Exam Profile: (ISC)2 Systems Security Certified Practitioner (SSCP)

Date: Apr 4, 2011

This article profiles the SSCP exam, an entry-level security exam sponsored by the International Information Systems Security Certification Consortium, Inc., or (ISC)2. Pearson IT Certification provides a variety of exam preparation tools to help our customers in their quest for certification. As part of our service to you, we have developed this Exam Profile series. Each profile is developed based on the testing experience of one of our trainers or authors. You won’t get exact questions or answers, but you will get a real feel for the exam. Each profile describes question forms, trouble spots, hints for exam preparation, and recommendations for additional study resources. Find out what you can expect to see on the exam and how you can better prepare for it.

The SSCP exam is an entry-level security exam sponsored by International Information Systems Security Certification Consortium, Inc., or (ISC)2. It is considered by many to be a stepping stone on the path to earning the (ISC)2 Certified Information Systems Security Practitioner (CISSP). (ISC)2 describes the person with the SSCP certification as the person doing the hands-on work, or the enforcer that everyone is going to for answers. However, don’t think that this means that you’ll be asked a lot of questions of how to use specific tools. The exam is still focused on understanding key security concepts.

To achieve the SSCP certification, you have to complete several steps:

Have one year of relevant security experience (in one or more of the seven domains)
Subscribe to the (ISC)2 code of ethics
Pass the exam with a score of at least 700
Be endorsed by an (ISC)2 certified member in good standing

Exam Details

Exam Type: Proctored

This is a paper-based exam administered by proctors. You’ll be filling in little circles with an old-fashioned #2 pencil. It is often administered in a hotel conference room. If you take a review seminar, it is usually administered in the same place as the seminar. There will be several proctors walking around the room while you are taking the test.

Number of questions: 125

Only 100 questions are graded. The other 25 questions are for research purposes, but they are mixed into the entire 125 questions so you won’t know which questions are graded. You’ll need to answer every question as if it’s graded.

Type of Questions: Multiple choice

The questions are basic multiple choice questions. You may have some scenario-based items where you’ll read a scenario and then answer two or more questions related to the scenario. You aren’t penalized for wrong answers, so make sure you answer each question.

Passing score: 700/1000

The questions are weighted, so a score of 700 doesn’t indicate that you need to get exactly 70 questions correct.

Time limit: 3 hours

You’re expected to arrive at 8 AM, instructions begin at 8:30, and the exam starts at 9. If you’re late, you probably won’t be allowed in. You’ll have until 12:00 to take the exam while other people will likely be taking the CISSP exam which lasts until 3:00 PM.

How to register: (ISC)2 Website

Registering for this exam is different than many other vendor exams such as CompTIA, Cisco, and Microsoft exams. You start the process at this page.

After clicking on the link to register, you’ll be able to search for when the exam is administered in your area. There are a limited number of seats at each exam and they often sell out before the test day, so if one is in your area, sign up early. You’ll be prompted to agree to the code of ethics during the process and after registering, you’ll be emailed admission documents. You’ll need these documents on the day of the exam, along with a government-issued photo identification such as a driver’s license or passport.

Exam price: $300.

If you register at least 16 days early, you can get a $50 discount. In other words, you can take the exam for $250 instead of $300. However, if you have to reschedule, there’s a hefty rescheduling fee of $100.

Time to get results: About 4 to 6 weeks

Unlike many exams where you know right away whether you pass or not, you’ll need to wait for the SSCP results. (ISC)2 says you’ll get the results in your email about 4 to 6 weeks after taking the exam, but they often come a little earlier.

Trouble Spots

Many people find the following two domains especially challenging.

Cryptography

This is one of those topics that most people don’t work with on a regular basis and it has sufficient depth to really throw you. However, if you understand cryptography at the level required for the Security+ exam, you’ll only need to add a little knowledge.

Risk, Response, and Recovery

This topic covers a wide range of topics that are beyond the experience level of someone with only a single year of experience. The topics aren’t overly difficult, but they do require some focused studying.

Preparation Hints

One of the first things to do when considering the SSCP exam is to download the Candidate Information Bulletin (CIB). They provide you with a significant amount of information about the exam, including details about the domains covered by the exam. You can retrieve a candidate information bulletin for the SSCP exam here after providing some registration information.

If you’ve studied and passed the Security+ exam, you are well on your way to taking and passing this exam. SSCP includes many of the same topics, though the questions will often be asked differently. If you truly learned the material for the Security+ exam, you can probably brush up on the topics and find that you’re prepared for more than 50% of the exam. However, you will find that many of the questions on the SSCP exam require a deeper level of understanding for many of the topics.

Many people wonder about the difference between the SSCP and the CISSP. There is quite a bit of crossover between the exams. However, the CISSP exam questions are much more complex, requiring a deeper level of understanding of the topics. Additionally, the CISSP exam covers a much broader range of questions. However, if you plan on taking the CISSP exam in the future, it’s worthwhile studying some of the CISSP resources for the SSCP topics. You’ll have a solid understanding for the SSCP exam, and you’ll be a step ahead of the game when you tackle the CISSP.

Recommended Study Resources

The CIB lists almost 100 references that make up the common body of knowledge (CBK) for the exam. However, it’s not feasible or even recommended to purchase and read all of these books. Unfortunately, there isn’t a standout book available on the SSCP at this time. The biggest challenge is that the CIB covers such a broad base of knowledge, it’s difficult for a single book to cover all of the objectives adequately. Your best bet is to get more than one book. You can start with a search on Amazon for SSCP or even Security+ books. Additionally, there is an active forum on SSCP (combined with CISSP).

Last, ccure.org has some free study guides for SSCP. You’ll need to create a profile; after logging in, search on “SSCP” or follow the menu for Certifications -> ISC2 Certifications -> SSCP. They have several free SSCP study guides, but be aware that many of these are older. Some knowledge, like the OSI model, is timeless, but other topics, like cryptography, change frequently.

Exam Objectives

The SSCP includes topics from seven domains:

Access controls

This includes items such as the different factors of authentication, and various controls used to control access to files, systems, and networks.

Cryptography

You should have a basic understanding of the purpose of cryptography, including hashing, symmetric encryption, asymmetric encryption, certificates, and secure protocols such as IPSec, SSL, TLS, and S/MIME.

Malicious code and activity

This includes a wide variety of malicious activity such as phishing, viruses, worms, Trojan horses, botnets, Denial of Service (DoS) attacks, and more. In addition to knowing the methods to detect malware, you should also know some of the different methods that malware uses to prevent detection. This topic also includes non-technical aspects such as social engineering and the importance of user training.

Monitoring and analysis

These topics start to get a little more technical with items such as Intrusion Detection Systems, Intrusion Prevention Systems, honeypots, and sniffers. You should also have a basic understanding of what to look for when analyzing the results.

Networks and communications

Common networking topics such as the OSI and TCP/IP models, common protocols, remote access, firewalls, and wireless technologies are covered. If you have a networking background, you’ll find this material familiar, though you’ll need to ensure you brush up on the individual topics listed in the CIB. A Network+ or CCNA certification will definitely help you here.

Risk, response, and recovery

These topics cover a widely diverse set of knowledge that someone with only a single year of experience will rarely have. It includes concepts about risk management, security assessments, incident handling, Business Continuity Plans (BCPs), and Disaster Recovery Plans (DRPs).

Security operations and administration

Topics include security administration, change management, security awareness education, the (ISC)2 code of ethics, and more. It’s worth noting that the code of ethics you subscribe to isn’t something you should just scan over. They are actually identified in the CIB.

Where to Go From Here

Get the CIB, read it, and take notes to identify your weaknesses. Once you’ve identified your weaknesses, look for resources to increase your knowledge in those areas. Good luck!