Instructor Materials

CCSP Study Guide

Syllabus

Session 1

This session focuses on the concepts in the first half of Chapter 1 of the CCSP Study Guide:

  • Chapter 1: Architectural Concepts
    • Introduction: The CCSP is not an introductory certificate; it is for experienced practitioners.
      • Basic understanding of IT and security concepts is expected and assumed.
    • Understand Cloud Computing Concepts
      • Definitions (e.g., NIST)
        • Broad network access
        • On-demand services
        • Resource pooling
        • Metered service
    • Business Requirements
      • Tradeoff between security and operations
      • Functional vs. non-functional requirements
      • Gathering requirements
        • Interviewing functional managers
        • Interviewing users
        • Interviewing senior management
        • Customer response surveys
        • Network traffic collection
        • Asset inventory
        • Financial record collection
        • Insurance record collection
        • Marketing data collection
        • Regulatory mandates collection
      • Analyze requirements (the Business Impact Analysis (BIA))
        • Tangible and intangible assets
        • Processes
        • People

Session 2

This session focuses on the concepts in the second half of Chapter 1 of the CCSP Study Guide:

  • Chapter 1: Architectural Concepts (continued)
    • Considering cloud migration
      • Quantifying costs/benefits
        • Reduction in capital expenditures
        • Reduction in personnel costs
        • Reduction in operational costs
        • Transferring some regulatory costs
          • Introduce concepts: PII and SLA
        • Reduction in costs for data archival/backups
      • Intended impact
    • Vernacular
      • Elasticity
      • Scalability
      • Simplicity
      • Explaining: the difference between a “cloud customer” and a “cloud user”
    • Cloud computing service models
      • IaaS
      • PaaS
      • SaaS
    • Cloud deployment models
      • Public
      • Private
      • Community
      • Hybrid
    • Cloud computing roles and responsibilities
      • Cloud service provider
      • Cloud customer
      • Cloud access security broker
      • Regulators
    • Cloud computing definitions (review list in text)
    • Foundational concepts for cloud computing
      • Data sensitivity
      • Virtualization
      • Encryption
      • Auditing and compliance
      • Cloud service provider contracts

Session 3

This session focuses on the concepts in the first half of Chapter 2 of the CCSP Study Guide:

  • Chapter 2: Design Requirements
    • Inventory of all assets
    • Valuation of assets
    • Determination of criticality
    • Risk appetite
    • Risk management
      • Avoidance
      • Transfer
      • Mitigation
      • Residual risk
      • Acceptance
    • Health and human safety risks
    • Boundaries of cloud models
      • IaaS boundaries
      • PaaS boundaries
      • SaaS boundaries

Session 4

This session focuses on the concepts in the second half of Chapter 2 of the CCSP Study Guide:

  • Chapter 2: Design Requirements (continued)
    • Design principles for securing sensitive data
      • Hardening devices
        • All guest accounts are removed
        • All unused ports are closed
        • No default passwords remain
        • Strong password policies are in effect
        • Any admin accounts are significantly secured and logged
        • All unnecessary services are disabled
        • Physical access is severely limited and controlled
        • Systems are patched, maintained, and updated according to vendor guidance and industry best practices
      • Harden BYOD endpoints
        • Be protected with some form of antimalware/security software
        • Have remote wipe/remote lock capability in the event of loss/theft, with the user granting written permission to the organization to wipe/lock via a signed Authorized Use Policy
        • Utilize some form of local encryption
        • Be secured with strong access controls (a password, or perhaps a biometric, etc.) in a multifactor configuration
        • Have and properly employ VPN solutions for cloud access
        • Have some sort of data loss/leak prevention/protection (DLP) solution installed
      • Encryption
        • In the cloud data center, for
          • long-term storage/archiving
          • protecting near-term stored files, such as snapshots of virtualized instances
          • preventing unauthorized access to specific datasets by authorized personnel (for instance, securing fields in databases such that database admins can manage software but not modify/view content)
        • In communications between cloud providers and users, for
          • creating secure sessions
          • ensuring the integrity and confidentiality of data in transit
        • Homomorphic encryption
      • Layered defense

Session 5

This session focuses on the concepts in the first half of Chapter 3 of the CCSP Study Guide:

  • Chapter 3: Data Classification
    • Data inventory and discovery
    • Data ownership
    • The data lifecycle
    • Data categorization
    • Data classification
    • Data labeling
    • Data analytics
    • Introduction to jurisdictional requirements
      • United States
      • European Union
      • South/Central America
      • Australia/New Zealand

Session 6

This session focuses on the concepts in the second half of Chapter 3 of the CCSP Study Guide:

  • Chapter 3: Data Classification (continued)
    • Data rights management (DRM)
      • Intellectual property protections
        • Copyright
        • The DMCA
        • Trademarks
        • Patents
        • Trade secrets
      • DRM tool traits
    • Data control
      • Data retention
      • Data audit
      • Data destruction/disposal

Session 7

This session focuses on the concepts in the first half of Chapter 4 of the CCSP Study Guide:

  • Chapter 4: Cloud Data Security
    • Cloud data lifecycle
      • Create
      • Store
      • Use
      • Share
      • Archive
      • Destroy
    • Cloud data storage architectures
      • Volume storage
      • Object storage
      • Databases
      • Content-delivery networking (CDN)

Session 8

This session focuses on the concepts in the second half of Chapter 4 of the CCSP Study Guide:

  • Chapter 4: Cloud Data Security (continued)
    • Cloud data security foundational strategies
      • Encryption
        • Key management
      • Masking, obfuscation, anonymization, tokenization
      • SIEM/SEM/SIM
      • Egress monitoring (DLP)

Session 9

This session focuses on the concepts in the first half of Chapter 5 of the CCSP Study Guide:

  • Chapter 5: Security in the Cloud
    • Shared risks and ultimate liability
    • Risks by cloud platform
      • Private cloud
      • Community cloud
      • Public cloud
      • Hybrid cloud
    • Risks by cloud service model
      • IaaS
      • PaaS
      • SaaS

Session 10

This session focuses on the concepts in the second half of Chapter 5 of the CCSP Study Guide:

  • Chapter 5: Security in the Cloud (continued)
    • Threats by cloud model
      • Public/Private/Community/Hybrid
    • Applying countermeasures to specific threats
    • Business continuity/disaster recovery (BC/DR)
      • Business impact analysis (BIA) in the cloud
      • Shared BC/DR responsibilities (customer/provider)

Session 11

This session focuses on the concepts in the first half of Chapter 6 of the CCSP Study Guide:

  • Chapter 6: Responsibilities in the Cloud
    • Build/buy decisions for the data center
    • Provider responsibilities
      • Physical plant
      • Logical framework
      • Networking
    • Mapping and selecting controls

Session 12

This session focuses on the concepts in the second half of Chapter 6 of the CCSP Study Guide:

  • Chapter 6: Responsibilities in the Cloud (cont.)
    • Shared responsibilities by cloud model (IaaS, PaaS, SaaS)
    • Shared administration responsibilities (OS, applications, middleware)
      • OS baseline configuration and management
    • Shared responsibilities: data access
    • Customer challenges due to lack of physical access
      • audit
        • SOC reports
      • policy/governance
      • monitoring/testing

Session 13

This session focuses on the concepts in the first half of Chapter 7 of the CCSP Study Guide:

  • Chapter 7: Cloud Application Security
    • Awareness of cloud migration concerns
      • Common application migration pitfalls
    • Cloud secure software development lifecycle
      • ISO 27034: ONF vs. ANF
    • Identity and access management (IAM)
      • Identity repositories and directory services
      • Single sign-on (SSO)
      • Federation

Session 14

This session focuses on the concepts in the second half of Chapter 7 of the CCSP Study Guide:

  • Chapter 7: Cloud Application Security (cont.)
    • Multifactor authentication
    • Supplemental security devices
    • APIs
    • Tenancy separation
    • Cryptography
    • Sandboxing
    • Application virtualization
    • Threat modeling
      • STRIDE
      • OWASP Top Ten
    • Software security testing
      • SAST vs. DAST

Session 15

This session focuses on the concepts in the first half of Chapter 8 of the CCSP Study Guide:

  • Chapter 8: Operations Elements
    • Uptime/availability
    • Facilities and redundancy
      • power
      • communications
      • personnel
      • security
    • Uptime Institute Tier rating system

Session 16

This session focuses on the concepts in the second half of Chapter 8 of the CCSP Study Guide:

  • Chapter 8: Operations Elements (cont.)
    • Virtualization operations
      • personnel isolation
      • hypervisor hardening
      • instance isolation
      • host isolation
    • Storage operations
      • coupled/decoupled
      • volume vs. object storage
      • resiliency (RAID and data dispersion)
      • SAN vs. NAS
    • Physical/logical isolation of operations
      • secure KVM
    • Security training and awareness

Session 17

This session focuses on the concepts in the first half of Chapter 9 of the CCSP Study Guide:

  • Chapter 9: Operations Management
    • Monitoring
    • Capacity
    • Maintenance

Session 18

This session focuses on the concepts in the second half of Chapter 9 of the CCSP Study Guide:

  • Chapter 9: Operations Management (cont.)
    • Configuration/change management (CM)
      • baselines
      • deviations/exceptions
      • roles/process
    • BC/DR
      • roles
      • the BC/DR kit
      • relocation
      • power
      • testing

Session 19

This session focuses on the concepts in the first half of Chapter 10 of the CCSP Study Guide:

  • Chapter 10: Legal and Compliance Part 1
    • Legal concepts
      • criminal law
      • civil law
      • administrative law
      • intellectual property

Session 20

This session focuses on the concepts in the second half of Chapter 10 of the CCSP Study Guide:

  • Chapter 10: Legal and Compliance Part 1 (cont.)
    • US laws
    • International law
    • Laws, regulations, and standards
    • eDiscovery
    • Chain of custody
    • Forensics

Session 21

This session focuses on the concepts in Chapter 11 of the CCSP Study Guide:

  • Chapter 11: Legal and Compliance Part 2
    • The impact of multiple jurisdictions on cloud operations
    • Risk management frameworks
    • Contracts and Service-level agreements (SLAs)
    • Cloud certification (CSA STAR)
    • Supply chain risk and management

Ancillaries to accompany CCSP: Cloud Certified Security Professional Study Guide © Wiley Inc. 2017. All Rights Reserved.