The SSCP Certification Experience
by, 06-06-2008 at 01:26 AM (34495 Views)
This is a review of the (ISC)2 SSCP (Systems Security Certified Practitioner) certification. I passed the SSCP exam in April 2008, but unlike many IT certifications, passing the exam is only one step in achieving the certification itself. As with the other (ISC)2 certifications, the SSCP has several steps that must be completed and verified by the (ISC)2. This is my personal accounting and impressions of the SSCP certification experience.
The SSCP Certification: What am I getting myself into?
The first step of SSCP certification is to find out what you are getting yourself into. The details of the SSCP exam and testing rules are found in the SSCP Candidate Information Bulletin and the Registration and Processing FAQ. You will find the requirements to pass a 125-question exam and to provide a professional endorsement. After becoming certified, the requirements to pay a $65US Annual Maintenance Fee (AMF) and to collect 60 Continuing Professional Education (CPE) credits every three years in lieu of taking a renewal exam also apply.
You can sign up for the SSCP exam by mail or online, where you will specify how you meet the experience requirements to become SSCP-certified and where you want to take the exam. You will also pay for the exam at registration time regardless of when or where you actually decide to take it. There is also a $100US rescheduling fee, so make sure that you will be ready to take the exam on the date that you choose.
Information about the (ISC)2 examination rules, procedures, and protocol can be found on the (ISC)2 Examination Registration Form and in the How to Certify page on the (ISC)2 Web site. (ISC)2 exams are not given in a Prometric or Pearson VUE testing center. Instead, they are sponsored by an organization endorsed by the (ISC)2, whose members administer and proctor the (ISC)2 exams.
Studying for the SSCP Exam
The primary study resource for the SSCP exam is the Official (ISC)2 Guide to the SSCP CBK (a.k.a., the “SSCP Gold Book”). This book describes the content of the SSCP CBK (Common Body of Knowledge) on which the exam is based. I have issues with the style and editing of the 1st edition of this book, but the content is very recent and fits the exam quite nicely.
Less expensive SSCP study guides include the books from Syngress and Wiley. I bought both of these from the discount booksellers on Amazon.com for under $10US each (including shipping). I wouldn't recommend using these books as your only study material unless you already know the information in all of the domains of the SSCP CBK quite well.
I also found the Official (ISC)2 Guide to the CISSP CBK (a.k.a., the “CISSP Gold Book”) and Shon Harris' CISSP Certification All-in-One Exam Guide (3rd or 4th ed.) to be very relevant to the SSCP exam as well (and especially recommended if you will be taking the CISSP exam one day). The AIO is also a very easy read, so you might want to start with it first.
Although there is quite a bit of overlap in subject matter between the SSCP and CISSP CBKs, just remember that you will need a more technical understanding of the SSCP CBK topics than what is typically found in CISSP study material. Also, the CISSP domain topics of physical security, application security, and law and ethics are not covered in the SSCP CBK.
If you are not sure that you want to actually take the SSCP exam, before spending any money, I suggest that you sign up for a free account on www.cccure.org, have a look at the free SSCP study notes available there (as a PDF), and at the postings in the SSCP forum. Also run through some of the SSCP practice questions at www.freepracticetests.org to get a good feel for the type and style of questions that are on the SSCP exam. Also search for discussion postings with “SSCP” at TechExams.net for opinions of people who are SSCP-certified. These free resources will give a very good indication if the SSCP certification is for you.
As always, what study materials you use and what and how much you need to study depends entirely on you and your knowledge and experience with the topics covered by the exam. Remember that the purpose of studying for certifications is not only to pass the exams, but also to learn new information that will help you in your career.
The SSCP Exam
The SSCP exam is very technical and covers quite a broad range of subject matter. I have read much speculation that the SSCP exam is very similar to the Security+ exam. Well, I can tell you first-hand that it is not. The Security+ exam, like most technical exams, is filled with fact-based questions that have only one answer, such as, “What network port is commonly associated with the syslog service?” The SSCP exam is more concept-based, with questions like, “What is the most important goal of an information security program?” Besides basic facts, you really need to understand the concepts of the SSCP CBK domains and the best practices of the processes they describe.
The SSCP exam itself contains 125 questions, each with four choices and only one correct answer (i.e., no multiple-answer, true/false, or fill-in-the-blank questions). 25 of the questions (20%) are research questions that do not count towards the final score, and they are not indicated as such in the exam. A passing score is 700 of a possible 1000 points, not 70% as some sources erroneously describe. The questions are worth different point values based on their level of difficulty, so it is possible to answer 70% of the questions correctly and still not acquire the minimum of 700 points necessary to pass the exam.
The SSCP Exam Experience
For my SSCP exam, I signed up for an exam session given by a technical training company in Orange County, CA. The exam was given at a hotel about a 15-minute, Sunday morning drive from my house. (No, I didn't need to fly 3000 miles or drive five hours through a blinding snow storm like many CISSP candidates have had to do.)
There were 22 people present for the CISSP exam and only two SSCP candidates (I was one and the other was a no-show). Most of the candidates had spent the entire week at the hotel in a CISSP training workshop given by the same company sponsoring the exam. There were three exam proctors; I do not know if they were from the training company. Sign-in began at 8AM, the reading of the rules and instructions at 8:30AM, and the exam at 9AM. Drinks and snacks were provided by the hotel (bananas and bottled water were popular with the examinees). Individual bathroom breaks were also allowed via a sign-out sheet.
The exam materials distributed included the SSCP exam question booklet, a Scantron-style answer sheet, and two #2 pencils. I started the exam by reading through the first fifty questions or so to get a feel for the style and content of the questions and answers. I then went back to the beginning of the exam and started marking possible answers in the exam booklet itself.
You are allowed to write in the exam booklet, and encouraged to mark your answers in the booklet before marking your answer sheet. If you do this, it's important to remember to reserve some time for marking and double-checking your marks. At the beginning of the exam you can also quickly jot down anything you've been struggling to keep in your brain, like the TCP/IP and OSI diagrams, or the ALE and SLE formulas.
Make sure that you fully understand an exam question before trying to answer it. Read each exam question very carefully, noting words like NOT, BEST, MOST, and LEAST. I tried guessing the answer to each question before looking at the choices given. I then read each answer carefully and decided why or why not this could be the correct answer to the question. (For the SSCP exam, I believe that these two test-taking tactics help quite a bit.) Being careful, methodical, and patient is the safest way to go.
I made it to the back of the exam booklet after 90 minutes and had managed to answer only about half of the questions. The others I had marked with multiple possible answers, and four or so I left blank without even a guess. It took me another 45 minutes to finish answering all of the questions in the booklet, and another 15 minutes to mark and double-check the answer sheet, for a total personal exam time of 2.5 hours. I quietly thanked two of the proctors and left the room (still occupied by the 20 CISSP candidates) feeling cautiously optimistic.
The After-exam Wait
I was notified via email eight days after the exam that I had passed. (It's very important that your spam filter allow email from firstname.lastname@example.org, or your notice may be regarded by your email client as junk mail.) The email contains your exam score and a per-domain breakdown of the questions you answered correctly and incorrectly only if you failed the exam.
The email gave instructions for my next steps in the SSCP certification process. I was to email, fax, or snail mail the SSCP endorsement form and a copy of my current resume to the (ISC)2. The endorsement form was to be filled out by both myself and a member of the (ISC)2 in “good standing” (i.e., current on CPEs, dues, and ethics) who can attest to my meeting the experience requirements.
The CISO of where I work was happy to endorse me, and I faxed my completed endorsement form and resume to the (ISC)2. Ten business days later I received an email congratulating me that my endorsement was accepted and I was SSCP-certified. I have no idea what specific auditing the (ISC)2 performed to determine if I, in fact, did meet the experience requirements for the SSCP certification—but I can say that they did arrive at the correct conclusion.
In all, my SSCP exam experience was professional, thorough, efficient, and I encountered no unusual problems. The SSCP is not an easy exam, but I did not have a particularly difficult time taking it. In fact, I found it a rather enjoyable challenge. I must remark that the questions at www.freepracticetests.org and in the SSCP Gold Book are good approximations, but the SSCP exam questions are well-crafted and (sometimes) more oddly worded. (The wording may be to introduce difficulty into the questions.) I feel that having gone through the SSCP experience gives me a significant advantage for passing the CISSP exam one day.
People sometimes post questions on TechExams.net asking, “Is the SSCP worth getting?”, “Why should I bother getting the SSCP certification?”, and “Why not go straight for the CISSP (a.k.a., the money certification)?” I decided to get the SSCP before the CISSP for several reasons, including:
- The SSCP is a technical security certification while the CISSP is more on the managerial side. (I am a technical InfoSec professional.)
- Like the CISSP, the SSCP is a professional information security certification, but it is easier to qualify for than the CISSP. (This is important if you are looking to put something on your resume sooner rather than later.)
- When lacking significant information security experience, the SSCP will give you more credibility for the InfoSec knowledge that you do possess.
- Very few people have the SSCP certification as compared to the CISSP; having both the SSCP and CISSP gives a bit of a distinction from people with only the CISSP.
- Preparing for and taking the SSCP exam is excellent preparation for the CISSP exam.