(ISC)2 Systems Security Certified Practitioner

Candidates must have a minimum of 1-year cumulative work experience in 1 or more of the 7 domains of the SSCP CBK. A 1-year prerequisite pathway will be granted for candidates who received a degree (bachelors or masters) in a cybersecurity program.

A candidate that doesn’t have the required experience to become an SSCP may become an Associate of (ISC)² by successfully passing the SSCP examination. The Associate of (ISC)² will then have 2 years to earn the 1 year required experience. You can learn more about SSCP experience requirements and how to account for part-time work and internships at www.isc2.org/Certifications/SSCP/experiencerequirements.

• Single/multifactor authentication
• Single sign-on » Device authentication
• Federated access

• Trust relationships (e.g., 1-way, 2-way, transitive)
• Extranet
• Third party connections

• Authorization » Proofing
• Provisioning/de-provisioning
• Maintenance » Entitlement
• Identity and Access Management (IAM) systems

• Mandatory
• Non-discretionary
• Discretionary
• Role-based
• Attribute-based
• Subject-based
• Object-based

• (ISC)² Code of Ethics
• Organizational code of ethics

• Confidentiality
• Integrity
• Availability
• Accountability
• Privacy
• Non-repudiation
• Least privilege
• Separation of duties

• Deterrent controls
• Preventative controls
• Detective controls
• Corrective controls
• Compensating controls

• Lifecycle (hardware, software, and data)
• Hardware inventory
• Software inventory and licensing
• Data storage

• Technical controls (e.g., session timeout, password aging)
• Physical controls (e.g., mantrap, cameras, locks)
• Administrative controls (e.g., security policies and standards, procedures, baselines)
• Periodic audit and review

• Risk visibility and reporting (e.g., risk register, sharing threat intelligence, Common Vulnerability Scoring System (CVSS))
• Risk management concepts (e.g., impact assessments, threat modelling, Business Impact Analysis (BIA))
• Risk management frameworks (e.g., ISO, NIST)
• Risk treatment (e.g., accept, transfer, mitigate, avoid, recast)

• Participate in security testing » Interpretation and reporting of scanning and testing results » Remediation validation
• Audit finding remediation 3.3 Operate and maintain monitoring systems (e.g., continuous monitoring)
• Events of interest (e.g., anomalies, intrusions, unauthorized changes, compliance monitoring)
• Logging » Source systems
• Legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)

• Security baselines and anomalies
• Visualizations, metrics, and trends (e.g., dashboards, timelines)
• Event data analysis
• Document and communicate findings (e.g., escalation)

• Preparation
• Detection, analysis, and escalation
• Containment » Eradication
• Recovery
• Lessons learned/implementation of new countermeasure

• Legal and ethical principles
• Evidence handling (e.g., first responder, triage, chain of custody, preservation of scene)

• Emergency response plans and procedures (e.g., information system contingency plan)
• Interim or alternate processing strategies
• Restoration planning
• Backup and redundancy implementation
• Testing and drills

• Hashing » Salting
• Symmetric/asymmetric encryption/Elliptic Curve Cryptography (ECC)
• Non-repudiation (e.g., digital signatures/ certificates, HMAC, audit trail)
• Encryption algorithms (e.g., AES, RSA)
• Key strength (e.g., 256, 512, 1024, 2048 bit keys)
• Cryptographic attacks, cryptanalysis, and counter measures

• Fundamental key management concepts (e.g., key rotation, key composition, key creation, exchange, revocation, escrow)
• Web of Trust (WOT) (e.g., PGP, GPG)
• Hashing
• Salting
• Symmetric/asymmetric encryption/Elliptic Curve Cryptography (ECC)
• Non-repudiation (e.g., digital signatures/ certificates, HMAC, audit trail)
• Encryption algorithms (e.g., AES, RSA)
• Key strength (e.g., 256, 512, 1024, 2048 bit keys)
• Cryptographic attacks, cryptanalysis, and counter measures
• Confidentiality
• Integrity and authenticity
• Data sensitivity (e.g., PII, intellectual property, PHI)
• Regulatory
• Services and protocols (e.g., IPSec, TLS, S/MIME, DKIM)
• Common use cases » Limitations and vulnerabilities

• OSI and TCP/IP models » Network topographies (e.g., ring, star, bus, mesh, tree)
• Network relationships (e.g., peer to peer, client server)
• Transmission media types (e.g., fiber, wired, wireless)
• Commonly used ports and protocols

• Network access control and monitoring (e.g., remediation, quarantine, admission)
• Network access control standards and protocols (e.g., IEEE 802.1X, Radius, TACACS)
• Remote access operation and configuration (e.g., thin client, SSL VPN, IPSec VPN, telework)

• Logical and physical placement of network devices (e.g., inline, passive)
• Segmentation (e.g., physical/logical, data/control plane, VLAN, ACLs)
• Secure device management

• Firewalls and proxies (e.g., filtering methods) » Network intrusion detection/prevention systems
• Routers and switches » Traffic-shaping devices (e.g., WAN optimization, load balancing)

• Transmission security
• Wireless security devices (e.g.,WIPS, WIDS)

• Malware (e.g., rootkits, spyware, scareware, ransomware, trojans, virus, worms, trapdoors, backdoors, and remote access trojans)
• Malicious code countermeasures (e.g., scanners, anti-malware, code signing, sandboxing)
• Malicious activity (e.g., insider threat, data theft, DDoS, botnet)
• Malicious activity countermeasures (e.g., user awareness, system hardening, patching, sandboxing, isolation)

• HIDS
• Host-based firewalls
• Application white listing
• Endpoint encryption
• Trusted Platform Module (TPM)
• Mobile Device Management (MDM) (e.g., COPE, BYOD)
• Secure browsing (e.g., sandbox)

• Deployment models (e.g., public, private, hybrid, community)
• Service models (e.g., IaaS, PaaS and SaaS)
• Virtualization (e.g., hypervisor) » Legal and regulatory concerns (e.g., privacy, surveillance, data ownership, jurisdiction, eDiscovery)
• Data storage and transmission (e.g., archiving, recovery, resilience)
• Third party/outsourcing requirements (e.g., SLA, data portability, data destruction, auditing) » Shared responsibility model

• Software-defined networking
• Hypervisor
• Virtual appliances
• Continuity and resilience
• Attacks and countermeasures
• Shared storage