2013 International Information Systems Security Certification Consortium, Inc. All Rights

Transcription

1 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication April for 21, commercial 2015 purposes is prohibited.

2 Impartiality Statement (ISC)² is committed to impartiality by promoting a bias and discrimination free environment for all members, candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)² s board of directors, management and staff understand the importance of impartiality in carrying out its certification activities, manage conflict of interest and ensure the objectivity of its certification. If you feel you have not received impartial treatment, please send an to notice@isc2.org or call , so that we can investigate your claim. Non-Discrimination Policy (ISC)² is an equal opportunity employer and does not allow, condone or support discrimination of any type within its organization including, but not limited to, its activities, programs, practices, procedures, or vendor relationships. This policy applies to (ISC)² employees, members, candidates, and supporters. Whether participating in an (ISC)² official event or certification examination as an employee, candidate, member, staff, volunteer, subcontractor, vendor, or client if you feel you have been discriminated against based on nationality, religion, sexual orientation, race, gender, disability, age, marital status or military status, please send an to notice@isc2.org or call , so that we can investigate your claim. For any questions related to these polices, please contact the (ISC)² Legal Department at legal@isc2.org. 2

3 The compelling benefits of cloud computing are driving organizations to migrate IT infrastructure and applications to the cloud. At the same time, the information security industry recognizes that the accompanying complexity and risk profile require new approaches suitable to secure cloud and hybrid environments legacy approaches are insufficient. They also require experienced professionals with the right cloud security knowledge and skills to be successful. (ISC)² and the Cloud Security Alliance (CSA) developed the Certified Cloud Security Professional (CCSP) credential to meet this critical market need and ensure that cloud security professionals have the required knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and compliance with regulatory frameworks. A CCSP applies information security expertise to a cloud computing environment and demonstrates competence in cloud security architecture, design, operations, and service orchestration. This professional competence is measured against a globally recognized body of knowledge. The CCSP is a stand-alone credential that complements and builds upon existing credentials and educational programs, including (ISC)² s Certified Information Systems Security Professional (CISSP) and CSA s Certificate of Cloud Security Knowledge (CCSK). In addition to successfully passing the exam, CCSP candidates must have a minimum of five (5) years of cumulative paid full-time information technology experience, of which three (3) years must be in information security and one (1) year in one of the six (6) domains of the CCSP examination. Earning the Cloud Security Alliance s CCSK certificate may be substituted for one (1) year of experience in one of the six (6) domains of the CCSP examination. Earning the CISSP credential may be substituted for the entire CCSP experience requirement. Candidates who do not meet these experience requirements may still choose to sit for the exam and become an Associate of (ISC)². Candidates must meet the following requirements prior to taking the examination: Submit the examination fee Understand the experience requirements discussed above as they relate to the endorsement process Attest to the truth of his or her assertions regarding professional experience Legally commit to abide by the (ISC)² Code of Ethics Answer four prequalification questions regarding criminal history and related background This Candidate Information Bulletin (Exam Outline) includes: An Exam blueprint that defines the CCSP domains and the sub-topics within each o Domain 1: Architectural Concepts and Design Requirements... 4 o Domain 2: Cloud Data Security... 6 o Domain 3: Cloud Platform and Infrastructure Security... 8 o Domain 4: Cloud Application Security o Domain 5: Operations o Domain 6: Legal and Compliance Suggested References Sample Exam Questions Exam Policies and Procedures Contact Information

4 Domain 1: Architectural Concepts and Design Requirements Effective Date: April 21, 2015 Overview The Architectural Concepts & Design Requirements domain focuses on the building blocks of cloud based systems. The candidate will need to have an understanding of Cloud Computing concepts such as definitions based on the ISO/IEC standard, roles like the Cloud Service Customer, Provider, and Partner, characteristics such as multi-tenancy, measured services, and rapid elasticity and scalability, as well as building block technologies of the cloud such as virtualization, storage, and networking. The Cloud Reference Architecture will need to be described and understood by the candidate, with a focus on areas such as Cloud Computing Activities as described in ISO/IEC 17789, Clause 9, Cloud Service Capabilities, Categories, Deployment Models, and the Cross-Cutting Aspects of Cloud Platform architecture and design such as interoperability, portability, governance, service levels, and performance. In addition, candidates will need to demonstrate a clear understanding of the relevant security and design principles for Cloud Computing, such as cryptography, access control, virtualization security, functional security requirements like vendor lock-in and interoperability, what a secure data lifecycle is for cloud based data, and how to carry out a cost benefit analysis of cloud based systems. The ability to identify what a trusted cloud service is, and what role certification against criteria plays in that identification using standards such as the Common Criteria and FIPS are also areas of focus for this domain. Key Areas of Knowledge A. Understand Cloud Computing Concepts A.1 Cloud Computing Definitions (ISO/IEC 17788) A.2 Cloud Computing Roles (i.e., Cloud Service Customer, Cloud Service Provider, and Cloud Service Partner) A.3 Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling, measured service) A.4 Building Block Technologies (e.g., virtualization, storage, networking, databases) B. Describe Cloud Reference Architecture B.1 Cloud Computing Activities (ISO/IEC 17789, Clause 9) B.2 Cloud Service Capabilities (i.e., application capability type, platform capability type, infrastructure capability types) B.3 Cloud Service Categories (e.g., SaaS, IaaS, PaaS, NaaS, CompaaS, DSaaS) B.4 Cloud Deployment Models (e.g., public, private, hybrid, community) B.5 Cloud Cross-Cutting Aspects (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and service level agreement, auditability, and regulatory) C. Understand Security Concepts Relevant to Cloud Computing C.1 Cryptography (e.g. encryption, in motion, at rest, key management) C.2 Access Control C.3 Data and Media Sanitization (e.g., overwriting, cryptographic erase) 4

5 C.4 Network security C.5 Virtualization Security (e.g., hypervisor security) C.6 Common Threats C.7 Security Considerations for different Cloud Categories (e.g., SaaS, PaaS, *aas) D. Understand Design Principles of Secure Cloud Computing D.1 Cloud Secure Data Lifecycle D.2 Cloud Based Business Continuity/Disaster Recovery Planning D.3 Cost Benefit Analysis D.4 Functional Security Requirements (e.g., portability, interoperability, vendor lock-in) E. Identify Trusted Cloud Services E.1 Certification Against Criteria E.2 System/Subsystem Product Certifications (e.g., common criteria, FIPS 140-2) 5

6 Domain 2: Cloud Data Security Overview The Cloud Data Security domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability. The candidate will need to understand and implement Data Discovery and Classification Technologies pertinent to cloud platforms, as well as being able to design and implement relevant jurisdictional data protections for Personally Identifiable Information (PII), such as data privacy acts and the ability to map and define controls within the cloud. Designing and implementing Data Rights Management (DRM) solutions with the appropriate tools and planning for the implementation of data retention, deletion, and archiving policies are activities that a candidate will need to be able to be prepared to undertake. The design and implementation of auditability, traceability, and accountability of data within cloud based systems through the use of data event logging, chain of custody and non-repudiation, and the ability to store and analyze data through the use of security information and event management (SIEM) systems are also discussed within the Cloud Data Security domain. Key Areas of Knowledge A. Understand Cloud Data Lifecycle A.1 Phases A.2 Relevant Data Security Technologies B. Design and Implement Cloud Data Storage Architectures B.1 Storage Types (e.g. long term, ephemeral, raw-disk) B.2 Threats to Storage Types (e.g., ISO/IEC 27040) B.3 Technologies Available to Address Threats (e.g., encryption) C. Design and Apply Data Security Strategies C.1 Encryption C.2 Key Management C.3 Masking C.4 Tokenization C.5 Application of Technologies (e.g., time of storage vs. encryption needs) C.6 Emerging Technologies (e.g., bit splitting, data obfuscation, homomorphic encryption) D. Understand and Implement Data Discovery and Classification Technologies D.1 Data Discovery D.2 Classification E. Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII) 6

7 E.1 Data Privacy Acts E.2 Implementation of Data Discovery E.3 Classification of Discovered Sensitive Data E.4 Mapping and Definition of Controls E.5 Application of Defined Controls for PII (in consideration of customer's Data Privacy Acts) F. Design and Implement Data Rights Management F.1 Data Rights Objectives (e.g. provisioning, users and roles, role-based access) F.2 Appropriate Tools (e.g., Issuing and replication of certificates) G. Plan and Implement Data Retention, Deletion, and Archiving Policies G.1 Data Retention Policies G.2 Data Deletion Procedures and Mechanisms G.3 Data Archiving Procedures and Mechanisms H. Design and Implement Auditability, Traceability and Accountability of Data Events H.1 Definition of Event Sources and Identity Attribution Requirement H.2 Data Event Logging H.3 Storage and Analysis of Data Events (e.g. security information and event management) H.4 Continuous Optimizations (e.g. new events detected, add new rules, reductions of false positives) H.5 Chain of Custody and Non-repudiation 7

8 Domain 3: Cloud Platform and Infrastructure Security Overview The Cloud Platform and Infrastructure Security domain covers knowledge of the cloud infrastructure components, both the physical and virtual, existing threats, and mitigating and developing plans to deal with those threats. Risk management is the identification, measurement and control of loss associated with adverse events. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decisions, safeguard implementation, and effectiveness review. The candidate is expected to understand risk management including risk analysis, threats and vulnerabilities, asset identification and risk management tools and techniques. In addition, the candidate will also need to understand how to design and plan for the use of security controls such as audit mechanisms, physical and environmental protection, and the management of Identification, Authentication and Authorization solutions within the cloud infrastructures they manage. Business Continuity Planning (BCP) facilitates the rapid recovery of business operations to reduce the overall impact of the disaster, through ensuring continuity of the critical business functions. Disaster Recovery Planning (DRP) includes procedures for emergency response, extended backup operations and post-disaster recovery when the computer installation suffers loss of computer resources and physical facilities. The candidate is expected to understand how to prepare business continuity or disaster recovery plan, techniques and concepts, identification of critical data and systems, and finally the recovery of the lost data within cloud infrastructures. Key Areas of Knowledge A. Comprehend Cloud Infrastructure Components A.1 Physical Environment A.2 Network and Communications A.3 Compute A.4 Virtualization A.5 Storage A.6 Management Plane B. Analyze Risks Associated to Cloud Infrastructure B.1 Risk Assessment/Analysis B.2 Cloud Attack Vectors B.3 Virtualization Rısks B.4 Counter-Measure Strategies (e.g., access controls, design principles) C. Design and Plan Security Controls C.1 Physical and Environmental Protection (e.g., on-premise) C.2 System and Communication Protection C.3 Virtualization Systems Protection C.4 Management of Identification, Authentication and Authorization in Cloud Infrastructure C.5 Audit Mechanisms 8

9 D. Plan Disaster Recovery and Business Continuity Management D.1 Understanding of the Cloud Environment D.2 Understanding of the Business Requirements D.3 Understanding of the Risks D.4 Disaster Recovery/Business Continuity strategy D.5 Creation of the Plan D.6 Implementation of the Plan 9

10 Domain 4: Cloud Application Security Effective Date: April 21, 2015 Overview The Cloud Application Security domain focuses on issues to ensure that the candidate understands and recognizes the need for training and awareness in application security, the processes involved with cloud software assurance and validation, and the use of verified secure software. The domain refers to the controls that are included within systems and applications software and the steps used in their development (e.g., SDLC). The candidate should fully understand the security and controls of the development process, system life cycle, application controls, change controls, program interfaces, and concepts used to ensure data and application integrity, security, and availability. In addition, the need to understand how to design appropriate Identity and Access Management (IAM) solutions for cloud based systems is important as well. Key Areas of Knowledge A. Recognize the need for Training and Awareness in Application Security A.1 Cloud Development Basics (e.g., RESTful) A.2 Common Pitfalls A.3 Common Vulnerabilities (e.g. OWASP Top 10) B. Understand Cloud Software Assurance and Validation B.1 Cloud-based Functional Testing B.2 Cloud Secure Development Lifecycle B.3 Security Testing (e.g., SAST, DAST, Pen Testing) C. Use Verified Secure Software C.1 Approved API C.2 Supply-Chain Management C.3 Community Knowledge D. Comprehend the Software Development Life-Cycle (SDLC) Process D.1 Phases & Methodologies D.2 Business Requirements D.3 Software Configuration Management & Versioning E. Apply the Secure Software Development Life-Cycle E.1 Common Vulnerabilities (e.g., SQL Injection, XSS, XSRF, Direct Object Reference, Buffer Overflow) E.2 Cloud-Specific Risks E.3 Quality of Service E.4 Threat Modeling F. Comprehend the Specifics of Cloud Application Architecture 10

11 F.1 Supplemental Security Devices (e.g., WAF, DAM, XML firewalls, API gateway) F.2 Cryptography (e.g. TLS, SSL, IPSEC) F.3 Sandboxing F.4 Application Virtualization G. Design Appropriate Identity and Access Management (IAM) Solutions G.1 Federated Identity G.2 Identity Providers G.3 Single Sign-On G.4 Multi-factor Authentication 11

12 Domain 5: Operations Overview The Operations domain is used to identify critical information and the execution of selected measures that eliminate or reduce adversary exploitation of critical information. The domain examines the requirements of the cloud architecture, from planning of the Data Center design and implementation of the physical and logical infrastructure for the cloud environment, to running and managing that infrastructure. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The need for compliance with regulations and controls through the applications of frameworks such as ITIL, and ISO/IEC are also discussed. In addition, the importance of risk assessment across both the logical and physical infrastructures and the management of communication with all relevant parties is focused on. The candidate is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice. Key Areas of Knowledge A. Support the Planning Process for the Data Center Design A.1 Logical Design (e.g., tenant partitioning, access control) A.2 Physical Design (e.g., location, buy or build) A.3 Environmental Design (e.g., HVAC, multi-vendor pathway connectivity) B. Implement and Build Physical Infrastructure for Cloud Environment B.1 Secure Configuration of Hardware Specific Requirements (e.g., BIOS settings for virtualization and TPM, storage controllers, network controllers) B.2 Installation and Configuration of Virtualization Management Tools for the Host C. Run Physical Infrastructure for Cloud Environment C.1 Configuration of Access Control for Local Access (e.g., Secure KVM, Console based access mechanisms) C.2 Securing Network Configuration (e.g., VLAN s, TLS, DHCP, DNS, IPSEC) C.3 OS Hardening via Application of Baseline (e.g., Windows, Linux, VMware) C.4 Availability of Stand-Alone Hosts C.5 Availability of Clustered Hosts (e.g., distributed resource scheduling (DRS), dynamic optimization (DO), storage clusters, maintenance mode, high availability) D. Manage Physical Infrastructure for Cloud Environment D.1 Configuring Access Controls for Remote Access (e.g., RDP, Secure Terminal Access) D.2 OS Baseline Compliance Monitoring and Remediation D.3 Patch Management D.4 Performance Monitoring ( e.g., network, disk, memory, CPU ) 12

13 D.5 Hardware Monitoring (e.g., disk I/O, CPU temperature, fan speed) D.6 Backup and Restore of Host Configuration Effective Date: April 21, 2015 D.7 Implementation of Network Security Controls ( e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments) D.8 Log Capture and Analysis (e.g., SIEM, Log Management ) D.9 Management Plain (e.g., scheduling, orchestration, maintenance) E. Build Logical Infrastructure for Cloud Environment E.1 Secure Configuration of Virtual Hardware Specific Requirements (e.g., network, storage, memory, CPU) E.2 Installation of Guest O/S Virtualization Toolsets F. Run Logical Infrastructure for Cloud Environment F.1 Secure Network Configuration (e.g., VLAN s, TLS, DHCP, DNS, IPSEC) F.2 OS Hardening via Application of a Baseline (e.g., Windows, Linux, VMware ) F.3 Availability of the Guest OS G. Manage Logical Infrastructure for Cloud Environment G.1 Access Control for Remote Access (e.g., RDP) G.2 OS Baseline Compliance Monitoring and Remediation G.3 Patch Management G.4 Performance Monitoring ( e.g., Network, Disk, Memory, CPU ) G.5 Backup and Restore of Guest OS Configuration ( e.g., Agent based, SnapShots, Agentless) G.6 Implementation of Network Security Controls ( e.g., firewalls, IDS, IPS, honeypots, vulnerability assessments) G.7 Log Capture and Analysis ( e.g., SIEM, log management) G.8 Management Plane (e.g., scheduling, orchestration, maintenance) H. Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC ) H.1 Change Management H.2 Continuity Management H.3 Information Security Management H.4 Continual Service Improvement Management H.5 Incident Management H.6 Problem Management H.7 Release Management H.8 Deployment Management H.9 Configuration Management H.10 Service Level Management 13

14 H.11 Availability Management H.12 Capacity Management I. Conduct Risk Assessment to Logical and Physical Infrastructure J. Understand the Collection, Acquisition and Preservation of Digital Evidence J.1 Proper Methodologies for Forensic Collection of Data J.2 Evidence Management K. Manage Communication with Relevant Parties K.1 Vendors K.2 Customers K.3 Partners K.4 Regulators K.5 Other Stakeholders 14

15 Domain 6: Legal and Compliance Overview The Legal and Compliance domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed, and methods used to gather evidence (e.g., Legal Controls, ediscovery, and Forensics). This domain also includes an understanding of privacy issues and audit process and methodologies required for a cloud environment, such as internal and external audit controls, assurance issues associated with virtualization and the cloud, and the types of audit reporting specific to the cloud (e.g., SAS, SSAE and ISAE). Further, examining and understanding the implications that cloud environments have in relation to enterprise risk management and the impact of outsourcing for design and hosting of these systems are also important considerations that many organizations face today. Key Areas of Knowledge A. Understand Legal Requirements and Unique Risks within the Cloud Environment A.1 International Legislation Conflicts A.2 Appraisal of Legal Risks Specific to Cloud Computing A.3 Legal Controls A.4 ediscovery (e.g., ISO/IEC 27050, CSA Guidance) A.5 Forensics Requirements B. Understand Privacy Issues, Including Jurisdictional Variation B.1 Difference between Contractual and Regulated PII B.2 Country-Specific Legislation Related to PII / Data Privacy B.3 Difference Among Confidentiality, Integrity, Availability, and Privacy C. Understand Audit Process, Methodologies, and Required Adaptions for a Cloud Environment C.1 Internal and External Audit Controls C.2 Impact of Requirements Programs by the Use of Cloud C.3 Assurance Challenges of Virtualization and Cloud C.4 Types of Audit Reports (e.g., SAS, SSAE, ISAE) C.5 Restrictions of Audit Scope Statements (e.g., SAS 70) C.6 Gap Analysis C.7 Audit Plan C.8 Standards Requirements (e.g., ISO/IEC 27018, GAPP) C.9 Internal Information Security Management System C.10 Internal information Security Controls System 15

16 C.11 Policies C.12 Identification and Involvement of Relevant Stakeholders Effective Date: April 21, 2015 C.13 Specialized Compliance Requirements for Highly Regulated Industries C.14 Impact of Distributed IT Model (e.g., diverse geographical locations and crossing over legal jurisdictions) D. Understand Implications of Cloud to Enterprise Risk Management D.1 Access Providers Risk Management D.2 Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility) D.3 Provision of Regulatory Transparency Requirements D.4 Risk Mitigation D.5 Different Risk Frameworks D.6 Metrics for Risk Management D.7 Assessment of Risk Environment (e.g., service, vendor, ecosystem) E. Understand Outsourcing and Cloud Contract Design E.1 Business Requirements (e.g., SLA, GAAP) E.2 Vendor Management (e.g., selection, common certification framework) E.3 Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data) F. Execute Vendor Management F.1 Supply-chain Management (e.g., ISO/IEC 27036) 16

17 Suggested References This reference list is not intended to be an all-inclusive collection representing the CCSP Common Body of Knowledge (CBK). Its purpose is to provide candidates a starting point for their studies in domains which need supplementary learning in order to complement their associated level of work and academic experience. Candidates may also consider other references, which are not on this list but adequately cover domain content. Note: (ISC) 2 does not endorse any particular text or author and does not imply that any or all references be acquired or consulted. (ISC) 2 does not imply nor guarantee that the study of these references will result in an examination pass. Supplementary References Challenging Security Requirements for US Government Cloud Computing Adoption, NIST Cloud Computing Public Security Working Group NIST Cloud Computing Program Information Technology Laboratory December 9, 2010 CSA Cloud Security Alliance - The Notorious Nine Cloud Computing Top Threats in Top Threats Working Group ENISA Cloud Computing, Benefits, risks and recommendations for information security, ENISA, November 2009 ISO/IEC 17788:2014 Information technology -- Cloud computing -- Overview and vocabulary ISO/IEC 17789:2014 Information technology -- Cloud computing -- Reference architecture NIST Cloud Computing 5 Security Reference Architecture, NIST Special Publication , June 11, 2013 Quick Reference Guide to the Reference Architecture, TCI Trusted Cloud Initiative, 2011 Cloud Security Alliance SecaaS Cat 1 IAM Implementation Guidance, Category 1 //Identity and Access Management, September 2012 SecaaS Cat 10 Network Security Implementation Guidance, Category 10 //Network Security, September 2012 SecaaS Cat 3 Web Security Implementation Guidance, Category 3 //Web Security, September 2012 SecaaS Cat 4 Security Implementation Guidance, Category 4 // Security, September 2012 SecaaS Cat 5 Security Assessments Implementation Guidance, Category 5 //Security Assessments, September 2012 SecaaS Cat 6 Intrusion Management Implementation Guidance, Category 6 //Intrusion Management, September 2012 SecaaS Cat 7 SIEM Implementation Guidance, Security Information and Event Management, October 2012 SecaaS Cat 8 Encryption Implementation Guidance, Category 8 //Encryption, September 2012 SecaaS Cat 9 BCDR Implementation Guidance, Category 9 //Business Continuity /Disaster Recovery, September 2012 SecaaS Implementation Guidance, Category 2 //Data Loss Prevention, September 2012 Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Could Security Alliance, 2011 TCI Trusted Cloud Initiative Reference Architecture, Version 2.0, 2011 TCI Trusted Cloud Initiative, Quick Guide to Reference Architecture, CSA Cloud Security Alliance White Paper, October 18, 2011 The Cloud Security Alliance Security as a Service Implementation Guidance Documents Top Threats Working Group, The Notorious Nine Cloud Computing Top Threats in 2013, February

18 Sample Exam Questions Effective Date: April 21, Which one of the following is the MOST important security consideration when selecting a new computer facility? (A) (B) (C) (D) Answer D Local law enforcement response times Adjacent to competitors facilities Aircraft flight paths Utility infrastructure 2. Which one of the following describes a SYN flood attack? (A) Rapid transmission of Internet Relay Chat (IRC) messages (B) Creating a high number of half-open connections (C) Disabling the Domain Name Service (DNS) server (D) Excessive list linking of users and files Answer B 3. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions (A) (B) (C) (D) Answer B between the WAP gateway and the wireless device. between the web server and WAP gateway. from the web server to the wireless device. between the wireless device and the base station. 18

19 Exam Policies and Procedures Non-Discrimination Policy (ISC)² does not discriminate against candidates based on their nationality, gender, religion, race, ethnicity, sexual orientation, age or disability. For additional information on (ISC)² s non-discrimination and other candidate policies, please visit Registering for the Exam The CCSP examination is administered at Pearson VUE Testing centers around the world. To register for the exam: 1. Go to to register for an exam appointment 2. Select the most convenient test center 3. Select an appointment time 4. Pay for your exam appointment 5. Receive confirmation from Pearson VUE with the appointment details Please note that your registration information will be transferred to (ISC)² and all communication about the testing process from (ISC)² and Pearson VUE will be sent to you via . Fees Visit the (ISC)² website for the exam registration fees. Examination Agreement and Non-Disclosure Agreement All candidates must agree to the terms listed in the (ISC) 2 s Examination Agreement when registering for the exam on the Pearson Vue website. The agreement can be found under the View Testing Policies link on the Exam Details page. At the Pearson Vue testing center, prior to starting the exam, all candidates are also required to read and accept the (ISC)² non-disclosure agreement (NDA) within the allotted five (5) minutes prior to being presented with exam questions. If the NDA is not accepted by the candidate or the candidate does not accept the NDA within the time allotted, the exam will end, and the candidate will be asked to leave the test center. No refund of exam fees will be given. For this reason, all candidates are strongly encouraged to review the non-disclosure agreement prior to scheduling for, or taking the exam. Requesting Special Accommodations Pearson VUE Professional Centers can accommodate a variety of candidates needs, as they are fully compliant with the Americans with Disability Act (ADA), and the equivalent requirements in other countries. Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once (ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson VUE s special accommodations number. From there, a Pearson VUE coordinator will handle all of the arrangements. 19

20 Please note: Candidates that request special accommodations should not schedule their appointment online or call the main CBT registration line. Rescheduling or Cancellation of an Exam Appointment If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at least 48 hours before the exam date by contacting Pearson VUE at or at least 24 hours prior to exam appointment time by contacting Pearson VUE by phone. Please refer to Contact Information for more information and local telephone numbers for your region. Canceling or rescheduling an exam appointment less than 24 hours via phone notification, or less than 48 hours via online notification is subject to a forfeit of exam fees. Exam fees are also forfeited for no-shows. Please note that Pearson VUE charges a 50 USD/35 /40 fee for reschedules, and 100 USD/70 /80 fee for cancellations. Late Arrivals or No Shows If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or she has technically forfeited his or her assigned seat. If the candidate arrives late (after 15 minutes of his/her scheduled appointment), it is up to the discretion of the testing center as to whether or not the candidate may still take the exam. If the test administrator at the testing location is able to accommodate a late arriving candidate, without affecting subsequent candidates appointments, he/she will let the candidate sit for the exam. However, if the schedule is such that the test center is not able to accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited. If a candidate fails to appear for a testing appointment, the test result will appear in the system as a no-show and the candidate s exam fees will be forfeited. Pearson VUE Check-In Process Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing time. If you arrive more than 15 minutes late to your scheduled appointment, you may lose your examination appointment. For checking-in: You will be required to present two acceptable forms of identification. You will be asked to provide your signature, submit to a palm vein scan, and have your photograph taken. Hats, scarves and coats may not be worn in the testing room, or while your photograph is being taken. You will be required to leave your personal belongings outside the testing room. Secure storage will be provided. Storage space is small, so candidates should plan appropriately. Pearson VUE Professional Centers assume no responsibility for candidates personal belongings. The Test Administrator (TA) will give you a short orientation, and then will escort you to a computer terminal. You must remain in your seat during the examination, except when authorized to leave by test center staff. You may not change your computer terminal unless a TA directs you to do so. During the exam, you may raise your hand to notify the TA if you believe you have a problem with your computer, need to change note boards, need to take a break, or need the TA for any reason. 20

21 Identification Requirements (ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired) and must be an original document (not a photocopy or a fax). Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate s signature. Secondary IDs: Must have the candidate s signature. Accepted Primary ID (photograph and signature, not expired) Government issued Driver s License or Identification Card U.S. Dept. of State Driver s License U.S. Learner s Permit (card only with photo and signature) National/State/Country Identification Card Passport Passport Cards Military ID Military ID for spouses and dependents Alien Registration Card (Green Card, Permanent Resident Visa) Government Issued local language ID (plastic card with photo and signature Employee ID School ID Credit Card* (A credit card can be used as a primary form of ID only if it contains both a photo and a signature and is not expired. Any credit card can be used as a secondary form of ID, as long as it contains a signature and is not expired. This includes major credit cards, such as VISA, MasterCard, American Express and Discover. It also includes department store and gasoline credit cards. Accepted Secondary ID (contains signature, not expired) U.S. Social Security Card Debit/ATM Card Credit Cards Any form of ID on the primary list Name Matching Policy Candidate s first and last name on the presented identification document must exactly match the first and last name on the registration record with Pearson VUE. If the name the candidate has registered with does not match the name on the identification document, proof of legal name change must be brought to the test center on the day of the test. The only acceptable forms of legal documentation are marriage licenses, divorce decrees, or court sanctioned legal name change documents. All documents presented at the test center must be original documents. If a mistake is made with a name during the application process, candidates should contact (ISC)² to correct the information well in advance of the actual test date. Name changes cannot be made at the test center or on the day of the exam. Candidates who do not meet the requirements presented in the name matching policy on the day of the test may be subject to forfeiture of testing fees and asked to leave the testing center. 21

22 Testing Environment Pearson VUE Professional Centers administer many types of examinations including some that require written responses (essay-type). Pearson VUE Professional Centers have no control over typing noises made by candidates sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized testing environment, just as the noise of turning pages is a normal part of the paper and pencil testing environment. Earplugs are available upon request. Breaks During the Exam You will have up to 4 hours to complete the CCSP examination. Total examination time includes any unscheduled breaks you may take. All breaks count against your testing time. You must leave the testing room during your break, but you may not leave the building or access any personal belongings unless absolutely necessary (e.g. for retrieving medication). Additionally, when you take a break, you will be required to submit to a palm vein scan before and after your break. Examination Format and Scoring The CCSP examination contains 125 multiple choice questions with four (4) choices each. There may be scenario-based items which may have more than one multiple choice question associated with it. The exam will contain 25 questions which are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. There is no penalty for guessing, so candidates should not leave any item unanswered. Results will be based only on the scored questions on the examination. There are several versions of the examination. It is important that each candidate have an equal opportunity to pass the examination, no matter which version is administered. Subject Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the examinations. That information is used to develop examination forms that have comparable difficulty levels. When there are differences in the examination difficulty, a mathematical procedure called equating is used to make the difficulty level of each test form equal. Because the number of questions required to pass the examination may be different for each version, the scores are converted onto a reporting scale to ensure a common standard. The passing grade required is a scale score of 700 out of a possible 1000 points on the grading scale. Finishing the Exam After you have finished the examination, raise your hand to summon the TA. The TA will collect and inventory all note boards. The TA will dismiss you when all requirements are fulfilled. If you believe there was an irregularity in the administration of your test, or the associated test conditions adversely affected the outcome of your examination, you should notify the TA before you leave the test center. Results Reporting Candidates will receive their test result at the test center. The results will be handed out by the TA during the checkout process. (ISC)² will then follow up with an official result via . In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released. A minimum number of candidates are required to take the exam before this analysis can be completed. Depending upon the volume of test takers for a given cycle, there may be occasions when scores are delayed for approximately 6-8 weeks in 22

23 order to complete this critical process. Results will not be released over the phone. They will be sent via from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact (ISC)² prior to your examination. Technical Issues On rare occasions, technical problems may require rescheduling of a candidate s examination. If circumstances arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice of continuing to wait, or rescheduling your appointment without an additional fee. If you choose to wait, but later change your mind at any time prior to beginning or restarting the examination, you will be allowed to take exam at a later date, at no additional cost. If you choose not to reschedule, but rather test after a delay, you will have no further recourse, and your test results will be considered valid. If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you will be allowed to test at a later date at no additional charge. Every attempt will be made to contact candidates if technical problems are identified prior to a scheduled appointment. Examination Retake Policy Candidates who do not pass on their first attempt may not retake the exam for a period of 90 days from the date of the first attempt. Candidates that fail a second time will need to wait an additional 90 days prior to sitting for the exam again. In the unfortunate event that a candidate fails a third time, that candidate may not sit for the exam for a period of 180 days after the most recent attempt. Candidates are eligible to sit for (ISC)² exams a maximum of 3 times within a calendar year. Exam Irregularities and Test Invalidation (ISC)² exams are intended to be delivered under standardized conditions. If any irregularity or fraud is encountered before, during, or after the administration of the exam, (ISC)² will examine the situation and determine whether action is warranted. If (ISC)² determines that any testing irregularity or fraud has happened, it may choose not to score the answer documents of the affected test taker(s), or it may choose to cancel the scores of the affected test taker(s). (ISC)² may at its sole discretion revoke any and all certifications a candidate may have earned and ban the candidate from earning future (ISC)² certifications, and decline to score or cancel any Exam under any of the circumstances listed in the (ISC)² Examination Agreement. Please refer to the (ISC)² Examination Agreement for further details. Recertification by Examination Candidates and members may recertify by examination for the following reasons only: The candidate has become decertified due to reaching the expiration of the time limit for endorsement. The member has become decertified for not meeting the number of required continuing professional education (CPE) credits. 23

24 Contact Information Please direct any questions or comments to: (ISC)² Candidate Services 311 Park Place Blvd, Suite 400 Clearwater, FL Phone: ISC2 (United States); (International) Fax: