Introduction: The CASP Exam

The CompTIA Advanced Security Practitioner (CASP) exam is designed to identify IT professionals with advanced-level competency in enterprise security; risk management; incident response; research and analysis; and integration of computing, communications, and business disciplines.

As the number of security threats to organizations grows and the nature of these threats broadens, companies large and small have realized that security can no longer be an afterthought. It must be built into the DNA of the enterprise to be successful. This means trained professionals must not only be versed in security theory but must also be able to implement measures that provide enterprise-wide security. While no prerequisites exist to take the exam, it is often the next step for many security professionals after passing the CompTIA Security+ exam.

The Goals of the CASP Certification

The CASP exam is a vendor-neutral exam created and managed by CompTIA. An update to the CASP certification exam launched April 2, 2018. The new exam, CAS-003, replaces CAS-002, which will retire in October 2018. This book is designed to prepare you for the new exam, CAS-003, but can also be used to prepare for the CAS-002 exam. This certification is considered a mastery- or advanced-level certification.

In today’s world, security is no longer a one-size-fits-all proposition. Earning the CASP credential is a way security professionals can demonstrate their ability to design, implement, and maintain the correct security posture for an organization, based on the complex environments in which today’s organizations exist.

Sponsoring Bodies

CompTIA is an American National Standards Institute (ANSI)-accredited certifier that creates and maintains a wide array of IT certification exams, such as A+, Network+, Server+, and Security+. The credentials obtained by passing these various exams are recognized in the industry as demonstrating the skills tested in these exams.

Other Security Exams

The CASP exam is one of several security-related exams that can validate a candidate’s skills and knowledge. The following are some of the most popular ones, to put the CASP exam in proper perspective:

  • Certified Information Systems Security Professional (CISSP); ISC2: This is a globally recognized standard of achievement that confirms an individual’s knowledge in the field of information security. CISSPs are information assurance professionals who define the architecture, design, management, and/or controls that assure the security of business environments. It was the first certification in the field of information security to meet the stringent requirements of ISO/IEC Standard 17024.

  • Security+ (CompTIA): This exam covers the most important foundational principles for securing a network and managing risk. Access control, identity management, and cryptography are important topics on the exam, along with a selection of appropriate mitigation and deterrent techniques to address network attacks and vulnerabilities.

  • Certified Ethical Hacker (CEH; EC Council): This exam validates the skills of an ethical hacker. Such individuals are usually trusted people who are employed by organizations to undertake attempts to penetrate networks and/or computer systems using the same methods and techniques as unethical hackers.

Stated Goals

CompTIA’s stated goal (verbatim from the CompTIA CASP web page) is as follows:

Successful candidates will have the knowledge required to:

  • Conceptualize, engineer, integrate and implement secure solutions across complex enterprise environments

  • Apply critical thinking and judgment across a broad spectrum of security disciplines to propose and implement sustainable security solutions that map to organizational strategies

  • Translate business needs into security requirements

  • Analyze risk impact

  • Respond to security incidents

The Value of the CASP Certification

The CASP certification holds value for both the exam candidate and the enterprise. The CASP certification has been approved by the U.S. Department of Defense to meet Information Assurance (IA) technical and management certification requirements and has been adopted by Dell and HP for their advanced security personnel. Advantages can be gained by both the candidate and the organization employing the candidate.

To the Security Professional

There are numerous reasons a security professional would spend the time and effort required to achieve this credential. Here are some of them:

  • To meet the growing demand for security professionals

  • To become more marketable in an increasingly competitive job market

  • To enhance skills in a current job

  • To qualify for or compete more successfully for a promotion

  • To increase salary

Department of Defense Directive 8140 and 8570 (DoDD 8140 and 8570)

DoDD 8140 and 8570 workforce qualification requirements both prescribe that DoD personnel (military, civilian, and contractor staff) who hold certain information assurance job roles must hold approved security certifications. The directives list the CASP certification at several levels. Figure I-1 shows job roles that require various certifications, including CASP.

Figure I-1 DoDD 8570 (figure not reproduced; it maps job roles to the certifications they require, including CASP)

In short, the CASP certification demonstrates that the holder has the knowledge and skills tested in the exam and also that the candidate has hands-on experience and can organize and implement a successful security solution.

To the Enterprise

For the organization, the CASP certification offers a reliable benchmark to which job candidates can be measured by validating knowledge and experience. Candidates who successfully pass this rigorous exam will stand out from the rest, not only making the hiring process easier but also adding a level of confidence in the final hire.

CASP Exam Objectives

The material contained in the CASP exam objectives is divided into five domains. The following pages outline the objectives tested in each of the domains for the CAS-003 exam.

1.0 Risk Management

1.1 Summarize business and industry influences and associated security risks.
  • Risk management of new products, new technologies and user behaviors

  • New or changing business models/strategies

    • Partnerships

    • Outsourcing

    • Cloud

    • Acquisition/merger–divestiture/demerger

      • Data ownership

      • Data reclassification

  • Security concerns of integrating diverse industries

    • Rules

    • Policies

    • Regulations

      • Export controls

      • Legal requirements

    • Geography

      • Data sovereignty

      • Jurisdictions

  • Internal and external influences

    • Competitors

    • Auditors/audit findings

    • Regulatory entities

    • Internal and external client requirements

    • Top-level management

  • Impact of de-perimeterization (e.g., constantly changing network boundary)

    • Telecommuting

    • Cloud

    • Mobile

    • BYOD

    • Outsourcing

    • Ensuring third-party providers have requisite levels of information security

1.2 Compare and contrast security, privacy policies and procedures based on organizational requirements.
  • Policy and process life cycle management

    • New business

    • New technologies

    • Environmental changes

    • Regulatory requirements

    • Emerging risks

  • Support legal compliance and advocacy by partnering with human resources, legal, management and other entities

  • Understand common business documents to support security

    • Risk assessment (RA)

    • Business impact analysis (BIA)

    • Interoperability agreement (IA)

    • Interconnection security agreement (ISA)

    • Memorandum of understanding (MOU)

    • Service-level agreement (SLA)

    • Operating-level agreement (OLA)

    • Non-disclosure agreement (NDA)

    • Business partnership agreement (BPA)

    • Master service agreement (MSA)

  • Research security requirements for contracts

    • Request for proposal (RFP)

    • Request for quote (RFQ)

    • Request for information (RFI)

  • Understand general privacy principles for sensitive information

  • Support the development of policies containing standard security practices

    • Separation of duties

    • Job rotation

    • Mandatory vacation

    • Least privilege

    • Incident response

    • Forensic tasks

    • Employment and termination procedures

    • Continuous monitoring

    • Training and awareness for users

    • Auditing requirements and frequency

    • Information classification

1.3 Given a scenario, execute risk mitigation strategies and controls.
  • Categorize data types by impact levels based on CIA

  • Incorporate stakeholder input into CIA impact-level decisions

  • Determine minimum-required security controls based on aggregate score

  • Select and implement controls based on CIA requirements and organizational policies

  • Extreme scenario planning/worst-case scenario

  • Conduct system-specific risk analysis

  • Make risk determination based upon known metrics

    • Magnitude of impact based on ALE and SLE

    • Likelihood of threat

      • Motivation

      • Source

      • ARO

      • Trend analysis

    • Return on investment (ROI)

    • Total cost of ownership

  • Translate technical risks in business terms

  • Recommend which strategy should be applied based on risk appetite

    • Avoid

    • Transfer

    • Mitigate

    • Accept

  • Risk management processes

    • Exemptions

    • Deterrence

    • Inherent

    • Residual

  • Continuous improvement/monitoring

  • Business continuity planning

    • RTO

    • RPO

    • MTTR

    • MTBF

  • IT governance

    • Adherence to risk management frameworks

  • Enterprise resilience

1.4 Analyze risk metric scenarios to secure the enterprise.
  • Review effectiveness of existing security controls

    • Gap analysis

    • Lessons learned

    • After-action reports

  • Reverse engineer/deconstruct existing solutions

  • Creation, collection and analysis of metrics

    • KPIs

    • KRIs

  • Prototype and test multiple solutions

  • Create benchmarks and compare to baselines

  • Analyze and interpret trend data to anticipate cyber defense needs

  • Analyze security solution metrics and attributes to ensure they meet business needs

    • Performance

    • Latency

    • Scalability

    • Capability

    • Usability

    • Maintainability

    • Availability

    • Recoverability

    • ROI

    • TCO

  • Use judgment to solve problems where the most secure solution is not feasible

2.0 Enterprise Security Architecture

2.1 Analyze a scenario and integrate network and security components, concepts and architectures to meet security requirements.
  • Physical and virtual network and security devices

    • UTM

    • IDS/IPS

    • NIDS/NIPS

    • INE

    • NAC

    • SIEM

    • Switch

    • Firewall

    • Wireless controller

    • Router

    • Proxy

    • Load balancer

    • HSM

    • MicroSD HSM

  • Application and protocol-aware technologies

    • WAF

    • Firewall

    • Passive vulnerability scanners

    • DAM

  • Advanced network design (wired/wireless)

    • Remote access

      • VPN

        • IPSec

        • SSL/TLS

      • SSH

      • RDP

      • VNC

      • VDI

      • Reverse proxy

    • IPv4 and IPv6 transitional technologies

    • Network authentication methods

    • 802.1x

    • Mesh networks

    • Placement of fixed/mobile devices

    • Placement of hardware and applications

  • Complex network security solutions for data flow

    • DLP

    • Deep packet inspection

    • Data flow enforcement

    • Network flow (S/flow)

    • Data flow diagram

  • Secure configuration and baselining of networking and security components

  • Software-defined networking

  • Network management and monitoring tools

    • Alert definitions and rule writing

    • Tuning alert thresholds

    • Alert fatigue

  • Advanced configuration of routers, switches and other network devices

    • Transport security

    • Trunking security

    • Port security

    • Route protection

    • DDoS protection

    • Remotely triggered black hole

  • Security zones

    • DMZ

    • Separation of critical assets

    • Network segmentation

  • Network access control

    • Quarantine/remediation

    • Persistent/volatile or non-persistent agent

    • Agent vs. agentless

  • Network-enabled devices

    • System on a chip (SoC)

    • Building/home automation systems

    • IP video

    • HVAC controllers

    • Sensors

    • Physical access control systems

    • A/V systems

    • Scientific/industrial equipment

  • Critical infrastructure

    • Supervisory control and data acquisition (SCADA)

    • Industrial control systems (ICS)

2.2 Analyze a scenario to integrate security controls for host devices to meet security requirements.
  • Trusted OS (e.g., how and when to use it)

    • SELinux

    • SEAndroid

    • TrustedSolaris

    • Least functionality

  • Endpoint security software

    • Anti-malware

    • Antivirus

    • Anti-spyware

    • Spam filters

    • Patch management

    • HIPS/HIDS

    • Data loss prevention

    • Host-based firewalls

    • Log monitoring

    • Endpoint detection response

  • Host hardening

    • Standard operating environment/configuration baselining

      • Application whitelisting and blacklisting

    • Security/group policy implementation

    • Command shell restrictions

    • Patch management

      • Manual

      • Automated

        • Scripting and replication

      • Configuring dedicated interfaces

        • Out-of-band management

        • ACLs

        • Management interface

        • Data interface

      • External I/O restrictions

        • USB

        • Wireless

          • Bluetooth

          • NFC

          • IrDA

          • RF

          • 802.11

          • RFID

        • Drive mounting

        • Drive mapping

        • Webcam

        • Recording mic

        • Audio output

        • SD port

        • HDMI port

      • File and disk encryption

      • Firmware updates

    • Boot loader protections

      • Secure boot

      • Measured launch

      • Integrity measurement architecture

      • BIOS/UEFI

      • Attestation services

      • TPM

    • Vulnerabilities associated with hardware

    • Terminal services/application delivery services

2.3 Analyze a scenario to integrate security controls for mobile and small form factor devices to meet security requirements.
  • Enterprise mobility management

    • Containerization

    • Configuration profiles and payloads

    • Personally owned, corporate-enabled

    • Application wrapping

    • Remote assistance access

      • VNC

      • Screen mirroring

    • Application, content and data management

    • Over-the-air updates (software/firmware)

    • Remote wiping

    • SCEP

    • BYOD

    • COPE

    • VPN

    • Application permissions

    • Side loading

    • Unsigned apps/system apps

    • Context-aware management

      • Geolocation/geofencing

      • User behavior

      • Security restrictions

      • Time-based restrictions

    • Security implications/privacy concerns

      • Data storage

        • Non-removable storage

        • Removable storage

      • Cloud storage

      • Transfer/backup data to uncontrolled storage

      • USB OTG

  • Device loss/theft

  • Hardware anti-tamper

    • eFuse

  • TPM

  • Rooting/jailbreaking

  • Push notification services

  • Geotagging

  • Encrypted instant messaging apps

  • Tokenization

  • OEM/carrier Android fragmentation

  • Mobile payment

    • NFC-enabled

    • Inductance-enabled

    • Mobile wallet

    • Peripheral-enabled payments (credit card reader)

  • Tethering

    • USB

    • Spectrum management

    • Bluetooth 3.0 vs. 4.1

  • Authentication

    • Swipe pattern

    • Gesture

    • Pin code

    • Biometric

      • Facial

      • Fingerprint

      • Iris scan

  • Malware

  • Unauthorized domain bridging

  • Baseband radio/SOC

  • Augmented reality

  • SMS/MMS/messaging

  • Wearable technology

    • Devices

      • Cameras

      • Watches

      • Fitness devices

      • Glasses

      • Medical sensors/devices

      • Headsets

    • Security implications

      • Unauthorized remote activation/deactivation of devices or features

      • Encrypted and unencrypted communication concerns

      • Physical reconnaissance

      • Personal data theft

      • Health privacy

      • Digital forensics of collected data

2.4 Given software vulnerability scenarios, select appropriate security controls.
  • Application security design considerations

    • Secure: by design, by default, by deployment

  • Specific application issues

    • Unsecure direct object references

    • XSS

    • Cross-site request forgery (CSRF)

    • Click-jacking

    • Session management

    • Input validation

    • SQL injection

    • Improper error and exception handling

    • Privilege escalation

    • Improper storage of sensitive data

    • Fuzzing/fault injection

    • Secure cookie storage and transmission

    • Buffer overflow

    • Memory leaks

    • Integer overflows

    • Race conditions

      • Time of check

      • Time of use

    • Resource exhaustion

    • Geotagging

    • Data remnants

    • Use of third-party libraries

    • Code reuse

  • Application sandboxing

  • Secure encrypted enclaves

  • Database activity monitor

  • Web application firewalls

  • Client-side processing vs. server-side processing

    • JSON/REST

    • Browser extensions

      • ActiveX

      • Java applets

    • HTML5

    • AJAX

    • SOAP

    • State management

    • JavaScript

  • Operating system vulnerabilities

  • Firmware vulnerabilities

3.0 Enterprise Security Operations

3.1 Given a scenario, conduct a security assessment using the appropriate methods.
  • Methods

    • Malware sandboxing

    • Memory dumping, runtime debugging

    • Reconnaissance

    • Fingerprinting

    • Code review

    • Social engineering

    • Pivoting

    • Open source intelligence

      • Social media

      • Whois

      • Routing tables

      • DNS records

      • Search engines

    • Types

      • Penetration testing

        • Black box

        • White box

        • Gray box

      • Vulnerability assessment

      • Self-assessment

        • Tabletop exercises

      • Internal and external audits

      • Color team exercises

        • Red team

        • Blue team

        • White team

3.2 Analyze a scenario or output, and select the appropriate tool for a security assessment.
  • Network tool types

    • Port scanners

    • Vulnerability scanners

    • Protocol analyzer

      • Wired

      • Wireless

    • SCAP scanner

    • Network enumerator

    • Fuzzer

    • HTTP interceptor

    • Exploitation tools/frameworks

    • Visualization tools

    • Log reduction and analysis tools

  • Host tool types

    • Password cracker

    • Vulnerability scanner

    • Command line tools

    • Local exploitation tools/frameworks

    • SCAP tool

    • File integrity monitoring

    • Log analysis tools

    • Antivirus

    • Reverse engineering tools

  • Physical security tools

    • Lock picks

    • RFID tools

    • IR camera

3.3 Given a scenario, implement incident response and recovery procedures.
  • E-discovery

    • Electronic inventory and asset control

    • Data retention policies

    • Data recovery and storage

    • Data ownership

    • Data handling

    • Legal holds

  • Data breach

    • Detection and collection

      • Data analytics

    • Mitigation

      • Minimize

      • Isolate

      • Recovery/reconstitution

      • Response

      • Disclosure

    • Facilitate incident detection and response

      • Hunt teaming

      • Heuristics/behavioral analytics

      • Establish and review system, audit and security logs

    • Incident and emergency response

      • Chain of custody

      • Forensic analysis of compromised system

      • Continuity of operations

      • Disaster recovery

      • Incident response team

      • Order of volatility

    • Incident response support tools

      • dd

      • tcpdump

      • nbtstat

      • netstat

      • nc (Netcat)

      • memcopy

      • tshark

      • foremost

    • Severity of incident or breach

      • Scope

      • Impact

      • Cost

      • Downtime

      • Legal ramifications

    • Post-incident response

      • Root-cause analysis

      • Lessons learned

      • After-action report

4.0 Technical Integration of Enterprise Security

4.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture.
  • Adapt data flow security to meet changing business needs

  • Standards

    • Open standards

    • Adherence to standards

    • Competing standards

    • Lack of standards

    • De facto standards

  • Interoperability issues

    • Legacy systems and software/current systems

    • Application requirements

    • Software types

      • In-house developed

      • Commercial

      • Tailored commercial

      • Open source

    • Standard data formats

    • Protocols and APIs

  • Resilience issues

    • Use of heterogeneous components

    • Course of action automation/orchestration

    • Distribution of critical assets

    • Persistence and non-persistence of data

    • Redundancy/high availability

    • Assumed likelihood of attack

  • Data security considerations

    • Data remnants

    • Data aggregation

    • Data isolation

    • Data ownership

    • Data sovereignty

    • Data volume

  • Resources provisioning and deprovisioning

    • Users

    • Servers

    • Virtual devices

    • Applications

    • Data remnants

  • Design considerations during mergers, acquisitions and demergers/divestitures

  • Network secure segmentation and delegation

  • Logical deployment diagram and corresponding physical deployment diagram of all relevant devices

  • Security and privacy considerations of storage integration

  • Security implications of integrating enterprise applications

    • CRM

    • ERP

    • CMDB

    • CMS

    • Integration enablers

      • Directory services

      • DNS

      • SOA

      • ESB

4.2 Given a scenario, integrate cloud and virtualization technologies into a secure enterprise architecture.
  • Technical deployment models (outsourcing/insourcing/managed services/partnership)

    • Cloud and virtualization considerations and hosting options

      • Public

      • Private

      • Hybrid

      • Community

      • Multitenancy

      • Single tenancy

    • On-premise vs. hosted

    • Cloud service models

      • SaaS

      • IaaS

      • PaaS

  • Security advantages and disadvantages of virtualization

    • Type 1 vs. Type 2 hypervisors

    • Container-based

    • vTPM

    • Hyperconverged infrastructure

    • Virtual desktop infrastructure

    • Secure enclaves and volumes

  • Cloud augmented security services

    • Anti-malware

    • Vulnerability scanning

    • Sandboxing

    • Content filtering

    • Cloud security broker

    • Security as a service

    • Managed security service providers

  • Vulnerabilities associated with comingling of hosts with different security requirements

    • VM escape

    • Privilege elevation

    • Live VM migration

    • Data remnants

  • Data security considerations

    • Vulnerabilities associated with a single server hosting multiple data types

    • Vulnerabilities associated with a single platform hosting multiple data types/owners on multiple virtual machines

  • Resources provisioning and deprovisioning

    • Virtual devices

    • Data remnants

4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.
  • Authentication

    • Certificate-based authentication

    • Single sign-on

    • 802.1x

    • Context-aware authentication

    • Push-based authentication

  • Authorization

    • OAuth

    • XACML

    • SPML

  • Attestation

  • Identity proofing

  • Identity propagation

  • Federation

    • SAML

    • OpenID

    • Shibboleth

    • WAYF

  • Trust models

    • RADIUS configurations

    • LDAP

    • AD

4.4 Given a scenario, implement cryptographic techniques.
  • Techniques

    • Key stretching

    • Hashing

    • Digital signature

    • Message authentication

    • Code signing

    • Pseudo-random number generation

    • Perfect forward secrecy

    • Data-in-transit encryption

    • Data-in-memory/processing

    • Data-at-rest encryption

      • Disk

      • Block

      • File

      • Record

    • Steganography

    • Implementations

      • Crypto modules

      • Crypto processors

      • Cryptographic service providers

      • DRM

      • Watermarking

      • GPG

      • SSL/TLS

      • SSH

      • S/MIME

      • Cryptographic applications and proper/improper implementations

        • Strength

        • Performance

        • Feasibility to implement

        • Interoperability

      • Stream vs. block

      • PKI

        • Wild card

        • OCSP vs. CRL

        • Issuance to entities

        • Key escrow

        • Certificate

        • Tokens

        • Stapling

        • Pinning

      • Cryptocurrency/blockchain

      • Mobile device encryption considerations

      • Elliptic curve cryptography

        • P256 vs. P384 vs. P512 (sic; the NIST curve in this family is P-521, not P-512)

4.5 Given a scenario, select the appropriate control to secure communications and collaboration solutions.
  • Remote access

    • Resource and services

    • Desktop and application sharing

    • Remote assistance

  • Unified collaboration tools

    • Conferencing

      • Web

      • Video

      • Audio

    • Storage and document collaboration tools

    • Unified communication

    • Instant messaging

    • Presence

    • Email

    • Telephony and VoIP integration

    • Collaboration sites

      • Social media

      • Cloud-based

5.0 Research, Development and Collaboration

5.1 Given a scenario, apply research methods to determine industry trends and their impact to the enterprise.
  • Perform ongoing research

    • Best practices

    • New technologies, security systems and services

    • Technology evolution (e.g., RFCs, ISO)

  • Threat intelligence

    • Latest attacks

    • Knowledge of current vulnerabilities and threats

    • Zero-day mitigation controls and remediation

    • Threat model

  • Research security implications of emerging business tools

    • Evolving social media platforms

    • Integration within the business

    • Big Data

    • AI/machine learning

  • Global IA industry/community

    • Computer emergency response team (CERT)

    • Conventions/conferences

    • Research consultants/vendors

    • Threat actor activities

    • Emerging threat sources

5.2 Given a scenario, implement security activities across the technology life cycle.
  • Systems development life cycle

    • Requirements

    • Acquisition

    • Test and evaluation

    • Commissioning/decommissioning

    • Operational activities

      • Monitoring

      • Maintenance

      • Configuration and change management

    • Asset disposal

    • Asset/object reuse

  • Software development life cycle

    • Application security frameworks

    • Software assurance

      • Standard libraries

      • Industry-accepted approaches

      • Web services security (WS-security)

      • Forbidden coding techniques

      • NX/XN bit use

      • ASLR use

      • Code quality

      • Code analyzers

        • Fuzzer

        • Static

        • Dynamic

    • Development approaches

      • DevOps

      • Security implications of agile, waterfall and spiral software development methodologies

      • Continuous integration

      • Versioning

    • Secure coding standards

    • Documentation

      • Security requirements traceability matrix (SRTM)

      • Requirements definition

      • System design document

      • Testing plans

    • Validation and acceptance testing

      • Regression

      • User acceptance testing

      • Unit testing

      • Integration testing

      • Peer review

    • Adapt solutions to address:

      • Emerging threats

      • Disruptive technologies

      • Security trends

    • Asset management (inventory control)

5.3 Explain the importance of interaction across diverse business units to achieve security goals.
  • Interpreting security requirements and goals to communicate with stakeholders from other disciplines

    • Sales staff

    • Programmer

    • Database administrator

    • Network administrator

    • Management/executive management

    • Financial

    • Human resources

    • Emergency response team

    • Facilities manager

    • Physical security manager

    • Legal counsel

  • Provide objective guidance and impartial recommendations to staff and senior management on security processes and controls

  • Establish effective collaboration within teams to implement secure solutions

  • Governance, risk and compliance committee

Steps to Becoming a CASP

To become a CASP, there are certain prerequisite procedures to follow. The following sections cover those topics.

Qualifying for the Exam

While there is no required prerequisite, the CASP certification is intended to follow CompTIA Security+ or equivalent experience and has a technical, hands-on focus at the enterprise level.

Signing Up for the Exam

A CompTIA Advanced Security Practitioner (CASP) voucher costs $390.

About the Exam

The following are the characteristics of the exam:

  • Launches: April 2, 2018

  • Number of questions: 90 (maximum)

  • Type of questions: Multiple choice and performance based

  • Length of test: 165 minutes

  • Passing score: Pass/fail only; no scaled score

  • Recommended experience: 10 years’ experience in IT administration, including at least 5 years of hands-on technical security experience

  • Languages: English

CompTIA Authorized Materials Use Policy

CompTIA has recently started a more proactive movement toward preventing test candidates from using brain dumps in their pursuit of certifications. CompTIA currently implements the CompTIA Authorized Quality Curriculum (CAQC) program, whereby content providers like Pearson can submit their test preparation materials to an authorized third party for audit. The CAQC checks to ensure that adequate topic coverage is provided by the content. Only authorized partners can submit their material to the third party.

In the current CAS-003 Blueprint, CompTIA includes a section titled “CompTIA Authorized Materials Use Policy” that says:

CompTIA Certifications, LLC is not affiliated with and does not authorize, endorse or condone utilizing any content provided by unauthorized third-party training sites (aka “brain dumps”). Individuals who utilize such materials in preparation for any CompTIA examination will have their certifications revoked and be suspended from future testing in accordance with the CompTIA Candidate Agreement. In an effort to more clearly communicate CompTIA’s exam policies on use of unauthorized study materials, CompTIA directs all certification candidates to the CompTIA Certification Exam Policies. Please review all CompTIA policies before beginning the study process for any CompTIA exam. Candidates will be required to abide by the CompTIA Candidate Agreement. If a candidate has a question as to whether study materials are considered unauthorized (aka “brain dumps”), he/she should contact CompTIA at [email protected] to confirm.

Remember: Just because you purchase a product does not mean that the product is legitimate. Some of the best brain dump companies out there charge for their products. Also, keep in mind that using materials from a brain dump can result in certification revocation. Please make sure that all products you use are from a legitimate provider rather than a brain dump company. Using a brain dump is cheating and directly violates the non-disclosure agreement (NDA) you sign at exam time.
