Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam

description

Bookmark Enrolled Intermediate

Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam

The Information Systems Security Architecture Professional (CISSP-ISSAP) certification acts as a bridge between the foundational knowledge of CISSP (Certified Information Systems Security Professional) and the specialized skills required for security architecture. 

Who should consider this Certification:

  • Seasoned security professionals: Elevate your existing CISSP knowledge and specialize in security architecture.
  • Security architects and analysts: Validate your expertise in designing, implementing, and maintaining secure information systems.
  • IT professionals seeking career advancement: Demonstrate your commitment to specialized security architecture knowledge.

Key Roles and Responsibilities:

  • Design and implement secure information systems architectures: Translate business security requirements into technical design elements.
  • Select and integrate security controls: Choose appropriate security controls based on risk assessments and industry best practices.
  • Evaluate and test security architectures: Analyze security posture and identify vulnerabilities within the architecture.
  • Communicate security architecture decisions to stakeholders: Clearly explain technical concepts and security implications to non-technical audiences.
  • Stay up-to-date with evolving security threats and technologies: Continuously learn and apply new knowledge to maintain secure and resilient systems.

Prerequisites 

To qualify for the ISSAP (Information Systems Security Architecture Professional) certification, candidates must meet one of the following criteria:

  • Be a CISSP in good standing and have at least two years of cumulative, full-time work experience in one or more of the four domains outlined in the current ISSAP Exam Outline.
    OR

  • Have a minimum of seven years of cumulative, full-time work experience in two or more ISSAP domains. One year of this experience may be waived with a relevant bachelor’s or master’s degree in computer science, information technology, or a related field, or with an approved credential from the ISC2 list. Part-time work and internships may also be applied toward meeting the experience requirement, but only one year of experience can be waived.

Exam Details:

  • Question Format: 125 Multiple choice and advanced items
  • Time Limit: 3 hours
  • Languages: English
  • Passing Score: 700 out of 1000 points

Course Outline

Domain 1: Architect for Governance, Compliance and Risk Management

1.1 Determining legal, regulatory, organizational and industry requirements

  • Applicable information security standards and guidelines
  • Third-party and contractual obligations (e.g., supply chain, outsourcing, partners)
  • Applicable sensitive/personal data standards, guidelines, and privacy regulations
  • Resilient solutions 

1.2 Architecting for governance, risk, and compliance (GRC)

  • Identify key assets, business objectives, and stakeholders
  • Design monitoring and reporting (e.g., vulnerability management, compliance audit)
  • Design for auditability (e.g., determine regulatory, legislative, forensic requirements, segregation, high assurance systems)
  • Incorporate risk assessment artifacts
  • Advise risk treatment (e.g., mitigate, transfer, accept, avoid)

Domain 2: Security Architecture Modeling

2.1 Identifying security architecture approach

  • Scope (e.g., enterprise, cloud) and types (e.g., network, service-oriented architecture (SOA))
  • Frameworks (e.g., The Open Group Architecture Framework (TOGAF), Sherwood Applied Business Security Architecture (SABSA), service-oriented modeling framework)
  • Reference architectures and blueprints
  • Threat modeling frameworks (e.g., Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE), Common Vulnerability Scoring System (CVSS), threat intelligence) 

2.2 Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)

  • Results of threat modeling (e.g., threat vectors, impact, probability)
  • Gaps
  • Alternative solutions/mitigations/compensating controls
  • Internal or external third-party (e.g., tabletop exercises, modeling and simulation, manual review of functions, peer review)
  • Code review methodology (e.g., dynamic, manual, static, source composition analysis)

Domain 3: Infrastructure and System Security Architecture

3.1 Identifying infrastructure and system security requirements

  • Deployment model (e.g., On-premises, cloud-based, hybrid)
  • Information technology (IT) and operational technology
  • Physical security (e.g., perimeter protection and internal zoning, fire suppression)
  • Infrastructure and system monitoring
  • Infrastructure and system cryptography
  • Application security (e.g., Requirements Traceability Matrix, security architecture documentation, secure coding)

3.2 Architect infrastructure and system security

  • Physical security control set (e.g., cameras, doors, system controllers)
  • Platform security (e.g., physical, virtual, container, firmware, operating system (OS))
  • Network security (e.g., wired/wireless, public/private, Internet of Things (IoT), management, firewalls, airgaps, software defined perimeters, virtual private network (VPN), Internet Protocol Security (IPsec), Network Access Control (NAC), Domain Name System (DNS), Network Time Protocol (NTP), Voice over Internet Protocol (VoIP), Web Application Firewall (WAF))
  • Storage security (e.g., direct attached, storage area network (SAN), network-attached storage (NAS), archival and removable media, encryption)
  • Data repository security (e.g., access control, encryption, redaction, masking)
  • Cloud security (e.g., public/private, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS))
  • Operational technology (e.g., industrial control system (ICS), Internet of Things (IoT), supervisory control and data acquisition (SCADA))
  • Endpoint security (e.g., bring your own device (BYOD), mobile, endpoint detection and response (EDR), host-based intrusion detection system (HIDS)/host-based intrusion prevention system (HIPS))
  • Secure shared services (e.g., e-mail, Voice over Internet Protocol (VoIP), unified communications)
  •  Third-party integrations (e.g., internal/external, federation, application programming interface (API), virtual private network (VPN), Secure File Transfer Protocol (SFTP))
  • Infrastructure monitoring
  • Content monitoring (e.g., email, web, data, social media, data loss prevention (DLP))
  • Out-of-band communications (e.g., incident response, information technology (IT) system management, Business Continuity (BC)/disaster recovery (DR))
  • Evaluate applicability of security controls for system components (e.g., web client applications, proxy services, application services)

3.3 Architect infrastructure and system cryptographic solutions

  • Determine cryptographic design considerations and constraints (e.g., technologies, lifecycle, computational capabilities, algorithms, attack in system)
  • Determine cryptographic implementation (e.g., in-transit, in-use, at-rest)
  • Plan key management lifecycle (e.g., generation, storage, distribution)

Domain 4: Identity and Access Management (IAM) Architecture

4.1 Architect identity lifecycle

  • Establish identity and verify (e.g., physical, logical)
  • Assign identifiers (e.g., to users, services, processes, devices, components)
  • Identity provisioning and de-provisioning (e.g., joiners, movers, and leavers process)
  • Identity management technologies

4.2 Architect identity authentication

  • Define authentication approach (e.g., single-factor, multi-factor, risk-based elevation)
  • Authentication protocols and technologies (e.g., Security Assertion Markup Language (SAML), Remote Authentication Dial-In User Service (RADIUS), Kerberos, Open Authorization (OAuth))
  • Authentication control protocols and technologies (e.g., eXtensible Access Control Markup Language (XACML), Lightweight Directory Access Protocol (LDAP))
  • Define trust relationships (e.g., federated, stand-alone)

4.3 Architect identity authorization

  • Authorization concepts and principles (e.g., discretionary/mandatory, Separation of Duties (SoD), least privilege, interactive, non-interactive)
  • Authorization models (e.g., physical, logical, administrative)
  • Authorization process and workflow (e.g., governance, issuance, periodic review, revocation, suspension)
  • Roles, rights, and responsibilities related to system, application, and data access control (e.g., groups, Digital Rights Management (DRM), trust relationships)
  • Management of privileged accounts (e.g., Privileged Access Management (PAM))
  • Authorization approach (e.g., single sign-on (SSO), rule-based, role-based, attribute-based, token, certificate) 

4.4 Architect identity accounting

  • Determine accounting, analysis, and forensic requirements
  • Define audit events
  • Establish audit log alerts and notifications
  • Log management (e.g., log data retention, log data integrity)
  • Log analysis and reporting
  • Comply with policies and regulations (e.g., PCI-DSS, FISMA, HIPAA, GDPR)

Reviews

Be the first to write a review for this product.

Write a review

Note: HTML is not translated!
Bad           Good

Tags: CISSP-ISSAP practice exam, security architecture mock test, CISSP ISSAP certification, ISSAP sample questions, information systems security exam, ISSAP online test, (ISC)² ISSAP practice, cybersecurity architecture certification, advanced CISSP exam, ISSAP test series,