SSCP difficulty.

ja5983 · June 2005

how hard is this cert in comparison to the security+ and TICSA?

I currently have both of those and i took the SSCP practice test on the site today just for fun and got an 80%.

I was thinking CCNA next but if i am scoring that well maybe i should go for SSCP...any input would be very helpful

ja5983 · June 2005

has anyone taken the SSCP?

Webmaster · June 2005

Ten9t6, the moderator of this forum, is a SSCP. I'm sure he'll notice your post when he gets the opportunity and can give you more info than I can.

Both security+ and TICSA and the SSCP exam have a lot of overlap. SSCP goes a bit further, both wider and deeper. Those two certs will definitely be an excellent primer for the SSCP, but not necessarily enough to pass the SSCP exam.

My SSCP practice exam here covers only a fraction of the topics in the SSCP exam. Try www.cccure.org for more practice questions to see where you stand.

ja5983 · June 2005

lol the one year experience...all you need to do is say you have your sec+ and they will let you take the TICSA...atleast they did for me

JDMurray · June 2005

ja5983 wrote:

lol the one year experience...all you need to do is say you have your sec+ and they will let you take the TICSA...atleast they did for me

Is that true? Hell, I stopped studying for the TICSA because I switched jobs and thought I'd need the year's experience from my current employer. Maybe I'll rethink going for the TICSA after I pass the CWSP. Thanks.

Ten9t6 · June 2005

ja5983 wrote:

lol the one year experience...all you need to do is say you have your sec+ and they will let you take the TICSA...atleast they did for me

Yes..but with the SSCP (and the CISSP), after you pass, you may find out that you are being audited. It would really suck to study, pay for, pass the exam, and have it yanked from you. Waste of a lot of time and money....

just something to think about...

JDMurray · June 2005

Would they actually revoke your SSCP certification or just deprecate it to "SSCP Associate?"

Webmaster · June 2005

Couldn't find the exact text, but I believe they will reject you even from future exams (i.e. CISSP).

JDMurray · June 2005

This "security work experience" requirement is a problem for me. As a software engineer, I work on applications that provide security solutions, but I don't have any specific duties involving the planning, implementation, or maintenance of security for my company or our customers. That could change in the future, but for right now I'm uncertain if my work experience would actually meet the prerequisite for many of these security cert exams.

Webmaster · June 2005

jdmurray wrote:

As a software engineer, I work on applications that provide security solutions, but I don't have any specific duties involving the planning, implementation, or maintenance of security for my company or our customers.

Everytime I read the requirements it seems to add more doubt. I'm in the same boat, and it must be as large as the Titanic considering there are so many with us. I have work experiences in all the mentioned areas, but not as a "full-time security professional". Although I think I can gather enough different projects to meet the 1 year for SSCP, I decided to go for the 'ISC2 Associate' option (by passing CISSP exam) instead. Partly based on a comment from you in an earlier discussion about "SSCP, CISSP, or associate". So since I'm not going for the cert, I might as well go for CISSP exam directly. The downfall is that you can use ISC2 Associate or Associate of ISC2, but not "SSCP Associate" or "CISSP Associate". Although I think being able to say 'I passed the CISSP exam' when I need to will do just fine.

SSCP Experience Requirements wrote:

Applicants must have a minimum of one year of direct full-time security professional work experience in one or more of the seven domains of the (ISC)² SSCP® CBK®.
SSCP professional experience includes:
- Work requiring special education or intellectual attainment, usually including a
technical school, liberal education or college degree.
- Work requiring habitual memory of a body of knowledge shared with others doing similar work.
- Management of projects and/or other employees.
- Supervision of the work of others while working with a minimum of supervision of one's self.
- Work requiring the exercise of judgment, management decision-making, and discretion.
- Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
- Creative writing and oral communication.
- Teaching, instructing, training and the mentoring of others.
- Research and development.
- The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of these controls).

CISSP Experience Requirements wrote:

Applicants must have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK® or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP® CBK® with a college degree. Additionally, a Master's Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.

CISSP professional experience includes:

- Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
- Work requiring habitual memory of a body of knowledge shared with others doing similar work.
- Management of projects and/or other employees.
- Supervision of the work of others while working with a minimum of supervision of one's self.
- Work requiring the exercise of judgment, management decision-making, and discretion.
- Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
- Creative writing and oral communication.
- Teaching, instructing, training and the mentoring of others.
- Research and development.
- The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of these controls).
- Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Title may include programmer. It may include administrator, except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words "coder" or "operator" are likely excluded.

ISC2 wrote:

What are the qualifications required for a CISSP candidate? How flexible are these requirements?

A: The eligibility requirements to sit for examination are COMPLETELY SEPARATE from the eligibility requirements necessary to be certified. These requirements are NOT flexible, since flexibility in the matter of eligibility requirements would diminish the integrity of the credentials.

I read something on a CISSP group or article, in which people claimed that ISC2 allowed the some sort of significant "life experience" to substitute 1 of the 4 years required work experience for the CISSP cert.

I.e. from Intense School:

The CISSP program is targeted at professionals with at least 4 years of experience in the information security field or 3 years of experience and a college degree (or equivalent life experience).

Still not good enough for me, as 3 years is still a bit too much, but it may still apply to others.

I can understand the requirements for the CISSP exam, and it makes a great long term goal. But I thought the SSCP was created for those who don't meet the experience requirements of CISSP, but do want the benifits of an ISC2 certification. I also understand there is a work experience requirement for the SSCP, but "direct full-time security professional work experience" is somewhat unfair imho. Someone like you for example, with 22 years of experience as a developer/programmer, can know a lot more about security and have a lot more direct experience than someone who works as a full-time security professional for one year.

I contacted ISC2 a long time ago asking if there was someone available to discuss my work experience with, but never got a reply. Which seems to indicate that the only way to find out if ISC2 considers your experience valid, is to submit it and register for the exam (you have to choose SSCP/CISSP 'or' and associate exam).

JDMurray · June 2005

The (ISC)2 seem to consider a very broad range of experiences to comprise direct full-time security professional work experience. It looks as though you could meet the prerequisite for the SSCP just by taking three for four semesters of security classes from an accredited university recognized by the (ISC)2.

I'm going for my MS in InfoSec from a university whose InfoSec program is recognized by the (ISC)2, so in another year I may the prerequisites for the SSCP. Once I get my InfoSec degree, that might possibly be good enough for the CISSP prerequisite too. It looks as if I publish security information that I author myself (such as my thesis) on a web site, the (ISC)2 may consider that to be "creative writing" and "teaching of others." It would seem that the on-going support and maintenance of TechExams.net should give you some credit, and possibly some credit for other moderators here a well.

I would think that if you submitted what you believe to be valid security credentials as a prerequisite for the SSCP or CISSP, but the (ISC)2 determined that they didn't meet their requirements, you would not be penalized for having attempted to pass their audit, and would probably be awarded "associate" status instead. After all, if the candidate didn't do anything unethical by lying or falsifying information, and did pass the exam, then there would be no need to punish the candidate.

Webmaster · June 2005

jdmurray wrote:

It looks as if I publish security information that I author myself (such as my thesis) on a web site, the (ISC)2 may consider that to be "creative writing" and "teaching of others." It would seem that the on-going support and maintenance of TechExams.net should give you some credit, and possibly some credit for other moderators here a well.

That's one of the reasons I tried to contact ISC2. I don't know if I can include writing the Security+ TechNotes, the CCNA access lists TechNotes, or any forum activity for example. It is related work experience, but I'm not a full-time security professional. If it's not valid for the SSCP or CISSP, would it have been if I wrote the Sec+ Notes for example in 16 weeks in a row instead of spread out over 3 years? Or if I had a full-time security professional day job while I wrote them? It shouldn't of course cause it's still the same experience, but I'm not sure how ISC2 feels about that.

jdmurray wrote:

I would think that if you submitted what you believe to be valid security credentials as a prerequisite for the SSCP or CISSP, but the (ISC)2 determined that they didn't meet their requirements, you would not be penalized for having attempted to pass their audit, and would probably be awarded "associate" status instead. After all, if the candidate didn't do anything unethical by lying or falsifying information, and did pass the exam, then there would be no need to punish the candidate.

I think that would depend on how much inappropriate work experience was submitted, and depending on how strictly "direct full-time security professional work experience" should be interpreted it can make a lot of difference in my case. But you are probably right that if there isn't any obvious intent to falsify the info, they won't punish a candidate.

Here's another quote from the ISC2 site that provides a different description:

CISSP Applicant Requirements wrote:

Valid professional experience includes information systems security-related work performed as a practitioner, auditor, consultant, vendor, investigator or instructor, or that which requires IS security knowledge and involves direct application of that knowledge.

I'm going to try and contact ISC2 again this week, maybe our local ISC2 office can give me some more info about how to interpret the work experience requirements.

JDMurray · June 2005

I'm thinking that TechExams.net should offer podcasts of various IT security topics. All you need to do is speak into a microphone, record lectures as MP3 files, and distribute them from this web site using RSS. This could be used in addition to the technotes as "providing security information to the public" as an instructor. I don't think we'd be competition to LearnKey or CBT Nuggets, but it would be valid security material produced and distributed to the public.

Interested in trying out TechExams.net podcasting?

http://en.wikipedia.org/wiki/Podcast

SSCP difficulty.

Comments