attribution2.8.2 Logging, storage, and analysis of data events2.8.3 Chain of custody and non-repudiationDomain 3 Cloud Platform and Infrastructure Security3.1 Comprehend cloud infrastructure components3.1.1 Physical environment3.1.2 Network and communications3.1.3 Compute3.1.4 Virtualization3.1.5 Storage3.1.6 Management plane3.2 Design a secure data center3.2.1 Logical design (e.g., tenant partitioning, access control)3.2.2 Physical design (e.g., location, buy or build)3.2.3 Environmental design (e.g., Heating, Ventilation, and Air Conditioning (HVAC), multi-vendor pathway connectivity)3.3 Analyze risks associated with cloud infrastructure3.3.1 Risk assessment and analysis3.3.2 Cloud vulnerabilities, threats, and attacks3.3.3 Virtualization risks3.3.4 Counter-measure strategies3.4 Design and plan security controls3.4.1 Physical and environmental protection (e.g., on-premise)3.4.2 System and communication protection3.4.3 Virtualization systems protection3.4.4 Identification, authentication, and authorization in cloud infrastructure3.4.5 Audit mechanisms (e.g., log collection, packet capture)3.5 Plan Disaster Recovery (DR) and Business Continuity (BC)3.5.1 Risks related to the cloud environment3.5.2 Business requirements (e.g., Recovery Time Objective (RTO), Recovery Point Objective (RPO), Recovery Service Level(RSL))3.5.3 Business Continuity/Disaster Recovery strategy3.5.4 Creation, implementation, and testing of planDomain 4 Cloud Application Security4.1 Advocate training and awareness for application security4.1.1 Cloud development basics4.1.2 Common pitfalls4.1.3 Common cloud vulnerabilities4.2 Describe the Secure Software Development Lifecycle (SDLC) process4.2.1 Business requirements4.2.2 Phases and methodologies4.3 Apply the Secure Software Development Lifecycle (SDLC)4.3.1 Avoid common vulnerabilities during development4.3.2 Cloud-specific risks4.3.3 Quality Assurance4.3.4 Threat modeling4.3.5 Software configuration management and versioning4.4 Apply cloud software assurance and validation4.4.1 Functional testing4.4.2 Security testing methodologies4.5 Use verified secure software4.5.1 Approved Application Programming Interfaces (API)4.5.2 Supply-chain management4.5.3 Third-party software management4.5.4 Validated open source software4.6 Comprehend the specifics of cloud application architecture4.6.1 Supplemental security components (e.g., Web Application Firewall (WAF), Database Activity Monitoring (DAM), Extensible Markup Language (XML) firewalls, Application Programming Interface (API) gateway)4.6.2 Cryptography4.6.3 Sandboxing4.6.4 Application virtualization and orchestration4.7 Design appropriate Identity and Access Management (IAM) solutions4.7.1 Federated identity4.7.2 Identity providers4.7.3 Single Sign-On (SSO)4.7.4 Multi-factor authentication4.7.5 Cloud Access Security Broker (CASB)Domain 5 Cloud Security Operations5.1 Implement and build physical and logical infrastructure for cloud environment5.1.1 Hardware-specific security configuration requirements (e.g., Basic Input Output System (BIOS) settings for virtualization and Trusted Platform Module (TPM), storage controllers, network controllers)5.1.2 Installation and configuration of virtualization management tools5.1.3 Virtual hardware-specific security configuration requirements (e.g., network, storage, memory, Central Processing Unit (CPU))5.1.4 Installation of guest Operating System (OS) virtualization toolsets5.2 Operate physical and logical infrastructure for cloud environment5.2.1 Configure access control for local and remote access (e.g., Secure Keyboard Video Mouse (KVM), Console-based access mechanisms, Remote Desktop Protocol (RDP))5.2.2 Secure network configuration (e.g., Virtual Local Area Networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Virtual Private Network (VPN))5.2.3 Operating System (OS) hardening through the application of baselines (e.g., Windows, Linux, VMware)5.2.4 Availability of stand-alone hosts5.2.5 Availability of clustered hosts (e.g., Distributed Resource Scheduling (DRS), Dynamic Optimization (DO), storage clusters, maintenance mode, high availability)5.2.6 Availability of guest Operating System (OS)5.3 Manage physical and logical infrastructure for cloud environment5.3.1 Access controls for remote access (e.g., Remote Desktop Protocol (RDP), Secure Terminal Access, Secure Shell (SSH))5.3.2 Operating System (OS) baseline compliance monitoring and remediation5.3.3 Patch management5.3.4 Performance and capacity monitoring (e.g., network, compute, storage, response time)5.3.5 Hardware monitoring (e.g., disk, Central Processing Unit (CPU), fan speed, temperature)5.3.6 Configuration of host and guest Operating System (OS) backup and restore functions5.3.7 Network security controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS),honeypots, vulnerability assessments, network security groups)5.3.8 Management plane (e.g., scheduling, orchestration, maintenance)5.4 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)5.4.1 Change management5.4.2 Continuity management5.4.3 Information security management5.4.4 Continual service improvement management5.4.5 Incident management5.4.6 Problem management5.4.7 Release management5.4.8 Deployment management5.4.9 Configuration management5.4.10 Service level management5.4.11 Availability management5.4.12 Capacity management5.5 Support digital forensics5.5.1 Forensic data collection methodologies5.5.2 Evidence management5.5.3 Collect, acquire, and preserve digital evidence5.6 Manage communication with relevant parties5.6.1 Vendors5.6.2 Customers5.6.3 Partners5.6.4 Regulators5.6.5 Other stakeholders5.7 Manage security operations5.7.1 Security Operations Center (SOC)5.7.2 Monitoring of security controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)5.7.3 Log capture and analysis (e.g., Security Information and Event Management (SIEM), log management)5.7.4 Incident managementDomain 6 Legal, Risk, and Compliance6.1 Articulate legal requirements and unique risks within the cloud environment6.1.1 Conflicting international legislation6.1.2 Evaluation of legal risks specific to cloud computing6.1.3 Legal frameworks and guidelines6.1.4 eDiscovery (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)6.1.5 Forensics requirements6.2 Understand privacy issues6.2.1 Difference between contractual and regulated private data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))6.2.2 Country-specific legislation related to private data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))6.2.3 Jurisdictional differences in data privacy6.2.4 Standard privacy requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR))6.3 Understand audit process, methodologies, and required adaptations for a cloud environment6.3.1 Internal and external audit controls6.3.2 Impact of audit requirements6.3.3 Identify assurance challenges of virtualization and cloud6.3.4 Types of audit reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Security Operations Center(SOC), International Standard on Assurance Engagements (ISAE))6.3.5 Restrictions of audit scope statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))6.3.6 Gap analysis6.3.7 Audit planning6.3.8 Internal Information Security Management System (ISMS)6.3.9 Internal information security controls system6.3.10 Policies (e.g., organizational, functional, cloud computing)6.3.11 Identification and involvement of relevant stakeholders6.3.12 Specialized compliance requirements for highly-regulated industries (e.g., North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))6.3.13 Impact of distributed Information Technology (IT) model (e.g., diverse geographical locations and crossing over legal jurisdictions)6.4 Understand implications of cloud to enterprise risk management6.4.1 Assess providers risk management programs (e.g., controls, methodologies, policies)6.4.2 Difference between data owner/controller vs. data custodian/processor (e.g., risk profile, risk appetite, responsibility)6.4.3 Regulatory transparency requirements (e.g., breach notification, Sarbanes-Oxley SOX, General Data Protection Regulation (GDPR))6.4.4 Risk treatment (i.e., avoid, modify, share, retain)6.4.5 Different risk frameworks6.4.6 Metrics for risk management6.4.7 Assessment of risk environment (e.g., service, vendor, infrastructure)6.5 Understand outsourcing and cloud contract design6.5.1 Business requirements (e.g., Service Level Agreement (SLA), Master Service Agreement (MSA), Statement of Work (SOW))6.5.2 Vendor management6.5.3 Contract management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data, cyber risk insurance)6.5.4 Supply-chain management (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036)
Online Test Bank
To practice in an online testing setting of the same questions, visit
