Stay ahead by continuously learning and advancing your career.. Learn More

Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam

description

Bookmark Enrolled Intermediate

Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam


The Information Systems Security Architecture Professional (CISSP-ISSAP) certification acts as a bridge between the foundational knowledge of CISSP (Certified Information Systems Security Professional) and the specialized skills required for security architecture. 


Who should consider this Certification:

  • Seasoned security professionals: Elevate your existing CISSP knowledge and specialize in security architecture.
  • Security architects and analysts: Validate your expertise in designing, implementing, and maintaining secure information systems.
  • IT professionals seeking career advancement: Demonstrate your commitment to specialized security architecture knowledge.


Key Roles and Responsibilities:

  • Design and implement secure information systems architectures: Translate business security requirements into technical design elements.
  • Select and integrate security controls: Choose appropriate security controls based on risk assessments and industry best practices.
  • Evaluate and test security architectures: Analyze security posture and identify vulnerabilities within the architecture.
  • Communicate security architecture decisions to stakeholders: Clearly explain technical concepts and security implications to non-technical audiences.
  • Stay up-to-date with evolving security threats and technologies: Continuously learn and apply new knowledge to maintain secure and resilient systems.


Prerequisites 

  • CISSP is a prerequisite: Earning the CISSP certification is a mandatory requirement before pursuing the CISSP-ISSAP.
  • Expands on CISSP knowledge: The CISSP-ISSAP builds upon the foundational security concepts covered in the CISSP, focusing specifically on security architecture principles and best practices.


Exam Details:

  • Format: Computer-based exam with multiple-choice questions
  • Time Limit: 3 hours
  • Languages: English
  • Passing Score: 700


Course Outline

Domain 1: Architect for Governance, Compliance and Risk Management

1.1 Determining legal, regulatory, organizational and industry requirements

  • Determining applicable information security standards and guidelines
  • Identifying third-party and contractual obligations (e.g., supply chain, outsourcing, partners)
  • Determining applicable sensitive/personal data standards, guidelines and privacy regulations
  • Design for auditability (e.g., determine regulatory, legislative, forensic requirements, segregation, high assurance systems)
  • Coordinate with external entities (e.g., law enforcement, public relations, independent assessor)

1.2 Manage Risk

  • Identifying and classify risks
  • Assess risk
  • Recommend risk treatment (e.g., mitigate, transfer, accept, avoid)
  • Risk monitoring and reporting

Domain 2: Security Architecture Modeling

2.1 Identifying security architecture approach

  • Types and scope (e.g., enterprise, network, Service-Oriented Architecture (SOA), cloud, Internet of Things (IoT), Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA))
  • Frameworks (e.g., Sherwood Applied Business Security Architecture (SABSA), Service-Oriented Modeling Framework (SOMF))
  • Reference architectures and blueprints
  • Security configuration (e.g., baselines, benchmarks, profiles)
  • Network configuration (e.g., physical, logical, high availability, segmentation, zones)

2.2 Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)

  • Validate results of threat modeling (e.g., threat vectors, impact, probability)
  • Identifying gaps and alternative solutions
  • Independent Verification and Validation (IV&V) (e.g., tabletop exercises, modeling and simulation, manual review of functions)

Domain 3: Infrastructure Security Architecture

3.1 Develop infrastructure security requirements

  • On-premise, cloud-based, hybrid
  • Internet of Things (IoT), zero trust

3.2 Design defense-in-depth architecture

  • Management networks
  • Industrial Control Systems (ICS) security
  • Network security
  • Operating systems (OS) security
  • Database security
  • Container security
  • Cloud workload security
  • Firmware security
  • User security awareness considerations

3.3 Secure shared services (e.g., wireless, e-mail, Voice over Internet Protocol (VoIP), Unified

  • Communications (UC), Domain Name System (DNS), Network Time Protocol (NTP))

3.4 Integrate technical security controls

  • Design boundary protection (e.g., firewalls, Virtual Private Network (VPN), airgaps, software defined perimeters, wireless, cloud-native)
  • Secure device management (e.g., Bring Your Own Device (BYOD), mobile, server, endpoint, cloud instance, storage)

3.5 Design and integrate infrastructure monitoring

  • Network visibility (e.g., sensor placement, time reconciliation, span of control, record compatibility)
  • Active/Passive collection solutions (e.g., span port, port mirroring, tap, inline, flow logs)
  • Security analytics (e.g., Security Information and Event Management (SIEM), log collection, machine learning, User Behavior Analytics (UBA))

3.6 Design infrastructure cryptographic solutions

  • Determining cryptographic design considerations and constraints
  • Determining cryptographic implementation (e.g., in-transit, in-use, at-rest)
  • Plan key management lifecycle (e.g., generation, storage, distribution)

3.7 Design secure network and communication infrastructure (e.g., Virtual Private Network (VPN), Internet Protocol Security (IPsec), Transport Layer Security (TLS))

3.8 Evaluate physical and environmental security requirements

  • Map physical security requirements to organizational needs (e.g., perimeter protection and internal zoning, fire suppression)
  • Validate physical security controls

Domain 4: Identity and Access Management (IAM) Architecture

4.1 Design identity management and lifecycle

  • Establish and verify identity
  • Assign identifiers (e.g., to users, services, processes, devices)
  • Identity provisioning and de-provisioning
  • Define trust relationships (e.g., federated, standalone)
  • Define authentication methods (e.g., Multi-Factor Authentication (MFA), risk-based, location-based, knowledge-based, object-based, characteristicsbased)
  • Authentication protocols and technologies (e.g., Security Assertion Markup Language (SAML), Remote Authentication Dial-In User Service (RADIUS), Kerberos)

4.2 Design access control management and lifecycle

  • Access control concepts and principles (e.g., discretionary/mandatory, segregation/Separation of Duties (SoD), least privilege)
  • Access control configurations (e.g., physical, logical, administrative)
  • Authorization process and workflow (e.g., governance, issuance, periodic review, revocation)
  • Roles, rights, and responsibilities related to system, application, and data access control (e.g., groups, Digital Rights Management (DRM), trust relationships)
  • Management of privileged accounts
  • Authorization (e.g., Single Sign-On (SSO), rulebased, role-based, attribute- based)

4.3 Design identity and access solutions

  • Access control protocols and technologies (e.g., eXtensible Access Control Markup Language (XACML), Lightweight Directory Access Protocol (LDAP))
  • Credential management technologies (e.g., password management, certificates, smart cards)
  • Centralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
  • Decentralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
  • Privileged Access Management (PAM) implementation (for users with elevated privileges)
  • Accounting (e.g., logging, tracking, auditing)

Domain 5: Architect for Application Security 

5.1 Integrate Software Development Life Cycle (SDLC) with application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure coding)

  • Assess code review methodology (e.g., dynamic, manual, static)
  • Assess the need for application protection (e.g., Web Application Firewall (WAF), anti-malware, secure Application Programming Interface (API), secure Security Assertion Markup Language (SAML))
  • Determining encryption requirements (e.g., at-rest, in-transit, in-use)
  • Assess the need for secure communications between applications and databases or other endpoints
  • Leverage secure code repository

5.2 Determining application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS)/Infrastructure as a Service (IaaS)/ Platform as a Service (PaaS) environments)

  • Review security of applications (e.g., custom, Commercial Off-the-Shelf (COTS), in-house, cloud)
  • Determining application cryptographic solutions (e.g., cryptographic Application Programming Interface (API), Pseudo Random Number Generator (PRNG), key management)
  • Evaluate applicability of security controls for system components (e.g., mobile and web client applications; proxy, application, and database services)

5.3 Identifying common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))

Domain 6: Security Operations Architecture

6.1 Gather security operations requirements (e.g., legal, compliance, organizational, and business requirements)

6.2 Design information security monitoring (e.g., Security Information and Event Management (SIEM), insider threat, threat intelligence, user behavior analytics, Incident Response (IR) procedures)

  • Detection and analysis
  • Proactive and automated security monitoring and remediation (e.g., vulnerability management, compliance audit, penetration testing)

6.3 Design Business Continuity (BC) and resiliency solutions

6.4 Validate Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP) architecture

6.5 Design Incident Response (IR) management

  • Incorporate Business Impact Analysis (BIA)
  • Determining recovery and survivability strategy
  • Identifying continuity and availability solutions (e.g., cold, warm, hot, cloud backup)
  • Define processing agreement requirements (e.g., provider, reciprocal, mutual, cloud, virtualization)
  • Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Design secure contingency communication for operations (e.g., backup communication channels, Out-of-Band (OOB))
  • Preparation (e.g., communication plan, Incident Response Plan (IRP), training)
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Review lessons learned

Reviews

Tags: Information Systems Security Architecture Professional (CISSP - ISSAP) Exam, Information Systems Security Architecture Professional (CISSP - ISSAP) Questions, ,

Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam

Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam

  • Test Code:1117-P
  • Availability:In Stock

  • $7.99

  • Ex Tax:$7.99


%s reviews / Write a review

Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam


The Information Systems Security Architecture Professional (CISSP-ISSAP) certification acts as a bridge between the foundational knowledge of CISSP (Certified Information Systems Security Professional) and the specialized skills required for security architecture. 


Who should consider this Certification:

  • Seasoned security professionals: Elevate your existing CISSP knowledge and specialize in security architecture.
  • Security architects and analysts: Validate your expertise in designing, implementing, and maintaining secure information systems.
  • IT professionals seeking career advancement: Demonstrate your commitment to specialized security architecture knowledge.


Key Roles and Responsibilities:

  • Design and implement secure information systems architectures: Translate business security requirements into technical design elements.
  • Select and integrate security controls: Choose appropriate security controls based on risk assessments and industry best practices.
  • Evaluate and test security architectures: Analyze security posture and identify vulnerabilities within the architecture.
  • Communicate security architecture decisions to stakeholders: Clearly explain technical concepts and security implications to non-technical audiences.
  • Stay up-to-date with evolving security threats and technologies: Continuously learn and apply new knowledge to maintain secure and resilient systems.


Prerequisites 

  • CISSP is a prerequisite: Earning the CISSP certification is a mandatory requirement before pursuing the CISSP-ISSAP.
  • Expands on CISSP knowledge: The CISSP-ISSAP builds upon the foundational security concepts covered in the CISSP, focusing specifically on security architecture principles and best practices.


Exam Details:

  • Format: Computer-based exam with multiple-choice questions
  • Time Limit: 3 hours
  • Languages: English
  • Passing Score: 700


Course Outline

Domain 1: Architect for Governance, Compliance and Risk Management

1.1 Determining legal, regulatory, organizational and industry requirements

  • Determining applicable information security standards and guidelines
  • Identifying third-party and contractual obligations (e.g., supply chain, outsourcing, partners)
  • Determining applicable sensitive/personal data standards, guidelines and privacy regulations
  • Design for auditability (e.g., determine regulatory, legislative, forensic requirements, segregation, high assurance systems)
  • Coordinate with external entities (e.g., law enforcement, public relations, independent assessor)

1.2 Manage Risk

  • Identifying and classify risks
  • Assess risk
  • Recommend risk treatment (e.g., mitigate, transfer, accept, avoid)
  • Risk monitoring and reporting

Domain 2: Security Architecture Modeling

2.1 Identifying security architecture approach

  • Types and scope (e.g., enterprise, network, Service-Oriented Architecture (SOA), cloud, Internet of Things (IoT), Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA))
  • Frameworks (e.g., Sherwood Applied Business Security Architecture (SABSA), Service-Oriented Modeling Framework (SOMF))
  • Reference architectures and blueprints
  • Security configuration (e.g., baselines, benchmarks, profiles)
  • Network configuration (e.g., physical, logical, high availability, segmentation, zones)

2.2 Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)

  • Validate results of threat modeling (e.g., threat vectors, impact, probability)
  • Identifying gaps and alternative solutions
  • Independent Verification and Validation (IV&V) (e.g., tabletop exercises, modeling and simulation, manual review of functions)

Domain 3: Infrastructure Security Architecture

3.1 Develop infrastructure security requirements

  • On-premise, cloud-based, hybrid
  • Internet of Things (IoT), zero trust

3.2 Design defense-in-depth architecture

  • Management networks
  • Industrial Control Systems (ICS) security
  • Network security
  • Operating systems (OS) security
  • Database security
  • Container security
  • Cloud workload security
  • Firmware security
  • User security awareness considerations

3.3 Secure shared services (e.g., wireless, e-mail, Voice over Internet Protocol (VoIP), Unified

  • Communications (UC), Domain Name System (DNS), Network Time Protocol (NTP))

3.4 Integrate technical security controls

  • Design boundary protection (e.g., firewalls, Virtual Private Network (VPN), airgaps, software defined perimeters, wireless, cloud-native)
  • Secure device management (e.g., Bring Your Own Device (BYOD), mobile, server, endpoint, cloud instance, storage)

3.5 Design and integrate infrastructure monitoring

  • Network visibility (e.g., sensor placement, time reconciliation, span of control, record compatibility)
  • Active/Passive collection solutions (e.g., span port, port mirroring, tap, inline, flow logs)
  • Security analytics (e.g., Security Information and Event Management (SIEM), log collection, machine learning, User Behavior Analytics (UBA))

3.6 Design infrastructure cryptographic solutions

  • Determining cryptographic design considerations and constraints
  • Determining cryptographic implementation (e.g., in-transit, in-use, at-rest)
  • Plan key management lifecycle (e.g., generation, storage, distribution)

3.7 Design secure network and communication infrastructure (e.g., Virtual Private Network (VPN), Internet Protocol Security (IPsec), Transport Layer Security (TLS))

3.8 Evaluate physical and environmental security requirements

  • Map physical security requirements to organizational needs (e.g., perimeter protection and internal zoning, fire suppression)
  • Validate physical security controls

Domain 4: Identity and Access Management (IAM) Architecture

4.1 Design identity management and lifecycle

  • Establish and verify identity
  • Assign identifiers (e.g., to users, services, processes, devices)
  • Identity provisioning and de-provisioning
  • Define trust relationships (e.g., federated, standalone)
  • Define authentication methods (e.g., Multi-Factor Authentication (MFA), risk-based, location-based, knowledge-based, object-based, characteristicsbased)
  • Authentication protocols and technologies (e.g., Security Assertion Markup Language (SAML), Remote Authentication Dial-In User Service (RADIUS), Kerberos)

4.2 Design access control management and lifecycle

  • Access control concepts and principles (e.g., discretionary/mandatory, segregation/Separation of Duties (SoD), least privilege)
  • Access control configurations (e.g., physical, logical, administrative)
  • Authorization process and workflow (e.g., governance, issuance, periodic review, revocation)
  • Roles, rights, and responsibilities related to system, application, and data access control (e.g., groups, Digital Rights Management (DRM), trust relationships)
  • Management of privileged accounts
  • Authorization (e.g., Single Sign-On (SSO), rulebased, role-based, attribute- based)

4.3 Design identity and access solutions

  • Access control protocols and technologies (e.g., eXtensible Access Control Markup Language (XACML), Lightweight Directory Access Protocol (LDAP))
  • Credential management technologies (e.g., password management, certificates, smart cards)
  • Centralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
  • Decentralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
  • Privileged Access Management (PAM) implementation (for users with elevated privileges)
  • Accounting (e.g., logging, tracking, auditing)

Domain 5: Architect for Application Security 

5.1 Integrate Software Development Life Cycle (SDLC) with application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure coding)

  • Assess code review methodology (e.g., dynamic, manual, static)
  • Assess the need for application protection (e.g., Web Application Firewall (WAF), anti-malware, secure Application Programming Interface (API), secure Security Assertion Markup Language (SAML))
  • Determining encryption requirements (e.g., at-rest, in-transit, in-use)
  • Assess the need for secure communications between applications and databases or other endpoints
  • Leverage secure code repository

5.2 Determining application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS)/Infrastructure as a Service (IaaS)/ Platform as a Service (PaaS) environments)

  • Review security of applications (e.g., custom, Commercial Off-the-Shelf (COTS), in-house, cloud)
  • Determining application cryptographic solutions (e.g., cryptographic Application Programming Interface (API), Pseudo Random Number Generator (PRNG), key management)
  • Evaluate applicability of security controls for system components (e.g., mobile and web client applications; proxy, application, and database services)

5.3 Identifying common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))

Domain 6: Security Operations Architecture

6.1 Gather security operations requirements (e.g., legal, compliance, organizational, and business requirements)

6.2 Design information security monitoring (e.g., Security Information and Event Management (SIEM), insider threat, threat intelligence, user behavior analytics, Incident Response (IR) procedures)

  • Detection and analysis
  • Proactive and automated security monitoring and remediation (e.g., vulnerability management, compliance audit, penetration testing)

6.3 Design Business Continuity (BC) and resiliency solutions

6.4 Validate Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP) architecture

6.5 Design Incident Response (IR) management

  • Incorporate Business Impact Analysis (BIA)
  • Determining recovery and survivability strategy
  • Identifying continuity and availability solutions (e.g., cold, warm, hot, cloud backup)
  • Define processing agreement requirements (e.g., provider, reciprocal, mutual, cloud, virtualization)
  • Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Design secure contingency communication for operations (e.g., backup communication channels, Out-of-Band (OOB))
  • Preparation (e.g., communication plan, Incident Response Plan (IRP), training)
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Review lessons learned