The CompTIA CASP Exam Experience
by, 01-15-2013 at 10:42 PM (22674 Views)
I recently took the opportunity to not only review the McGraw-Hill book CASP CompTIA Advanced Security Practitioner Certification Study Guide (Exam CAS-001), but also to take the CompTIA CASP exam for myself. There have been some rather controversial opinions about the CASP certification here in the CASP certification discussion forum at TechExams.Net. I really wanted to see for myself if CompTIA had produced a serious contender to the few, dominate general Information Security certifications available today, or had only managed to produce a “Security++” cert.
Another InfoSec Cert from CompTIA?
If you ask most anyone on TechExams.Net where you should start in getting a foothold in the world of Information Security, the answer you will most likely receive is to first look at the CompTIA Security+ certification. Security+ is probably the most widely-recognized foundational certification for InfoSec knowledge in the US IT industry. Studying the objectives of Security+ will give you an idea of what field(s) of InfoSec you might like to choose as a career and also show you that InfoSec is not what you though it was. When trying to get an InfoSec job, it usually doesn’t hurt to have Security+.
So what cert should you get after the Security+ cert? This can be tough question to answer.
There aren’t many general purpose, mid-level InfoSec certifications to choose from. When you rule out the specialized InfoSec certs, like the CCNA/CCNP Security, OSCP, C|EH, EnCE, most GIAC certs, and the more “professional” InfoSec certs, including the CISSP, CISA, and CISM, the only ones left to choose from for general InfoSec are typically the (ISC)2 SSCP and GIAC GSEC. CompTIA likely realize there was room for another cert in this mid-level niche and created CASP.
What’s so new and “Advanced” about CASP?
CASP was released in December 2011 as the first cert in CompTIA’s new Mastery Series of certifications. CompTIA is known for providing a wide variety of exams to certify entry-level knowledge related to specialties within the Information Technology industry using exams with a fairly simple format. CompTIA’s Mastery certifications are designed to test a candidate’s understands of multiple, related disciplines through the demonstration of advanced skills to perform detailed and complex tasks. The InfoSec skills tested by passing the CASP exam certify that a candidate is “advanced” in the InfoSec profession.
The CASP material covers enterprise-class systems and networks, their design, how they are implemented, and the problems that IT people working in large organizations face. For exam candidates who may be from the softer, paper-shuffling side of InfoSec, the CASP objectives listing includes a list of hardware and software that can be used in a lab setting to become more familiar with the “harder,” technology side of InfoSec. CASP is vendors-neutral, so you won’t see details about specific technologies, such as routers from Cisco and operating systems from Microsoft.
CASP is also advertised as global or international certification, meaning that it is suitable for InfoSec certification candidates worldwide. I take to mean that that CASP does not go in to specifics about USA or EU computer or information privacy laws. However, every InfoSec professional should be quite learned on what these types of legislations and regulations are designed to require and protect, which might come in handy even on an international certification exam.
What? CASP is not a lifetime cert?
Something that has really crinkled the noses of many IT certification aficionados is CompTIA’s shift away from lifetime certifications and towards certifications that both expire and require the collection of Continuing Education Units (CEUs) to maintain certification renewal. CASP holders are required to be enrolled in the CompTIA Continuing Education (CE) Program and earn 75 Continuing Education Units (CEUs) per 3-year CE cycle. What qualifies as a CEU is detailed in the CompTIA Continuing Education Program Activity Chart (PDF).
This change in CompTIA’s certification renewal policy is because of CompTIA’s need to comply with the ISO/IEC 17024 standardization for Personnel (human) Certification Accreditations. This standard is increasingly recognized by organizations, such as the US Department of Defense, as an indication of a quality certification program. It is therefore likely you may see CASP listed on DoD Directive 8570.01 one day. As a CompTIA lifetime cert hold myself, I think certification renewal is a very good thing, as I can see how my unrenewed A+ cert from 2003 now only represents a piece of ancient tech history.
What’s needed to try CASP?
There are no mandatory prerequisites to take the CASP exam. You can sign up and take it tomorrow if you like. However, CompTIA recommends that anyone attempting the CASP exam have at least 10 years of experience in IT administration, including at least 5 years of hands-on technical security experience. This means that CASP is designed to test what a candidate has learned from on-the-job experience and not only from what you’ve learned by reading books and watching training videos.
CASP builds on the objectives of the Security+ certification. Where Security+ tests for InfoSec knowledge used in the operation of a work environment, CASP also tests for knowledge of the use of security in the planning, design, and implementation of enterprise-class networks used by large business organization. Already having the Security+ certification--or at least the equivalent knowledge--prior to taking the CASP exam is extra insurance for a pass.
Signing up for the CASP Exam
CompTIA exams are taken at Pearson Vue testing centers. You register and pay for exams online and select your testing center using your own Pearson Vue account. If you haven’t been to a Pearson Vue testing center lately, you might be surprised by the detailed security procedures now required. I won’t bother going into details, but don’t think you will be taking jackets, hats, gloves, electronics, or electro-mechanical devices into the testing area. Also make sure you are shorn and shaven so you’ll take a decent picture that looks something like you.
How Did I Study For the CASP Exam?
I really didn’t have a lot of time from when I decided to review the CASP Study Guide until my exam date. I needed to know what CASP objectives I already knew well and which I needed to study. The McGraw-Hill CASP Study Guide provides full coverage of all CASP objectives, albeit in varying amounts of detail, and does include practice exam material.
I initially used the MGH CASP book as an assessment to determine which CASP objectives I needed to learn, to brush up on, and which I could safely skip studying. The book’s chapter summaries and quizzes and practice exams really helped out with this assessment. If there were any objectives I needed more detailed information than what the book provided, I certainly found it on the Web.
Two other things that will help with passing the CASP exam are: 1) already having general InfoSec certifications (such as the Security+, SSCP, CISSP, GSEC) or the equivalent knowledge and, 2) enterprise-level IT experience, where you have actively worked with many aspects of the business policies, procedures, and technologies typically found in very large organizations. I can’t emphasize enough how these will help you with CASP.
Oh—there are a lot of acronyms listed in the CASP objectives. I would suggest knowing them all and then some.
What’s on the CASP Exam?
I can say that CASP is definitely more than just a beefed-up Security+ exam. Although Security+ holders can expect to see a few familiar exam features, also expect to do a lot more reading, analytical deconstruction, and problem-solving than you would on the Security+ exam.
Each CASP exam will have up to 80 questions and the candidate is given 150 minutes to complete the exam. The up to part wasn’t clear to me until I saw that my own exam contained only 61 questions. I assume CASP exams will vary in their total number of questions because of the variable weighted complexity of the sims randomly selected for each exam. This means that having fewer questions on your exam does not make it an easier exam. It also implies that partial credit is awarded for only giving a partially correct answer to some of the more complex questions. (This is just me guessing, BTW.)
The CASP exam questions are worded well and are fairly straight-forward. (Cert exams with poorly-worded questions and bad grammar are detested by the cert-taking community.) Answer selections are single or multiple choice and with fairly plausible distractors. You will probably find nothing unusual or unfamiliar about the form and functions of the drag-and-drop questions.
Scenario-based questions test an exam candidate’s understanding of policy, planning, design, implementation, operations, and risk management. Some CASP questions require the demonstration of an understanding of concepts and relationships using drag-and-drop to build ordered lists. Simulations are given for the candidate to demonstrate problem solving and remediation skills related to enterprise organizations. Although the sims are part of the performance-based aspect of the CASP exam, the “performance” is in performing complex tasks correctly, and not necessarily in using the least amount of time (at least not that I could tell).
Personally, I really enjoyed the simulations. They seemed simplistic to me at first, but you could easily guess wrong if you were not thorough in your analysis of the situation graphically presented to you. Expect both graphical point-and-click and command line skills to be utilized. Based on my exam, I think exam candidates who have not been actively involved in systems and network operations might feel very out of place in the CASP sims.
And yes, you can go back to previous questions and change your answers. You are also given a chance to mark/review/change your answers before exiting the exam. There were several exam questions that I wish I could have reported my thoughts/complaints about. However, unlike several of its certification-vending competitors, CompTIA does not give the ability to provide feedback on its exam questions.
So How Did I Do?
Well, I passed the CASP exam. I took my time working through it and finished in about 95 minutes. I was a little taken aback when I saw on my exam printout that I “incorrectly answered one or more questions” in twelve of the CASP objective areas. CASP must have close to 200 objective areas; I have no idea how many of them were on my exam.
Unlike the other CompTIA exams, there is no numeric or percentage scoring assigned on the CASP exam. Only a PASS or FAIL indication is given to the exam candidate at the completion of the exam. The psychometric evaluation of the candidate’s answers may makes giving a numerical score irrelevant, but using the “a pass is a pass” technique is possibly to level the field of CASP-certified individuals, and not create a stratum of candidates who are more CASP-certified than others.
For me personally, my CASP exam was too short and it likely did not cover all of the CASP certification’s objective areas. I, along with many other certification consumers, prefer to be actually tested on what we’ve been studying for the weeks and months prior to taking a certification exam. This is not to say that the CASP exam isn’t a challenge, but it could be a lot more.
I can see how many people who work in small IT shops may dislike the CASP exam, and simply disbelieve that a requirement to demonstrate a mastery of many of the objectives is necessary to be a true information security professional. People may well reflect on the CompTIA’s use of the terms advanced and mastery and end up think that CASP is neither.
What’s the future of the CompTIA CASP Certification?
The current $329US price tag of the CASP exam leaves me believing that this certification is targeted at businesses looking to train their employees on CompTIA courseware and not individuals looking to consolidate their skills on their resume. Unless a certification is widely recognized and valued by the IT-skill-seeking organizations, people looking to change or further their careers will usually not spend this kind of money.
In an attempt to determine if the CASP cert is currently worth its cost, I performed searches on several major job boards for job postings with “CASP” and “CompTIA Advanced Security Practitioner.” I came up with no results. I discovered that “CASP” was not a recognized keyword by any job sites I tried, although the names of many other CompTIA certifications were recognized. I eventually found a few job postings that did reference CASP by doing a string search rather than a keyword search, but the results were seemingly too small to justify the cost of the CASP certification. I’m hopeful this will change in the future.
Considering that the CASP cert has been released for over a year now the lack of IT job posting mentioning it is truly surprising. If employers are to be given a chance to find value in a certification, they need to understand why this certification will help train their workforce to solve business problems. Only then will employers put CASP in their job postings, otherwise prospective exam candidates will not find any value in pursing the CASP certification.
For More CASP Information
If you require more information on CASP, please refer to the CompTIA CASP page or email CompTIA directly. There is also CompTIA’s interesting marketing glossy PDF on certifying your cyber-security workforce. And then there always engaging the IT-certification-consuming community directly in the CompTIA CASP discussion forum here at TechExams.Net.
Total Trackbacks 0