Contents

Section | Page | Length (pages)
Introduction | xiv |
Acknowledgments | xv |
Chapter 1 How to Obtain the CCSP and Introduction to Security | 1 | 16
 | 1 | 1
 | 2 | 1
 | 2 | 8
Domain 1 Cloud Concepts, Architecture, and Design | 3 | 1
Domain 2 Cloud Data Security | 4 | 2
Domain 3 Cloud Platform and Infrastructure Security | 6 | 1
Domain 4 Cloud Application Security | 7 | 1
Domain 5 Cloud Security Operations | 8 | 1
Domain 6 Legal, Risk, and Compliance | 9 | 1
Introduction to IT Security | 10 | 6
 | 10 | 5
 | 15 | 1
Business Continuity and Disaster Recovery | 16 | 1
 | 16 | 1
Chapter 2 Cloud Concepts, Architecture, and Design | 17 | 64
 | 18 | 5
Cloud Computing Definitions | 18 | 1
 | 19 | 1
Key Cloud Computing Characteristics | 20 | 3
Building-Block Technologies | 23 | 1
Cloud Reference Architecture | 23 | 1
Cloud Computing Activities | 23 | 17
Cloud Service Capabilities | 24 | 1
 | 24 | 5
 | 29 | 3
Cloud Shared Considerations | 32 | 4
Impact of Related Technologies | 36 | 4
Security Concepts Relevant to Cloud Computing | 40 | 18
 | 40 | 3
 | 43 | 3
Data and Media Sanitation | 46 | 1
 | 47 | 1
 | 48 | 1
 | 49 | 4
Security Considerations for the Different Cloud Categories | 53 | 5
Design Principles of Secure Cloud Computing | 58 | 4
Cloud Secure Data Lifecycle | 58 | 1
Cloud-Based Business Continuity/Disaster Recovery Planning | 59 | 1
 | 60 | 2
Identify Trusted Cloud Services | 62 | 5
Certification Against Criteria | 62 | 1
System/Subsystem Product Certifications | 62 | 5
Cloud Architecture Models | 67 | 2
Sherwood Applied Business Security Architecture (SABSA) | 68 | 1
IT Infrastructure Library (ITIL) | 68 | 1
The Open Group Architecture Framework (TOGAF) | 68 | 1
NIST Cloud Technology Roadmap | 69 | 1
 | 69 | 1
 | 69 | 12
 | 70 | 3
 | 73 | 8
Chapter 3 Cloud Data Security | 81 | 48
Describe Cloud Data Concepts | 81 | 3
Cloud Data Lifecycle Phases | 81 | 3
 | 84 | 1
Design and Implement Cloud Data Storage Architectures | 84 | 3
 | 84 | 2
 | 86 | 1
Design and Apply Data Security Strategies | 87 | 9
 | 87 | 2
 | 89 | 1
 | 89 | 2
 | 91 | 1
 | 91 | 2
 | 93 | 1
Application of Technologies | 94 | 1
 | 95 | 1
 | 96 | 1
 | 97 | 1
 | 97 | 1
Implement Data Classification | 97 | 3
 | 98 | 1
 | 99 | 1
 | 99 | 1
Relevant Jurisdictional Data Protections for Personally Identifiable Information | 100 | 4
 | 100 | 1
Privacy Roles and Responsibilities | 101 | 1
Implementation of Data Discovery | 102 | 1
Classification of Discovered Sensitive Data | 102 | 1
Mapping and Definition of Controls | 103 | 1
Application of Defined Controls | 103 | 1
 | 104 | 2
 | 104 | 1
 | 105 | 1
Data Retention, Deletion, and Archiving Policies | 106 | 4
 | 106 | 1
 | 107 | 1
 | 107 | 2
 | 109 | 1
Auditability, Traceability, and Accountability of Data Events | 110 | 9
Definition of Event Sources | 110 | 2
Identity Attribution Requirements | 112 | 2
 | 114 | 1
Storage and Analysis of Data Events | 115 | 2
 | 117 | 1
Chain of Custody and Nonrepudiation | 118 | 1
 | 119 | 1
 | 119 | 10
 | 120 | 2
 | 122 | 7
Chapter 4 Cloud Platform and Infrastructure Security | 129 | 36
Comprehend Cloud Infrastructure Components | 129 | 7
 | 129 | 2
Network and Communications | 131 | 1
 | 132 | 1
 | 133 | 1
 | 134 | 1
 | 135 | 1
Analyze Risks Associated with Cloud Infrastructure | 136 | 3
Risk Assessment and Analysis | 136 | 1
 | 137 | 2
Countermeasure Strategies | 139 | 1
Design and Plan Security Controls | 139 | 8
Physical and Environmental Protection | 139 | 1
System and Communication Protection | 140 | 1
Virtualization Systems Protection | 141 | 1
Identification, Authentication, and Authorization in a Cloud Infrastructure | 142 | 3
 | 145 | 2
Disaster Recovery and Business Continuity Management Planning | 147 | 8
Understanding the Cloud Environment | 147 | 1
Understanding Business Requirements | 148 | 1
 | 149 | 2
Disaster Recovery/Business Continuity Strategy | 151 | 4
 | 155 | 1
 | 155 | 10
 | 155 | 3
 | 158 | 7
Chapter 5 Cloud Application Security | 165 | 34
Advocate Training and Awareness for Application Security | 165 | 3
 | 166 | 1
 | 166 | 2
Describe the Secure Software Development Lifecycle (SDLC) Process | 168 | 2
 | 168 | 1
 | 168 | 2
Apply the Secure Software Development Lifecycle | 170 | 10
Avoid Common Vulnerabilities During Development | 171 | 3
 | 174 | 2
 | 176 | 1
 | 176 | 3
Software Configuration Management and Versioning | 179 | 1
Cloud Software Assurance and Validation | 180 | 2
Cloud-Based Functional Testing | 180 | 1
Cloud Secure Development Lifecycle (CSDLC) | 180 | 1
 | 181 | 1
 | 182 | 1
 | 182 | 1
 | 182 | 1
 | 183 | 1
Cloud Application Architecture | 183 | 4
Supplemental Security Devices | 184 | 1
 | 185 | 1
 | 186 | 1
Application Visualization | 186 | 1
Identity and Access Management (IAM) Solutions | 187 | 4
 | 188 | 1
 | 189 | 1
 | 190 | 1
Multifactor Authentication | 190 | 1
 | 191 | 1
 | 191 | 8
 | 192 | 2
 | 194 | 5
Chapter 6 Cloud Security Operations | 199 | 52
Support the Planning Process for the Data Center Design | 199 | 7
 | 200 | 1
 | 201 | 4
 | 205 | 1
Implement and Build the Physical Infrastructure for the Cloud Environment | 206 | 6
Secure Configuration of Hardware-Specific Requirements | 206 | 4
Installation and Configuration of Virtualization Management Tools | 210 | 1
Virtual Hardware Specific Security Configuration Requirements | 211 | 1
Installation of Guest Operating System Virtualization Toolsets | 212 | 1
Operate the Physical and Logical Infrastructure for the Cloud Environment | 212 | 9
Configuration of Access Control for Local and Remote Access | 213 | 1
Secure Network Configuration | 214 | 4
OS Hardening via Application of Baselines | 218 | 1
Availability of Standalone Hosts | 219 | 1
Availability of Clustered Hosts | 219 | 2
Availability of the Guest Operating System | 221 | 1
Manage the Physical and Logical Infrastructure for Cloud Environment | 221 | 11
Access Controls for Remote Access | 221 | 1
OS Baseline Compliance Monitoring and Remediation | 222 | 1
 | 223 | 2
 | 225 | 1
 | 226 | 1
Backup and Restore Functions | 226 | 1
Network Security Controls | 227 | 4
 | 231 | 1
Implement Operational Controls and Standards | 232 | 6
 | 233 | 1
 | 234 | 1
Information Security Management | 235 | 1
Continual Service Improvement Management | 235 | 1
 | 235 | 1
 | 236 | 1
Release and Deployment Management | 237 | 1
 | 237 | 1
 | 237 | 1
 | 238 | 1
 | 238 | 1
Support Digital Forensics | 238 | 2
Proper Methodologies for the Forensic Collection of Data | 238 | 2
 | 240 | 1
Manage Communication with Relevant Parties | 240 | 2
 | 240 | 1
 | 241 | 1
 | 241 | 1
 | 241 | 1
 | 242 | 1
Manage Security Operations | 242 | 2
Security Operations Center | 242 | 1
Monitoring of Security Controls | 242 | 1
 | 242 | 2
 | 244 | 1
 | 244 | 7
 | 245 | 2
 | 247 | 4
Chapter 7 Legal, Risk, and Compliance | 251 | 39
Articulate Legal Requirements and Unique Risks Within the Cloud Environment | 251 | 7
Conflicting International Legislation | 251 | 1
Evaluation of Legal Risks Specific to Cloud Computing | 252 | 1
Legal Framework and Guidelines | 253 | 1
 | 253 | 4
 | 257 | 1
Understand Privacy Issues | 258 | 8
Difference Between Contractual and Regulated Personally Identifiable Information (PII) | 258 | 1
Country-Specific Legislation Related to PII and Data Privacy | 259 | 2
Differences Among Confidentiality, Integrity, Availability, and Privacy | 261 | 3
Standard Privacy Requirements | 264 | 2
Understand Audit Processes, Methodologies, and Required Adaptations for a Cloud Environment | 266 | 17
Internal and External Audit Controls | 266 | 1
Impact of Audit Requirements | 266 | 1
Identify Assurance Challenges of Virtualization and Cloud | 267 | 1
 | 267 | 4
Restrictions of Audit Scope Statements | 271 | 2
 | 273 | 1
 | 273 | 5
Internal Information Security Management System (ISMS) | 278 | 1
Internal Information Security Controls System | 279 | 1
 | 280 | 1
Identification and Involvement of Relevant Stakeholders | 280 | 1
Specialized Compliance Requirements for Highly Regulated Industries | 281 | 1
Impact of Distributed IT Model | 281 | 2
Understand Implications of Cloud to Enterprise Risk Management | 283 | 1
Assess Provider's Risk Management | 283 | 1
Difference Between Data Owner/Controller vs. Data Custodian/Processor | 283 | 1
 | 284 | 4
Different Risk Frameworks | 288 | 1
Metrics for Risk Management | 289 | 1
Assessment of the Risk Environment | 289 | 1
Understand Outsourcing and Cloud Contract Design | 290 | 5
 | 290 | 1
 | 291 | 2
 | 293 | 2
Executive Vendor Management | 295 | 1
 | 295 | 1
 | 295 | 1
 | 296 | 7
 | 296 | 2
 | 298 | 5
Appendix A Exam Review Questions | 303 | 92
 | 303 | 19
 | 322 | 1
Questions and Comprehensive Answer Explanations | 323 | 72
Appendix B About the Online Content | 395 | 4
 | 395 | 1
Your Total Seminars Training Hub Account | 395 | 1
 | 395 | 1
Single User License Terms and Conditions | 395 | 2
 | 397 | 1
 | 397 | 2
Glossary | 399 | 14
Index | 413 |