CCSP Syllabus and Outline FINAL

Course Syllabus

Certified Cloud Security Professional (CCSP)

Instructor Name: Graham Wicas Course Creation Date: 4/30/2021

Instructor Contact: Graham Wicas

Course Description and Goals

Course Description: This course will cover the material for the (ISC)² Certified Cloud Security
Professional (CCSP) certification. The CCSP is a vendor-neutral certification focused on cloud
security. The exam consists of 125 multiple-choice questions administered over four hours. The
certification covers material from six domains:
● Domain 1 – Cloud Concepts, Architecture, and Design
● Domain 2 – Cloud Data Security
● Domain 3 – Cloud Platform and Infrastructure Security
● Domain 4 – Cloud Application Security
● Domain 5 – Cloud Security Operations
● Domain 6 – Legal, Risk, and Compliance

In addition to covering the material necessary to take the certification exam, each topic will be
supplemented with real world examples to enable students to apply the certification topics
professionally. The certification covers the fundamental deployment models, cloud offerings,
important cloud technologies, cloud security architecture, cloud infrastructure security, cloud
application security, cloud operations, and legal/compliance risks associated with cloud
computing.

Target audience: This course is intended for: information security professionals with cloud
computing experience who are looking for a holistic view of the threats, vulnerabilities, and risks
associated with cloud computing; IT professionals with cloud experience who want a better
understanding of securing and protecting information in the cloud; and cybersecurity leaders looking
to better understand the security, operational, and legal risks associated with cloud deployment
models.

Prerequisites: A fundamental understanding of computer networks is required. A strong
understanding of core security concepts is needed. In order to hold the CCSP after passing the
exam, (ISC)² requires a minimum of five years of IT experience, with three years of information
security experience, and at least one year of experience in one of the six cloud security
domains.

Brought to you by:

Develop your team with the fastest growing catalog in the cybersecurity industry. Enterprise-grade workforce development management, advanced training features and detailed skill gap and competency analytics.

Supplementary Materials:
NIST definition of cloud computing (NIST SP 800-145)
CSA Security Guidance v4.0
OWASP top 10
ENISA Cloud Computing Information Assurance Framework
The Treacherous 12
NIST risk management

Course Goals: By the end of this course, students should be able to:

❏ Understand the foundational cloud technologies, service models, and deployment
models.
❏ Demonstrate knowledge of the risks and responsibilities associated with protecting data in
the cloud.
❏ Demonstrate knowledge of the threats, vulnerabilities, and risks associated with securing
cloud infrastructure.
❏ Demonstrate knowledge of the threats, vulnerabilities, and risks associated with cloud-
based applications.
❏ Demonstrate knowledge of the legal and compliance risks that come with cloud
computing.


Course Outline

Module 1 | Cloud Concepts, Architecture, and Design


Lesson 1.1: Intro to CCSP
Lesson 1.2: Domain 1: Cloud Concepts, Architecture, and Design
Lesson 1.3: What is Cloud Computing and What Are Its Key Characteristics?
Lesson 1.4: What Are the Different Roles in Cloud Computing?
Lesson 1.5: Cloud Security Concepts
Lesson 1.6: What Are the Cloud Service Models?
Lesson 1.7: Infrastructure as a Service (IaaS)
Lesson 1.8: Infrastructure as a Service (IaaS) Risks
Lesson 1.9: Platform as a Service (PaaS)
Lesson 1.10: Platform as a Service (PaaS) Risks
Lesson 1.11: Software as a Service (SaaS)
Lesson 1.12: Software as a Service (SaaS) Risks
Lesson 1.13: Virtualization Risks
Lesson 1.14: Cloud Deployment Models
Lesson 1.15: Public Cloud Deployments
Lesson 1.16: Public Cloud Deployments Risks
Lesson 1.17: Vendor Lock-in
Lesson 1.18: Vendor Lock-out
Lesson 1.19: Multi-tenant Environment Risks
Lesson 1.20: Private Cloud Deployments
Lesson 1.21: Private Cloud Deployments Risks
Lesson 1.22: Community Cloud Deployments
Lesson 1.23: Community Cloud Deployments Risks
Lesson 1.24: Cloud Security Process
Lesson 1.25: Security Responsibility by Service Model
Lesson 1.26: Defense in Depth
Lesson 1.27: Cloud Security Frameworks and Standards
Lesson 1.28: Cost Benefit Analysis
Lesson 1.29: Developing Business Requirements
Lesson 1.30: Business Impact Analysis
Lesson 1.31: Developing Security Requirements
Lesson 1.32: Domain 1 Summary


Module 2 | Cloud Data Security


Lesson 2.1: Domain 2: Cloud Data Security & Data Classification
Lesson 2.2: Data Classification
Lesson 2.3: Data Roles
Lesson 2.4: Cloud Data Lifecycle
Lesson 2.5: Data Discovery
Lesson 2.6: Cloud Data Security Strategy
Lesson 2.7: Encrypting Data
Lesson 2.8: Encryption Types
Lesson 2.9: Encryption and Key Management
Lesson 2.10: Federal Information Processing Standard (FIPS PUB 140-2)
Lesson 2.11: Hardening Devices
Lesson 2.12: Jurisdiction Requirements
Lesson 2.13: Protecting Data in Transit
Lesson 2.14: Data Storage Architecture
Lesson 2.15: Data Retention Policy
Lesson 2.16: Data Destruction Methods
Lesson 2.17: Auditing
Lesson 2.18: Data Audit Policy
Lesson 2.19: Data Privacy
Lesson 2.20: Privacy Safeguards
Lesson 2.21: Data Obfuscation
Lesson 2.22: Data Masking
Lesson 2.23: Tokenization
Lesson 2.24: Information Rights Management (IRM)
Lesson 2.25: Information Rights Implementation
Lesson 2.26: Information Rights Challenges
Lesson 2.27: Intellectual Property (US)
Lesson 2.28: Data Egress
Lesson 2.29: Domain 2 Summary

Module 3 | Cloud Platform and Infrastructure Security


Lesson 3.1: Domain 3: Cloud Platform and Infrastructure Security
Lesson 3.2: Cloud Infrastructure Components
Lesson 3.3: The Management Plane
Lesson 3.4: Administering Middleware
Lesson 3.5: Virtualization
Lesson 3.6: Data Access


Lesson 3.7: Secure Networking
Lesson 3.8: Network Security
Lesson 3.9: Security Information and Event Management (SIEM)
Lesson 3.10: Cloud Provider Responsibility for Physical Plant
Lesson 3.11: Power Redundancy
Lesson 3.12: Other Redundancy and Safety Considerations
Lesson 3.13: Data Center Tiers
Lesson 3.14: Cloud Threats Part 1
Lesson 3.15: Cloud Threats Part 2
Lesson 3.16: Protecting against Cloud Threats Part 1
Lesson 3.17: Protecting against Cloud Threats Part 2
Lesson 3.18: Shared Responsibility for Cloud Platform Oversight
Lesson 3.19: Cloud-based Business Continuity and Disaster Recovery
Lesson 3.20: Disaster Declaration
Lesson 3.21: Disaster Recovery Criteria
Lesson 3.22: Disaster Recovery Testing
Lesson 3.23: Domain 3 Summary

Module 4 | Cloud Application Security


Lesson 4.1: Domain 4: Cloud Application Security
Lesson 4.2: Challenges of Cloud Application Deployment
Lesson 4.3: Training and Awareness
Lesson 4.4: Cloud Software Development Lifecycle (SDLC)
Lesson 4.5: Secure Software Development Lifecycle (SSDLC)
Lesson 4.6: Application Security Standards: ISO/IEC 27034-1
Lesson 4.7: Identity and Access Management (IAM)
Lesson 4.8: Multi Factor Authentication (MFA)
Lesson 4.9: Single Sign-on and Federated Identity Management
Lesson 4.10: Federation Standards
Lesson 4.11: Application Programming Interfaces (APIs)
Lesson 4.12: API Approval and Management
Lesson 4.13: Open-Source Software
Lesson 4.14: Sandboxing
Lesson 4.15: Cloud Application Security Testing Concepts and Methods
Lesson 4.16: OWASP Top 10 Overview
Lesson 4.17: OWASP Top 10 Part 1: Code Injection
Lesson 4.18: OWASP Top 10 Part 2: Broken Authentication


Lesson 4.19: OWASP Top 10 Part 3: Sensitive Data Exposure
Lesson 4.20: OWASP Top 10 Part 4: XML External Entities (XXE)
Lesson 4.21: OWASP Top 10 Part 5: Broken Access Control
Lesson 4.22: OWASP Top 10 Part 6: Security Misconfiguration
Lesson 4.23: OWASP Top 10 Part 7: Cross-Site Scripting (XSS)
Lesson 4.24: OWASP Top 10 Part 8: Insecure Deserialization
Lesson 4.25: OWASP Top 10 Part 9: Using Components with Known Vulnerabilities
Lesson 4.26: OWASP Top 10 Part 10: Insufficient Logging and Monitoring
Lesson 4.27: STRIDE
Lesson 4.28: Application Security Testing Approaches Part 1
Lesson 4.29: Application Security Testing Approaches Part 2
Lesson 4.30: Domain 4 Summary

Module 5 | Cloud Security Operations


Lesson 5.1: Domain 5: Cloud Security Operations
Lesson 5.2: Change and Configuration Management
Lesson 5.3: Change Management
Lesson 5.4: Security Operations Center (SOC)
Lesson 5.5: Log Review Challenges
Lesson 5.6: Incident Response
Lesson 5.7: Treacherous 12 Overview
Lesson 5.8: Treacherous 12 Part 1
Lesson 5.9: Treacherous 12 Part 2
Lesson 5.10: Treacherous 12 Part 3
Lesson 5.11: Treacherous 12 Part 4
Lesson 5.12: Treacherous 12 Part 5
Lesson 5.13: Treacherous 12 Part 6
Lesson 5.14: Treacherous 12 Part 7
Lesson 5.15: Treacherous 12 Part 8
Lesson 5.16: Treacherous 12 Part 9
Lesson 5.17: Treacherous 12 Part 10
Lesson 5.18: Treacherous 12 Part 11
Lesson 5.19: Treacherous 12 Part 12
Lesson 5.20: Domain 5 Summary

Module 6 | Legal, Risk, and Compliance


Lesson 6.1: Domain 6: Legal, Risk, and Compliance
Lesson 6.2: Legal Risks of Cloud Computing


Lesson 6.3: Due Diligence and Due Care
Lesson 6.4: Legal and Compliance Terms
Lesson 6.5: US Laws and Regulations
Lesson 6.6: Sarbanes-Oxley (SOX)
Lesson 6.7: Gramm-Leach-Bliley Act (GLBA)
Lesson 6.8: Health Insurance Portability and Accountability Act (HIPAA)
Lesson 6.9: Payment Card Industry (PCI)
Lesson 6.10: General Data Protection Regulation (GDPR)
Lesson 6.11: General Data Protection Regulation Privacy Principles
Lesson 6.12: Risk Management
Lesson 6.13: Risk Management Frameworks
Lesson 6.14: Vendor Management
Lesson 6.15: Statement on Standards for Attestation Engagements (SSAE 18)
Lesson 6.16: Domain 6 Summary
