(ISC)2
In addition to the CISSP certification, the International Information Systems Security Certifications Consortium (ISC)2 offers the Systems Security Certified Practitioner (SSCP), Certified Secure Software Lifecycle Professional (CSSLP), and Certification and Accreditation Professional (CAP) certifications.
SSCP
Developed in 1998, the SSCP certifies network and systems administrators who implement security policies, standards, and procedures. The SSCP tests the candidate’s knowledge in seven domains that comprise the Information Systems Security Administrator Common Body of Knowledge (CBK):
• Access Controls
• Analysis and Monitoring
• Cryptography
• Malicious Code
• Networks and Telecommunications
• Risk, Response, and Recovery
• Security Operations and Administration
Similar in format to the CISSP exam, the SSCP exam is a paper-based, 125-question, multiple-choice examination. You have three hours to complete the exam. A minimum of one year of related work experience in at least one of the seven domains is required.
CSSLP
The CSSLP is designed to address security deficiencies in the software life cycle, as evidenced by the fact that most security breaches are related to application security. The CSSLP is for any stakeholder in the software life cycle who has at least four years of experience. Potential candidates include
• Top management
• Business unit heads
• IT managers
• Security specialists
• Application owners
• Developers and coders
• Project managers and team leaders
• Technical architects
• Quality assurance managers
• Business analysts
• Industry group delivery heads
• Client-side program managers
• Auditors
The CSSLP CBK focuses on building security into the software development life cycle (SDLC) and consists of the following domains:
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal
CAP
The CAP certification is for candidates in U.S. state and local governments, and for civilians in the commercial job market, who are responsible for formally certifying and accrediting security in information systems. Candidates hold job positions such as authorizing officials, system or information owners, information system security officers (ISSOs), and senior system managers. CAP candidates must have a minimum of two years of direct, full-time systems security certification and accreditation experience in one or more of the following five CAP domains:
• Understanding the Purpose of Certification
• Initiation of the System Authorization Process
• Certification Phase
• Accreditation Phase
• Continuous Monitoring Phase
CISSP concentrations
(ISC)2 also offers three CISSP concentrations:
ISSAP (Information Systems Security Architecture Professional): For CISSPs who have at least two years of experience in security architecture. The six CBK domains are
• Access Control Systems and Methodology
• Cryptography
• Physical Security Integration
• Requirements Analysis and Security Standards, Guidelines, and Criteria
• Technology-Related Business Continuity and Disaster Recovery Planning
• Telecommunications and Network Security
ISSEP (Information Systems Security Engineering Professional): Developed in cooperation with the U.S. National Security Agency (NSA) for systems security engineering professionals. The four CBK domains include
• Certification and Accreditation
• Systems Security Engineering
• Technical Management
• U.S. Government Information Assurance Regulations
ISSMP (Information Systems Security Management Professional): For CISSPs who have at least two years of management experience, specifically in the areas of project management, risk management, security awareness program development and management, or Business Continuity Planning management at an enterprise-wide level. The five included CBK domains are
• Business Continuity Planning (BCP), Disaster Recovery Planning (DRP), and Continuity of Operations Planning (COOP)
• Enterprise Security Management Practices
• Enterprise-Wide System Development Security
• Law, Investigations, Forensics, and Ethics
• Overseeing Compliance of Operations Security