The Information System Security Engineering Professional (ISSEP) is a CISSP concentration that specializes in security engineering. In addition to the ISSEP, there are two other CISSP concentrations, the Information System Security Architecture Professional (ISSAP) and the Information System Security Management Professional (ISSMP). The ISSAP overlaps with many of the technical concepts from the CISSP, while the ISSMP overlaps with many of the management aspects. The ISSEP is an entirely different animal with a distinctive U.S. government flavor to it.
About the Exam
The ISSEP exam is made up of 150 questions and has a four hour time limit. Like other ISC2 tests, 25 of these questions are used for research purposes only and are not counted when determining your grade. You need a 700/1000 to pass the exam. The domains and questions were developed by ISC2 in conjunction with the U.S. National Security Agency (NSA). Because of the NSA’s participation in question development, you may notice a different style and tone between ISSEP and CISSP questions.
Who Should Take it
I took the ISSEP exam twice because I was caught up in ISC2’s erroneous grading debacle. I would highly recommend the certification to anyone performing Information Assurance for the U.S. Defense Department or a national security system. The exam is also applicable to anyone working in non-defense Federal Agencies, but less so. Although some ISSEP material is relevant to the commercial segment, most isn’t. If you don’t work for the U.S. Government, I’d recommend you pass on the ISSEP.
Think You’re Ready?
Want to see how much you may need to study prior to taking the test? Try taking our free CISSP-ISSEP practice test. Use the results to focus your study plan toward areas where you didn’t do so well.
The only book available for the ISSEP is Official (ISC)2 Guide to the CISSP-ISSEP CBK ((ISC)2 Press), by Susan Hansche. It’s a hefty 993 pages long but certainly covers all of the material. I found the book almost impossible to read from start to end. During my study period I grew increasingly frustrated at the focus on regulations. There are simply too many policies, procedures, directives, and laws to gain an educated understanding of each. For the most part, you only need to have a basic understanding of each. However, some areas such as DOD Instruction 8510 and IATF Chapter 3 deserve a more detailed understanding. In fact, Susan mentions the following in the preface:
One of the most important and most daunting challenges for an ISSEP lies in having a basic familiarity with the various sets of USG regulations. Because of this, you will find that more than one-half of this book is devoted to providing an in-depth overview of some USG policies and procedures. About half way through my research for this book, I began to tire of reading policies and regulations and, no doubt, you will too.
System Security Engineering (SSE)
This domain is focused on the Information Assurance Technical Framework (IATF), notably chapter 3. The IATF was jointly developed by the NSA and NIST. Unfortunately, it hasn’t been maintained or updated since 2002. Despite this, the concepts are still applicable and worth understanding. I also assume that the SSE process contained within the IATF will be carried forward within different guidance in the future. The SSE domain is made up of the following concepts:
- Chapter 3 of the IATF
- Understand the relationship between security engineering and System Engineering
- Discover Information Protection needs
- Define system security requirements
- Design system security architecture
- Develop detailed security design
- Implement system security
Certification and Accreditation
This domain focuses mostly on NIST 800-37 and the DOD Information Assurance Certification and Accreditation Process (DIACAP), which is outlined in DoD 8510. Note that Susan’s book covers DIACAP’s predecessor, DITSCAP. However, the actual test covers the newer DIACAP. Also, ISC2’s Certified Authorization Professional (CAP) includes almost the same content as this domain. It may be a good idea to schedule the CAP just before or after the ISSEP so that you can re-use this information for both certifications. The rest of this domain is made up of:
- Understand the US Gov C&A process
- Understand the roles and responsibilities of stakeholders in the C&A process
- Understand Risk Management
- Integrate C&A with system engineering
I think this domain could be more appropriately called “IA Project Management”. I was lacking formal project management skills, so I was very happy to have an excuse to review the topics. This domain focuses on controlling the Time, Cost, and Quality of projects. The sections include:
- Understand and support the acquisition process
- Initiate the technical effort
- Plan the technical effort
- Implement and manage the technical effort
- Close the technical effort
U.S. Government IA Rules and Regulations
This domain is long, boring, and difficult to read from start to finish. However, I think that the information I learned here was more applicable to my job than any other domain. Even policy wonks like me will learn a great deal. Understanding the “big picture” and being able to track requirements back to their original source can help you connect the dots with many compliance activities. This domain focuses on:
- Understanding National Laws and Policies
- Understanding Civil Agency policies and guidelines
- Understanding DOD policies and guidelines
- Understanding International standards