ISSAP Self Study
After many life changes last year, I've received management approval (a.k.a. wife) to pursue the ISSAP in 2010. I am shooting for a May 1, 2010 exam date in Tampa, FL. Unfortunately, my current position will not provide training, nor will they support the pursuit of training or reimbursement for materials, so this one will be out of pocket.
The materials I am currently planning to use will be from the following:
Shon Harris AIO 4th Edition Review (Book, and Career Academy CBTs I purchased for CISSP). - Review of Material from overlapping subdomains
Security Engineering by Ross Anderson
SABSA/SOMF Frameworks
NIST SP(s)
-SP 800-30
-SP 800-48
-SP 800-64
ISSAP Review Material from a colleague who took the seminar
And most importantly, feedback from the various communities and forums! This list of materials will grow, so I will try to update this thread with my progress along the way. I will also be starting the MS:ISA track @ WGU March 1 so the studies on BCP/DR and GIAC 7799 may provide supplemental research/information for the ISSAP.
Regards
CCIE Sec: Starting Nov 11
Comments
-
JDMurray Admin Posts: 13,101 Admin
You may have already done this, but search the forums at www.cccure.org for "ISSAP". There is at least one member there who posted a rather long listing of what he used to pass the CISSP-ISSAP exam.
As of December 3, 2009, there are only 861 people worldwide who are CISSP-ISSAP certified, so it seems only useful to have this cert if an employer is actually asking for it. (The same is true of the CISSP-ISSEP and CISSP-ISSMP.) Changes in 2008 to DoD Directive 8570.01-M may one day make these certs more valuable to have, but that's not currently the situation. Regardless, I think it's a good cert to have. -
down77 Member Posts: 1,009
Thanks JD. I had reached out to eDuck @ CCCure a few times in the last year about the ISSAP but unfortunately life threw a curveball and I had to postpone my exam date. I have some of the materials that they suggested reviewing but it never hurts to have other people weigh in on their point of view.
You are correct, there are a small number of ISSAP's in the world but I am doing this for myself rather than for work purposes. If it enhances my marketability down the line then that is a benefit, but not the main reason for me pursuing this certification.
Now I do have to admit, obtaining the CISSP was for work purposes... and I thoroughly enjoyed that journey!
CCIE Sec: Starting Nov 11 -
j_a_s_o_n Member Posts: 75 ■■□□□□□□□□
Something to be aware of is that the ISSAP domain composition is changing as of the first of the year.
I took it last year, based on the present seminar materials, and passed, but those materials will be out of date by the time that you sit for the test. I also picked up a copy of the Security Engineering book, but find it to have been of little use in hindsight. There are presently no other study materials out other than the seminar materials, but this should start to change around April. There are several books that are slated to come out around that time, including the official book from ISC2. My advice would be to slide your exam date out a little further until there is a better set of materials available for study. You can see what the new test will be based on in the latest CIB. -
down77 Member Posts: 1,009
I very well may slide the date out to December. I just grabbed the updated CIB and you are right, they have changed a few things as of Jan 1, 2010. Postponing the exam a few months won't hurt me.
I wonder when they will have the computer based testing available.... to me that is still bittersweet. Eventually candidates will only have to sweat 24hrs unlike the 4-6wks most of us waited in anticipation!
Thanks JD and Jason!
CCIE Sec: Starting Nov 11 -
JDMurray Admin Posts: 13,101 Admin
I wonder when they will have the computer based testing available....
The (ISC)2 is currently testing CBT using the CSSLP exam--a certification that no one cares about. It will likely be a success and they won't see the real trouble until the CISSP exam is rolled out to testing centers worldwide. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
I guess I fail to see why hard-copies are so much more secure. For as many people as touch them world-wide, it's difficult to believe no one has the opportunity to run a set through a copier. It seems like it would almost be more difficult to copy the questions off the screen instead of just having someone grab the materials and run out the door.
I think the limited, proctored sessions are a much more important factor than the actual medium the test is delivered through. I think you'd have the same problem if you gave every Vue and Prometric center a hard copy of the exams. -
JDMurray Admin Posts: 13,101 Admin
The physical access to the booklets and exam sheets is controlled by trusted proctors. The booklets are sealed until opened by the exam candidates, sealed in a shipping container immediately after the exam, and shipped to the processing center ASAP. You would need all three proctors to collude in copying the exams, which is not likely to happen.
Computer-based testing centers, however, are much more difficult to control. Although CBT exam information can be encrypted, it's impossible to verify that any administered exam isn't being copied (photographed) on-screen. Auditing testing centers using "secret shoppers" isn't cost-effective, especially in countries where cheating and bribery are considered a normal aspect of doing business. -
j_a_s_o_n Member Posts: 75 ■■□□□□□□□□
The paper exams also present a much smaller attack surface than the electronic ones. There are relatively few paper exams given at any one time due to the logistics of shipping things around, getting the space, scheduling the proctors, etc... With the electronic exams offered by a testing center, you can have exams any where you like, any time you like, hence much greater opportunity to steal the exam.
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
There are relatively few paper exams given at any one time due to the logistics of shipping things around, getting the space, scheduling the proctors, etc... With the electronic exams offered by a testing center, you can have exams any where you like, any time you like, hence much greater opportunity to steal the exam.
Computer-based testing centers, however, are much more difficult to control. Although CBT exam information can be encrypted, it's impossible to verify that any administered exam isn't being copied (photographed) on-screen. Auditing testing centers using "secret shoppers" isn't cost-effective, especially in countries where cheating and bribery are considered a normal aspect of doing business.
You guys seem to be backing my point more than anything. I was saying these exams are more secure because of the logistics, not simply because they're administered via hard-copy.
What if they bring a testing engine with them on an encrypted thumb drive/laptop and follow the same procedures? I don't think paper is inherently any more secure or electronic is inherently less secure. If you start shipping hard copies off to any test center that will administer an exam for a few dollars, you'll have the same problem. -
JDMurray Admin Posts: 13,101 Admin
If you start shipping hard copies off to any test center that will administer an exam for a few dollars, you'll have the same problem.
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
It is entirely relevant. What aspect of CBT-based exams mandates that they have to be blasted out to every VUE and Prometric center world-wide? I believe it is entirely possible to provide secure and manageable CBT-based exams that would not jeopardize the integrity of the certification. This paper vs. CBT talk always comes off as black-and-white, and as both of your responses to my initial post demonstrate, that's clearly not the case.
-
JDMurray Admin Posts: 13,101 Admin
It is entirely relevant. What aspect of CBT-based exams mandates that they have to be blasted out to every VUE and Prometric center world-wide?
And we seem to have an "apples and oranges" thing going here. You are making a very general and academic argument that computer-based testing is no more or less secure than paper testing; I am making a specific argument that CBT is a threat to the integrity of CISSP certification when applied in the specific context of what the (ISC)2 is trying to achieve. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
You are making a very general and academic argument that computer-based testing is no more or less secure than paper testing; I am making a specific argument that CBT is a threat to the integrity of CISSP certification when applied in the specific context of what the (ISC)2 is trying to achieve.
Fair enough. I was speaking generally, and I was just stating that I feel there is a middle-ground between convenience and security that doesn't ruin the integrity of the certification. I apologize for the misunderstanding. -
JDMurray Admin Posts: 13,101 Admin
Eh, no apologies necessary. It is my personal experience that most commercial testing centers that I've used are not very secure in one way or another. And once the high reputation of a certification has been compromised, it is very difficult to regain it. I just don't want that to happen with the (ISC)2.
-
GAngel Member Posts: 708 ■■■■□□□□□□
More info. I've almost convinced myself to get one of the three concentrations.
ISSEP is probably most related to where I want to take my career but the large focus on U.S. regulations may not be worth my while. Anyone done the ISSMP?
I can barely find any books for the three. -
down77 Member Posts: 1,009
The OIG for the ISSAP is scheduled to be available June 7, 2010 and I've reserved my copy. I may try for a November or December attempt depending on work/school. For those who are interested, here is the information on the study guide:
Auerbach Publications Official (ISC2) Guide to the ISSAP CBK ISBN-10: 1439800936
In the interim, I'll be continuing on with the MS track which will only help to reinforce a few of the domains for the ISSAP.
CCIE Sec: Starting Nov 11 -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Yep, I'm looking forward to that as well. I might take a stab at that in September.
Here's another excellent resource: Amazon.com: Enterprise Security Architecture: A Business-Driven Approach (ISBN 9781578203185): John Sherwood, Andrew Clark, David Lynas -
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
I ended up scheduling the ISSAP for next month. I was reviewing a couple of the domains for a project at work.
If I did not take a chance I would have had to wait until next year to give it a shot -
down77 Member Posts: 1,009
I ended up scheduling the ISSAP for next month. I was reviewing a couple of the domains for a project at work.
If I did not take a chance I would have had to wait until next year to give it a shot
Good luck and I look forward to hearing your experience with this one.
CCIE Sec: Starting Nov 11 -
uajesusfreak99 Registered Users Posts: 4 ■□□□□□□□□□
You may have already done this, but search the forums at www.cccure.org for "ISSAP". There is at least one member there who posted a rather long listing of what he used to pass the CISSP-ISSAP exam.
As of December 3, 2009, there are only 861 people worldwide who are CISSP-ISSAP certified, so it seems only useful to have this cert if an employer is actually asking for it. (The same is true of the CISSP-ISSEP and CISSP-ISSMP.) Changes in 2008 to DoD Directive 8570.01-M may one day make these certs more valuable to have, but that's not currently the situation. Regardless, I think it's a good cert to have. -
j_a_s_o_n Member Posts: 75 ■■□□□□□□□□
uajesusfreak99 wrote: » My reasons for wanting to take this exam are A) to get more in depth on the CBKs (I don't like the inch-deep-mile-wide-ness of the CISSP) and B) to renew my CISSP (it does do that, right?).
It won't renew your CISSP, but it will get you some CPEs toward renewing it. -
JDMurray Admin Posts: 13,101 Admin
It won't renew your CISSP, but it will get you some CPEs toward renewing it.
-
j_a_s_o_n Member Posts: 75 ■■□□□□□□□□
You don't actually get any CPEs for passing an (ISC)2 exam. I am not sure if you would need to collect CPEs for both your CISSP and CISSP-ISSAP cert. Can anybody with an extended CISSP cert give the answer?
You actually get 20 CPEs for passing a concentration exam. Here's the line from mine:
Information Systems Security Architecture Professional Examination | Information Systems Security Architecture Professional Examination | Exam | 10/03/2009 | 20
And yes, you have to collect CPEs for both the CISSP and the concentration. Depending on which concentration you have and what the CPEs are from, they may count for just the CISSP, just the concentration, or they may count for both. -
down77 Member Posts: 1,009
It's been a while since I've updated this thread but... it looks like the Official ISSAP study guide has been postponed multiple times since its original date, which is never a good sign. I'll be moving my attempt at this exam towards the end of 2011, which should give additional time for the "official" materials to become available. In the meantime I'll be working on the CCDP, CWSP, and CHFI exams as well as anything else that school/work throws my way. This may be a sign to shell out the money for the class....
For anyone that is interested, here is a link to the publisher's site for the ISSAP CBK:
CRC Press Online - Book: Official (ISC)2 Guide to the ISSAP CBK
CCIE Sec: Starting Nov 11