Security first: An overview of CompTIA CASP and SMSP certification
Posted on
June 27, 2016
CompTIA security credentials can help you get ahead in your career.

When it comes to IT-related certifications that are a mouthful, CompTIA wins at both ends of the spectrum. On one end, they have what is commonly known merely as "A+," though it consists of multiple exams intended to authenticate entry-level hardware and operating system skills.

At the opposite end, there is the relatively new "Social Media Security Professional Powered by CompTIA" certification (SMSP) that is administered through Ultimate Knowledge Institute (UKI).

CompTIA also now has impressive security breadth in its certification portfolio, with the popular Security+ credential serving as a foundational certification. Security+ is now complemented by SMSP and the CompTIA Advanced Security Practitioner (CASP) credential, two completely different specialty offerings.

Since most people in IT readily associate Security+ with CompTIA, but are less familiar with the other two, we will focus on those complementary offerings in this overview.


The Social Media Security Professional certification is the "industry's first social media security certification" and is good for life (no three-year limit or need for renewal). It requires passing a single exam of 65 questions, which must be answered in 90 minutes with a passing score of 700.

Training courses taken through UKI qualify candidates to sit for the exam. Otherwise, one year of verified cybersecurity work experience is needed. If you take the standard exam, the cost is $275.

If you take the three-day self-paced exam, the cost is $799, but you get the added benefit of earning 24 continuing education units (CEUs). These can be applied to keeping other CompTIA certifications (such as A+, Network+, or Security+) up-to-date.

The SMSP exam has five domains, each encompassing various objectives. The following table shows the domains and objectives. The topics beneath each objective are listed in the Common Body of Knowledge (CBK) which can be requested here.

Domain Objectives
  1. Social Media Theory and Principles
Understand Social Media Theory
Understand Social Media Typing
Social Media Implementations and Use Cases
  1. Social Media Technical Composition
Understand Social Media Capabilities
Understand Social Hosting Platforms
Understand Social Media End User Platforms and Applications
Understand Social Media Standards and Protocols
  1. Social Media Risks
Understand Social Media Threats
Understand Social Media Common Attack Characteristics
  1. Social Media Security and Incident Response
Understand Foundational Detection and Protection Strategies
Understand Common Social Media Security Settings
Understand Social Media Incident Response Strategies
  1. Social Media Management
Understand Social Media Policy Framework
Understand Social Media Terms of Service
Understand Social Media Privacy Statements – Policy

In addition to the Common Body of Knowledge, you can also request sample questions. More information about the exam and certification can be obtained by contacting UKI at 888.677.5696 or


The CompTIA Advanced Security Practitioner credential is still a relative newcomer to the IT certification scene. Launched in the fall of 2011, the CASP is intended to build on the cybersecurity knowledge of individuals whose initial exposure to cybersecurity skills and concepts is rooted in CompTIA's popular Security+ certification.

CompTIA security certifications can advance your career.

CompTIA describes the CASP — which some in the cybersecurity community view as being a comparable alternative to the more widely-recognized CISSP certification sponsored by (ISC)2 — in the following terms

"CompTIA Advanced Security Practitioner (CASP) meets the growing demand for advanced IT security in the enterprise. Recommended for IT professionals with at least 5 years of experience, CASP certifies critical thinking and judgment across a broad spectrum of security disciplines and requires candidates to implement clear solutions in complex environments."

The latest version of the CASP exam (CAS-002) requires answering up to 90 questions in 165 minutes. Those questions combine multiple-choice with performance-based questions and candidate either pass or fail and a passing score isn't revealed.

The cost is currently $414. It is recommended that candidates have 10 years of experience with IT administration, five of which are directly related to security. This is not a lifetime certification. Credential holders must keep their skills current either by recertifying or via continuing education units (CEUs).

Like the SMSP exam, the CASP exam has five domains, each of which encompasses various objectives. Unlike SMSP, however, the weighting of each domain is known and noted in the following table that shows those domains and objectives.

Note: While there is not a Common Body of Knowledge for this exam, there is a more detailed list of what topics are beneath each domain that includes a glossary of acronyms, which can be accessed from the CompTIA website.

Domain Objectives
  1. Enterprise Security (30 percent)
Given a scenario, select appropriate cryptographic concepts and techniques
Explain the security implications associated with enterprise storage
Given a scenario, analyze network and security components, concepts and architectures
Given a scenario, select and troubleshoot security controls for hosts
Differentiate application vulnerabilities and select appropriate security controls
  1. Risk Management and Incident Response (20 percent)
Interpret business and industry influences and explain associated risks
Given a scenario, execute risk mitigation planning, strategies and controls
Compare and contrast security, privacy policies and procedures based on organizational requirements
Given a scenario, conducts incident response and recovery procedures
  1. Research and Analysis (18 percent)
Apply research methods to determine industry trends and impacts to the enterprise
Analyze scenarios to secure the enterprise
Given a scenario, select methods or tools appropriate to conduct an assessment and analyze results
  1. Integration of Computing, Communications and Business Disciplines (16 percent)
Given a scenario, facilitate collaboration across diverse business units to achieve security goals
Given a scenario, select the appropriate control to secure communications and collaboration solutions
Implement security activities across the technology life cycle
  1. Technical Integration of Enterprise Components (16 percent)
Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture
Given a scenario, integrate advanced authentication and authorization technologies to support enterprise objectives

We will explore the subjects covered on the exam in more detail in future articles, but following are five questions to test your knowledge of CASP-related topics. These questions are not intended to mirror those on the exam, but merely to test your knowledge of similar topics.

Security-Related Questions

1) Melanie regularly encrypted a folder full of files with her public key to keep them safe from prying eyes. Jerry, an administrator, thought Melanie had been fired when actually it was Melody in Sales who was let go. Erroneously, Jerry deleted Melanie's account, which had exclusive access to the private key. What can be used to remedy this situation?

A. The same public key used to encrypt the files can be used to decrypt them.
B. A recovery agent can be used to decrypt the files and/or the private key.
C. A steganography key, often referred to as a bump key, can be used to decrypt the files.
D. The files cannot be recovered.

2) EAD Enterprises has numerous branch offices and a skeleton crew of IT professionals at each to support operations. If configured correctly, what type of Incident Response Team should exist at the main office to help guide those at the branch offices responsible for each of their locations?

A. Central
B. Coordinating
C. Distributed
D. Outsourced

3) Log files point to the possibility that someone is using a port scanner on your servers looking for a weakness. Which of the following would NOT be a good way to minimize the vulnerabilities port scanning could uncover?

A. Disable unnecessary ports and services.
B. Use TCP wrappers on services that are vulnerable and cannot be otherwise protected
C. Implement grid computing
D. Remove banners as much as possible

4) The Security Development Lifecycle (SDL) helps developers build more secure software. During which phase of SDL would threat modeling be first used?

A. Verification
B. Implementation
C. Design
D. Requirements

CompTIA security credentials can help you get ahead in your career.

5) Which of the following is a cross-domain, browser-based, Single Sign-On (SSO) framework and extension of the SAML (Security Assertion Markup Language) 1.1 standard?

A. Shibboleteh


1) B. If the recovery agent is available, it can be used to help in this situation to recover/decrypt either the private key or use a different one to decrypt the data. This topic is covered in the Enterprise Security domain.

2) B. A coordinating incident response team combines features from the central and distributed model. Their role is to help guide those at the branch offices responsible for each of their locations. This topic is covered in the Risk Management and Incident Response domain.

3) C. Grid computing would do nothing to minimize the possibility of a port scan showing vulnerabilities. Disabling ports that are not needed, using TCP wrappers, and removing banners from applications and OSes that create them would all help minimize the risk. This topic is covered in the Research, Analysis, and Assessment domain.

4) C. Threat modeling would be used during the Design phase of SDL. During this step, they goal would be to identify security vulnerabilities and design ways to eliminate or mitigate them. This topic is covered in the Integration of Computing, Communications and Business Disciplines domain.

5) D. Shibboleth is a cross-domain, browser-based, Single Sign-On (SSO) framework and extension of the SAML (Security Assertion Markup Language) 1.1 standard. This topic is covered in the Technical Integration of Enterprise Components domain.

About the Author

Emmett Dulaney is a professor at Anderson University and the author of several books including Linux All-in-One For Dummies and the CompTIA Network+ N10-008 Exam Cram, Seventh Edition.

Posted to topic:

Important Update: We have updated our Privacy Policy to comply with the California Consumer Privacy Act (CCPA)

CompTIA IT Project Management - Project+ - Advance Your IT Career by adding IT Project Manager to your resume - Learn More