ISC2 SSCP (Systems Security Certified Practitioner) Study Guide

The SSCP certification validates your hands-on ability to implement, monitor, and administer security controls in an IT infrastructure. The exam is highly focused on operational security and technical application.

Domain 1: Security Operations and Administration (15%)

This domain covers the foundational rules and processes that govern security within an organization.

  • Security Roles and Responsibilities: Understand the difference between roles like CISO, Security Manager, Security Analyst, and Data Owner/Custodian.
  • Security Awareness and Training: Know the importance of regular training, distinguishing between awareness (changing behavior) and training (imparting skills).
  • Change Management Process: Understand the importance of the change control process (request, approval, test, implement, review) to ensure security isn’t compromised by configuration changes.
  • Asset Management and Inventory: Know how to identify, classify, and track IT assets throughout their lifecycle.
  • Media Protection: Procedures for secure handling, storage, and destruction of physical and digital media.
  • Physical Security: Understanding the basics of site security, entry controls, and environmental controls (e.g., HVAC, fire suppression).
  • Documentation: Importance of maintaining accurate, current policies, standards, procedures, and baselines.

Domain 2: Access Controls (16%)

Access controls are fundamental to confidentiality, availability, and integrity. This is often the largest technical domain.

  • Authentication Mechanisms:
    • Three Factors: Something you know (password), something you have (token), something you are (biometrics).
    • Multi-Factor Authentication (MFA): Using two or more distinct factors.
    • Federated Identity and Single Sign-On (SSO): Understanding SAML, OAuth, and OpenID Connect.
  • Authorization Models:
    • Mandatory Access Control (MAC): Used in high-security environments; access determined by system labels.
    • Discretionary Access Control (DAC): Users own resources and set permissions (e.g., typical Windows/Linux file permissions).
    • Role-Based Access Control (RBAC): Access based on a user’s role (the most common model).
  • Access Control Technologies: Firewalls, proxies, RADIUS, TACACS+, and Network Access Control (NAC).
  • Principle of Least Privilege: Users should only have the minimum access rights necessary to perform their job duties.
  • Account Management: Procedures for provisioning, reviewing, and de-provisioning user accounts (critical for employee turnover).
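To tie the RBAC, least-privilege and account-management bullets together, here is an added Python example (not part of the study guide): a role-to-permission map for a constructed ticketing application, a deny-by-default authorization check, the de-provisioning step taken on employee turnover, and a simple access review that flags accounts an approver should justify. The role names, permissions and user accounts are assumptions.

```python
from dataclasses import dataclass, field

# Constructed (assumption: a small ticketing application) role -> permission map.
# Each permission is "action:resource"; each role carries only what that job needs.
ROLE_PERMISSIONS = {
    "helpdesk": {"read:ticket", "update:ticket"},
    "analyst":  {"read:ticket", "update:ticket", "read:log"},
    "admin":    {"read:ticket", "update:ticket", "delete:ticket",
                 "read:log", "manage:user"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    enabled: bool = True  # de-provisioning disables rather than deletes, keeping the audit trail


def effective_permissions(user: User) -> set:
    """Union of the permissions granted by the user's roles; a disabled account gets none."""
    if not user.enabled:
        return set()
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # an unknown role grants nothing
    return perms


def is_authorized(user: User, action: str, resource: str) -> bool:
    """Authorization decision: deny by default, allow only on an explicit role grant."""
    return f"{action}:{resource}" in effective_permissions(user)


def deprovision(user: User) -> None:
    """Account de-provisioning on turnover: disable the account and strip every role."""
    user.enabled = False
    user.roles.clear()


def access_review(users: list) -> list:
    """Periodic access review: report enabled accounts that hold the admin role or
    hold more than one role; both need justification under least privilege."""
    findings = []
    for u in users:
        if not u.enabled:
            continue
        if "admin" in u.roles:
            findings.append((u.name, "holds admin role"))
        if len(u.roles) > 1:
            findings.append((u.name, "holds multiple roles"))
    return findings


if __name__ == "__main__":
    alice = User("alice", {"helpdesk"})
    bob = User("bob", {"analyst", "admin"})
    print(is_authorized(alice, "delete", "ticket"))  # False: not in the helpdesk role
    print(is_authorized(bob, "read", "log"))          # True
    print(access_review([alice, bob]))                # bob is flagged twice
    deprovision(bob)
    print(is_authorized(bob, "read", "ticket"))       # False: account disabled
```

Note that the authorization check never consults the user directly, only the roles; that is what makes the review and the de-provisioning step auditable, since every grant traces back to a role assignment.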

Domain 3: Risk Identification, Monitoring, and Analysis (15%)

This domain focuses on identifying threats, measuring risk, and actively monitoring the environment.

  • Risk Management Concepts: Understanding assets, threats, vulnerabilities, and risk.
  • Risk Analysis Methods:
    • Qualitative: Uses descriptive terms (High, Medium, Low) and subjective judgment.
    • Quantitative: Uses hard values and calculations to assign a dollar value to risk (SLE, Single Loss Expectancy; ARO, Annualized Rate of Occurrence; ALE, Annualized Loss Expectancy).
  • Vulnerability Assessment: Running tools to identify weaknesses in systems and applications.
  • Penetration Testing: Understanding the phases (planning, discovery, attack, reporting) and different types (black box, white box, gray box).
  • Monitoring Tools:
    • Intrusion Detection/Prevention Systems (IDS/IPS): Signature-based vs. anomaly-based detection.
    • Security Information and Event Management (SIEM): Aggregation and analysis of security logs across the enterprise.
  • Log Management: Proper collection, storage, retention, and review of audit logs.
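The quantitative risk bullet above is the one place in this domain where a worked calculation helps. The following Python is an added example, not from the study guide: it implements SLE = AV x EF and ALE = SLE x ARO, a cost/benefit check for a proposed safeguard, and, for contrast, the qualitative 3x3 matrix. The asset value, exposure factor, ARO and control cost are constructed figures.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss from one occurrence of the threat event.
    exposure_factor is the fraction of the asset value lost (0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected yearly loss; ARO is events per year (0.1 = once a decade)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit of a safeguard: (ALE before - ALE after) - yearly cost of the control.
    Positive means the control saves more than it costs."""
    return round((ale_before - ale_after) - annual_control_cost, 2)


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Qualitative counterpart: a 3x3 matrix turning Low/Medium/High likelihood and
    impact into a single descriptive rating."""
    scale = {"Low": 1, "Medium": 2, "High": 3}
    score = scale[likelihood] * scale[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def worked_example() -> dict:
    """Constructed figures: a file server valued at 100,000 facing a ransomware scenario."""
    asset_value, ef, aro = 100_000, 0.25, 0.5      # 25% of value lost per event, once per two years
    sle = single_loss_expectancy(asset_value, ef)  # 25,000
    ale = annualized_loss_expectancy(sle, aro)     # 12,500
    # Proposed control (assumption): tested offline backups costing 5,000 per year
    # cut the loss per event to 5% of asset value; the event rate is unchanged.
    sle_after = single_loss_expectancy(asset_value, 0.05)   # 5,000
    ale_after = annualized_loss_expectancy(sle_after, aro)  # 2,500
    value = control_value(ale, ale_after, 5_000)            # 5,000: worth buying
    return {"sle": sle, "ale": ale, "ale_after": ale_after, "control_value": value}


if __name__ == "__main__":
    print(worked_example())
    print(qualitative_rating("High", "Medium"))
```

The control_value function is the exam's usual framing: a safeguard is justified when the ALE reduction exceeds its annual cost, and a negative result means the organization should accept, transfer or find a cheaper mitigation for the risk.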

Domain 4: Incident Response and Recovery (14%)

This domain covers handling a security breach and ensuring the business can continue operations during a disaster.

  • Incident Response (IR) Process: Understand the six phases of the IR lifecycle:
    1. Preparation
    2. Identification (Detection and Triage)
    3. Containment (Isolation of the affected systems)
    4. Eradication (Removing the root cause)
    5. Recovery (Restoring systems)
    6. Lessons Learned (Post-incident review)
  • Digital Forensics: Understanding the basics of the chain of custody and preserving evidence (e.g., volatile vs. non-volatile data).
  • Business Continuity Planning (BCP): Focuses on maintaining essential business functions during and after a disaster.
  • Disaster Recovery Planning (DRP): Focuses on restoring IT infrastructure and systems to operational status.
  • Recovery Metrics: Know the difference between RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
  • Backups: Understanding different types (Full, Incremental, Differential) and the importance of testing recovery procedures.
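The backup-type and RPO bullets above are easiest to see with a restore chain. This Python is an added example, not from the study guide: it builds a constructed weekly schedule (full on day 0, then daily incrementals or differentials), works out which backup sets must be restored after a failure on a given day, and checks the achieved data loss against an RPO. Day numbers and the schedule shape are assumptions.

```python
FULL, INCREMENTAL, DIFFERENTIAL = "full", "incremental", "differential"


def weekly_schedule(kind: str, days: int = 7) -> list:
    """Constructed schedule: a full backup on day 0, then one backup of `kind` on each
    following day. Returns a chronological list of (day, type)."""
    if kind not in (INCREMENTAL, DIFFERENTIAL):
        raise ValueError("daily backups must be incremental or differential")
    return [(0, FULL)] + [(d, kind) for d in range(1, days)]


def restore_chain(schedule: list, failure_day: int) -> list:
    """Backups that must be restored, in order, to recover the state captured by the
    most recent backup taken on or before `failure_day`.
    - incremental: holds changes since the previous backup of any kind, so every
      incremental since the last full is needed (smallest backups, longest restore);
    - differential: holds changes since the last full, so only the latest one is
      needed (backups grow through the week, restore is two sets)."""
    taken = [job for job in schedule if job[0] <= failure_day]
    kinds = {job[1] for job in taken} - {FULL}
    if len(kinds) > 1:
        raise ValueError("mixed incremental/differential schedules are not modelled")
    last_full = max(i for i, job in enumerate(taken) if job[1] == FULL)
    chain = [taken[last_full]]
    later = taken[last_full + 1:]
    if kinds == {INCREMENTAL}:
        chain.extend(later)
    elif later:  # differential: only the newest one matters
        chain.append(later[-1])
    return chain


def data_loss_days(schedule: list, failure_day: int) -> int:
    """Worst-case data loss: time from the last completed backup to the failure.
    This is the achieved recovery point, to be compared with the RPO."""
    last_backup = max(job[0] for job in schedule if job[0] <= failure_day)
    return failure_day - last_backup


def rpo_met(schedule: list, failure_day: int, rpo_days: int) -> bool:
    """True when the schedule's worst-case data loss is within the agreed RPO."""
    return data_loss_days(schedule, failure_day) <= rpo_days


if __name__ == "__main__":
    inc = weekly_schedule(INCREMENTAL)
    diff = weekly_schedule(DIFFERENTIAL)
    print(restore_chain(inc, 5))    # full plus five incrementals
    print(restore_chain(diff, 5))   # full plus the day-5 differential only
    print(rpo_met(inc, 9, 1))       # False: no backup after day 6, 3 days lost
```

The restore-chain length is the practical reason the exam pairs backup type with RTO: a differential scheme restores two sets, an incremental scheme restores one per day since the full, and a missing or corrupt set anywhere in an incremental chain breaks the restore, which is why the bullet stresses testing recovery procedures.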

Domain 5: Cryptography (9%)

This is the smallest domain, focusing on the application and management of encryption.

  • Cryptography Types:
    • Symmetric: Uses a single, shared key (e.g., AES). Fast, so best suited for bulk data encryption.
    • Asymmetric: Uses a public/private key pair (e.g., RSA, ECC). Best for key exchange and digital signatures.
  • Hashing: Used for data integrity; understanding functions like SHA-256 and why they are one-way.
  • Public Key Infrastructure (PKI): Components like Certificate Authorities (CA), Registration Authorities (RA), and certificate revocation lists (CRL).
  • Key Management: Procedures for key generation, storage, escrow, revocation, and destruction.
  • Applications of Cryptography: Understanding how encryption is used in email (S/MIME, PGP), web (TLS/SSL), and data storage.
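The hashing bullet above says SHA-256 is one-way and used for integrity; the following Python is an added example, not from the study guide, that shows what that looks like in practice and the caveat a practitioner should carry into the exam: a bare hash detects accidental or unauthenticated change, but anyone who can alter the data can recompute the hash, so proving origin needs a keyed hash (HMAC) over a shared secret. The sample message uses the published SHA-256 test vector for "abc"; the key is a constructed placeholder.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """One-way digest: cheap to compute, infeasible to invert or to find a second
    input for, and any single-bit change in the input produces an unrelated digest."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Integrity check against a known-good digest. compare_digest runs in constant
    time so the comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the shared secret can produce or
    verify the tag, so it proves origin as well as integrity."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Authenticity and integrity check of `data` under the shared key."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


# Constructed sample: the published SHA-256 test vector for the ASCII string "abc".
SAMPLE = b"abc"
SAMPLE_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> dict:
    """Walk through integrity versus authenticity on the constructed sample."""
    tampered = b"abd"                       # one byte changed
    shared_key = b"constructed-demo-key"    # assumption: distributed out of band
    tag = hmac_sha256_hex(shared_key, SAMPLE)
    return {
        # plain hash: detects the change, given a trusted copy of the digest
        "matches_vector": verify_integrity(SAMPLE, SAMPLE_DIGEST),
        "tampered_detected": not verify_integrity(tampered, SAMPLE_DIGEST),
        # but a plain hash over the tampered data is just as easy to compute
        "hash_recomputable": verify_integrity(tampered, sha256_hex(tampered)),
        # HMAC: verifies under the right key, fails under a wrong key or altered data
        "tag_verifies": verify_hmac(shared_key, SAMPLE, tag),
        "wrong_key_rejected": not verify_hmac(b"other-key", SAMPLE, tag),
        "altered_data_rejected": not verify_hmac(shared_key, tampered, tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22s} {ok}")
```

The hash_recomputable line is the point to remember: a published SHA-256 on a download page protects against corruption only if the digest itself arrives over a trusted channel (TLS, or a signature under PKI from Domain 5's next bullet); otherwise the keyed or signed form is what gives assurance of origin.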

Domain 6: Network and Communications Security (16%)

This domain covers securing the network infrastructure, including protocols, devices, and wireless technologies.

  • Network Topologies and Technologies: Understanding the OSI model layers and common network devices (switches, routers, hubs).
  • Secure Network Devices: Proper configuration of firewalls (ACLs), proxies (forward/reverse), and Intrusion Prevention Systems (IPS).
  • Network Segmentation: Using VLANs, DMZs, and physical separation to isolate critical assets.
  • Secure Protocols: Knowing secure alternatives to insecure protocols (e.g., SSH over Telnet, SNMPv3 over earlier versions, HTTPS over HTTP).
  • Wireless Security: Understanding WPA3 (the current standard) and best practices for securing access points (e.g., disabling SSID broadcast, strong authentication).
  • Virtual Private Networks (VPNs): Understanding tunneling protocols and types (Site-to-Site vs. Remote Access).

Domain 7: Systems and Application Security (15%)

This domain focuses on securing operating systems, databases, and application code.

  • Operating System Hardening: Applying patches, disabling unnecessary services, implementing strong user permissions, and using security baselines.
  • Endpoint Security: Implementing endpoint detection and response (EDR) and host-based firewalls.
  • Virtualization and Cloud Security: Understanding the security implications of virtual machines, hypervisors, and cloud deployment models (IaaS, PaaS, SaaS).
  • Database Security: Securing database access, enforcing least privilege for queries, and encrypting sensitive fields.
  • Software Development Life Cycle (SDLC) Security: Understanding where security should be integrated, particularly in testing and configuration management.
  • Malware Analysis Basics: Knowing the different types of malware (ransomware, spyware, rootkits) and basic methods for detection.

Final Study and Exam Strategy

  • Focus on the Operational: The SSCP is a practitioner exam. Think less about “why” a control is necessary (CISSP) and more about “how” you would implement or troubleshoot it.
  • Prioritize the Canons: Remember the ISC2 Code of Ethics (especially Canon 1: Protect society) as they often frame the most challenging ethical scenario questions.
  • Practice Questions: Use high-quality practice exams to familiarize yourself with the ISC2 question style, which often asks for the best or next course of action.
  • Hands-on Experience: If possible, practice with the technologies mentioned (configuring a firewall, running a vulnerability scan, setting permissions) to solidify the concepts.