ISSAP Self Study

down77

After many life changes last year, I've received management approval (aka. wife) to pursue the ISSAP in 2010. I am shooting for a May 1, 2010 exam date in Tampa, FL. Unfortunately, my current position will not provide training nor will they support the pursuit of training or reimbursement for materials, so this will be one out of the pocket.

The materials I am currently planning to use will be from the following:

Shon Harris AIO 4th Edition Review (Book, and Career Academy CBTs I purchased for CISSP). - Review of Material from overlapping subdomains

Security Engineering by Ross Anderson

SABSA/SOMF Frameworks

NIST SP(s)
-SP 800-30
-SP 800-48
-SP 800-64

ISSAP Review Material from a colleague who took the seminar

And most importantly, feedback from the various communities and forums! This list of materials will grow, so I will try to update this thread with my progress along the way. I will also be starting the MS:ISA track @ WGU March 1 so the studies on BCP/DR and GIAC 7799 may provide supplemental research/information for the ISSAP.

Regards

JDMurray

You may have already done this, but search the forums at www.cccure.org for "ISSAP". There is at least one member there who posted a rather long listing of what he used to pass the CISSP-ISSAP exam.

As of December 3, 2009, there are only 861 people worldwide who are CISSP-ISSAP certified, so it seem only useful to have this cert if an employer is actually asking for it. (The same is true of the CISSP-ISSEP and CISSP-ISSMP.) Changes in 2008 to DoD Directive 8570.01-M may one day make these certs more valuable to have, but that's not currently the situation. Regardless, I think it's a good cert to have.

down77

Thanks JD. I had reached out to eDuck @ CCCure a few times in the last year about the ISSAP but unfortunately life threw a curveball and had to postpone my exam date. I have some of the materials that they suggested reviewing but it never hurts to have other people weigh in on their point of view.

You are correct, there are a small number of ISSAP's in the world but I am doing this for myself rather than for work purposes. If it enhances my marketability down the line then that is a benefit, but not the main reason for me pursuing this certification.

Now I do have to admit, obtaining the CISSP was for work purposes... and I thoroughly enjoyed that journey!

j_a_s_o_n

Something to be aware of is that the ISSAP domain composition is changing as of the first of the year.

I took it last year, based on the present seminar materials and passed, but those materials will be out of date by the time that you sit for the test. I also picked up a copy of the Security Engineering book, but find it to have been of little use in hindsight. There are presently no other study materials out other that the seminar materials, but this should start to change around April. There are several book that are slated to come out around that time, including the official book from ISC2. My advice would be to slide your exam date out a little further until there is a better set of materials available for study. You can see what the new test will be based on in the latest CIB.

down77

I very well may slide the date out to December. I just grabbed the updated CIB and you are right, they have changed a few things as of Jan 1, 2010. Postponing the exam a few months won't hurt me.

I wonder when they will have the computer based testing available.... to me that is still bittersweet. Eventually candidates will only have to sweat 24hrs unlike the 4-6wks most of us waited in anticipation!

Thanks JD and Jason!

JDMurray

down77 wrote: »

I wonder when they will have the computer based testing available....

I would hope never. The testing sites will be immediately compromised and the CISSP exam braindumped beyond belief, irreparably compromising its integrity. Paper-based exams give a much greater control over keeping the exam contents secret.

The (ISC)2 is currently testing CBT using the CSSLP exam--a certification that no one cares about. It will likely be a success and they won't see the real trouble until the CISSP exam is rolled out to testing centers worldwide.

dynamik

I guess I fail to see why hard-copies are so much more secure. For as many people touch them world-wide, it's difficult to believe no one has the opportunity to run a set through a copier. It seems like it would almost be more difficult to copy the questions of the screen instead of just having someone grab the materials and run out the door.

I think the limited, proctored sessions are a much more important factor than the actual medium the test is delivered through. I think you'd have the same problem if you gave ever Vue and Prometric center a hard copy of the exams.

JDMurray

The physical access to the booklets and exam sheets is controlled by trusted proctors. The booklets are sealed until opened by the exam candidates, sealed in a shipping container immediately after the exam, and shipped to the processing center ASAP. You would need all three proctors to collude in copying the exams, which is not likely to happen.

Computer-based testing centers, however, are much more difficult to control. Although CBT exam information can be encrypted, it's impossible to verify that any administered exam isn't being copied (photographed) on-screen. Auditing testing centers using "secret shoppers" isn't cost-effective, especially in countries where cheating and bribery are considered normal aspect of doing business.

j_a_s_o_n

The paper exams also present a much smaller attack surface than the electronic ones. There are relatively few paper exams given at any one time due to the logistics of shipping things around, getting the space, scheduling the proctors, etc... With the electronic exams offered by a testing center, you can have exams any where you like, any time you like, hence much greater opportunity to steal the exam.

dynamik

j_a_s_o_n wrote: »

There are relatively few paper exams given at any one time due to the logistics of shipping things around, getting the space, scheduling the proctors, etc...

j_a_s_o_n wrote: »

With the electronic exams offered by a testing center, you can have exams any where you like, any time you like, hence much greater opportunity to steal the exam.

JDMurray wrote: »

Computer-based testing centers, however, are much more difficult to control. Although CBT exam information can be encrypted, it's impossible to verify that any administered exam isn't being copied (photographed) on-screen. Auditing testing centers using "secret shoppers" isn't cost-effective, especially in countries where cheating and bribery are considered normal aspect of doing business.

You guys seem to be backing my point more than anything. I was saying these exams are more secure because of the logistics, not simply because they're administered via hard-copy.

What if they bring a testing engine with them on an encrypted thumb drive/laptop and follow the same procedures? I don't think paper in inherently any more secure or electronic is inherently less secure. If you start shipping hard copies off to any test center that will administer an exam for a few dollars, you'll have the same problem.

JDMurray

dynamik wrote: »

If you start shipping hard copies off to any test center that will administer an exam for a few dollars, you'll have the same problem.

But that isn't the way the (ISC)2 currently administers exams, so it isn't relevant to a discussion of CBT-administered exams hurting the integrity of (ISC)2 certifications. That 's what we're really discussing here (aside from the CISSP-ISSAP).

dynamik

It is entirely relevant. What aspect of CBT-based exams mandates that they have to be blasted out to every VUE and Prometric center world-wide? I believe it is entirely possible to provide secure and manageable CBT-based exams that would not jeopardize the integrity of the certification. This paper vs. CBT talk always comes off as black-and-white, and as both of your responses to my initial post demonstrate, that's clearly not the case.

JDMurray

dynamik wrote: »

It is entirely relevant. What aspect of CBT-based exams mandates that they have to be blasted out to every VUE and Prometric center world-wide?

The (ISC)2 madates that it should happen. The major driver of making computer-based (ISC)2 cert exams available is to address the issue of how difficult it is now for candidates to schedule (ISC)2 exams when they are offered at so few times in so few locations. Therefore, the (ISC)2 will need to make their computer-based exams available far and wide to both gain new members and collect the cash necessary for pay for this new (and expensive) way of distributing their exams. It only takes one compromised testing center to make a good **** of any exam.

And we seems to have an "apples and oranges" thing going here. You are making a very general and academic argument that computer-based testing is no more or less secure than paper testing; I am making a specific argument that CBT is a threat to the integrity of CISSP certification when applied in the specific context of what the (ISC)2 is trying to achieve.

dynamik

JDMurray wrote: »

You are making a very general and academic argument that computer-based testing is no more or less secure than paper testing; I am making a specific argument that CBT is a threat to the integrity of CISSP certification when applied in the specific context of what the (ISC)2 is trying to achieve.

Fair enough. I was speaking generally, and I was just stating that I feel there is a middle-ground between convenience and security that doesn't ruin the integrity of the certification. I apologize for the misunderstanding.

JDMurray

Eh, no apologies necessary. It is my personal experience that most commercial testing centers that I've used are not very secure in one way or another. And once the high reputation of a certification has been compromised, it is very difficult to regain it. I just don't want that to happen with the (ISC)2.

GAngel

More info. I've almost convinced myself to get one of the three concentrations.

ISSEP is probably most related to where I want to take my career but the large focus on U.S. regulations may not be worth my while. Anyone done the ISSMP?

I can barely find any books for the three.

down77

The OIG for the ISSAP is scheduled to be available June 7, 2010 and I've reserved my copy. I may try for a November or December attempt depending on work/school. For those who are interested here is the information on the study guide:

Auerbach Publications Official (ISC2) Guide to the ISSAP CBK ISBN-10: 1439800936

In the interim, I'll be continuing on with the MS track which will only help to reinforce a few of the domains for the ISSAP.

dynamik

Yep, I'm looking forward to that as well. I might take a stab at that in September.

Here's another excellent resource: Amazon.com: Enterprise Security Architecture: A Business-Driven Approach (9781578203185): John Sherwood, Andrew Clark, David Lynas: Books

tpatt100

I ended up scheduling the ISSAP for next month. I was reviewing a couple of the domains for a project at work.

If I did not take a chance I would have had to wait until next year to give it a shot

down77

tpatt100 wrote: »

I ended up scheduling the ISSAP for next month. I was reviewing a couple of the domains for a project at work.

If I did not take a chance I would have had to wait until next year to give it a shot

Good luck and I look forward to hearing your experience with this one.

uajesusfreak99

JDMurray wrote: »

You may have already done this, but search the forums at www.cccure.org for "ISSAP". There is at least one member there who posted a rather long listing of what he used to pass the CISSP-ISSAP exam.

As of December 3, 2009, there are only 861 people worldwide who are CISSP-ISSAP certified, so it seem only useful to have this cert if an employer is actually asking for it. (The same is true of the CISSP-ISSEP and CISSP-ISSMP.) Changes in 2008 to DoD Directive 8570.01-M may one day make these certs more valuable to have, but that's not currently the situation. Regardless, I think it's a good cert to have.

My reasons for wanting to take this exam are A) to get more in depth on the CBK's (I don't like the inch-deep-mile-wide-ness of the CISSP) and to renew my CISSP (it does do that, right?).

j_a_s_o_n

uajesusfreak99 wrote: »

My reasons for wanting to take this exam are A) to get more in depth on the CBK's (I don't like the inch-deep-mile-wide-ness of the CISSP) and to renew my CISSP (it does do that, right?).

It won't renew your CISSP, but it will get you some CPEs toward renewing it.

JDMurray

j_a_s_o_n wrote: »

It won't renew your CISSP, but it will get you some CPEs toward renewing it.

You don't actually get any CPEs for passing an (ISC)2 exam. I am not sure if you would need to collect CPEs for both your CISSP and CISSP-ISSAP cert. Can anybody with an extended CISSP cert give the answer?

j_a_s_o_n

JDMurray wrote: »

You don't actually get any CPEs for passing an (ISC)2 exam. I am not sure if you would need to collect CPEs for both your CISSP and CISSP-ISSAP cert. Can anybody with an extended CISSP cert give the answer?

You actually get 20 CPEs for passing a concentration exam. Here's the line from mine:

Information Systems Security Architecture Professional Examination | Information Systems Security Architecture Professional Examination | Exam | 10/03/2009 | 20

And yes, you have to collect CPEs for both the CISSP and the concentration. Depending on which concentration you have and what the CPEs are from, they may count for just the CISSP, just the concentration, or they may count for both.

down77

It's been a while since I've updated this thread but... it looks like the Official ISSAP study guide has been postponed multiple times since its original date which is never a good sign. I'll be moving my attempt at this exam towards the end of 2011 which should give additional time for the "official" materials be become available. In the meantime I'll be working on the CCDP, CWSP, and CHFI exams as well as anything else that school/work throws my way. This may be a sign to shell out the money for the class....

For anyone that is interested, here is a link to the publishers site for the ISSAP CBK:

CRC Press Online - Book: Official (ISC)2 Guide to the ISSAP CBK