CCSP Official (ISC)2 Practice Tests

By Ben Malisow
About this book
The Certified Cloud Security Professional (CCSP) is a credential from (ISC)2 and the Cloud Security Alliance. (ISC)2 is a global not-for-profit organization that maintains the Common Body of Knowledge for information security professionals. Candidates must have relevant experience, subscribe to the (ISC)2 Code of Ethics, and recertify every three years. With over 1,000 practice questions, this book gives you the opportunity to test your level of understanding and gauge your readiness for the CCSP exam long before the big day. These questions cover 100% of the CCSP exam domains and include answers with full explanations to help you understand the reasoning and approach for each. Logical organization by domain enables you to practice only the areas you need to bring up to par, without wasting precious time on topics you've already mastered. As the only official practice test product for the CCSP exam endorsed by (ISC)2, this essential resource is your best bet for gaining a thorough understanding of the topics. It illustrates the relative importance of each domain, helping you plan your remaining study time so you can go into the exam fully confident in your knowledge. When you're ready, two practice exams help you simulate the exam-day experience and apply your own test-taking strategies, with domains weighted in proportion to the real thing.
Publication date:
February 2018
Publisher
Packt
Pages
384
ISBN
9781119449225


Introduction

There is no magic formula for passing the CCSP certification exam. You can, however, prepare yourself for the challenge. This book is all about preparation.

We’ve included 1,000 questions related to the CCSP material in this book, which also includes access to the online databank (the same questions, but in a point-and-click format). They were created in accordance with the (ISC)2 CCSP Common Body of Knowledge (CBK), the CCSP Training Guide, the CCSP Study Guide, and the CCSP Detailed Content Outline (DCO), which lists all the elements of practice that the candidate is expected to know for the certification.


How This Book Is Organized

The questions have been arranged in the order of the CBK, with the number of questions per domain in proportion to the (ISC)2-published matrix describing how the exam is constructed, as shown in Table I.1.

TABLE I.1 How the Exam Is Constructed

Domains Weight
1. Architectural Concepts and Design Requirements 19%
2. Cloud Data Security 20%
3. Cloud Platform and Infrastructure Security 19%
4. Cloud Application Security 15%
5. Operations 15%
6. Legal and Compliance 12%

There are six chapters, one for each of the CBK domains; each chapter contains a share of the 750 domain practice questions proportional to that domain's weight on the exam (for example, Chapter 1 reflects Domain 1 of the CBK, weighted at 19%, and has 143 questions). There are also two full-length practice exams, 125 questions each, at the end of the book (Chapters 7 and 8).


Who Should Read This Book

This book is intended for CCSP candidates. In order to earn the CCSP, you are expected to have professional experience in the field of information security/IT security, particularly experience related to cloud computing. The candidate will also need to provide evidence of their professional experience to (ISC)2 in the event of passing the exam.

The author has drawn on his own experience studying for and passing the exam as well as years of teaching the CISSP and CCSP preparation courses for (ISC)2. He also solicited feedback from colleagues and former students who have taken the prep course and the exam. The book should reflect the breadth and depth of question content you are likely to see on the exam. Some of the questions in this book are easier than what you will see on the exam; some of them may be harder. Hopefully, the book will prepare you for what you might encounter when you take the test.

The one thing we chose not to simulate in the book is the “interactive” questions; (ISC)2 has stated that the current tests may go beyond the regular multiple-choice format and could include “matching” questions (a list of multiple answers and multiple terms, where the candidate has to arrange them all in order), drag-and-drop questions (where the candidate uses the mouse to arrange items on the screen), and “hot spot” questions (where the candidate puts the mouse on areas of the screen to indicate an answer). There will probably not be many of these on the exam you take, but they are weighted more in your score than the multiple-choice questions, so pay attention and be extra careful answering those.


Tools You Will Need

In addition to this book, we recommend the CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide (O’Hara, Malisow), also from Wiley (2017). There is, as stated in the introduction, no magic formula for passing the exam. No single particular book/source with all the answers to the exam exists. If someone claims to be able to provide you with such a product, please realize that they are mistaken or, worse, misleading you.

However, you can augment your studying by reviewing a significant portion of the sources likely used by the professionals who created the test. The following is just a sampling of the professional resources a cloud practitioner should be familiar with:

  • The Cloud Security Alliance’s Notorious Nine:
  • The OWASP’s Top 10:
  • The OWASP’s XSS (Cross-Site Scripting) Prevention Cheat Sheet:
  • The OWASP’s Testing Guide (v4):
  • NIST SP 500-292, NIST Cloud Computing Reference Architecture:
  • The CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing v3.0:
  • ENISA’s Cloud Computing Benefits, Risks, and Recommendations for Information Security:
  • The Uptime Institute’s Tier Standard: Topology and Tier Standard: Operational Sustainability (the linked page includes download options for the documents):

CCSP Certified Cloud Security Professional Objective Map

Domain 1: Architectural Concepts and Design Requirements

  1. Understand Cloud Computing Concepts
    • A.1. Cloud Computing Definitions
    • A.2. Cloud Computing Roles
    • A.3. Key Cloud Computing Characteristics
    • A.4. Building Block Technologies
  2. Describe Cloud Reference Architecture
    • B.1. Cloud Computing Activities
    • B.2. Cloud Service Capabilities
    • B.3. Cloud Service Categories
    • B.4. Cloud Deployment Models
    • B.5. Cloud Cross-Cutting Aspects
  3. Understand Security Concepts Relevant to Cloud Computing
    • C.1. Cryptography
    • C.2. Access Control
    • C.3. Data and Media Sanitization
    • C.4. Network Security
    • C.5. Virtualization Security
    • C.6. Common Threats
    • C.7. Security Considerations for Different Cloud Categories
  4. Understand Design Principles of Secure Cloud Computing
    • D.1. Cloud Secure Data Lifecycle
    • D.2. Cloud-Based Business Continuity/Disaster Recovery Planning
    • D.3. Cost/Benefit Analysis
    • D.4. Functional Security Requirements
  5. Identify Trusted Cloud Sources
    • E.1. Certification Against Criteria
    • E.2. System/Subsystem Product Certifications

Domain 2: Cloud Data Security

  1. Understand Cloud Data Lifecycle
    • A.1. Phases
    • A.2. Relevant Data Security Technologies
  2. Design and Implement Cloud Data Storage Architectures
    • B.1. Storage Types
    • B.2. Threats to Storage Types
    • B.3. Technologies Available to Address Threats
  3. Design and Apply Data Security Strategies
    • C.1. Encryption
    • C.2. Key Management
    • C.3. Masking
    • C.4. Tokenization
    • C.5. Application of Technologies
    • C.6. Emerging Technologies
  4. Understand and Implement Data Discovery and Classification Technologies
    • D.1. Data Discovery
    • D.2. Classification
  5. Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
    • E.1. Data Privacy Acts
    • E.2. Implementation of Data Discovery
    • E.3. Classification of Discovered Sensitive Data
    • E.4. Mapping and Definition of Controls
    • E.5. Application of Defined Controls for PII
  6. Design and Implement Data Rights Management
    • F.1. Data Rights Objectives
    • F.2. Appropriate Tools
  7. Plan and Implement Data Retention, Deletion, and Archiving Policies
    • G.1. Data Retention Policies
    • G.2. Data Deletion Procedures and Mechanisms
    • G.3. Data Archiving Procedures and Mechanisms
  8. Design and Implement Auditability, Traceability and Accountability of Data Events
    • H.1. Definition of Event Sources and Identity Attribution Requirement
    • H.2. Data Event Logging
    • H.3. Storage and Analysis of Data Events
    • H.4. Continuous Optimizations
    • H.5. Chain of Custody and Non-repudiation

Domain 3: Cloud Platform and Infrastructure Security

  1. Comprehend Cloud Infrastructure Components
    • A.1. Physical Environment
    • A.2. Network and Communications
    • A.3. Compute
    • A.4. Virtualization
    • A.5. Storage
    • A.6. Management Plane
  2. Analyze Risks Associated to Cloud Infrastructure
    • B.1. Risk Assessment/Analysis
    • B.2. Cloud Attack Vectors
    • B.3. Virtualization Risks
    • B.4. Counter-Measure Strategies
  3. Design and Plan Security Controls
    • C.1. Physical and Environmental Protection
    • C.2. System and Communication Protection
    • C.3. Virtualization Systems Protection
    • C.4. Management of Identification, Authentication and Authorization in Cloud Infrastructure
    • C.5. Audit Mechanisms
  4. Plan Disaster Recovery and Business Continuity Management
    • D.1. Understanding of the Cloud Environment
    • D.2. Understanding of the Business Requirements
    • D.3. Understanding the Risks
    • D.4. Disaster Recovery/Business Continuity Strategy
    • D.5. Creation of the Plan
    • D.6. Implementation of the Plan

Domain 4: Cloud Application Security

  1. Recognize the Need for Training and Awareness in Application Security
    • A.1. Cloud Development Basics
    • A.2. Common Pitfalls
    • A.3. Common Vulnerabilities
  2. Understand Cloud Software Assurance and Validation
    • B.1. Cloud-based Functional Testing
    • B.2. Cloud Secure Development Lifecycle
    • B.3. Security Testing
  3. Use Verified Secure Software
    • C.1. Approved API
    • C.2. Supply-Chain Management
    • C.3. Community Knowledge
  4. Comprehend the System Development Lifecycle (SDLC) Process
    • D.1. Phases & Methodologies
    • D.2. Business Requirements
    • D.3. Software Configuration Management & Versioning
  5. Apply the Secure Software Development Lifecycle
    • E.1. Common Vulnerabilities
    • E.2. Cloud-Specific Risks
    • E.3. Quality of Service
    • E.4. Threat Modeling
  6. Comprehend the Specifics of Cloud Application Architecture
    • F.1. Supplemental Security Devices
    • F.2. Cryptography
    • F.3. Sandboxing
    • F.4. Application Virtualization
  7. Design Appropriate Identity and Access Management (IAM) Solutions
    • G.1. Federated Identity
    • G.2. Identity Providers
    • G.3. Single Sign-On
    • G.4. Multi-factor Authentication

Domain 5: Operations

  1. Support the Planning Process for the Data Center Design
    • A.1. Logical Design
    • A.2. Physical Design
    • A.3. Environmental Design
  2. Implement and Build Physical Infrastructure for Cloud Environment
    • B.1. Secure Configuration of Hardware-Specific Requirements
    • B.2. Installation and Configuration of Virtualization Management Tools for the Host
  3. Run Physical Infrastructure for Cloud Environment
    • C.1. Configuration of Access Control for Local Access
    • C.2. Securing Network Configuration
    • C.3. OS Hardening via Application of Baseline
    • C.4. Availability of Stand-Alone Hosts
    • C.5. Availability of Clustered Hosts
  4. Manage Physical Infrastructure for Cloud Environment
    • D.1. Configuring Access Controls for Remote Access
    • D.2. OS Baseline Compliance Monitoring and Remediation
    • D.3. Patch Management
    • D.4. Performance Monitoring
    • D.5. Hardware Monitoring
    • D.6. Backup and Restore of Host Configuration
    • D.7. Implementation of Network Security Controls
    • D.8. Log Capture and Analysis
    • D.9. Management Plane
  5. Build Logical Infrastructure for Cloud Environment
    • E.1. Secure Configuration of Virtual Hardware-Specific Requirements
    • E.2. Installation of Guest O/S Virtualization Toolsets
  6. Run Logical Infrastructure for Cloud Environment
    • F.1. Secure Network Configuration
    • F.2. OS Hardening via Application of a Baseline
    • F.3. Availability of Guest OS
  7. Manage Logical Infrastructure for Cloud Environment
    • G.1. Access Control for Remote Access
    • G.2. OS Baseline Compliance Monitoring and Remediation
    • G.3. Patch Management
    • G.4. Performance Monitoring
    • G.5. Backup and Restore of Guest OS Configuration
    • G.6. Implementation of Network Security Controls
    • G.7. Log Capture and Analysis
    • G.8. Management Plane
  8. Ensure Compliance with Regulations and Controls
    • H.1. Change Management
    • H.2. Continuity Management
    • H.3. Information Security Management
    • H.4. Continual Service Improvement Management
    • H.5. Incident Management
    • H.6. Problem Management
    • H.7. Release Management
    • H.8. Deployment Management
    • H.9. Configuration Management
    • H.10. Service Level Management
    • H.11. Availability Management
    • H.12. Capacity Management
  9. Conduct Risk Assessment to Logical and Physical Infrastructure
  10. Understand the Collection, Acquisition and Preservation of Digital Evidence
    • J.1. Proper Methodologies for Forensic Collection of Data
    • J.2. Evidence Management
  11. Manage Communication with Relevant Parties
    • K.1. Vendors
    • K.2. Customers
    • K.3. Partners
    • K.4. Regulators
    • K.5. Other Stakeholders

Domain 6: Legal and Compliance

  1. Understand Legal Requirements and Unique Risks within the Cloud Environment
    • A.1. International Legislation Conflicts
    • A.2. Appraisal of Legal Risks Specific to Cloud Computing
    • A.3. Legal Controls
    • A.4. eDiscovery
    • A.5. Forensics Requirements
  2. Understand Privacy Issues, Including Jurisdictional Variation
    • B.1. Difference between Contractual and Regulated PII
    • B.2. Country-Specific Legislation Related to PII/Data Privacy
    • B.3. Difference Among Confidentiality, Integrity, Availability, and Privacy
  3. Understand Audit Process, Methodologies, and Required Adaptions for a Cloud Environment
    • C.1. Internal and External Audit Controls
    • C.2. Impact of Requirements Programs by the Use of Cloud
    • C.3. Assurance Challenges of Virtualization and Cloud
    • C.4. Types of Audit Reports
    • C.5. Restrictions of Audit Scope Statements
    • C.6. Gap Analysis
    • C.7. Audit Plan
    • C.8. Standards Requirements
    • C.9. Internal Information Security Management System
    • C.10. Internal Information Security Controls System
    • C.11. Policies
    • C.12. Identification and Involvement of Relevant Stakeholders
    • C.13. Specialized Compliance Requirements for Highly Regulated Industries
    • C.14. Impact of Distributed IT Model
  4. Understand Implications of Cloud to Enterprise Risk Management
    • D.1. Assess Providers Risk Management
    • D.2. Difference between Data Owner/Controller vs. Data Custodian/Processor
    • D.3. Provision of Regulatory Transparency Requirements
    • D.4. Risk Mitigation
    • D.5. Different Risk Frameworks
    • D.6. Metrics for Risk Management
    • D.7. Assessment of Risk Environment
  5. Understand Outsourcing and Cloud Contract Design
    • E.1. Business Requirements
    • E.2. Vendor Management
    • E.3. Contract Management
  6. Execute Vendor Management
    • F.1. Supply-chain Management

Online Test Bank

To practice in an online testing version of the same questions, go to www.wiley.com/go/sybextestprep and register your book to get access to the Sybex Test Platform. Online you can mix questions from the domain chapters and practice exams, take timed tests, and have your answers graded.


Summary

As you go through the questions in this book, please remember the abbreviation RTFQ, which is short for “read the full question.” There is no better advice you can possibly receive than this. Read every word of every question. Read every possible answer before selecting the one you like. The exam is 125 questions over four hours. You have more than enough time to consider each question thoroughly. There is no cause for hurry. Make sure you understand what the question is asking before responding.

Good luck on the exam. We’re hoping this book helps you pass.

About the Author
  • Ben Malisow

    Ben Malisow, CCSP, CISSP, SSCP, CISM, Security+, has worked in INFOSEC and education for more than 20 years. He has taught computer classes to students from grade 6 through university level and crafted and delivered the CISSP prep course (among others) for Carnegie Mellon University's CERT/SEI. In addition, Malisow built and ran DARPA's internal INFOSEC training program, was the ISSM for the FBI's most-classified counterterror intelligence-sharing network, and was a security architect for TSA. He also teaches exam prep courses for (ISC)2. You can find more of his writings at his blog: securityzed.com.
