Among the certification programs most respected by information security professionals are those offered by the consortium (ISC)² (International Information Systems Security Certification Consortium). Certified Information Systems Security Professional (CISSP) certification is quite popular – it is usually aimed at mid-level and senior IT security professionals: IT security architects, CISOs (Chief Information Security Officers), CSOs (Chief Security Officers), and vice presidents of security. The CISSP exam lasts 6 hours and includes 250 questions distributed across 10 domains, and specialists with over 3 years of experience are eligible to take it. A few years ago (ISC)² developed 3 more certification programs that require applicants to already hold CISSP status. These are:
– ISSEP: Information Systems Security Engineering Professional
– ISSAP: Information Systems Security Architecture Professional
– ISSMP: Information Systems Security Management Professional
The idea of these programs is to enable IT security professionals to deepen their knowledge in a specific area: technology, architecture, or management.
We talk to Brad Cooper, Information Security Manager (CISO) at BVOP (Business Value-Oriented Principles Ltd), about the benefits of certification, the factors that support preparation, and the current tasks facing IT security specialists.
Mr. Cooper, how did you come up with the idea for ISSAP certification?
Training and certification are part of the work of information security professionals, especially in organizations like ours. BVOP must meet many information security requirements set by the EU and the Bulgarian control authorities. The requirements for the organization are even higher, as it also performs the functions of a Paying Agency – this requires the introduction of the ISO 27001:2005 standard. Part of the requirements I mentioned is the constant training of IT security officers.
Over the years, my teammates and I have participated in various training and certification programs – CISSP, CISM, and lead auditor under ISO 27001 & 9001. These certificates contribute to the reputation of the Agency as an organization that implements good practices in its work. Here is the place to note that we have successfully passed the numerous audits by the European Union and we are the fourth paying agency in the EU to successfully implement the ISO 27001:2005 standard. This shows that training and certification help us do our job, and for me the next step was ISSAP.
What is this certification program?
The requirement for ISSAP certification is the presence of a CISSP certificate. As far as I know, there are 123 professionals in Europe with this status. ISSAP is the next, highest level for professionals in our field. The program focuses on the design and architecture of information security systems in large organizations.
ISSAP consists of 6 domains:
Access Control Systems and Methodology – describes the most important requirements for the architecture of access control methods in the organization. Even the smallest flaws in the design of the access control system would allow unauthorized access to critical data. This section describes the architectures of the main models for access control – MAC, DAC, and RBAC – as well as the architecture and implementation of an access control system based on biometric data.
Cryptography – this domain includes a description of cryptographic algorithms and hash functions used to protect the privacy and integrity of data. The design and mathematical functions of the main encryption algorithms such as AES, IDEA, RSA, and ECC are discussed in great detail. The architecture, design, and implementation of PKI infrastructure in an organization are discussed in great detail.
Physical Security Integration – the section describes in detail the architectures of the systems for the physical protection of people, processes, and technologies. The steps in the design and implementation of such a system in an organization, the effective and rational choice of security controls, the different levels of access depending on the confidentiality of information, surveillance systems, and video surveillance of physical access are presented.
Requirements Analysis and Security Standards/Guidelines Criteria – this domain describes the analysis of the requirements for the design of a product in the field of information security. CC (Common Criteria) and the seven levels of evaluation of a product and its design are discussed in detail. The ISO 27000 series of standards, their requirements, and the methods used for control, risk management, and measuring the effectiveness of an implemented information security management system are discussed. The CMM (Capability Maturity Model), with its five levels classifying an organization by its maturity in software development, is also discussed. The architectures of the following models are also described in detail: US DoDAF – Department of Defense Architecture Framework; US FEAF – Federal Enterprise Architecture Framework; UK MoDAF – Ministry of Defence Architecture Framework; SABSA – Sherwood Applied Business Security Architecture; SOMF – Service-Oriented Modeling Framework.
Technology-Related Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) – involves reviewing the design, planning, and implementation phases of BCP and DRP plans in an organization: identification of critical business processes and their recovery in case of accidents, strategies for data archiving and recovery, and identification of DRC centers and their type.
Telecommunications and Network Security – this domain covers the methods of data protection in a distributed environment and network topologies from an information security standpoint: network protocols and methods for remote connection, validation of the organization's network design, monitoring and control of network connections, and authentication devices. IPsec, L2TP, SSL/TLS, and IEEE 802.11i are discussed in detail. The steps for designing a network from the point of view of information security are also described in detail.
The ISSAP certification exam includes 120 rather complex questions that must be answered within 3 hours. There are currently about 1,000 ISSAP-certified professionals worldwide – even in countries such as France and Germany, there are only two or three ISSAP professionals each.
Probably a special course is needed to get acquainted with all these topics. How did your preparation for the exam go and what should the specialists who will take such an exam in the future have in mind?
With a limited budget, we only invested in the purchase of the (ISC)² book “Official (ISC)² Guide to the ISSAP CBK”, intended for this certification, which we ordered from the (ISC)² website.
For the successful passing of the exam, the information from the ISSAP book alone is not enough. Most of the questions are not covered in the book, and almost all of them require a comprehensive analysis of the situation. It is very important to have practical experience. A professional with a year or two of work experience can hardly pass the exam – according to (ISC)², 6–7 years of experience is required.
Communication with colleagues in the professional LinkedIn network was also very useful for me in the preparation process.
After all, what is the result of your ISSAP certification? Is your professional experience enriched?
Definitely yes. In each of the six domains, I came across issues I had never encountered before. The ISSAP certification book presents cases and solutions, and analyses how certain decisions affect the infrastructure, how users are affected, management, etc. In the exam itself, the questions require you to decide, in a given situation, which is the optimal solution according to certain criteria, so the preparation for the exam involves adapting to a way of thinking that is useful in practice.
What has your team’s work focused on in recent years and what do you have to do from now on?
The areas we have focused on in recent years are probably the same as in any large organization. We have already implemented many data protection solutions. Among the implemented initiatives are the implementation of the ISO 27001:2005 standard, the development of a business continuity plan, and the construction of a backup data center, which was highly praised by the audit organizations. Here I must note that the Agency goes through 3 different audits each year (control, accreditation, and internal) and so far we have received only positive evaluations.
At the last meeting of the IT directors of the Paying Agencies in the EU, our head presented our experience in implementing the ISO 27001:2005 standard and we already have requests for exchange of experience in this field from several Paying Agencies – in Cyprus, Macedonia, and others.
We also consider the established practice of conducting regular internal training for the Agency’s employees to be a success. Such training is conducted every year, and employees are introduced to the standards in the field and their responsibilities. Representatives of our team are members of the European Network and Information Security Agency (ENISA) – the EU agency that works to raise awareness in the field of information security. From ENISA we receive training materials and methods that are very useful for the successful implementation of various controls, including training materials aimed at different groups of users (management, employees, etc.).
At the moment we have the two certificates that are needed to work in accordance with the requirements of the EU – these are ISO 27001:2005 and ISO 9001:2008. The task remains to maintain these certificates, to successfully present ourselves at the conducted audits, and to constantly improve the implemented solutions in each area.
From now on, we have to improve the existing controls aimed at risk management (ISO 27005:2011 – Information technology – Security techniques – Information security risk management), to measure the effectiveness of information security systems (ISO 27004:2009 – Information technology – Security techniques – Information security management – Measurement), etc. Most organizations pay attention only to ISO 27001:2005, but in fact the ISO 27000 series is a set of many standards, and taking each of them into account is beneficial for every organization.