ISSAP_Ebbok


    8/10/2019 ISSAP_Ebbok

    2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 7.30.13 V.11

    Information Systems Security Architecture Professional (ISSAP)

    Candidate Information Bulletin

    Effective Date January 1, 2010

    (Exam Outline)

    Effective Date: April 2013


    Day of the Exam ........ 27

    Any questions? ........ 31


    ISSAPs are CISSPs who specialize in designing security solutions and providing management with risk-based guidance to meet organizational goals. They facilitate the alignment of security solutions within the organizational context (e.g., vision, mission, strategy, policies, requirements, change, and external factors).

    This Candidate Information Bulletin provides the following:

    Exam blueprint to a limited level of detail that outlines major topics and sub-topics within the domains,

    Suggested reference list,

    Description of the format of the items on the exam, and

    Basic registration/administration policies

    General Exam Information for computer based testing and paper based testing.

    Candidates should review this section accordingly.

    Candidates for the CISSP-ISSAP must:

    Be a CISSP in good standing

    Demonstrate 2 years of professional experience in one or more domains of this concentration.

    Pass the CISSP-ISSAP examination

    Maintain the credential in good standing along with the underlying CISSP.

    Before candidates are allowed to take the test at testing centers, they must respond yes or no to the following four questions regarding criminal history and related background:

    1. Have you ever been convicted of a felony; a misdemeanor involving a computer crime, dishonesty, or repeat offenses; or a Court Martial in military service, or is there a felony charge, indictment, or information now pending against you? (Omit minor traffic violations and offenses prosecuted in juvenile court).

    2. Have you ever had a professional license, certification, membership or registration revoked, or have you ever been censured or disciplined by any professional organization or government agency?

    3. Have you ever been involved, or publicly identified, with criminal hackers or hacking?

    4. Have you ever been known by any other name, alias, or pseudonym? (You need not include user identities or screen names with which you were publicly identified).


    1) ACCESS CONTROL SYSTEMS & METHODOLOGY

    Overview

    The Access Control Systems & Methodology domain details the critical requirements to establish adequate and effective access controls for an organization. Access controls protect systems, data, physical infrastructure and personnel in order to maintain their integrity, availability and confidentiality.

    Failure to design, develop, maintain and enforce appropriate access control will leave an organization vulnerable to security breaches. This applies to all types of breaches, whether they are locally or remotely initiated. Understanding of the types of controls available, current technologies and the principles of access control is imperative for the Security Architecture Professional.

    The Security Architecture Professional is also expected to apply the hard and soft aspects of access controls: policy, organizational structure, and technical means. Awareness of the principles of best practices in designing access controls is also expected to be demonstrated.

    Key Areas of Knowledge

    1.A Apply Access Control Concepts, Methodologies, and Techniques

    1.A.1 Application of control concepts and principles (e.g., discretionary/mandatory, segregation/separation of duties, rule of least privilege)

    1.A.2 Account life cycle management (e.g., registration, enrollment, access control administration)

    1.A.3 Identification, authentication, authorization, and accounting methods

    1.B Determine identity and access management architecture

    1.B.1 Centralized

    1.B.2 Decentralized

    1.B.3 Federated identity

    1.B.4 Access Control Protocols and Technologies (e.g., RADIUS, Kerberos, EAP, SAML, XACML, LDAP)


    2) COMMUNICATIONS & NETWORK SECURITY

    Overview

    The Communications & Network Security domain addresses the security concerns related to the critical role of communications and networks in today's computing environments. The Security Architecture Professional must understand the risks to communications networks whether they are data, voice or multimedia. This includes understanding of communications processes and protocols, threats and countermeasures, support for organizational growth and operations, and the ability to design, implement and monitor secure architectures.

    Key Areas of Knowledge

    2.A Determine Communications Architecture

    2.A.1 Unified communication (e.g., convergence, collaboration, messaging)

    2.A.2 Content type (e.g., data, voice, video, facsimile)

    2.A.3 Transport mechanisms (e.g., satellite, landlines, microwave, radio, fiber)

    2.A.4 Communication topology (e.g., centralized, distributed, cloud, mesh)

    2.B Determine Network Architecture

    2.B.1 Network types (e.g., public, private, hybrid)

    2.B.2 Protocols

    2.B.3 Securing common services (e.g., wireless, e-mail, VoIP)

    2.C Protect Communications and Networks

    2.C.1 Communication and network policies

    2.C.2 Boundary protection (e.g., firewalls, VPNs, airgaps)

    2.C.3 Gateways, routers, switches and architecture (e.g., access control segmentation, out-of-band management, OSI layers)

    2.C.4 Detection and response

    2.C.5 Content monitoring, inspection and filtering (e.g., email, web, data)


    2.C.6 Device control

    2.D Identify Security Design Considerations and Associated Risks

    2.D.1 Interoperability

    2.D.2 Auditability (e.g., regulatory, legislative, forensic requirements, segregation, verifiability of high assurance systems)

    2.D.3 Security configuration (e.g., baselines)

    2.D.4 Remote access

    2.D.5 Monitoring (e.g., sensor placement, time reconciliation, span of control, record compatibility)

    2.D.6 Network configuration (e.g., physical, logical, high availability)

    2.D.7 Operating environment (e.g., virtualization, cloud computing)

    2.D.8 Secure sourcing strategy


    3) CRYPTOGRAPHY

    Overview

    This Cryptography domain requires the Security Architecture Professional to understand cryptographic methodologies and the use of cryptography to protect an organization's data storage and communications from compromise or misuse. This includes awareness of threats to an organization's cryptographic infrastructure. The Security Architecture Professional should understand the responsibility involved in choosing, implementing and monitoring cryptographic products and the adoption of corporate cryptographic standards and policy. This may include oversight of digital signatures and PKI implementations and a secure manner of addressing the issues and risks associated with management of cryptographic keys.

    Key Areas of Knowledge

    3.A Identify Requirements (e.g., confidentiality, integrity, non-repudiation)

    3.B Determine Usage (i.e., in transit, at rest)

    3.C Identify Cryptographic Design Considerations and Constraints

    3.C.1 Vetting of proprietary cryptography

    3.C.2 Computational overhead

    3.C.3 Useful life

    3.C.4 Design testable cryptographic system

    3.D Define Key Management Lifecycle (e.g., creation, distribution, escrow, recovery)

    3.E Design integrated cryptographic solutions (e.g., Public Key Infrastructure (PKI), API selection, identity system integration)


    4) SECURITY ARCHITECTURE ANALYSIS

    Overview

    Security Architecture Analysis depends on diligence and attention to standards, awareness of threats, and identification of risks. The Security Architecture Professional should know and follow the best practices and standards for network and information systems design, and implement an architecture that will provide adequate security to accomplish the business goals of the enterprise. This requires the evaluation and choice of different architectures, and understanding the risks associated with each type of design.

    Key Areas of Knowledge

    4.A Identify Security Architecture Approach

    4.A.1 Types and scope (e.g., enterprise, network, SOA)

    4.A.2 Frameworks (e.g., Sherwood Applied Business Security Architecture (SABSA), Service-Oriented Modeling Framework (SOMF))

    4.A.3 Supervisory Control and Data Acquisition (SCADA) (e.g., process automation networks, work interdependencies, monitoring requirements)

    4.B Perform Requirements Analysis

    4.B.1 Business and functional needs (e.g., locations, jurisdictions, business sectors, cost, stakeholder preferences, quality attributes, capacity, manageability)

    4.B.2 Threat modeling

    4.B.3 Evaluate use cases (e.g., business rules and control objectives, misuse, abuse)

    4.B.4 Gap analysis

    4.B.5 Assess risk

    4.B.6 Apply maturity models

    4.C Design Security Architecture

    4.C.1 Apply existing information security standards and guidelines (e.g., ISO/IEC, PCI, NIST)

    4.C.2 Systems Development Life Cycle (SDLC) (e.g., requirements traceability matrix, security architecture documentation, secure coding)


    4.C.3 Application Security (e.g., Commercial Off-the-Shelf (COTS) integration)

    4.D Verify and Validate Design

    4.D.1 Validate threat model (e.g., access control attacks, cryptanalytic attacks, network attacks)

    4.D.2 Evaluate controls against threats and vulnerabilities

    4.D.3 Remediate gaps

    4.D.4 Independent verification and validation


    5) TECHNOLOGY RELATED BUSINESS CONTINUITY PLANNING (BCP) & DISASTER RECOVERY PLANNING (DRP)

    Overview

    Business Continuity and Disaster Recovery Planning involves the identification of adverse events that could threaten the ability of the organization to continue normal operations. Once identified, the Security Architecture Professional should implement countermeasures to reduce the risk of such incidents occurring. Furthermore, the Security Architecture Professional should play a key role in designing and developing business continuity plans that will meet the operational business requirements of the organization through planning for the provisioning of appropriate recovery solutions.

    Key Areas of Knowledge

    5.A Incorporate Business Impact Analysis (BIA) (e.g., legal, financial, stakeholders)

    5.B Determine Security Strategies for Availability and Recovery

    5.B.1 Identify solutions (e.g., cold, warm, hot, insource, outsource)

    5.B.2 Define processing agreement requirements (e.g., reciprocal, mutual, cloud, outsourcing, virtualization)

    5.B.3 Establish recovery time objectives and recovery point objectives

    5.C Design Continuity and Recovery Solution

    5.C.1 High availability, failover and resiliency (e.g., communication path diversity, paired deployment, pass-through network interfaces, application)

    5.C.2 Availability of service provider/supplier support (e.g., cloud, SLAs)

    5.C.3 BCP/DRP Architecture Validation (e.g., test scenarios, requirements traceability matrix, trade-off matrices)


    6) PHYSICAL SECURITY CONSIDERATIONS

    Overview

    The Physical Security Considerations domain recognizes the importance of physical security and personnel controls in a complete information systems security model. The Security Architecture Professional should be able to demonstrate understanding of the risks and tools used in providing physical security. This includes secure management, administration and deployment of physical access controls, whether to prevent, detect or react to suspicious activity.

    Key Areas of Knowledge

    6.A Assess Requirements

    6.A.1 Policies and standards (e.g., export controls, escort policy, liaise with law enforcement and external media)

    6.A.2 Integrate physical security with identity management (e.g., wiring closet access, badge and enterprise identity management)

    6.A.3 Map physical security needs against business drivers (e.g., outsourcing, relocations, mergers, acquisitions, divestitures, plant closings)

    6.B Integrate Physical Security Products and Systems

    6.B.1 Review common techniques, technologies and architectural principles

    6.B.2 Perimeter protection and internal zoning

    6.C Evaluate Solutions

    6.C.1 Define test scenarios

    6.C.2 Evaluate test deficiencies


    REFERENCES

    (ISC)² does not require candidates to purchase and read all of the books listed in this reference list. Most of the information tested in the examination is taken from widely accepted best practices and standards of the information security profession. This reference list provides suggested study material that can be used to supplement the candidate's own knowledge, skill and experience.

    This reference list is not intended to be all inclusive. The candidate is encouraged to supplement his or her own education and experience by reviewing many resources and finding information in areas in which he or she may consider himself or herself not as skilled or experienced. (ISC)² does not endorse any particular text or author. Multiple references are included in some content areas to provide flexibility. The candidate may also have resources available that are not on the list but which will adequately cover the content area. The list does not represent the only body of information to be used as reference material. Questions on the examination are also developed from information gained through practical experience. Use of these or any other reference materials does not guarantee successful completion of the test.

    Below is the suggested reference list:

    REFERENCE

    Access Control, Authentication, and Public Key Infrastructure, 2010. Bill Ballad, Tricia Ballad, Erin Banks

    Asset Protection and Security Management Handbook, 2003. James Walsh

    Auditing Business Continuity: Global Best Practices, November 2002. Rolf von Roessing

    Biometric Systems: Technology, Design and Performance Evaluation, 2004. James L. Wayman, Anil K. Jain, Davide Maltoni, Dario Maio

    Build the Best Data Center Facility for Your Business, June 2005. Douglas Alger

    Business Continuity Planning for Data Centers and Systems. Ronald H. Bowman

    The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), 2012. Dawn M. Cappelli, Andrew P. Moore, Randall F. Trzeciak

    CMMI Version 1.3. SEI


    Computer Security Handbook, 5th edition or later, 2009. Seymour Bosworth, M. E. Kabay, Eric Whyne

    Cryptography Engineering: Design Principles and Practical Applications, 2010. Niels Ferguson, Bruce Schneier, Tadayoshi Kohno

    Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS, 2011. Tyson Macaulay, Bryan L. Singer

    Design and Evaluation of Physical Protection Systems, Second Edition, October 2007. Mary Lynn Garcia

    Designing Network Security, Second Edition, 2003. Merike Kaeo

    Disaster Recovery Planning, 3rd Ed., 2002. Jon William Toigo

    Enterprise Architecture As Strategy: Creating a Foundation for Business Execution, 2006. Jeanne W. Ross, Peter Weill, David Robertson

    Enterprise Security Architecture: A Business-Driven Approach, 2005. John Sherwood, Andrew Clark, David Lynas

    Information Security Management Handbook, Sixth Edition, Vol 3, 2009 and all previous editions (1998 - 2008). Tipton and Krause

    Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Eric D. Knapp

    Inside Network Perimeter Security (2nd Edition), 2005. Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent, Ronald W. Ritchey

    ISO/IEC 11770 parts 1-5, Information technology - Security techniques - Key management. ISO

    ISO/IEC 15408 parts 1-3, Information technology - Security techniques - Evaluation criteria for IT security (Common Criteria). ISO

    ISO/IEC 18028-2:2006, Information technology - Security techniques - IT network security - Part 2: Network security architecture. ISO


    ISO/IEC 19790:2006, Information technology - Security techniques - Security requirements for cryptographic modules. ISO

    ISO/IEC 27033-3:2010, Information technology - Security techniques - Network security - Part 3: Reference networking scenarios - Threats, design techniques and control issues. ISO

    Network Security Architectures (Networking Technology), 2004. Sean Convery

    Network Security Essentials: Applications and Standards, 2010. William Stallings

    Network Security: Private Communication in a Public World, 2002. Kaufman, Perlman, Speciner

    Network Warrior, 2011. Gary A. Donahue

    NIST Special Publication 800-48 Rev. 1 or later, July 2008, Guide to Securing Legacy IEEE 802.11 Wireless Networks, http://csrc.nist.gov/publications/PubsSPs.html. Richard Kissel, Kevin Stine, Matthew Scholl, Hart Rossman, Jim Fahlsing, Jessica Gulick

    NIST Special Publication 800-58, January 2005, Security Considerations for Voice Over IP Systems, http://csrc.nist.gov/publications/PubsSPs.html. D. Richard Kuhn, Thomas J. Walsh, Steffen Fries

    NIST Special Publication 800-64 Rev. 2 or later, October 2008, Security Considerations in the System Development Life Cycle, http://csrc.nist.gov/publications/PubsSPs.html. Karen Scarfone, Derrick Dicoi, Matthew Sexton, Cyrus Tibbs

    PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks, 2011. Andre Karamanian, Srinivas Tenneti, Francois Dessart

    Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century, 2009. Ryan Trost

    Practical Unix & Internet Security (3rd ed), 2003. Garfinkel, Spafford, Schwartz

    Securing the Virtual Environment: How to Defend the Enterprise Against Attack, 2012. Davi Ottenheimer, Matthew Wallace

    Security Engineering: A Guide to Building Dependable Distributed Systems, 2008. Ross J. Anderson

    SIP Security, May 2009. Dorgham Sisalem, John Floroiu, Jiri Kuthan, Ulrich Abend, Henning Schulzrinne

    SOA Security. Ramarao Kanneganti, Prasad A Chodavarapu

    Voice over IP Security, September 2009. Patrick Park

    The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Ed., 2011. Dafydd Stuttard, Marcus Pinto


    SAMPLE EXAM QUESTIONS

    1. With reference to the Open Systems Interconnection (OSI) Model, which of the following would be found at the Presentation Layer?

    (A) Hypertext Transfer Protocols (HTTP)

    (B) Media Access Control (MAC)

    (C) Secure/Multipurpose Internet Mail Exchange (S/MIME)

    (D) Internet Protocol (IP) addressing

    Answer: C

    2. A data center has been damaged by a recent hurricane. All critical business processes have been recovered according to the organization's Business Continuity Plan (BCP) and are functioning at the hot site. At the damaged facility there is significant structural and water damage to systems and documentation. The first priority in recovering the original site should be to

    (A) stabilize the situation to prevent further damage.

    (B) contact the insurance carrier.

    (C) ensure the safety of personnel.

    (D) segregate damaged and undamaged items.

    Answer: C


    3. Virtual Private Network (VPN) authentication can be strengthened significantly by using

    (A) S/Key.

    (B) key escrow.

    (C) Public Key Infrastructure (PKI).

    (D) asymmetric encryption.

    Answer: C


    GENERAL EXAMINATION INFORMATION

    Paper Based Test (PBT)

    Please note: under General Exam Information there are two sets of instructions, one for Computer Based Test (CBT) and one for Paper Based Test (PBT). Please choose accordingly.

    General Information: The doors to all examination rooms will open at 8:00 a.m. Examination instructions will begin promptly at 8:30 a.m. All examinations will begin at approximately 9:00 a.m.

    The maximum duration of the CISSP exam is 6 hours. The maximum duration of all other exams except the CSSLP is 3 hours. The CSSLP candidates are allowed a maximum of 4 hours to complete the exam.

    Please note there will be no lunch break during the testing period. However, you are permitted to bring a snack with you. You may, at your option, take a break and eat your snack at the back of the examination room. No additional time will be allotted for breaks.

    Examination Admittance: Please arrive at 8:00 a.m. when the doors are opened. Please bring your admission letter to the examination site. In order to be admitted, photo identification is also required. You will not be admitted without proper identification. The only acceptable forms of identification are a driver's license, government-issued identification card, or passport. No other written forms of identification will be accepted.

    Examination Security: Failure to follow oral and written instructions will result in your application being voided and application fee being forfeited. Conduct that results in a violation of security or disrupts the administration of the examination could result in the confiscation of your test and your dismissal from the examination. In addition, your examination will be considered void and will not be scored. Examples of misconduct include, but are not limited to, the following: writing on anything other than designated examination materials, writing after time is called, looking at another candidate's examination materials, talking with other candidates at any time during the examination period, failing to turn in all examination materials before leaving the testing room.

    You must not discuss or share reference materials or any other examination information with any candidate during the entire examination period. You are particularly cautioned not to do so after you have completed the exam and checked out of the test room, as other candidates in the area might be taking a break and still not have completed the examination. You may not attend the examination only to review or audit test materials. You may not copy any portion of the examination for any reason. No examination materials may leave the test room under any circumstances and all examination materials must be turned in and accounted for before leaving the testing room. No unauthorized persons will be admitted into the testing area.

    Please be further advised that all examination content is strictly confidential. You may only

    communicate with (ISC) about the test, or questions on the test, using the appropriate

    comment forms provided by the examination staff at the test site. At no other time, before,

    during or after the examination, may you communicate orally, elec tronically or in writing

    with any person or entity about the content of the examination or individual examination

    questions.

    Reference Material Candidates writing on anything other than examination materials

    distributed by the proctors will be in violation of the security policies above. Reference

    materials are not allowed in the testing room. Candidates are asked to bring as few personal

    and other items as possible to the testing area.

Hard copies of language translation dictionaries are permitted for the examination, should you choose to bring one to assist you with language conversions. Electronic dictionaries will not be permitted under any circumstances. The Examination Supervisor will fully inspect your dictionary at check-in. Your dictionary may not contain any writing or extraneous materials of any kind. If the dictionary contains writing or other materials or papers, it will not be permitted in the examination room. Additionally, you are not permitted to write in your dictionary at any time during the examination, and it will be inspected a second time prior to dismissal from the examination. Finally, (ISC)² takes no responsibility for the content of such dictionaries or interpretations of the contents by a candidate.

Examination Protocol

While the site climate is controlled to the extent possible, be prepared for either warm or cool temperatures at the testing center. Cellular phones and beepers are prohibited in the testing area. The use of headphones inside the testing area is prohibited. Electrical outlets will not be available for any reason. Earplugs for sound suppression are allowed. No smoking or use of tobacco products will be allowed inside the testing area. Food and drinks are only allowed in the snack area located at the rear of the examination room. You must vacate the testing area after you have completed the examination. If you require special assistance, you must contact (ISC)² Candidate Services (see address at the bottom of this document) at least one week in advance of the examination date and appropriate arrangements will be made. Due to limited parking facilities at some sites, please allow ample time to park and reach the testing area.

Admission Problems

A problem table for those candidates who did not receive an admission notice or need other assistance will be available 30 minutes prior to the opening of the doors.


Examination Format and Scoring

The CISSP examination consists of 250 multiple choice questions with four (4) choices each.

The CSSLP examination consists of 175 multiple choice questions with four (4) choices each.

The SSCP examination contains 125 multiple choice questions with four (4) choices each.

The ISSAP, ISSEP, and ISSMP concentration examinations contain 125, 150, and 125 multiple choice questions respectively, with four (4) choices each.

The Certified Authorization Professional (CAP) examination contains 125 multiple choice questions with four (4) choices each. It is also administered by computer.

There may be scenario-based items which have more than one multiple choice question associated with them. These items will be specifically identified in the test booklet.

Each of these exams contains 25 questions which are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. There is no penalty for guessing, so candidates should not leave any item unanswered.

Examination results will be based only on the scored questions on the examination. There are several versions of the examination. It is important that each candidate have an equal opportunity to pass the examination, no matter which version is administered. Subject Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the examinations. That information is used to develop examination forms that have comparable difficulty levels. When there are differences in the examination difficulty, a mathematical procedure called equating is used to make the difficulty level of each test form equal. Because the number of questions required to pass the examination may be different for each version, the scores are converted onto a reporting scale to ensure a common standard. The passing grade required is a scaled score of 700 out of a possible 1000 points on the grading scale.

Examination Results

Examination results will normally be released, via email, within 4 to 6 weeks of the examination date. A comprehensive statistical and psychometric analysis of the score data is conducted prior to the release of scores. A minimum number of candidates must have taken the examination for the analysis to be conducted. Accordingly, depending upon the schedule of test dates for a given cycle, there may be occasions when scores are delayed beyond the 4-6 week time frame in order to complete this critical process. Results WILL NOT be released over the telephone. In order to receive your results, your primary email address must be current and any email address changes must be submitted to (ISC)² Customer Support via [email protected], or may be updated online in your candidate profile.

Exam Response Information

Your answer sheet MUST be completed with your name and other information as required. The answer sheet must be used to record all answers to the multiple-choice questions. Upon completion, you are to wait for the proctor to collect your examination materials. Answers marked in the test booklet will not be counted or graded, and additional time will not be allowed in order to transfer answers to the answer sheet. All marks on the answer sheet must be made with a No. 2 pencil. You must blacken the appropriate circles completely and completely erase any incorrect marks. Only your responses marked on the answer sheet will be considered. An unanswered question will be scored as incorrect.

Dress is business casual (neat...but certainly comfortable).

Any questions?

(ISC)²
Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
Phone: 1.866.331.ISC2 (4722) in the United States

GENERAL EXAMINATION INFORMATION

Computer Based Test (CBT)

Please note: there are two sets of General Exam Information instructions, one for Computer Based Test (CBT) and one for Paper Based Test (PBT). Please choose accordingly.

Registering for the Exam

Process for Registration Overview

This section describes procedures for candidates registering to sit for a Computer Based Test (CBT). The test is administered at Pearson VUE Testing centers in the US, Canada, and other parts of the world.

1. Go to www.pearsonvue.com/isc2 to register for a test appointment.
2. Select the most convenient test center.
3. Select an appointment time.
4. Pay for your exam appointment.
5. Receive confirmation from Pearson VUE with the appointment details, test center location and other relevant instructions, if any.

Please note that your registration information will be transferred to (ISC)² and all communication about the testing process from (ISC)² and Pearson VUE will be sent to you via email.

Fees

Please visit the (ISC)² website https://www.isc2.org/certification-register-now.aspx for the most current examination registration fees.

U.S. Government Veterans Administration G.I. Bill

The U.S. Department of Veterans Affairs has approved reimbursement to veterans under the G.I. Bill for the cost of the Certified Information System Security Professional (CISSP), the CISSP Concentrations (ISSAP, ISSEP, ISSMP), the Certification and Accreditation Professional (CAP), and the System Security Certified Practitioner (SSCP) examinations. Please refer to the U.S. Department of Veterans Affairs Website at www.va.gov for more details.

CBT Demonstration

Candidates can experience a demonstration and tutorial of the CBT experience on our Pearson VUE web page. The tutorial may be found at www.pearsonvue.com/isc2.

Scheduling a Test Appointment

Process for Registration Overview

Candidates may register for a testing appointment directly with Pearson VUE (www.pearsonvue.com/isc2). Candidates who do not pass the test will be subject to the retake policy and must wait the applicable time before they are allowed to re-sit for the examination.

Exam Appointment

Test centers may fill up quickly because of high volume and previously scheduled special events. Pearson VUE testing centers also serve candidates from other entities; thus waiting to schedule the testing appointment may significantly limit the options for candidates' desired testing dates at the closest center available.

Scheduling for a Testing Appointment

Candidates may schedule their appointment online at the (ISC)² CBT Website located at www.pearsonvue.com/isc2. Candidates will be required to create a Pearson VUE account in order to complete registration. The candidate's profile will be transferred to (ISC)² and becomes part of the candidate's permanent record. Candidates will be able to locate test centers and select from a choice of available examination appointment times at the Pearson VUE website.

Candidates may also register over the telephone with a CBT registration specialist. Please refer to Contact Information for local telephone numbers for your region.

Rescheduling or Cancellation of a Testing Appointment

If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at least 48 hours before the exam date by contacting Pearson VUE online (www.pearsonvue.com/isc2), OR at least 24 hours prior to the exam appointment time by contacting Pearson VUE over the phone. Canceling or rescheduling an exam appointment less than 24 hours via phone notification, or less than 48 hours via online notification, is subject to a forfeiture of exam fees. Exam fees are also forfeited for no-shows. Please note that Pearson VUE charges a 50 USD/35 /40 fee for reschedules, and a 100 USD/70 /80 fee for cancellations.

Reschedules and cancellations may be done at the (ISC)² CBT Candidate Website (www.pearsonvue.com/isc2) or via telephone. Please refer to Contact Information for more information and local telephone numbers for your region.

Late Arrivals or No Shows

If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or she has technically forfeited his or her assigned seat.

If the candidate arrives late (more than 15 minutes after his/her scheduled appointment), it is up to the discretion of the testing center as to whether or not the candidate may still take the exam. If the test administrator at the testing location is able to accommodate a late-arriving candidate without affecting subsequent candidates' appointments, he/she will allow the candidate to sit for the exam and launch his/her exam.

Every attempt is made to accommodate candidates who arrive late. However, if the schedule is such that the test center is not able to accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited.

If a candidate fails to appear for a testing appointment, the test result will appear in the system as a No-Show and the candidate's exam fees will be forfeited.

Procedure for Requesting Special Accommodations

Pearson VUE Professional Centers can accommodate a variety of candidates' needs, as they are fully compliant with the Americans with Disabilities Act (ADA) and the equivalent requirements in other countries.

Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once (ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson VUE's special accommodations number. From there, a Pearson VUE coordinator will handle all of the arrangements.

PLEASE NOTE: Candidates who request special accommodations should not schedule their appointment online or call the main CBT registration line.


What to Bring to the Test Center

Proper Identification

(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired) and must be an original document (not a photocopy or a fax).

Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate's signature.

Secondary IDs: Must have the candidate's signature.

Accepted Primary ID (photograph and signature, not expired)

Government issued Driver's License or Identification Card
U.S. Dept of State Driver's License
U.S. Learner's Permit (card only with photo and signature)
National/State/Country Identification Card
Passport
Passport Cards
Military ID
Military ID for spouses and dependents
Alien Registration Card (Green Card, Permanent Resident Visa)
Government Issued local language ID (plastic card with photo and signature)
Employee ID
School ID
Credit Card* (A credit card can be used as a primary form of ID only if it contains both a photo and a signature and is not expired. Any credit card can be used as a secondary form of ID, as long as it contains a signature and is not expired. This includes major credit cards, such as VISA, MasterCard, American Express and Discover. It also includes department store and gasoline credit cards.)

Accepted Secondary ID (contains signature, not expired)

U.S. Social Security Card
Debit/(ATM) Card
Credit Cards
Any form of ID on the primary list


Name Matching Policy

The candidate's first and last name on the presented identification document must exactly match the first and last name on the registration record with Pearson VUE. If the name the candidate has registered with does not match the name on the identification document, proof of legal name change must be brought to the test center on the day of the test. The only acceptable forms of legal documentation are marriage licenses, divorce decrees, or court-sanctioned legal name change documents. All documents presented at the test center must be original documents. If a mistake is made with a name during the application process, candidates should contact (ISC)² to correct the information well in advance of the actual test date. Name changes cannot be made at the test center or on the day of the exam. Candidates who do not meet the requirements presented in the name matching policy on the day of the test may be subject to forfeiture of testing fees and asked to leave the testing center.

Non Disclosure

Prior to starting the exam, all candidates are presented with the (ISC)² non-disclosure agreement (NDA) and are required to accept the agreement on the computer prior to being presented with exam questions. If the candidate does not accept the NDA, or refuses to accept it within the time allotted, the exam will end and the candidate will be asked to leave the test center. No refund of exam fees will be given. For this reason, all candidates are strongly encouraged to review the non-disclosure agreement prior to scheduling for, or taking, the exam.

The agreement is located at www.pearsonvue.com/isc2/isc2_nda.pdf.

Day of the Exam

Check-In Process

Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing time. If you arrive more than 15 minutes late to your scheduled appointment, you may lose your examination appointment. For checking in:

You will be required to present two acceptable forms of identification.

You will be asked to provide your signature, submit to a palm vein scan, and have your photograph taken. Hats, scarves and coats may not be worn in the testing room, or while your photograph is being taken.

You will be required to leave your personal belongings outside the testing room. Secure storage will be provided. Storage space is small, so candidates should plan appropriately. Pearson Professional Centers assume no responsibility for candidates' personal belongings.

The Test Administrator (TA) will give you a short orientation, and then will escort you to a computer terminal. You must remain in your seat during the examination, except when authorized to leave by test center staff. You may not change your computer terminal unless a TA directs you to do so.

Raise your hand to notify the TA if you

believe you have a problem with your computer.
need to change note boards.
need to take a break.
need the administrator for any reason.

Breaks

You will have up to six hours to complete the CISSP, up to four hours to complete the CSSLP and CCFP, and up to three hours to complete the following examinations:

SSCP
CAP
HCISPP
ISSAP
ISSEP
ISSMP

Total examination time includes any unscheduled breaks you may take. All breaks count against your testing time. You must leave the testing room during your break, but you may not leave the building or access any personal belongings unless absolutely necessary (e.g. for retrieving medication). Additionally, when you take a break, you will be required to submit to a palm vein scan before and after your break.

Examination Format and Scoring

The CISSP examination consists of 250 multiple choice questions with four (4) choices each.

The CSSLP examination consists of 175 multiple choice questions with four (4) choices each.

The HCISPP examination contains 125 multiple choice questions with four (4) choices each.

The CCFP examination contains 125 multiple choice questions with four (4) choices each.

The SSCP examination contains 125 multiple choice questions with four (4) choices each.

The ISSAP, ISSEP, and ISSMP concentration examinations contain 125, 150, and 125 multiple choice questions respectively, with four (4) choices each.


Testing Environment

Pearson Professional Centers administer many types of examinations, including some that require written responses (essay-type). Pearson Professional Centers have no control over typing noises made by candidates sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized testing environment, just as the noise of turning pages is a normal part of the paper-and-pencil testing environment. Earplugs are available upon request.

When the Exam is Finished

After you have finished the examination, raise your hand to summon the TA. The TA will collect and inventory all note boards. The TA will dismiss you when all requirements are fulfilled.

If you believe there was an irregularity in the administration of your test, or the associated test conditions adversely affected the outcome of your examination, you should notify the TA before you leave the test center.

Results Reporting

Candidates will receive their unofficial test result at the test center. The results will be handed out by the Test Administrator during the checkout process. (ISC)² will then follow up with an official result via email.

In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released. A minimum number of candidates are required to take the exam before this analysis can be completed. Depending upon the volume of test takers for a given cycle, there may be occasions when scores are delayed for approximately 4-6 weeks in order to complete this critical process. Results WILL NOT be released over the phone. They will be sent via email from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact (ISC)² prior to your examination.

Retake Policy

Test takers who do not pass the exam the first time will be able to retest after 30 days. Test takers that fail a second time will need to wait 90 days prior to sitting for the exam again. In the unfortunate event that a candidate fails a third time, the next available time to sit for the exam will be 180 days after the most recent exam attempt. Candidates are eligible to sit for (ISC)² exams a maximum of 3 times within a calendar year.


Recertification by Examination

Candidates and members may recertify by examination for the following reasons ONLY:

The candidate has become decertified due to reaching the expiration of the time limit for endorsement.

The member has become decertified for not meeting the number of required continuing professional education credits.

Logo Usage Guidelines

(ISC)² is a non-profit membership organization identified as the leader in certifying individuals in information security.

Candidates who successfully complete any of the (ISC)² certification requirements may use the appropriate Certification Mark or the Collective Mark, where appropriate, and the logo containing the Certification Mark or the Collective Mark, where appropriate (the Logo), to identify themselves as having demonstrated the professional experience and requisite knowledge in the realm of information system security. Please visit the following link (URL) for more information on logo use:

https://www.isc2.org/uploadedfiles/(ISC)2_Public_Content/Legal%20_and%20_Policies/LogoGuidleines.pdf

Any questions?

(ISC)²
Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
Phone: 1.866.331.ISC2 (4722) in the United States
1.727.785.0189 all others
Fax: 1.727.683.0785