SSCP potential

cashew

I got a new job (thanks MCSE!) and my employer would like me to get my CISSP. However, they are aware that I only have 2 1/2 years of Sys Admin experience. The ISC2 site is not the easiest to navigate. It looks like I would qualify for the SSCP under the Analysis and monitoring domain. I have a few questions:

1) Does having my MCSE credit me towards anything?

2) Being a Sys Admin for a few years, does this credit me enough to qualify to take the test?

3) Would there be a benefit by obtaining Security + first?

JDMurray

The Security+ is an excellent security cert to start with. It is recognized by several other cert organizations, including Microsoft, and is required when working in information security with DoD or HIPAA organizations. All of the information in the objectives of the Security+ exam are also in the SSCP and CISSP exams.

The MCSE or Security+ cert will allow you to waive one year of the experience requirement for the CISSP (here's the full cert listing). The CISSP requires five years of work-related experience in at least two of the ten domains of the CBK. You can knock one year off for having the Security+ or MCSE, and a second year off for having a 4-year college degree. You also need an endorsement from a CISSP holder that knows your work and experience (see CISSP Applicant Requirements).

If you already have 2.5 years of system security admin experience, plan on taking the CISSP in six or more months so you will have the minimum three years needed (assuming you have a college degree). In that time you will get your Security+ and be studying for the CISSP. You could also use the SSCP exam as a way to prep for the CISSP exam too. If your employer is paying for your certification attempts and annual renewal fees, I say go for all three.

cashew

No Degree. Since I have the 2.5 years experience and MCSE, I can qualify to take the SSCP right? Also, if I obtained my Sec+ would that count as an additional year? MCSE + Sec+ = 2 years credit, or can I only exempt 1 year from certs?

JDMurray

The SSCP Applicant Requirements include at least one year of cumulative work experience in one or more of the seven domains in information security covered by the SSCP exam. There are many experiences listed which are accepted, but IT certifications aren't among them. Review the SSCP Work Experience Requirements page to see if you meet the requirements in other ways. If you have questions that aren't answered by the (ISC)2 site, you should email the (ISC)2 directly at [email protected].

cashew

Thanks for all your advice. It looks like within the 2.5 year admin experience I had experience with the following domains:

Access Controls, Analysis and monitoring, and Security Operations and administration.

https://www.isc2.org/cgi-bin/content.cgi?page=950

It looks like I can go for the SSCP! I will go the route you recommended seeing as my employer will be funding my education.

1) Sec+
2) SSCP
3) CISSP

What's confusing however is the difference between the domains and the professional experience page.

JDMurray

cashew wrote:

1) Sec+
2) SSCP
3) CISSP

This is a good order in which to take these exams. There is actually a big jump from Security+ to SSCP in the amount of subject matter that you need to digest, but it's all good information that you will need for the InfoSec profession. It's also a good prep for learning the CISSP material. Another important thing to realize is that the information in the SSCP exam is more on the technical side, while the CISSP exam content is more on the managerial side.

Also, the 4th edition of Shon Harris' CISSP A-I-O Exam Guide is due out this month; I'd recommend waiting to buy it.