PASSED 11/26/2018 CCSP 30 days....

--chris-- · November 2018

Found some info on the storage/memory thing...

Per ISC official study guide:

Cloud resources are compute (CPU & RAM), storage and networking.

Since memory is not listed by name in this resource list (its called RAM), they can use it to reference the medium that data is stored on.

--chris-- · November 2018

Domain 3 practice test: 114/143 (79%)

After reviewing what I got wrong, its not clumped into one single area that I am lacking but stuff on the fringes (like what do you call it when a user on one VM can see the resource calls of a another user on a different VM? Answer: Inference attack). I had never seen that before now, but now I know. I will work through these again and see if I can spot a trend and put together some study notes to post here.

--chris-- · November 2018

Domain 4 practice test: 80/112 (71%)

Found a weak spot! A series of questions referred to "installing APIs" on BYOD devices (I missed 4 of 5 of these) then asked about security controls to mitigate risks specific to this situation. It appears that API's/application can be used interchangeably by ISC2 when referring to user interaction. So of course all of my answer were cloud centric and not user/end device centric which is what they were looking for.

SDLC (user input is MOST necessary during the design phase, during testing is the best time to bring in "3rd party" or external help)
ISO 27034, STRIDE model
REST vs SOAP,
REST server response types (JSON & XML)
comparing MOST important controls in legacy vs cloud deployments (encrypting at all stages of application use, multi-tenancy, application isolation, focusing on building with known-secure library)
WAF & DAM are L7 devices
XML gateways (per ISC2) are focused on monitoring SFTP traffic (not WAF)
TLS uses symmetric encryption, If a question references TLS "communication session" creation it is asking about the symmetric encryption and asymm
What occurs during dynamic testing (aka fuzzing per ISC2, "logical path" testing is a metric here)
What occurs during static testing (source code review, "code coverage" is a metric used here)

Some of these I got wrong simply because I took the "technical" point of view instead of the management point of view. For example, when asked about over deploying security controls I selected "will negatively impact performance" and the correct answer was "be a waste of money".

--chris-- · November 2018

Domain 5 practice test 69%

Domain 6 practice test 71%

--chris-- · November 2018

Reviewed Domain 6, below are fuzzy areas (many).

CSA STAR
-Three levels
-tier 1, self assurement
-tier 2, 3rd party certification
-tier 3, continuous auditing

OECD Privacy Principles
Collection limitation principle
-Place limits to the collection of personal data

Data Quality principle
-Personal data should be relevant and the data subject should be able to update the PII

Purpose Specification Principle
-The reason why personal data is collected should be made clear when the data is collected

Use limitation principle
-PII should not be used or disclosed for purposes other than those specified in the purpose specification

Security Safeguards principle
-PII should have reasonable security measures in place to protect it

Openness Principle
-A general policy of openness should exist about developments, practices and policies in regards to a subjects PII

Individual participation principle
-Lists individual rights in regards to the PII (4+)

Accountability Principle
-The data controller will be accountable for complying with measures that give effect to the principles stated above

ISO 27001 vs 27002
-27001 details requirements against which an organizations ITSM can be audited
-27002 details individual security controls, in a much greater detail

SAS70
-Created by the AICPA, replaced by the SSAE 16 in 2011. Used to audit service organizations.

SOC Report types
-SOC 1; restricted use (internal only), Reports on controls regarding financial reporting
-SOC 2; Generally restricted, may be released with NDA; Reports on controls related to compliance and/or operations
-SOC 3; General Use Report; freely shared with clients, Reports on controls related to compliance (leaving out details found in SOC 2)

NIST 800-53 - Security and Privacy controls
NIST 800-37 - Risk Management Framework
ISO 27034 - Standards for Secure Application Development
ISO 27017 - A set of standards regarding the guidelines for info sec controls that apply to cloud services

EU Data Directive created (or provided outline for) the "Safe Harbor" program which was established and run by the US FTC until it was replaced by the Privacy Shield program. This is used by US companies to process data from EU entities.

Due Diligence vs Due Care

Due care: This is doing what a reasonable person in your position or situation would o

Due Diligence: This is the management of Due Care; often thought of as step beyond due care. Is the verification of due care through attainment of evidence (reports).

--chris-- · November 2018

Confidence is not that high, I feel like if I pass it will be just barely. I plan on taking one practice exam tomorrow, then focused review of my weakest areas (2-3 total) then take the rest of the day off.

Then Monday morning, focused review of techniques for taking the exam and "tips" provided by the bootcamp instructor (1-1.5 hour total time). Then eat & drink well, take a break for 2 hours and drive the hour to the exam center (arriving 15 minutes early). Then TEST.

--chris-- · November 2018

PASSED!

I don't know how the score broke down, but I got a pass! I didn't get any questions on frameworks (ISO, NIST, ENISA, CSA, nothing!). I had ~10 questions on SOAP and REST, focusing on their best usage and not about the technical specs. I had some questions that came out of left field which must have been the no-score questions.

I had 5 scenario questions (The kind where you get a paragraph of background, then 2-3 questions about what "BEST" suits this situation) and 2 drag and drop questions with 5 variables in each.

There were a handful of questions about law, evidence collection, privacy practices, etc... (domain 6). Many tested on how well I knew the 3 types of service (IaaS, PaaS, SaaS), where the responsibility lies in each situation and what controls would be appropriate for the level of responsibility. But of course they are not asked in plain English, instead they are asked in a convoluted manner with a few grammatical errors tossed in. For instance the words "assess" and "access" were used interchangeably twice. Be ready to recognize when a mistake was made, swap in the correct word in the question and then select your answer. Don't dwell on whether or not your interpreted it correctly, just move on .

There were also several questions that I believe the correct answer was to not use the cloud, which caught me off guard but I think I got right.

The proctor for the center was weird and the testing center location was not easy to get into nor was it well placed (who in the hell thought it would be a good idea to put the test room next door to the campus sexual assault reporting office filled with crying people that can be heard occasionally through the walls?) But not ISC2's fault.

Rinzler · November 2018

Congrats on passing CCSP. I hope to take this exam after CISSP is conquered, sir.

COBOL_DOS_ERA · November 2018

Congrats on the pass!! and thanks for sharing your exam experience with us.

cyberguypr · November 2018

Congrats!

leoglory · November 2018

Congrats!

Azt7 · November 2018

Congrats !

anthonx · November 2018

Congrats!

--chris-- · November 2018

Thanks everyone!

DZA_ · November 2018

Congratulations Chris, it definitely inspires me to retake the exam in the new year but I've putting it off recently because of work commitments. I'm debating whether to take the exam or not given its value overall in my given situation and how sometimes the CCSP questions can be super vague. Great stuff on the pass.