CCSP international registered cloud security experts set up examination rooms in China

CCSP(Certified Cloud Security Professional) International registered cloud security expert
2022 year 8 month 1 The day begins , Set up an examination center in Beijing, Shanghai and Guangzhou in China , Friends who need exams don't need to go abroad for exams , Believe that with this message , There will be an upsurge of learning cloud security in China .

About CCSP authentication

CCSP, Cloud security expert certification , By (ISC)² To launch the , Designed to ensure that cloud security professionals in cloud security design 、 Realization 、 framework 、 operating 、 Knowledge required to control and comply with regulatory requirements 、 Skills and abilities .CCSP Certification applies information security expertise to cloud computing environments , It shows cloud security professionals in cloud security architecture 、 Design 、 Ability in operation and service arrangement . This professional ability is measured by a globally recognized knowledge system .

CCSP Public knowledge system

CCSP Public knowledge system of （CBK） The topics contained in ensure the relevance of all principles in the field of cloud security . The candidates who passed the certification showed their abilities in the following six knowledge areas ：

• Cloud concept 、 Architecture and Design

• Cloud data security

• Cloud platform and infrastructure security

• Cloud application security

• Cloud security operations

• law 、 Risk and compliance

Experience requirements

Applicants should have at least five years of accumulation IT Paid work experience in the industry , Among them, there must be three years of information security related experience and CCSP CBK One year experience in one or more of the six knowledge areas . Get the cloud security alliance CCSK Certificates can be substituted in CCSP CBK One year experience in one or more of the six knowledge areas . get (ISC)² Of CISSP certificate , Substitutable CCSP Work experience requirements for certification application . Not satisfied CCSP Candidates with required work experience , If you can pass CCSP Examinations can become (ISC)² Associate members of （ namely Associate）.(ISC)² Our associate members can use the following 6 Five years of work experience required . To learn more about CCSP Work experience requirements and how to calculate part-time work and internship experience , Please visit www.isc2.org/Certifications/CCSP/experience-requirements.

authentication

CCSP Certification meets ANSI/ISO/IEC 17024 The strict requirements of the standard .

Task analysis (JTA)

(ISC)² Has the obligation to maintain its membership CCSP Relevance of certification . Analyze work tasks regularly （JTA） It is a systematic and critical process , To determine to engage in CCSP Tasks performed by safety professionals in the defined professional field .JTA The results of the analysis will be used to update the exam . This process ensures that the test questions of candidates are closely related to the roles and responsibilities of information security professionals currently engaged in cloud technology .

CCSP Test information

The length of the exam : 4 Hours
Number of questions : 150 Examination form : Single choice question passing line : 1000 Score 700 branch
Test language ： English 、 chinese

CCSP Examination content

CCSP Examination scope

Certified cloud security expert (CCSP) The exam covers the following areas cloud concepts 、 Architecture and Design (17%) Cloud data security (20%) Cloud platform and infrastructure security (17%) Cloud application security (17%) Cloud security operations (16%) law 、 Risk and compliance (13%) For more information, please refer to 2022/8/1 CCSP Certification examination outline

field 1: Cloud concept 、 Architecture and Design

• Understand the concept of cloud computing cloud computing definition
  Cloud computing roles and responsibilities （ for example , Cloud service customers 、 Cloud service provider 、 Cloud service partners 、 Cloud service agent 、 Regulatory body ）
  Key features of Cloud Computing （ for example , Self service on demand 、 Extensive network access 、 multi-tenancy 、 Fast elasticity and scalability 、 Pooling resources 、 Measurable Services ）
  Building block technology （ for example , virtualization 、 Storage 、 Connected to the Internet 、 database 、 layout ）

• Describe the cloud computing reference architecture

• Understand the security concepts related to Cloud Computing

• Understand the design principles of secure Cloud Computing
  » Cloud security data lifecycle
  » Cloud based business Continuity (BC) And disaster recovery (DR) plan
  » Business impact analysis (BIA)（ for example , Cost benefit analysis 、 Return on investment (ROI)）» Functional safety requirements （ for example , Portability 、 Interoperability 、 Supplier lock up ）
  » Security considerations and responsibilities of different cloud categories （ for example , Software as a service (SaaS)、 Infrastructure as a service (IaaS)、 Platform as a service (PaaS)）
  » Cloud design patterns （ for example ,SANS Safety principles 、 Well structured framework 、 Cloud Security Alliance (CSA) The enterprise architecture ）
  » DevOps Security

• Evaluate cloud service providers
  » Verify according to the standard （ for example , International standards organization / International Electronic Technology Commission (ISO/IEC) 27017、 Payment card industry data security standards (PCI DSS)）
  » System / Subsystem product certification （ for example , General standards (CC)、 Federal Information Processing Standards (FIPS) 140-2）

field 2: Cloud data security

Describe cloud data concepts

» Cloud data lifecycle stage » Scattered data » Data flow

Design and implement cloud data storage architecture

» Storage type （ for example , long-term 、 temporary 、 Raw storage ）» Threats to storage types

Design and apply data security technologies and strategies

Realize data discovery

» Structured data » Unstructured data » Semi-structured data » Data location

Plan and implement data classification

Design and implement information authority management (IRM)

» The goal is （ for example , Data access 、 visit 、 Access model ）» Appropriate tools （ for example , Issue and revoke certificates ）» Encryption and key management » hash » Data confusion （ for example , shielding 、 Anonymity ）» Tokenization » Data loss protection (DLP)» secret key 、 Confidentiality and certificate management » Data classification strategy » Data mapping » Data tags

Plan and implement data retention 、 Delete and archive policies

» Data retention policy » Data deletion procedures and mechanisms » Data archiving procedures and mechanisms » Retained by law

Design and implement auditability of data events 、 Traceability and accountability

» Definition of event source and requirements of event attributes （ for example , identity 、 Internet Protocol (IP) Address 、 Location ）» Logging of data events 、 Storage and Analysis » Chain of custody and non repudiation
For more information, please refer to 2022/8/1 CCSP Certification examination outline

field 3： Cloud platform and infrastructure security

Understand cloud infrastructure and platform components

» Physical environment » Network and communication » Calculation » virtualization » Storage » Management plane

Design a secure data center

» logic design （ for example , Tenant partition 、 Access control ）
» physical design （ for example , Location 、 Buy or build ）
» environmental design （ for example , Heating 、 Ventilation and air conditioning (HVAC)、 Multi supplier channel connection ）
» Design flexibility

Analyze the risks associated with cloud infrastructure and platforms

» risk assessment （ for example , distinguish 、 analysis ）» Cloud vulnerabilities 、 Threats and attacks » Risk mitigation strategies

Plan and implement safety control

» Physical and environmental protection （ for example , Internal deployment ）» System 、 Storage and communication protection » Recognition in cloud environment 、 Certification and authorization » Audit mechanism （ for example , Log collection 、 relation 、 Packet capture ）

Plan business continuity (BC) And disaster recovery (DR)

» continuity of business (BC) / disaster recovery (DR) Strategy
» Business needs （ for example , Recovery time objectives (RTO)、 Recovery point objectives (RPO)、 Restore service levels ）
» Plan creation 、 Implementation and testing

field 4: Cloud application security

Advocate training and awareness of application security

» Cloud Development Foundation » Common pitfalls » Common cloud vulnerabilities （ for example , Open network application security project (OWASP) 10 Big risk 、SANS front 25 The most dangerous software error ）

Describe the safety software development lifecycle (SDLC) technological process

» Business needs » Stages and methods （ for example , Design 、 code 、 test 、 maintain 、 Waterfall and agility ）

Application security software development lifecycle (SDLC)

» Cloud specific risks » Threat modeling （ for example , cheating 、 Tampering 、 Deny 、 Information disclosure 、 Denial of service and privilege escalation (STRIDE); disaster 、 Reproducibility 、 Availability 、 Affected users and discoverability (DREAD); framework 、 threat 、 Attack surface and mitigation measures (ATASM); Attack simulation and threat analysis process (PASTA))» Avoid common vulnerabilities in the development process » Security code （ for example , to open up web Application safety project (OWASP) Apply safety inspection standards (ASVS)、 Excellent code software assurance Forum (SAFECode)）» Software configuration management and version control

Application cloud Software Assurance and verification

» Functional and non functional tests » Safety test method （ for example , Black box 、 White box 、 static state 、 dynamic 、 Software composition analysis (SCA)、 Interactive application security testing (IAST)）» QA (QA)» Abuse case testing

Use proven security software

» Protect the application programming interface (API)» Supply chain management （ for example , Supplier evaluation ）» Third party software management （ for example , The license ）» Proven open source software

Understand the details of Cloud Application Architecture

» Add safety components （ for example ,web Application firewall (WAF)、 Database activity monitoring (DAM)、 Extensible markup language (XML) A firewall 、 Application programming interface (API) gateway ）» cryptography » Sandbox » Application virtualization and orchestration （ for example , Microservices 、 Containers ）

Design appropriate identity and access management (IAM) Solution

» United identity » Identity providers (IdP)» Single sign on (SSO)» Multi factor validation (MFA)» Cloud access security agent (CASB)» secret key / Credential management

Cloud security operations

Build and implement physical and logical infrastructure for cloud environments

» Hardware specific security configuration requirements （ for example , Hardware security module (HSM) And trusted platform module (TPM)）» Installation and configuration of management tools » Virtual hardware specific security configuration requirements （ for example , The Internet 、 Storage 、 Memory 、 a central processor (CPU)、Hypervisor type 1 and 2）» Install the guest operating system (OS) Virtualization toolset

Run and maintain the physical and logical infrastructure of the cloud environment

» Access control for local and remote access （ for example , Remote Desktop Protocol (RDP)、 Secure terminal access 、 Safety enclosure (SSH)、 Console based access mechanism 、 Springboard machine 、 Virtual client ）» Secure network configuration （ for example , fictitious LAN (VLAN)、 Transport layer security (TLS)、 Dynamic Host Configuration Protocol (DHCP)、 Domain name system security extension (DNSSEC)、 Virtual private network (VPN)）» Network security control （ For example, firewall 、 intrusion detection system (IDS)、 Intrusion prevention system (IPS)、 Honeypot 、 Vulnerability assessment 、 Network security group 、 Fortress host ）» By applying baselines 、 Monitor and repair to strengthen the operating system (OS)（ for example Windows、Linux、VMware）» Patch management » Infrastructure is code (IaC) Strategy » Availability of cluster hosts （ Such as distributed resource scheduling 、 Dynamic optimization 、 Storage cluster 、 Maintenance mode 、 High availability （HA）» Customer operating system (OS) The usability of » Performance and capacity monitoring （ for example , The Internet 、 Calculation 、 Storage 、 response time ）» Hardware monitoring （ for example , disk 、 a central processor (CPU)、 Fan speed 、 temperature ）» Host and guest operating systems (OS) Configuration of backup and recovery functions
» Management plane （ for example , Dispatch 、 layout 、 maintain

Implement operational controls and Standards （ for example , IT Infrastructure Library (ITIL)、 International standards organization / International Electronic Technology Commission

(ISO/IEC) 20000-1）» Change management » Continuity Management » Information security management » Continuous service improves management » Accident management » Problem management

Manage communication with interested parties

» supplier » Customer » partners » Regulatory body » Other stakeholders

Support digital forensics

» Evidence collection methods » Evidence management » collect 、 Obtain and preserve digital evidence

Manage safe operations

» Security operations center (SOC)» Intelligent monitoring of safety control （ for example , A firewall 、 intrusion detection system (IDS)、 Intrusion prevention system (IPS)、 Honeypot 、 Network security group 、 Artificial intelligence (AI)）» Log capture and analysis （ for example , Security information and incident management (SIEM)、 Log management ）» Accident management » Vulnerability assessment

field 6： law 、 Risk and compliance

Clarify the legal requirements and unique risks in the cloud environment

» International conflict of laws » Legal risk assessment unique to Cloud Computing » Legal framework and guidelines » eDiscovery（ for example , International standards organization / International Electronic Technology Commission (ISO/IEC) 27050、 Cloud Security Alliance (CSA) guide ）» Evidence collection requirements

Understand the audit process of cloud environment 、 Methods and necessary adjustments

» Internal and external audit controls » Impact of audit requirements » Identify virtualization and cloud assurance challenges » Type of audit report （ for example , Statement on certification business standards (SSAE)、 Service organization control (SOC)、 International Assurance Standards (ISAE)）» Limitation of audit scope statement （ for example , Statement on certification business standards (SSAE)、 International Assurance Standards (ISAE)）» Gap analysis （ for example , Control analysis 、 The baseline ）» Audit plan » Internal information security management system » Internal information security control system » Strategy （ for example , organization 、 function 、 Cloud computing ）» Identification and participation of relevant stakeholders » Special compliance requirements of the strictly regulated industry （ for example , North American power reliability company / Protection of critical infrastructure (NERC / CIP)、 Health insurance convenience and Liability Act (HIPAA)、 Economics and clinical healthcare information technology (HITECH) bill 、 Payment card industry (PCI))» Distributed information technology (IT) The impact of the model （ for example , Different geographical locations and across legal jurisdictions ）

Understand outsourcing and cloud contract design

» Business requirements （ for example , Service level agreement (SLA)、 Master service agreement (MSA)、 Work statement (SOW)）» Supplier management （ for example , Supplier evaluation 、 Supplier lock-in risk 、 Supplier viability 、 trusteeship ）» Contract management （ for example , Audit power 、 indicators 、 Definition 、 End 、 litigation 、 Guarantee 、 compliance 、 Visit the cloud / data 、 Network risk insurance ）» Supply chain management （ for example , International standards organization / International Electronic Technology Commission (ISO/IEC) 27036） For more information, please refer to 2022/8/1 CCSP Certification examination outline