisioning through the use of bases (eg Windows, Linux, VMware)
- Availability of stand-alone hosts
- Availability of cluster hosts (eg Distributed Resource Scheduling (DRS), Dynamic Optimization (DO), Storage Cluster, Maintenance Mode, High Availability)
- Availability of guest operating system (OS)
- 5.2 Manage physical and logical infrastructure for cloud environment
- Access control for remote access (e.g. Remote Desktop Protocol (RDP), secure terminal access, Secure Shell (SSH))
- Basic operating system (OS) compliance checks and patches
- Patch Management
- Performance and capacity monitoring (e.g. network, compute, storage, response time)
- Hardware monitoring (eg disk, central processing unit (CPU), fan speed, temperature)
- Configuration of host and guest operating system (OS) backup and restore functions
- Network security controls (eg firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
- Management plan (e.g. planning, orchestration, maintenance)
- 5.3 Implement operator controls and standards (e.g. information technology infrastructure library (ITIL), International organization for standardization/International electrotechnical commission (ISO/IEC) 2000-1)
- Change management
- Continuity management
- Information security management
- Continuous service improvement management
- Incident management
- Problem management
- Broadcast management
- Configuration management
- Service level management
- Availability management
- Capacity management
- 5.4 Support digital rhetoric
- Forensic data collection methods
- Evidence management
- Collection, acquisition and preservation of digital evidence
- 5.5 Manage communication with relevant parties
- Supplier
- Customers
- Partners
- Regulators
- Other stakeholders
- 5.6 Manage security operations
- Security Operations Center (SOC)
- Monitoring security controls (e.g. firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, vulnerability assessments, network security groups)
- Logging and analysis (e.g. Security Information and Event Management (SIEM), logging management)
- Handling of incidents

- Contradictions in international law
- Evaluation of legal risks specific to cloud computing
- Legal and guidance frameworks
- eDiscovery (e.g. International Organization for Standardization / International Electrotechnical Commission (ISO / IEC) 27050, Cloud Security Alliance (CSA) guidance)
- Forensic requirements
- 6.1 Understand personal data issues
- Difference between contractual and regulatory private data (e.g. protected health information (PHI), personally identifiable information (PII)) - Country-specific legislation on private data (e.g. protected health information (PHI), personally identifiable information (PII))
- Legal differences in data protection
- Standard privacy requirements (e.g. International Organization for Standardization / International Electrotechnical Commission (ISO / IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR))
- 6.2 Understand the audit process, methods and required adaptation to a cloud environment
- Internal and external audit controls
- Effects of audit requirements
- Identifying support issues regarding virtualization and cloud
- Types of audit reports (e.g. Statement on Standards for Attestation Engagements (SSAE), Security Operations Center (SOC), International Standard on Assurance Engagements (ISAE))
- Limitations of audit scope opinions (e.g. Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))
- Salary analysis
- Audit planning
- Internal information security management (ISMS)
- Internal information security control system
- Policies (e.g. organization, function, cloud computing)
- Identification and involvement of relevant stakeholders
- Special compliance requirements for highly regulated industries (e.g. North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC / CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))
- Impact of information and technology (IT) distribution model (e.g. different geographical locations and crossing legal jurisdictions)
- 6.3 Understand the implications of the cloud for the company's risk management
- Assess suppliers' risk management programs (e.g. controls, methods, policies)
- Difference between data owner / controller vs. data keeper / processor (e.g. risk profile, risk threshold, responsibility)
- Regulatory transparency requirements (e.g. breach notification, Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR))
- Risk management (ie avoid, modify, share, retain)
- Different risk frameworks
- Metrics for risk management
- Assessment of risk environment (e.g. service, supplier, infrastructure)
- 6.4 Understand outsourcing and cloud contract design
- Business requirements (e.g. service agreement (SLA), master service agreement (MSA), description of work (SOW))
- Supplier management
- Contract management (e.g. right to audit, metrics, definitions, termination, litigation, security, compliance, access to cloud / data, cyber risk insurance)
- Supply chain management (e.g. International Organization for Standardization / International Electrotechnical Commission (ISO / IEC) 27036)