(Exam Outline)
Effective Date: April 2013
2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited. 8.20.15, V11
Impartiality Statement
(ISC)² is committed to impartiality by promoting a bias- and discrimination-free environment for
all members, candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)²'s board
of directors, management and staff understand the importance of impartiality in carrying out its
certification activities, manage conflicts of interest and ensure the objectivity of its certification.
If you feel you have not received impartial treatment, please send an email to notice@isc2.org
or call +1.727.785.0189, so that we can investigate your claim.
Non-Discrimination Policy
(ISC)² is an equal opportunity employer and does not allow, condone or support discrimination
of any type within its organization including, but not limited to, its activities, programs, practices,
procedures, or vendor relationships. This policy applies to (ISC)² employees, members,
candidates, and supporters.
Whether participating in an (ISC)² official event or certification examination as an employee,
candidate, member, staff, volunteer, subcontractor, vendor, or client, if you feel you have been
discriminated against based on nationality, religion, sexual orientation, race, gender, disability,
age, marital status or military status, please send an email to notice@isc2.org or call
+1.727.785.0189, so that we can investigate your claim.
For any questions related to these policies, please contact the (ISC)² Legal Department
at legal@isc2.org.
Before candidates are allowed to take the test at testing centers, they must respond Yes
or No to the following four questions regarding criminal history and related background:
1. Have you ever been convicted of a felony; a misdemeanor involving a computer
crime, dishonesty, or repeat offenses; or a Court Martial in military service, or is there a
felony charge, indictment, or information now pending against you? (Omit minor
traffic violations and offenses prosecuted in juvenile court).
2. Have you ever had a professional license, certification, membership or registration
revoked, or have you ever been censured or disciplined by any professional
organization or government agency?
3. Have you ever been involved, or publicly identified, with criminal hackers or
hacking?
4. Have you ever been known by any other name, alias, or pseudonym? (You need not
include user identities or screen names with which you were publicly identified).
software developers
engineers and architects
product managers
project managers
software QA
QA testers
business analysts
professionals who manage these stakeholders
Confidentiality
Integrity (e.g., reliability, alterations, authenticity)
Availability
Authentication
Authorization
Accounting
Nonrepudiation
Least Privilege
Separation of Duties
Defense in Depth
Fail Safe
Economy of Mechanism
Complete Mediation
Open Design
Least Common Mechanism
Psychological Acceptability
Weakest Link
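The design principles listed above are easiest to recognise in code. The following is an added example, not part of the (ISC)² outline: a single authorization gate that every request passes through (Complete Mediation), denies anything it does not explicitly recognise (Fail Safe), grants each role only the actions it needs (Least Privilege), refuses to let the creator of a record approve it (Separation of Duties), and records every decision (Accounting). The roles, resource names and requests are constructed for illustration.

```python
"""
Added example (not from the (ISC)2 outline): a small authorization gate that
makes several of the listed design principles concrete.  The policy, roles,
users and resource names below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Least Privilege: each role is granted only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "clerk":    {("invoice", "create"), ("invoice", "read")},
    "approver": {("invoice", "read"), ("invoice", "approve")},
    "auditor":  {("invoice", "read"), ("audit_log", "read")},
}


@dataclass
class AccessRequest:
    user: str
    roles: frozenset
    resource: str
    action: str
    resource_owner: str = ""   # who created the resource, if anyone


@dataclass
class Gate:
    audit_log: list = field(default_factory=list)

    def check(self, req: AccessRequest) -> bool:
        """Complete Mediation: every access goes through this one function,
        and the outcome is logged (Accounting) whether allowed or denied."""
        decision = self._decide(req)
        self.audit_log.append((req.user, req.resource, req.action, decision))
        return decision

    def _decide(self, req: AccessRequest) -> bool:
        # Fail Safe: an unknown role, resource or action falls through to deny.
        allowed = any(
            (req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
            for role in req.roles
        )
        if not allowed:
            return False
        # Separation of Duties: the person who created an invoice may not
        # approve it, even if they also hold the approver role.
        if req.action == "approve" and req.resource_owner == req.user:
            return False
        return True


def demo():
    """Run a handful of constructed requests and return (decisions, audit log)."""
    gate = Gate()
    results = {
        "clerk_creates":     gate.check(AccessRequest("ann", frozenset({"clerk"}), "invoice", "create")),
        "clerk_approves":    gate.check(AccessRequest("ann", frozenset({"clerk"}), "invoice", "approve")),
        "approver_approves": gate.check(AccessRequest("bob", frozenset({"approver"}), "invoice", "approve", resource_owner="ann")),
        "self_approval":     gate.check(AccessRequest("ann", frozenset({"clerk", "approver"}), "invoice", "approve", resource_owner="ann")),
        "unknown_role":      gate.check(AccessRequest("eve", frozenset({"intern"}), "invoice", "read")),
    }
    return results, gate.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for name, ok in decisions.items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY'}")
```

The point of the `_decide` structure is that the deny path needs no special case: anything not matched by the allowlist is refused, so adding a new role or action without a permission entry cannot accidentally widen access (Economy of Mechanism and Fail Safe working together).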
1.C. Privacy (e.g., data anonymization, user consent, disposition, test data management)
1.D. Governance, Risk and Compliance (GRC)
3.D. Technologies
Concurrency
Configuration
Cryptography
Output Sanitization (e.g., Encoding)
Error Handling
Input Validation
Logging & Auditing
Session Management
Exception management
Safe APIs
Type Safety
Memory Management (e.g., locality, garbage collection)
Configuration Parameter Management (e.g., start-up variables, cryptographic agility)
4.C.14 Tokenizing
4.C.15 Sandboxing
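Three of the practices listed above (Input Validation, Output Sanitization, Error Handling) are often confused with one another, so here is an added example that is not part of the (ISC)² outline. It shows a user-supplied display name passing an allowlist validator, then being placed into HTML both unsafely (raw concatenation) and safely (context-specific encoding at the point of output). The field name, allowlist pattern and attacker payload are constructed for illustration.

```python
"""
Added example (not from the (ISC)2 outline): input validation and output
sanitization for a user-supplied display name that is later placed in HTML.
The allowlist, the greeting template and the payload are constructed.
"""
import html
import re

# Input Validation: an allowlist of what a display name may contain, applied
# before the value is stored or used.  Length is bounded as well as charset.
_DISPLAY_NAME = re.compile(r"^[A-Za-z0-9 ._'-]{1,40}$")


def validate_display_name(name: str) -> str:
    """Return the name unchanged if it is acceptable, else raise ValueError."""
    if not isinstance(name, str) or not _DISPLAY_NAME.fullmatch(name):
        # Error Handling: reject with a generic message and do not echo the
        # offending input back, which would itself be an injection vector.
        raise ValueError("invalid display name")
    return name


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable form: the raw value is concatenated straight into HTML."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting(name: str) -> str:
    """Output Sanitization (encoding): escape for the HTML text context at the
    moment of output, regardless of whether the value was validated earlier."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


PAYLOAD = "<script>alert(1)</script>"   # constructed attacker input


def demo() -> dict:
    """Exercise both layers and return the observable results."""
    results = {}
    try:
        validate_display_name(PAYLOAD)
        results["validated"] = True
    except ValueError:
        results["validated"] = False
    results["unsafe"] = render_greeting_unsafe(PAYLOAD)
    results["safe"] = render_greeting(PAYLOAD)
    # Validation and encoding are independent layers: a name that legitimately
    # passes the allowlist (an apostrophe is allowed) is still encoded on output.
    results["legit"] = render_greeting(validate_display_name("O'Brien"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value}")
```

Validation decides whether a value is acceptable for the application; encoding makes whatever value reaches the output harmless in that specific output context. Neither replaces the other, which is why the outline lists them as separate practices.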
Penetration
Fuzzing (e.g., generated, mutated)
Scanning (e.g., vulnerability, content, privacy)
Simulation (e.g., environment and data)
Failure (e.g., fault injection, stress testing, break testing)
Cryptographic validation (e.g., PRNG)
Regression
Continuous (e.g., synthetic transactions)
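The list above distinguishes generated from mutated fuzzing. The following added example, not part of the (ISC)² outline, does both against a constructed record parser: mutation cases are derived from a known-good seed, generation cases are random bytes with no seed, and the harness treats the parser's documented rejection (`ValueError`) as expected while anything else counts as a crash. The record format, the seed and the bounds-check bug in the parser are all constructed for illustration.

```python
"""
Added example (not from the (ISC)2 outline): a minimal mutation- and
generation-based fuzzer run against a constructed message parser that has a
bounds-check bug, beside the corrected parser.  Format, seed and bug are
constructed for illustration.
"""
import random


def parse_record_buggy(data: bytes) -> dict:
    """Constructed format: type(1) length(1) payload(length) checksum(1).
    Bug: the checksum byte is read at an index derived from the untrusted
    length field without checking that the index is inside the buffer."""
    if len(data) < 2:
        raise ValueError("too short")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if data[2 + length] != (sum(payload) & 0xFF):   # IndexError on short input
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Same format; the length field is checked against the buffer first."""
    if len(data) < 2:
        raise ValueError("too short")
    rtype, length = data[0], data[1]
    if len(data) != 3 + length:
        raise ValueError("length mismatch")
    payload = data[2:2 + length]
    if data[2 + length] != (sum(payload) & 0xFF):
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}


# Constructed valid seed: type 1, three-byte payload "abc", correct checksum.
SEED = b"\x01\x03abc" + bytes([sum(b"abc") & 0xFF])


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Mutation-based case: flip, insert, delete or truncate bytes of a seed."""
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def generate(rng: random.Random) -> bytes:
    """Generation-based case: random bytes of random length, no seed."""
    return bytes(rng.randrange(256) for _ in range(rng.randrange(0, 12)))


def fuzz(parser, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Alternate mutated and generated inputs.  ValueError is the parser's
    documented rejection; any other exception is recorded as a crash."""
    rng = random.Random(rng_seed)      # fixed seed so runs are reproducible
    crashes = []
    for i in range(iterations):
        case = mutate(rng, SEED) if i % 2 == 0 else generate(rng)
        try:
            parser(case)
        except ValueError:
            pass
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for name, parser in (("buggy", parse_record_buggy), ("fixed", parse_record_fixed)):
        found = fuzz(parser)
        print(f"{name}: {len(found)} crashes", found[:1])
```

Two things worth noticing: the crash class matters (the harness must know which exceptions are the parser's contract and which are bugs), and a fixed RNG seed makes every finding reproducible, which is what turns a fuzzing run into a regression test.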
6) SOFTWARE ACCEPTANCE
Overview
The Software Acceptance domain covers determining whether the software is ready to be
delivered to customers from a security viewpoint. The domain provides an overall picture of the
security posture of the software and the likelihood that it will be able to withstand attack after the
software has been released to customers.
This domain also includes post-release validation and verification (e.g., Common Criteria
testing) and an independent review of the software conducted by a third party or by a central
security team of the organization.
The candidate is expected to know the methods for determining completion criteria, risk
acceptance and documentation (e.g., Disaster Recovery and Business Continuity Plans),
Common Criteria and methods of independent testing.
6.B. Post-release
8.E. Supplier Transitioning (e.g., code escrow, data exports, contracts, disclosure)
REFERENCES
(ISC)² does not intend that candidates purchase and read all of the books and articles listed in
this reference list. Since most of the information tested in the examination pertains to a common
body of knowledge, this additional information serves only as a supplement to one's
understanding of basic knowledge. A reference list is not intended to be inclusive but is provided
to allow flexibility. The candidate is encouraged to supplement his or her education and
experience by reviewing other resources and finding information in areas which he or she may
consider himself or herself not as skilled or experienced. (ISC)² does not endorse any particular
text or author. Although the list may include more than one reference that covers a content
area, one such reference may be enough. The candidate may also have resources available
that are not on the list but which will adequately cover the content area. The list does not
represent the only body of information to be used as study material.
Questions in the examination are also developed from information gained through practical
experience. This reference list is not intended to be all-inclusive, but rather, a useful list of
references used to support the test question development process. Use of the references does
not guarantee successful completion of the test.
On the next page is the suggested reference list:
SECURE SOFTWARE CONCEPTS
Supplementary Reference
(ISC)², Code of Ethics (https://www.isc2.org/ethics/default.aspx)
Cannon, J.C. (2004). Privacy: What Developers and IT Professionals Should Know
Chess, B., McGraw, G., Migues, S. (2011). The Building Security In Maturity Model (BSIMM3)
Eeles, P., Cripps, P. (2009). The Process of Software Architecting
Howard, M., LeBlanc, D. (2003). Writing Secure Code (2nd Edition)
Howard, M., Lipner, S. (2006). The Security Development Lifecycle
ISO/IEC 15026:2011, Systems and Software Engineering -- Systems and Software Assurance
ISO/IEC 27005:2008, Information Technology -- Security Techniques -- Information Security Risk Management
National Institute of Standards and Technology (NIST): 1) FIPS 197, Advanced Encryption Standard; 2) FIPS 186-3, Digital Signature Standard (DSS); 3) FIPS 180-4, Secure Hash Standard (SHS); 4) FIPS 140-2, Security Requirements for Cryptographic Modules; 5) SP 800-95, Guide to Secure Web Services; 6) SP 800-92, Guide to Computer Security Log Management; 7) SP 800-64 Rev. 2, Security Considerations in the System Development Life Cycle; 8) SP 800-51 Rev. 1, Guide to Using Vulnerability Naming Schemes; 9) SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program
Organization for the Advancement of Structured Information Standards (OASIS): 1) Web Services Security v1.1; 2) Security Assertion Markup Language (SAML) v2.0
Paul, M. (2011). Official (ISC)² Guide to the CSSLP
Shore, J., Chromatic (2007). The Art of Agile Development
Simpson, S. (2008). Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today. SAFECode.
The Open Web Application Security Project (OWASP): 1) Top Ten Project; 2) Code Review Guide; 3) Testing Guide; 4) Legal Project; 5) Development Guide; 6) Enterprise Security API (ESAPI) Project
The Payment Card Industry Security Standards Council (PCI SSC): 1) PCI DSS (PCI Data Security Standard); 2) PA-DSS (Payment Application Data Security Standard); 3) PCI PTS (PIN Transaction Security); 4) PCI P2PE (Point-to-Point Encryption); 5) PCI DSS Tokenization Guidelines
Vasudevan, V., Mangla, A., Ummer, F., Shetty, S., Pakala, S., Anbalahan, S. (2008). Application Security in the ISO 27001 Environment
Wysopal, C., Nelson, L., Dai Zovi, D., Dustin, E. (2006). The Art of Software Security Testing: Identifying Software Security Flaws
SECURE SOFTWARE REQUIREMENTS
SECURE SOFTWARE IMPLEMENTATION/CODING
SOFTWARE ACCEPTANCE
SOFTWARE DEPLOYMENT, OPERATIONS, MAINTENANCE AND DISPOSAL
1.
Which of the following is the BEST method for providing integrity for released code?
(A)
(B)
(C)
(D)
Answer: B
________________________________________________________________
2.
(A) Better security
(B) Better performance
(C) Easy to upgrade
(D) Save cost
Answer: C
________________________________________________________________
3.
A software product has been tested, and several vulnerabilities were identified and
ranked with a low rating. In order to safely proceed with the acquisition and
incorporation of this product into an organization's infrastructure, which of the following
must be created?
(A) An escrow agreement
(B) An indemnification checklist
(C) A statement of plausible deniability
(D) A risk acceptance statement
Answer: D
________________________________________________________________
Fees
Please visit the (ISC)² website https://www.isc2.org/certification-register-now.aspx for the most
current examination registration fees.
CBT Demonstration
Candidates can experience a demonstration and tutorial of the CBT experience
on our Pearson VUE web page. The tutorial may be found at
www.pearsonvue.com/isc2 .
Exam Appointment
Test centers may fill up quickly because of high volume and previously scheduled special
events. Pearson VUE testing centers also serve candidates from other entities; thus waiting to
schedule the testing appointment may significantly limit the options for candidates' desired
testing dates at the closest available center.
Breaks
You will have up to six hours to complete the CISSP, up to four hours to complete the CSSLP
and CCFP, and up to three hours to complete the following examinations:
SSCP
CAP
HCISPP
ISSAP
ISSEP
ISSMP
Total examination time includes any unscheduled breaks you may take. All breaks count
against your testing time. You must leave the testing room during your break, but you may not
leave the building or access any personal belongings unless absolutely necessary (e.g. for
The CISSP examination consists of 250 multiple choice questions with four (4) choices
each.
The CSSLP examination consists of 175 multiple choice questions with four (4) choices
each.
The HCISPP examination contains 125 multiple choice questions with four (4) choices
each.
The CCFP examination contains 125 multiple choice questions with four (4) choices each.
The SSCP examination contains 125 multiple choice questions with four (4) choices
each.
The ISSAP, ISSEP, and ISSMP concentration examinations contain 125, 150, 125
multiple choice questions respectively with four (4) choices each.
The Certified Authorization Professional (CAP) examination contains 125 multiple choice
questions with four (4) choices each; it is also administered by computer.
There may be scenario-based items which may have more than one multiple choice
question associated with it. These items will be specifically identified in the test booklet.
Each of these exams contains 25 questions which are included for research purposes only.
The research questions are not identified; therefore, answer all questions to the best of your
ability. There is no penalty for guessing, so candidates should not leave any item unanswered.
Examination results will be based only on the scored questions on the examination. There
are several versions of the examination. It is important that each candidate have an
equal opportunity to pass the examination, no matter which version is administered. Subject
Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the
examinations. That information is used to develop examination forms that have comparable
difficulty levels. When there are differences in the examination difficulty, a mathematical
procedure called equating is used to make the difficulty level of each test form equal.
Because the number of questions required to pass the examination may be different for each
version, the scores are converted onto a reporting scale to ensure a common standard. The
passing grade required is a scale score of 700 out of a possible 1000 points on the grading
scale.
Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate's examination.
If circumstances arise causing you to wait more than 30 minutes after your scheduled
appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice
of continuing to wait, or rescheduling your appointment without an additional fee.
o If you choose to wait, but later change your mind at any time prior to beginning or
restarting the examination, you will be allowed to take the exam at a later date, at
no additional cost.
o If you choose not to reschedule, but rather test after a delay, you will have no
further recourse, and your test results will be considered valid.
o If you choose to reschedule your appointment, or the problem causing the delay
cannot be resolved, you will be allowed to test at a later date at no additional
charge. Every attempt will be made to contact candidates if technical problems
are identified prior to a scheduled appointment.
Testing Environment
Pearson Professional Centers administer many types of examinations including some that
require written responses (essay-type). Pearson Professional Centers have no control over typing
noises made by candidates sitting next to you while writing their examination. Typing noise is
considered a normal part of the computerized testing environment, just as the noise of turning
pages is a normal part of the paper-and pencil testing environment. Earplugs are available
upon request.
Results Reporting
Candidates will receive their unofficial test result at the test center. The results will be handed
out by the Test Administrator during the checkout process. (ISC)² will then follow up with an
official result via email. All test results are subject to (ISC)²'s psychometric and forensic
evaluation. Based on the number of tests administered, this evaluation may be conducted
Retake Policy
Test takers who do not pass the exam the first time will be able to retest after 30 days. Test
takers who fail a second time will need to wait 90 days prior to sitting for the exam again. In the
unfortunate event that a candidate fails a third time, the next available time to sit for the exam
will be 180 days after the most recent exam attempt. Candidates are eligible to sit for (ISC)²
exams a maximum of 3 times within a calendar year.
Recertification by Examination
Candidates and members may recertify by examination for the following reasons ONLY:
The candidate has become decertified due to reaching the expiration of the time limit
for endorsement.
The member has become decertified for not meeting the number of required continuing
professional education credits.
Candidates who successfully complete any of the (ISC)² certification requirements may use the
appropriate Certification Mark or the Collective Mark, where appropriate, and the logo
containing the Certification Mark or the Collective Mark, where appropriate (the Logo), to
identify themselves as having demonstrated the professional experience and requisite
knowledge in the realm of information system security. Please visit the following link (URL) for
more information on logo use:
https://www.isc2.org/uploadedfiles/(ISC)2_Public_Content/Legal_and_Policies/LogoGuidleines.pdf
Any questions?
(ISC)² Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
Phone: 1.866.331.ISC2 (4722) in the United States
1.727.785.0189 all others
Fax: 1.727.683.0785