
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam


Presenter
Presentation Notes
© 2016 Maze & Associates Revision 10 (April 2016) Images from Microsoft Clipart unless otherwise noted, Other Sources: NIST and Donald E. Hester Picture: Muir Beach, North of San Francisco, CA, Photo by Donald E. Hester all rights reserved
Facilities
Silence cell phones
Class hours
Building hours
Parking
Restrooms
Meals
Phones
Messages
Smoking
Recycling
Introductions
Name
Employer
Certifications
C & A or RMF experience
FISMA experience
Your expectations for the course

See, Hear, Do

Categorize

Select

Implement

Assess

Authorize

Monitor

Risk Management Framework Steps
1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor
(ISC)2 CAP, the FISMA Certification
In this module we will cover:
Prerequisites
Objective
Common Body of Knowledge
Study Materials
Code of Ethics
Exam

Out of Scope

Peripheral Knowledge

Supporting Knowledge

Core Knowledge

In order to better prepare you for the exam, this class will cover the core knowledge needed for the exam. In addition, we will cover supporting knowledge and peripheral knowledge related to the CAP domains. This will give you a stronger foundation for the core issues and prepare you for the few odd questions you might encounter. One can assume the majority of questions will come from the core knowledge areas or domains. Fewer questions will come from supporting knowledge areas, and even fewer, if any, from peripheral knowledge areas. As the course progresses I will endeavor to point out where topics fall in relation to these areas of knowledge. This should help you determine how much effort you should exert on a given topic while preparing for the exam.

Formerly the Certification and Accreditation Professional

Picture: Sunset; Photo by Donald E. Hester all rights reserved
Certification and Accreditation Professional
Tracks with NIST standards
CAP domains will track with changes and evolutions in the standards
Certified Authorization Professional
Announced a change to the name March 21, 2010
Name will be changed effective November 2010

“Effective May 21, 2010, (ISC)² changed the name of its Certification and Accreditation Professional credential to the ‘Certified Authorization Professional’, maintaining the acronym (CAP), to reflect the new nomenclature contained in the latest draft of the National Institute of Standards and Technology’s SP800-37 publication: “Guide for Applying the Risk Management Framework to Federal Information Systems.” In addition to the name change, in an effort to map to the new NIST approach, (ISC)² has evolved the four CAP domains into seven. The new CAP remains the same at its core but places a stronger emphasis on the underlying methodologies and processes associated with the harmonized security authorization process, including continuous monitoring. The domain updates will take effect in November 2010.”

“In November 2010, (ISC)² will officially change the name of its Certification and Accreditation credential to the ‘Certified Authorization Professional’ keeping the same acronym CAP®.”

https://www.isc2.org/cap-change-faqs.aspx
Prerequisites
Your professional experience must be a minimum of two years of direct, full-time information systems security certification and accreditation in one or more of the (ISC)² CAP domains.
CAP Domains Before March 1, 2010
Understanding the Purpose of Certification
Initiation of the System Authorization Process
Certification Phase
Accreditation Phase
Continuous Monitoring Phase
CAP Domains Mar 2010 – Nov 2010
Understand the Purpose of Security Authorization
Initiate the Preparation Phase
Perform Execution Phase
Perform Maintenance Phase
CAP Domains Nov 2010 – Sep 2013
Understanding the Security Authorization of Information Systems (formerly known as Certification and Accreditation (C&A))
Categorize Information Systems (formerly part of the Preparation Phase)
Establish the Security Control Baseline (formerly part of the Preparation Phase)
Apply Security Controls (formerly part of the Preparation Phase)
Assess Security Controls (also known as the Certification Phase)
Authorize Information System (formerly the Execution Phase)
Monitor Security Controls (also known as Continuous Monitoring)
https://www.isc2.org/cap-change-faqs.aspx
CAP Domains After September 2013
Risk Management Framework (RMF)
Categorization of Information Systems
Selection of Security Controls
Security Control Implementation
Security Control Assessment
Information System Authorization
Monitoring of Security Controls

On September 1, 2013, (ISC)²® will implement certain domain-related changes for the Certified Authorization Professional (CAP®) credential exam. These will be the new domains you will need to select when submitting CPE credits for your CAP certification. These domain changes are being implemented based on the outcome of the Job Task Analysis (JTA) completed in late 2012. The JTA provides the essential foundation for all of (ISC)²’s credential exams. Under general circumstances, changes due to a new JTA study are incremental, so addition or deletion of Domains does not occur normally.

Term Transition
Certification is now Assessment
Accreditation is now Authorization

Exam Objectives

Picture: First Battle Bull Run (Manassas Junction), Stonewall Jackson Monument, VA; Photo by Donald E. Hester all rights reserved

(ISC)2 CAP Certification Exam Objectives
Exam Objective
The objective is to measure the knowledge, skills and abilities required for personnel involved in the process of certifying and accrediting security of information systems.
Common Body of Knowledge (CBK)
Based primarily on NIST documents
Also includes DoD, NSA and OMB documents
And other related industry practices
The CBK is:
Good for all audiences (not just government)
Focused on proven processes
A framework independent of industry
Study Materials
CAP Candidate Information Bulletin
NIST SP 800-37 (latest revision)
NIST SP 800-100 (latest revision)
CNSSI No. 4009
Official (ISC)2 Guide to the CAP CBK (latest edition)
Practice Exams
To be certified you must:
Submit the application fee
Have two years of experience
Commit to the Code of Ethics
Answer questions on criminal history and background
Pass with a score of 700 or higher
Submit an executed endorsement form

Country             June 2009  June 2010  June 2011  Jan 2013
Canada                      7          5          6         4
Germany                     0          0          0         3
Guam                        0          0          0         2
India                       1          1          1         1
Korea, Republic of          1          1          1         1
Puerto Rico                 0          1          2         3
Viet Nam                    1          0          0         0
United States             598        688        760     1,338

Code of Ethics Preamble Safety of the commonwealth, duty to our principals and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Code of Ethics Compliance with the preamble and canons is mandatory. Conflicts between the canons should be resolved in the order of the canons. The canons are not equal and conflicts between them are not intended to create ethical binds.
Exam
3 hours to complete the exam
Method: computer based (as of May 25, 2011)
125 multiple choice questions (4 choices)
Hard copy language translation dictionary (not electronic)
Only write on note paper they provide
No phones
25 non-scored questions
Results instantly
CAP approved for DoD

https://www.isc2.org/dod-8570-CAP-certification.aspx

IAM Level I & II and CAP
DoD Directive 8570.1
https://www.isc2.org/dod-8570-CAP-certification.aspx

“Under the 8570 Mandate, all personnel with "privileged access" to DoD systems must obtain an ANSI-approved commercial certification. (ISC)²® was the first organization to receive ANSI accreditation under ISO/IEC Standard 17024 and has since received accreditation for each of its credentials. For a comprehensive overview of the DoD Directive 8570.1, please refer to www.isc2.org/dodmandate.”
Picture: Space Needle, Seattle, WA; Photo by Donald E. Hester all rights reserved

Exam Preparation Tips & Tricks
See/source NIST SP 800-100 Chapter 10

Document          Remember
NIST SP 800-37    C & A program, overall process, guidelines
FIPS 199          Standard to define criticality / sensitivity
NIST SP 800-60    Guideline to define criticality / sensitivity
FIPS 200          Standard to select controls
NIST SP 800-53    Guidelines for selecting controls, control catalog
NIST SP 800-53A   Guidelines for assessing controls, audit
NIST SP 800-30    Risk Assessment guidelines
NIST SP 800-18    Guidelines for System Security Plans
NIST SP 800-64    Guidelines for Security and the SDLC
NIST SP 800-70    Security Configuration Checklist Program
NIST SP 800-47    Guideline for System Interconnections (MOU/MOA)
NIST SP 800-34    Contingency Planning Guide
NIST SP 800-61    Computer Security Incident Handling Guide

http://csrc.nist.gov/
Other Resources from NIST
The National Vulnerability Database (NVD) http://nvd.nist.gov/
The Security Content Automation Protocol (S-CAP) http://scap.nist.gov/
The Federal Desktop Core Configurations (FDCC), now US Government Configuration Baseline (USGCB) http://usgcb.nist.gov/
The NIST Checklist Program http://csrc.nist.gov/checklists/ http://checklists.nist.gov/
Remember that the exam is about certification and accreditation (authorization) according to NIST. Be careful to remember the correct answer for the exam may not be the way you do it where you work.
After the exam
Continuing Education for CAP domains
Pay your maintenance fee, currently $65 annually
Follow the ‘Code of Ethics’
(ISC)2 website: http://www.isc2.org/


Earning Continuing Professional Education (CPE) credits is key to maintaining your (ISC)² credential.

“CPE” is an acronym for “Continuing Professional Education.” After you become certified by (ISC)², you are required to perform continuing education during each 3-year certification cycle to become recertified. The CPE requirements are intended to ensure members maintain their competencies following initial certification. By developing and enhancing your skills through CPE activities, you’re making an important investment in yourself and increasing your value to your customers and employer. – (ISC)2


Failure to Meet CPE Requirements

Failure to meet the minimum annual Continuing Professional Education credit (CPE) and Annual Maintenance Fee (AMF) requirements will result in suspension of your certification, which is the temporary loss of right of membership. Once the suspension is in effect, your “good standing” rights will be immediately revoked. Access to the Member Website will be restricted to entering only CPE credits and/or paying AMFs.

Suspension of certification can only be lifted when the minimum annual CPE credit and AMF requirements are met. From the date of suspension, you have a 90-day grace period to get your previously earned CPE credits and AMFs up to date. Actions resulting in suspension in the last year of your certification cycle will result in decertification at the end of the 90-day grace period following your certification expiration date. (ISC)2 will send you a notification by email to inform you that you have been decertified.