The (ISC)2 Systems Security Certified Practitioner (SSCP) is a logical next step for many people that have passed the CompTIA Security+ exam. If you’re planning on taking it, you should be aware that it is changing. Everything is the same until January 31, 2012. However, effective February 1, 2012, the domains are changing. This article outlines the changes.
It’s worth noting that there aren’t any changes to the work experience requirements. SSCP only requires candidates to have one year of professional work experience making it more accessible to many IT professionals. In contrast, the Certified Information Systems Security Professional (CISSP) requires five years of experience.
All of the domains are still named the same, but the Key Areas of Knowledge have some changes and additions.
Access Controls Domain
In this domain, they added identity management (including provisioning, maintenance and entitlement) and removed a sub area titled account creation and maintenance. On the surface, this isn’t a significant change since identity management encompasses account creation and maintenance. However, identity management is much broader and includes all the elements required to identify, authenticate, and authorize users, often using automation.
They also separated Discretionary Access Control (DAC) and added Non-discretionary Access Control. This is not a significant change but does indicate the exam will focus more on these concepts. Last, they added cloud computing concepts. Similarly, CompTIA’s Security+ added cloud computing to their SY0-301 objectives.
Security Operations and Administration Domain
This domain has the majority of the changes. Interestingly, they moved Code of Ethics topics to the beginning. This is almost a guarantee that you’ll see at least one question on ethics, such as the (ISC)2 code of ethics.
There are two new security administrative duties in the list of topics: asset management (e.g., hardware, software, data), and develop and maintain systems and security control documentation. Other new topics include:
- Support certification and accreditation (i.e. security authorization)
- Understand impact of security testing
- Comply with data management policies (e.g. storage media (paper or electronic), transmission, archiving, retention requirements,
destruction, deduplication, data loss prevention, social network usage, information rights management (IRM) - Understand security concepts (e.g. confidentiality, integrity, availability, privacy)
Monitoring and Analysis
Not much changed here. Objective 3.A. added continuous monitoring as an example of maintaining effective monitoring systems. Additionally, unauthorized connections was added as another type of unauthorized change.
Risk, Response, and Recovery Domain
Within the risk management topics, they added impacts to threats and vulnerabilities. Risk is the likelihood that a threat will exploit a vulnerability, and impact is the result if the risk occurs. Most risk assessment methods evaluate impact so this isn’t a big change.
They also added in some terms such as safeguards and countermeasures as mitigation methods. Within evidence handling, they added forensic investigations, first responder, and preservation of scene.
Cryptography Domain
Most of the cryptography topics are the same with some minor rewording, though there are some additions. For example, Install and maintain cryptographic systems and Understand basic key management concepts (e.g. public key infrastructure) are both new. Additionally, they added a focus on key management by adding key creation, exchange, revocation, and escrow.
Networks and Communications Domain
Many of the changes in this domain are minor rewording, but there are some additions. For example, this is a new topic: Network topographies and relationships (e.g. token ring, star, bus, Ethernet). This topic was in an earlier edition of the SSCP exam but it was removed in the 2009 version. Also, they modified the wireless technology topic by adding WiMax, GSM, 3G, and NFC.
Malicious Code and Activity Domain
Although many of the changes in this domain just moved the malware topics around, there are some notable additions. A new topic within software security is server side input validation, an important programming concept that is often overlooked. Some malicious activities added include DDoS, spoofing, phishing, pharming, and spam.
Other topics are completely new such as: cross site scripting, cross site request forgery, injection, social networking attacks, zero day exploits, and Advanced Persistent Threat (APT). Interestingly, all of these topics (except for APT) are also in the Security+ SY0-301 objectives. Since I’ve been rewriting my SYO-201 book, much of this is very familiar to me.
On a personal note, the SSCP Systems Security Certified Practitioner All-in-One Exam Guide (ISBN-10: 0071771565) I’ve written hasn’t made it to publication yet. It was expected to be released in November 2011, but I’m working with the publisher to make the required changes to cover the new topics. I’m not sure when it’ll be released, but when it comes out, it will cover these new topics.
Best of luck in your studies.
Darril Gibson