Adam Gordon - The Official (ISC)2 Guide to the CCSP CBK

EVERY DAY AROUND THE WORLD , organizations are taking steps to leverage cloud infrastructure, software, and services. This is a substantial undertaking that also heightens the complexity of protecting and securing data. As powerful as cloud computing is to organizations, its essential to have qualified people who understand information security risks and mitigation strategies for the cloud. As the largest not-for-profit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate information security competency in securing cloud services.

To help facilitate the knowledge you need to ensure strong information security in the cloud, Im pleased to present the Official (ISC)2 Guide to the CCSP CBK. Drawing from a comprehensive, up-to-date global body of knowledge, the CCSP CBK ensures that you have the right information security knowledge and skills to be successful and prepares you to achieve the Certified Cloud Security Professional (CCSP) credential.

(ISC)2 is proud to collaborate with the Cloud Security Alliance (CSA) to build a unique credential that reflects the most current and comprehensive best practices for securing and optimizing cloud computing environments. To attain CCSP certification, candidates must have a minimum of five years experience in IT, of which three years must be in information security and one year in cloud computing. All CCSP candidates must be able to demonstrate capabilities found in each of the six Common Body of Knowledge (CBK) domains:

• Architectural Concepts and Design Requirements
• Cloud Data Security
• Cloud Platform and Infrastructure Security
• Cloud Application Security
• Operations
• Legal and Compliance

The CCSP credential represents advanced knowledge and competency in cloud security design, implementation, architecture, operations, controls, and immediate and long-term responses.

Cloud computing has emerged as a critical area within IT that requires further security considerations. According to the 2015 (ISC)2 Global Information Security Workforce Study, cloud computing is identified as the top area for information security, with a growing demand for education and training within the next three years. In correlation to the demand for education and training, 73 percent of more than 13,000 survey respondents believe that cloud computing will require information security professionals to develop new skills.

If you are ready to take control of the cloud, The Official (ISC)2 Guide to the CCSP CBK prepares you to securely implement and manage cloud services within your organizations information technology (IT) strategy and governance requirements. CCSP credential holders will achieve the highest standard for cloud security expertisemanaging the power of cloud computing while keeping sensitive data secure.

The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CCSP with all the benefits of (ISC)2 membership, you would join a global network of more than 110,000 certified professionals who are working to inspire a safe and secure cyber world.

Qualified people are the key to cloud security. This is your opportunity to gain the knowledge and skills you need to protect and secure data in the cloud.

Regards,

David P. Shearer

CEO

(ISC)2

THERE ARE TWO MAIN requirements that must be met to achieve the status of Certified Cloud Security Professional (CCSP); one must take and pass the certification exam and be able to demonstrate a minimum of five years of cumulative paid full-time information technology experience, of which three years must be in information security and one year must be in one of the six domains of the CCSP examination. A firm understanding of what the six domains of the CCSP Common Body of Knowledge (CBK) are and how they relate to the landscape of business is a vital element in successfully being able to meet both requirements and claim the CCSP credential. The mapping of the six domains of the CCSP CBK to the job responsibilities of the information security professional in todays world can take many paths based on a variety of factors, such as industry vertical, regulatory oversight and compliance, geography, and public versus private versus military as the overarching framework for employment in the first place. In addition, considerations such as cultural practices and differences in language and meaning can play a substantive role in the interpretation of what aspects of the CBK will mean and how they will be implemented in any given workplace.

It is not the purpose of this book to attempt to address all these issues or provide a definitive prescription as to the path forward in all areas. Rather, it is to provide the official guide to the CCSP CBK and, in so doing, to lay out the information necessary to understand what the CBK is and how it is used to build the foundation for the CCSP and its role in business today. Being able to map the CCSP CBK to your knowledge, experience, and understanding is the way that you will be able to translate the CBK into actionable and tangible elements for both the business and its users that you represent.

1. The Architectural Concepts and Design Requirements domain focuses on the building blocks of cloud-based systems. The CCSP needs an understanding of cloud computing concepts such as definitions based on the ISO/IEC 17788 standard; roles like the cloud service customer, provider, and partner; characteristics such as multitenancy, measured services, and rapid elasticity and scalability; and building block technologies of the cloud such as virtualization, storage, and networking. The cloud reference architecture will need to be described and understood, focusing on areas such as cloud computing activities (as described in ISO/IEC 17789), clause 9, cloud service capabilities, categories, deployment models, and the cross-cutting aspects of cloud platform architecture and design, such as interoperability, portability, governance, service levels, and performance. In addition, the CCSP should have a clear understanding of the relevant security and design principles for cloud computing, such as cryptography, access control, virtualization security, functional security requirements like vendor lock-in and interoperability, what a secure data life cycle is for cloud-based data, and how to carry out a cost-benefit analysis of cloud-based systems. The ability to identify what a trusted cloud service is and what role certification against criteria plays in that identificationusing standards such as the Common Criteria and FIPS 140-2are further areas of focus for this domain.
2. The Cloud Data Security domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems (OSs), equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability. The CCSP needs to understand and implement data discovery and classification technologies pertinent to cloud platforms, as well as be able to design and implement relevant jurisdictional data protections for personally identifiable information (PII), such as data privacy acts and the ability to map and define controls within the cloud. Designing and implementing digital rights management (DRM) solutions with the appropriate tools and planning for the implementation of data retention, deletion, and archiving policies are activities that a CCSP will need to understand how to undertake.