Exam Profile: (ISC)2 Systems Security Certified Practitioner (SSCP)
Date: Apr 4, 2011
The SSCP exam is an entry-level security exam sponsored by International Information Systems Security Certification Consortium, Inc., or (ISC)2. It is considered by many to be a stepping stone on the path to earning the (ISC)2 Certified Information Systems Security Professional (CISSP). (ISC)2 describes the SSCP holder as the person doing the hands-on work, the enforcer that everyone goes to for answers. Don't take that to mean you'll be asked a lot of questions about how to use specific tools, though. The exam is still focused on understanding key security concepts.
To achieve the SSCP certification, you have to complete several steps:
- Have one year of relevant security experience (in one or more of the seven domains)
- Subscribe to the (ISC)2 code of ethics
- Pass the exam with a score of at least 700
- Be endorsed by an (ISC)2 certified member in good standing
- Exam Type: Proctored
- Number of questions: 125
- Type of Questions: Multiple choice
- Passing score: 700/1000
- Time limit: 3 hours
- How to register: (ISC)2 Website
- Exam price: $300.
- Time to get results: About 4 to 6 weeks
This is a paper-based exam administered by proctors. You’ll be filling in little circles with an old-fashioned #2 pencil. It is often administered in a hotel conference room. If you take a review seminar, it is usually administered in the same place as the seminar. There will be several proctors walking around the room while you are taking the test.
Only 100 questions are graded. The other 25 questions are for research purposes, but they are mixed into the entire 125 questions so you won’t know which questions are graded. You’ll need to answer every question as if it’s graded.
The questions are basic multiple choice questions. You may have some scenario-based items where you’ll read a scenario and then answer two or more questions related to the scenario. You aren’t penalized for wrong answers, so make sure you answer each question.
The questions are weighted, so a score of 700 doesn’t indicate that you need to get exactly 70 questions correct.
You’re expected to arrive at 8 AM, instructions begin at 8:30, and the exam starts at 9. If you’re late, you probably won’t be allowed in. You’ll have until 12:00 to take the exam while other people will likely be taking the CISSP exam which lasts until 3:00 PM.
Registering for this exam is different from many other vendor exams such as the CompTIA, Cisco, and Microsoft exams. You start the process on the (ISC)2 website.
After clicking on the link to register, you’ll be able to search for when the exam is administered in your area. There are a limited number of seats at each exam and they often sell out before the test day, so if one is in your area, sign up early. You’ll be prompted to agree to the code of ethics during the process and after registering, you’ll be emailed admission documents. You’ll need these documents on the day of the exam, along with a government-issued photo identification such as a driver’s license or passport.
If you register at least 16 days early, you can get a $50 discount. In other words, you can take the exam for $250 instead of $300. However, if you have to reschedule, there’s a hefty rescheduling fee of $100.
Unlike many exams where you know right away whether you pass or not, you’ll need to wait for the SSCP results. (ISC)2 says you’ll get the results in your email about 4 to 6 weeks after taking the exam, but they often come a little earlier.
Many people find the following two domains especially challenging.
- Cryptography
This is one of those topics that most people don't work with on a regular basis, and it has enough depth to really throw you. However, if you understand cryptography at the level required for the Security+ exam, you'll only need to add a little knowledge.
- Risk, Response, and Recovery
This domain covers a wide range of topics that are beyond the experience of someone with only a single year in the field. The topics aren't overly difficult, but they do require some focused studying.
One of the first things to do when considering the SSCP exam is to download the Candidate Information Bulletin (CIB). It provides a significant amount of information about the exam, including details about the domains covered. You can retrieve the candidate information bulletin for the SSCP exam from the (ISC)2 website after providing some registration information.
If you’ve studied and passed the Security+ exam, you are well on your way to taking and passing this exam. SSCP includes many of the same topics, though the questions will often be asked differently. If you truly learned the material for the Security+ exam, you can probably brush up on the topics and find that you’re prepared for more than 50% of the exam. However, you will find that many of the questions on the SSCP exam require a deeper level of understanding for many of the topics.
Many people wonder about the difference between the SSCP and the CISSP. There is quite a bit of crossover between the exams. However, the CISSP exam questions are much more complex, requiring a deeper level of understanding of the topics, and the CISSP exam covers a much broader range of topics. If you plan on taking the CISSP exam in the future, it's worthwhile studying some of the CISSP resources for the SSCP topics. You'll have a solid understanding for the SSCP exam, and you'll be a step ahead of the game when you tackle the CISSP.
Recommended Study Resources
The CIB lists almost 100 references that make up the common body of knowledge (CBK) for the exam. However, it’s not feasible or even recommended to purchase and read all of these books. Unfortunately, there isn’t a standout book available on the SSCP at this time. The biggest challenge is that the CIB covers such a broad base of knowledge, it’s difficult for a single book to cover all of the objectives adequately. Your best bet is to get more than one book. You can start with a search on Amazon for SSCP or even Security+ books. Additionally, there is an active forum on SSCP (combined with CISSP).
Lastly, ccure.org has some free study guides for SSCP. You'll need to create a profile; after logging in, search on "SSCP" or follow the menu for Certifications -> ISC2 Certifications -> SSCP. They have several free SSCP study guides, but be aware that many of these are older. Some knowledge, like the OSI model, is timeless, but other topics, like cryptography, change frequently.
The SSCP includes topics from seven domains:
- Access controls
- Cryptography
- Malicious code and activity
- Monitoring and analysis
- Networks and communications
- Risk, response, and recovery
- Security operations and administration
Access controls
This includes items such as the different factors of authentication, and the various controls used to restrict access to files, systems, and networks.
Cryptography
You should have a basic understanding of the purpose of cryptography, including hashing, symmetric encryption, asymmetric encryption, certificates, and secure protocols such as IPsec, SSL, TLS, and S/MIME.
Malicious code and activity
This includes a wide variety of malicious activity such as phishing, viruses, worms, Trojan horses, botnets, Denial of Service (DoS) attacks, and more. In addition to knowing the methods used to detect malware, you should also know some of the methods malware uses to evade detection. This topic also includes non-technical aspects such as social engineering and the importance of user training.
Monitoring and analysis
These topics start to get a little more technical, with items such as Intrusion Detection Systems, Intrusion Prevention Systems, honeypots, and sniffers. You should also have a basic understanding of what to look for when analyzing the results.
Networks and communications
Common networking topics such as the OSI and TCP/IP models, common protocols, remote access, firewalls, and wireless technologies are covered. If you have a networking background, you'll find this material familiar, though you'll need to brush up on the individual topics listed in the CIB. A Network+ or CCNA certification will definitely help you here.
Risk, response, and recovery
These topics cover a widely diverse set of knowledge that someone with only a single year of experience will rarely have. It includes concepts about risk management, security assessments, incident handling, Business Continuity Plans (BCPs), and Disaster Recovery Plans (DRPs).
Security operations and administration
Topics include security administration, change management, security awareness education, the (ISC)2 code of ethics, and more. It's worth noting that the code of ethics you subscribe to isn't something you should just scan over; its canons are spelled out in the CIB.
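The cryptography domain above asks for the purpose of each primitive rather than tool usage, and the distinction exam questions most often probe is what a hash gives you versus what a keyed (symmetric) MAC gives you. The following is an added example, not code from the article or from (ISC)2, using only the Python standard library; the message, the shared key, and the "attacker" edit are constructed for illustration. It shows that a bare hash detects accidental change but cannot stop an attacker who recomputes it, while an HMAC under a shared key rejects the same tampering.

```python
# Added example (not from the original article): what hashing gives you versus
# what a keyed (symmetric) MAC gives you. Standard library only; the message,
# key and "attacker" edit below are constructed for illustration.
import hashlib
import hmac
import secrets
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash. Detects accidental change, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Only holders of the shared key can produce
    a valid tag, so it proves origin as well as integrity."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time comparison; a plain == would leak timing information."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


def naive_hash_check(data: bytes, digest_hex: str) -> bool:
    """Receiver that trusts a bare hash shipped alongside the message."""
    return sha256_hex(data) == digest_hex


def attacker_rewrites(message: bytes) -> bytes:
    """Constructed tampering: the attacker changes the amount in transit."""
    return message.replace(b"amount=100", b"amount=900")


def demo(key: Optional[bytes] = None) -> dict:
    """Run both protections against the same tampering and report outcomes."""
    key = key or secrets.token_bytes(32)          # shared only by sender and receiver
    message = b"transfer to=acct-42 amount=100"   # constructed sample message

    # Sender protects the message two ways: bare digest and keyed tag.
    digest = sha256_hex(message)
    tag = hmac_sha256_hex(key, message)

    # Attacker modifies the message. With a bare hash they simply recompute it;
    # without the key, the best they can do is replay the old tag.
    forged = attacker_rewrites(message)
    forged_digest = sha256_hex(forged)

    return {
        "hash_changed_on_tamper": digest != forged_digest,
        "plain_hash_accepts_forgery": naive_hash_check(forged, forged_digest),
        "hmac_accepts_forgery": verify_hmac(key, forged, tag),
        "hmac_accepts_genuine": verify_hmac(key, message, tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hash still changes on tampering (that is the integrity property), but a naive receiver accepts the forgery because the attacker attached a fresh digest; the HMAC receiver rejects it because the attacker cannot produce a tag without the shared key. Asymmetric signatures solve the same authenticity problem without a shared secret, at the cost of key management through certificates, which is why the domain lists certificates and protocols such as TLS and S/MIME alongside the primitives.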
Where to Go From Here
Get the CIB, read it, and take notes to identify your weaknesses. Once you’ve identified your weaknesses, look for resources to increase your knowledge in those areas. Good luck!