Aspiring security engineers and Security professionals around the globe are usually conversant in the sphere’s two prime security certifications: the entry-level Security+ credential and the Premier Certified Information Systems Security Professional (CISSP) program. A lot of at the moment’s security consultants minimize their enamel on one or each of those certifications and went on to construct profitable careers with the paperwork framed on the wall, lending legal terms to their mastery of the domains of safety.
Whereas these credentials get massive quantities of consideration, the Systems Security Certified Practitioner (SSCP) credential fills a distinct segment that usually goes unnoticed: security engineers with a little bit of expertise below their belts. It’s positioned because the hands-on counterpart to the more theoretical CISSP certification. On this term, it instantly competes with the more well-liked Security+ credential, however differs considerably in that SSCP holders should have at the least one year of verified info security expertise.
Alternatives abound for holders of any of those info security certifications. Security expertise are in extraordinarily excessive demand and, after a couple of years of expertise, security specialists discover themselves earning six-figure salaries. Holders of the SSCP credential are notably well-qualified for security engineering, monitoring and implementation positions, the place they serve in a hands-on safety capability.
Earning the SSCP
The foremost hurdle to earning the SSCP certification is passing a 125-question examination consisting of multiple-choice question with 4 options each. (ISC)2 doesn't launch particulars on the scoring of the examination, apart from to say that candidates should earn at least 700 points on a 1000-point scale. The examination scoring system weighs questions in a different way based mostly upon the issue of every query, leading to entirely different rating scales for every type of the examination.
As well as, 25 of the examination questions are experimental questions being examined for future use on the examination and doesn't rely in the computation of a candidate’s rating. The examination makes use of a computer-based testing format and candidates take it at a Pearson VUE testing middle.
Candidates who cross the examination should then complete an expertise endorsement course of demonstrating that they've no less than 12 months of paid, full-time expertise working in a some of the seven SSCP domains. The endorsement course requires discovering an (ISC)2-certified particular person keen to attest to that have and full a brief written kind. Candidates who don't presently have the required expertise might as an alternative request the Affiliate of (ISC)2 certification after passing the examination after which have two years to finish the endorsement course of and turn into SSCP certified.
Understanding the Seven Domains
The SSCP examination covers sensible points from seven completely different domains of data safety. These embrace:
- Domain 1: Access Controls
- Domain 2: Security Operations and Administration
- Domain 3: Risk Identification, Monitoring and Analysis
- Domain 4: Incident Response and Recovery
- Domain 5: Cryptography
- Domain 6: Network and Communications Security
- Domain 7: Systems and Application Security
The SSCP Candidate Data Bulletin, out there free of charge from the (ISC)2 web site, offers detailed data on every of the domains and the data required to move the examination.
Access Controls
The primary area, Access Controls, covers points within the id and entry administration discipline, together with authentication and authorization controls. Candidates have to be acquainted with the totally different authentication strategies utilized in modern enterprises, perceive belief relationships between domains and know the way to implement each subject-based and object-based entry controls in a real-world atmosphere.
Security Operations and Administration
Security Operations and Administration, the second SSCP area, covers all kinds of security subjects and is commonly described because of the “basic safety” area. College students should perceive a few of the area’s primary rules, together with the Confidentiality, Integrity and Availability (CIA) triad, the classes of safety controls and the significance of security consciousness and coaching applications. This area additionally consists of protection of asset administration, change administration and bodily safety operations.
Risk Identification, Monitoring and Analysis
The third area, Risk Identification, Monitoring and Evaluation, delves into the significance of approaching securty from a risk-based viewpoint. Security controls should be designed appropriately to reply to dangers in a given working atmosphere. Designing controls that fail to adequately deal with dangers exposes the group to security incidents. Over-engineering controls, then again, will increase prices and hampers productiveness. Candidates learning this area be taught the significance of risk administration, security assessments, and managing a strong security monitoring program.
Incident Response and Recovery
Domain 4, Incident Response and Recovery, covers the processes used to handle conditions the place security controls fail and an incident happens. It consists of full protection of the incident dealing with steps, together with discovery, escalation, reporting, incident response and implementing countermeasures. Candidates preparing for this area should additionally perceive forensic investigation methods and the fundamental ideas of business continuity planning (BCP) and Disaster Restoration Planning (DRP).
Cryptography
Cryptography is a essential management for preserving the confidentiality, integrity and authenticity of data and it makes up the fifth SSCP area. Profitable SSCP candidates should perceive the ideas of encryption, decryption, digital signatures, hashing and non-repudiation. They have to additionally perceive when it's applicable to make use of cryptography to counter security dangers and the way they'll implement and help safe protocols. This area additionally delves into managing a public key infrastructure, digital certificates and different cryptographic administration subjects.
Network and Communications Security
The sixth SSCP area, Network and Communications Security , dives into a really meaty space — defending data in transit over networks and communications techniques. Efficiently answering questions on this area requires a primary information of networking ideas after which an in depth understanding of how safety professionals could strengthen the safety of their wired and wi-fi networks. This contains implementation of network entry management methods and designing safe segmented networks. Candidates should additionally display their understanding of the operation and configuration of firewalls, intrusion detection methods, proxies and different community safety gadgets.
Systems and Application Security
Methods and Utility Safety is the last SSCP domain. Whereas the title implies that it covers matters like software program improvement security, the fact is that it focuses largely on techniques security and safety points associated to a couple “scorching matters” in data expertise. On the system security entrance, candidates should exhibit familiarity with malicious code, endpoint safety and social engineering threats. (ISC)2 additionally throws within the front-burner problems with virtualization, Big Data and cloud security for good measure.
Is the SSCP Right For You?
If studying the descriptions of those seven domains triggers your curiosity, making ready for the SSCP credential could also be a very good profession transfer for you. Before you run out and purchase an SSCP ebook, nonetheless, you need to take into consideration what credential strategy greatest matches your present expertise and professional aspirations.
When you’re solely new to the data security field and seeking to land your first place, chances are you'll be higher suited pursuing the security+ certification. This program is equally well-regarded because the SSCP in most corners and has no expertise requirement. Security+ is usually the primary credential individuals earn when seeking to construct out their info security resume and show their curiosity to potential employers. It’s the quickest path from zero expertise to a revered data safety certification.
When you've got a number of years of experience, alternatively, the CISSP credential could also be your certain subsequent step. The CISSP requires 5 years of full-time expertise and covers a wider physique of information than the SSCP program, however, it's the premier certification in info safety and is usually a requirement for senior-level data safety positions. In case you aspire to a Chief Data Safety Officer (CISO) position, the CISSP is a must have.