Security professionals and aspiring security engineers around the world are generally familiar with the field’s two top security certifications: the entry-level Security+ credential and the premier Certified Information Systems Security Professional (CISSP) program. Many of today’s security experts cut their teeth on one or both of these certifications and went on to build successful careers with those documents framed on the wall, lending legitimacy to their mastery of the domains of security. While these credentials get large amounts of attention, the Systems Security Certified Practitioner (SSCP) credential fills a niche that often goes unnoticed: security engineers with a bit of experience under their belts.
The SSCP credential comes from the International Information Systems Security Certification Consortium (ISC)2 and serves as their entry-level certification, targeted at security practitioners with about a year of experience. It’s positioned as the hands-on counterpart to the more theoretical CISSP certification. In this space, it directly competes with the more popular Security+ credential but differs significantly in that SSCP holders must have at least one year of verified information security experience.
Opportunities abound for holders of any of these information security certifications. Security skills are in extremely high demand and, after a few years of experience, security experts commonly find themselves earning six-figure salaries. Holders of the SSCP credential are particularly well-qualified for security engineering, monitoring and implementation positions, where they serve in a hands-on security capacity.
Earning the SSCP
The major hurdle to earning the SSCP certification is passing a 125-question exam consisting of multiple-choice items with four choices each. (ISC)2 does not release details on the scoring of the exam, other than to say that candidates must earn at least 700 points on a 1000-point scale. The exam scoring system weights questions differently based upon the difficulty of each question, resulting in different score scales for each version of the examination.
In addition, 25 of the exam questions are experimental questions being tested for future use on the exam and do not count in the computation of a candidate’s score. The exam uses a computer-based testing format and candidates take it at a Pearson VUE testing center.
Candidates who pass the exam must then complete an experience endorsement process demonstrating that they have at least one year of paid, full-time experience working in one or more of the seven SSCP domains. The endorsement process requires finding an (ISC)2-certified individual willing to attest to that experience and complete a short written form. Candidates who do not currently have the required experience may instead request the Associate of (ISC)2 certification after passing the exam and then have two years to complete the endorsement process and become SSCP certified.
It is very important to understand that the paid and full-time portions of the experience requirement are strictly enforced. Candidates must be working in a position where their job is security-focused and they must be compensated for that job. Jobs with ancillary security responsibilities and volunteer positions do not count toward the experience requirement.
Understanding the Seven Domains
The SSCP exam covers practical issues from seven different domains of information security. These include:
- Domain 1: Access Controls
- Domain 2: Security Operations and Administration
- Domain 3: Risk Identification, Monitoring and Analysis
- Domain 4: Incident Response and Recovery
- Domain 5: Cryptography
- Domain 6: Network and Communications Security
- Domain 7: Systems and Application Security
The SSCP Candidate Information Bulletin, available for free from the (ISC)2 website, provides detailed information on each of the domains and the knowledge required to pass the exam.
The first domain, Access Controls, covers issues in the identity and access management field, including authentication and authorization controls. Candidates must be familiar with the different authentication methods used in modern enterprises, understand trust relationships between domains and know how to implement both subject-based and object-based access controls in a real-world environment. They must also understand the full identity management lifecycle, including authorization, proofing, provisioning, maintenance and entitlement.
Security Operations and Administration, the second SSCP domain, covers a wide variety of security topics and is often described as the “general security” domain. Students must understand some of the field’s basic principles, including the Confidentiality, Integrity and Availability (CIA) triad, the categories of security controls and the importance of security awareness and training programs. This domain also includes coverage of asset management, change management and physical security operations.
The third domain, Risk Identification, Monitoring and Analysis, delves into the importance of approaching security from a risk-based viewpoint. Security controls must be designed appropriately to respond to risks in a given operating environment. Designing controls that fail to adequately address risks exposes the organization to security incidents. Over-engineering controls, on the other hand, increases costs and hampers productivity. Candidates studying this domain learn the importance of risk management, security assessments, and managing a robust security monitoring program.
Domain four, Incident Response and Recovery, covers the processes used to address situations where security controls fail and an incident occurs. It includes complete coverage of the incident handling steps, including discovery, escalation, reporting, incident response and implementing countermeasures. Candidates preparing for this domain must also understand forensic investigation techniques and the basic concepts of business continuity planning (BCP) and disaster recovery planning (DRP).
Cryptography is a critical control for preserving the confidentiality, integrity and authenticity of information and it makes up the fifth SSCP domain. Successful SSCP candidates must understand the concepts of encryption, decryption, digital signatures, hashing and non-repudiation. They must also understand when it is appropriate to use cryptography to counter security risks and how they can implement and support secure protocols. This domain also delves into managing a public key infrastructure, digital certificates and other cryptographic management topics.
The sixth SSCP domain, Network and Communications Security, dives into a very meaty area — protecting information in transit over networks and communications systems. Successfully answering questions in this domain requires a basic knowledge of networking concepts and then a detailed understanding of how security professionals may strengthen the security of their wired and wireless networks. This includes implementation of network access control systems and designing secure segmented networks. Candidates must also demonstrate their understanding of the operation and configuration of firewalls, intrusion detection systems, proxies and other network security devices.
Systems and Application Security is the final SSCP domain. While the name implies that it covers topics like software development security, the reality is that it focuses largely on systems security and security issues related to a few “hot topics” in information technology. On the system security front, candidates must demonstrate familiarity with malicious code, endpoint security and social engineering threats. (ISC)2 also throws in the front-burner issues of virtualization, Big Data and cloud security for good measure.
Is the SSCP Right For You?
If reading the descriptions of these seven domains triggers your interest, preparing for the SSCP credential may be a good career move for you. Before you run out and buy an SSCP book, however, you should think about what credential approach best matches your current experience and career aspirations.
If you’re entirely new to the information security field and looking to land your first position, you may be better suited to pursuing the Security+ certification. This program is as well-regarded as the SSCP in most corners and has no experience requirement. Security+ is typically the first credential people earn when looking to build out their information security resume and demonstrate their interest to potential employers. It’s the quickest path from zero experience to a respected information security certification.
If you have several years of experience, on the other hand, the CISSP credential may be your natural next step. The CISSP requires five years of full-time experience and covers a wider body of knowledge than the SSCP program, but it is the premier certification in information security and is often a requirement for senior-level information security positions. If you aspire to a Chief Information Security Officer (CISO) role, the CISSP is a must-have.
If you find yourself somewhere between these two extremes, however, then the SSCP credential may indeed be the best next step for your career. It doesn’t require mastering the diverse body of knowledge found in the CISSP program and does demonstrate to potential employers that you have at least a small amount of experience in information security. Who knows? That may just be enough to push you over the edge and land you that next job interview!