SSCP

/usr Member Posts: 1,768
How exactly does the application process work?

I've been looking into it more. With only a year of experience required, I could meet that criteria I think. The only thing is, how do I prove it to them that I meet the criteria?

Comments

  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,668 Admin
    You will have either your employer(s) or an (ISC)2 member(s) verify your employment experience and other requirements.

    https://www.isc2.org/cgi-bin/content.cgi?page=46

    Also, I've heard that not every (ISC)2 exam candidate is fully audited to assure that they meet all certification requirements. The audit rate has been supposed to be only 50%, but it may be lower.

    Does anyone have any accurate information on this?
  • /usr Member Posts: 1,768
    Can an employer vouch for experience through school and certifications?

    I don't know any (ISC)2 members.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,668 Admin
    I think they want only practical work experience. You'll have to email the (ISC)2 for the full details.
  • Webmaster Admin Posts: 10,292 Admin
    I heard they are pretty strict with the requirements, no special cases.
    The applicant must meet the following requirements to qualify to sit for the examination: A. Subscribe to the (ISC)² Code of Ethics; and B. Have one year of direct work experience in one or more of the ten test domains of the information systems security Common Body of Knowledge (CBK). Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, system administrator or analyst, network administrator or related activity that requires IS security knowledge and involves the direct application of that knowledge. The one year of experience must be the equivalent of actual full-time IS security work (not just IS security responsibilities for a one year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.

    List positions that qualify for your one year of work experience. If your titles are not clearly IS security-related, describe your work in the space entered. (ISC)² may, at its sole discretion, require more information and/or reject any candidate's application.
    Also, I've heard that not every (ISC)2 exam candidate is fully audited to assure that they meet all certification requirements. The audit rate has been supposed to be only 50%, but it may be lower.
    Basically anyone can register for this exam and sit the exam. As they mention on their website, being eligible to take the exam and to become certified are two entirely different things. So you register, fill in the online form or PDF file including work experience as mentioned above, you pay for the exam, pass the exam, and then ISC2 may decide to audit the information you provided. If it is correct, you'll be certified; if it is not correct you won't get certified, but maybe they would allow you to become an associate (which means you still passed the exam, and once you reach the 1 year experience, they'll send you the cert). If anyone would submit bogus information, they may reject any future registrations and deny you the cert (without a refund, you pay for the exam, not the cert.).

    I'm hoping to take this exam 15th of April (in Utrecht), but I just found out ISC2 has a new branch location in Amsterdam that has a spot on Feb 12...
  • /usr Member Posts: 1,768
    Bah, I doubt I qualify by their standards. I'm definitely not studying for and taking the exam unless I know I'll be getting the certification. I still emailed and asked, it's worth a shot.

    Guess I'll be moving on to something else...
  • Ten9t6 Member Posts: 691
    /usr wrote:
    Bah, I doubt I qualify by their standards. I'm definitely not studying for and taking the exam unless I know I'll be getting the certification. I still emailed and asked, it's worth a shot.

    Guess I'll be moving on to something else...

    How much experience do you have? Could you have the year by the time you sit the test? The test is a really good stepping stone towards the CISSP.

    If you are holding off for a while, you can always take the CWNA.....then go take the CWSP..and tell me what you think... :D haha
    Kenny

    A+, Network+, Linux+, Security+, MCSE+I, MCSE:Security, MCDBA, CCNP, CCDP, CCSP, CCVP, CCIE Written (R/S, Voice),INFOSEC, JNCIA (M and FWV), JNCIS (M and FWV), ENA, C|EH, ACA, ACS, ACE, CTP, CISSP, SSCP, MCIWD, CIWSA
  • Ten9t6 Member Posts: 691
    Actually...to stay with the security theme...you could look at Check Point.
    Kenny

  • Webmaster Admin Posts: 10,292 Admin
    /usr wrote:
    I still emailed and asked, it's worth a shot.
    Indeed, and I assume you mentioned you are a CEH, which may make a difference. And like Ten9t6 said, you may have sufficient experience when you pass the test. If you are really interested in this, and the material would fit well after Security+ and surely there is some overlap with CEH as well, you can always go for the associate option and still become certified after you get those additional months of experience. And ISC2 Associate for SSCP will look pretty good on your resume...
    If you are holding off for a while, you can always take the CWNA.....then go take the CWSP..and tell me what you think... haha
    and then try to get some work related to securing wireless networks. CWSP seems to become very popular. I have the book+voucher+practice exams, but haven't got past chapter 1... partly because of my SSCP study, but now that Wildfire is putting his lab online (including a 2950) I feel the urge to pick up my BCMSN book again and finish CCNP. So much to choose from
  • /usr Member Posts: 1,768
    So much to choose from


    You couldn't be more correct...
  • /usr Member Posts: 1,768
    Am I reading right, in that the experience has to be in ONE of the domains, not spread out among them?
  • /usr Member Posts: 1,768
    So if I fill out all the required information, study for and pass the exam, and they decide to audit me and decide that I don't meet the standards, is it almost guaranteed that I can become an Associate as long as I didn't lie on the application?

    On the other hand, if I study for and pass the exam and they don't audit me, I just get the certification, right?

    Also, what is some good study material for the exam, and I can order it and study without approval, right? I just don't want to put a bunch of time into this, only to find out I'm not able to even sit for the exam.

    Their methods for finding out if you qualify or if/when they'll let you know if you do, are fuzzy at best.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,668 Admin
    These are all great questions that you should directly ask of the (ISC)2 itself. Please let us know what they reply.

    https://www.isc2.org/cgi-bin/contact.cgi
  • /usr Member Posts: 1,768
    They are a bit slow to reply, I've already emailed them once.
  • Webmaster Admin Posts: 10,292 Admin
    Am I reading right, in that the experience has to be in ONE of the domains, not spread out among them?
    Correct. Although I bet if you have experience in 'just' one or two domains you'll be likely one to be audited.
    /usr wrote:
    Also, what is some good study material for the exam, and I can order it and study without approval, right? I just don't want to put a bunch of time into this, only to find out I'm not able to even sit for the exam.
    I'm using CISSP material but there are several SSCP guides including the official guide, which indeed anyone can order. The time you spend on this won't be wasted, cause the knowledge is very general and should benefit your security career regardless of the cert. I understand what you mean though.
    So if I fill out all the required information, study for and pass the exam, and they decide to audit me and decide that I don't meet the standards, is it almost guaranteed that I can become an Associate as long as I didn't lie on the application?
    That's indeed a question you might want to direct to ISC2 before you register.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,668 Admin
    From a resume standpoint, I would bet that most employers who desire/require a CISSP certification don't know--or possibly care-- about the difference between a fully-certified CISSP and a CISSP Associate. Simply passing the CISSP exam may be enough "experience" for the majority of employers.

    Also, the full details of the CISSP Associate are explained in the (ISC)2 FAQ: https://www.isc2.org/cgi-bin/content.cgi?page=8#cat07
  • /usr Member Posts: 1,768
    I don't mind being audited. I won't be putting any false information or stretching the truth at all. I just want to know what will happen after I take/pass the exam.

    I'll email (ISC)2 tonight with more detailed questions.
  • /usr Member Posts: 1,768
    Wow, they wouldn't even answer my questions through email...I'm supposed to call them. Guess I will tonight when I get home.
  • /usr Member Posts: 1,768
    Have at least 1 year of cumulative work experience in one or more of the seven test domains in information systems [IS] security.


    Seems like your knowledge can be spread out or focused.
  • /usr Member Posts: 1,768
    I'm going to go ahead with this certification. I spoke with the guy from (ISC)2 and he sounded positive about my experience, and especially the fact that I had other security-related certifications. He did explain that this cert isn't that well known, however. I think he said around 800 people, as opposed to 20,000 CISSP's? Don't quote me on the numbers, but it was similar. However, I expect it will grow, as it is a bit newer than the CISSP.

    I just need some good study material. If anyone knows of anything to use, let me know. I would rather not use CISSP books, as I don't want to try and cram too much into my head when I won't even need it...not yet anyway.
  • /usr Member Posts: 1,768
    A search on amazon only turned up 4 books, with one of them being the official CISSP exam guide.

    Any suggestions?
  • Webmaster Admin Posts: 10,292 Admin
    This one: The Official (Isc)2 Guide to the Sscp Exam Nagement by Miguel J. Bagajewicz wasn't there yet when I bought my CISSP book so I don't know about that one, but I ended up buying Mike Meyers (actually Shon Harris) CISSP book, because I couldn't find much positive info about the others. With the exam objectives it's quite easy to pick out the topics that apply to SSCP as well, but I wouldn't recommend it because there are some topics on the SSCP exam that aren't covered by the CISSP exam.

    Here's the best site for SSCP and CISSP info (including a huge load of free practice questions): www.cccure.org Maybe you can find some more book suggestions or reviews there.
  • /usr Member Posts: 1,768
    Wondering if I should get the official CISSP guide, then match it up to the SSCP objectives. Then also get the two recommended on the cccure.org webpage to cover what I can't get from the CISSP book.

    What do you think?
  • Webmaster Admin Posts: 10,292 Admin
    I think that would do the trick for sure, but why 2 SSCP books? I think you'll be surprised how much you know already (i.e. the Malicious Code and the Cryptography domain). If you do get a CISSP book, get that All-in-one, it is a very good book, I'm sure Ten9t6 can confirm that.

    Have you downloaded the 'Study guide for SSCP certification' (basically the exam objectives)? It contains a book list that has been used as a reference during the test development process, you might be able to pick one or more of those to go with the CISSP guide to cover the rest. Those books are usually a better reference than yet another cert guide.
  • Webmaster Admin Posts: 10,292 Admin
    /usr wrote:
    I'm going to go ahead with this certification. I spoke with the guy from (ISC)2 and he sounded positive about my experience, and especially the fact that I had other security-related certifications. He did explain that this cert isn't that well known, however. I think he said around 800 people, as opposed to 20,000 CISSP's? Don't quote me on the numbers, but it was similar. However, I expect it will grow, as it is a bit newer than the CISSP.

    That's good news, and only fair considering the requirements for CEH.
    Only 800? Well, I think putting 'ISC2' in front of it will do the trick. I knew it wasn't much but expected at least a couple of thousand. Did he mention worldwide?
  • /usr Member Posts: 1,768
    No, just said 800. I didn't pursue it further.


    I was going to go with two SSCP books because in EVERY review I've read, they say that you really need another source. Since this exam is most likely going to be the toughest (as well as the most expensive, at $350+), I figured I might as well go with as much material as I can find.

    I don't like the idea of going through a book and picking things out, but since the CISSP book is the "official" guide, it may teach me most of what I need to know.

    And yes, I have the objectives. The rep emailed it to me when I asked if they had an official study guide. I guess I confused him.
  • Webmaster Admin Posts: 10,292 Admin
    Yeah, with the cost of the exam a second book is certainly justifiable. I think the problem with certification guides is that they usually don't go far enough (not just for the exam but to really understand how the technologies and concepts apply in real world scenarios) hence a second book is not a bad idea, but I rather use some non-cert material in addition. I haven't found any practice exams for this one when I looked a couple of months ago, but that's kinda logical if only 800 are certified so far...
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,668 Admin
    I've been looking through a lot of InfoSec job postings and the only security certifications I continually see required (or desired) are CISSP, CISA, and CISM. Occasionally, there will be an IT security position that asks for Security+ or any GIAC cert. I found only one posting asking for MCSE+Security.

    It looks to me that a CISSP Associate designation is a better investment than a fully-certified SSCP--if only for the acronym recognition among both peers and employers.
  • /usr Member Posts: 1,768
    Webmaster, any comments on that? He seems to be right, but there has to be some downside, or upside to the SSCP, or else everyone would be ignoring it and going for the CISSP Associate route.
  • Webmaster Admin Posts: 10,292 Admin
    I wouldn't expect that from someone with a CWNA ;) But, jdmurray has a valid point as usual.

    Considering the popularity of ISC2's CISSP exam and the popularity of security knowledge and skills in general, there's only one way this cert can go. And once companies start to realize that Security+ doesn't mean much they'll be looking at more reputable certifications. Plus it is a bit cheaper than SSCP so personally I rather invest in the certification than the 'designation'.

    Ten9t6 suggested it to me a while ago and there was something in particular why I decided to go for SSCP instead of the associate option. I'll have to check some of those hidden pages at ISC2 again but I think it had something to do with not being allowed to use 'CISSP', as in you wouldn't be a "ISC2 Associate on CISSP" or something like that (for the outside world), but 'just' an ISC2 Associate. Not sure if I remember that correctly and the site is currently down for maintenance, for two days... Maybe I read it in my book, will check that one in a bit.
    if only for the acronym recognition among both peers and employers.
    Regarding the peers I agree, and in case the company doesn't know exactly what CISSP or ISC2 is, you are probably right also, but for such positions they often know exactly what they want and know what it means if you're not certified. (and explaining that you don't have enough experience just sounds kinda negative).

    I do plan to go for CISSP eventually though, so doing SSCP first is not the cheapest road. I haven't tried to stretch it or include any writing in my security experience, or contact ISC2 to see what they think, but I still have a lot of time to go before I would be able to turn that associate into certified, so I really prefer the certificate. My main reason for these ISC2 certs is that I want to teach Security+ classes and increase my credibility for Security+ study material, and of course the knowledge I gain from preparing for those exams, so I haven't really checked jobsites myself to see for what jobs a SSCP would help.

    Maybe Ten9t6 can shed some light on the issue. Ten9t6? What's your opinion about the associate option?
    He did explain that this cert isn't that well know, however.
    This does make me wonder though, did it sound like a hint?
    but there has to be some downside, or upside to the SSCP, or else everyone would be ignoring it and going for the CISSP Associate route.
    And then there certainly wouldn't be much reason for the SSCP Associate...

    Although this doesn't mean anything: I did see SSCP listed in a salary survey recently with a salary average close to CISSP.
  • /usr Member Posts: 1,768
    Even if jobs aren't asking for an SSCP, it certainly won't hurt. I'm like you in that I have so far to go (much more than you, I'm sure) before I would ever be eligible to get the CISSP. The SSCP has to have some credibility. Perhaps it just isn't widely recognized yet. I would assume that it certainly won't hurt in getting you an entry level security job, plus you're really only "losing" the testing fee if you decide to go on to the CISSP, since everything (or most at least) from the SSCP will carry over.

    I am simply not ready for the CISSP. I do not have 3 years of Information Security experience, and I don't know that any amount of studying would give me enough to pass that exam. SSCP just seems like the more logical of the two, at least at this point in MY certification path.