Appendix C The Information System Security Architecture Professional (ISSAP) Certification

Overview

The ISSAP Certification is defined by (ISC)2 as the CISSP concentration area that is designed to denote competence and expertise in information security architecture, telecommunications, preservation of business operations, and related security issues.

To qualify for and obtain the ISSAP certification, the candidate must possess the CISSP credential, sit for and pass the ISSAP examination, and maintain the ISSAP credential in good standing.

The ISSAP examination is similar in format to that of the CISSP examination. The questions are multiple choice, with the examinee being asked to select the best answer of four possible answers. The examination comprises 150 questions, 25 of which are experimental questions that are not counted. The candidate is allotted three hours to complete the examination.

The CISSP Architecture Concentration validates detailed, extensive knowledge in the following areas of the CBK:

• Access Control Systems and Methodology
• Telecommunications and Network Security
• Cryptography
• Requirements Analysis and Security Standards/Guidelines Criteria
• Technology-Related Business Continuity Planning and Disaster Recovery Planning
• Physical Security Integration

The key concepts that ISSAP candidates need to understand in these domains are summarized and reviewed in this appendix and in chapters in the text. Most of the information required by ISSAP is already covered in the CISSP. The difference is that ISSAP concentrates on five domain-related areas and goes into a little more detail.

If you did well on your CISSP exam, you will probably do well on the ISSAP too. Go through this book, concentrating on the five ISSAP domain areas discussed in the following sections. We’ve listed the domain areas here with referrals to the related chapter information. We’ve also included a little more information on design requirements analysis, and included some questions at the end of this appendix.

Access Control Systems Methodology

This material is reviewed in Chapter 2.

Telecommunications and Network Security

This material is reviewed in Chapter 3.

Cryptography

This material is reviewed in Chapter 4.

Requirements Analysis and Security Standards Guidelines Criteria

Requirements analysis provides the necessary and sufficient information for the correct design and valid implementation of a system. This process should address both the functional and security requirements of the system.

Analysis of Design Requirements

In general, requirements comprise the following types of information:

• Environmental description - Discusses the objectives of the system and how it is intended to interact with its environment
• Functionality - Describes the functionality of the system, including internal and observable external behavior
• Functional constraints - Lists system constraints such as response times, quality of service, up-times, number of users serviced, and so on
• Security constraints - Delineates the required system security postures, including security standards, levels of protection, policies, access protections, authentication procedures, auditing requirements, and so on
• Design constraints - Stipulates customer-driven design constraints such as hardware and software compatibility issues, operating systems, protocols, and so on.
• Project management-related constraints - Addresses management related issues such as budget control and monitoring, delivery schedules, handling changes, training, installation, acceptance testing, and so on
• Communication protocols - Covers communications issues, including transferring information into and out of the system, special protocol needs, displays, and so on

Requirements are critical components in verifying that the system meets specifications and validating that the completed system performs as expected in the real world.

As in any endeavor, problems will occur in the requirements analysis process. The two major categories of problems are “essence” problems and accidents. Essence problems refer to the inability to meet essential system requirements. Usually, these problems are not easily solvable, but are handled through techniques such as requirements reviews, proving system properties, knowledge-based methods, and rapid prototyping. Accidents are not inherently related to requirements but are the result of adopting a particular design and implementation approach.

Design Architecture

System and security design architectures are the primary high level design processes and are concerned with major system components, functionality, structure, and their interactions. The design architecture derives from the system specifications, but in some instances the design structure must be different from some of the requirements in order to meet real-world operational, time, and cost constraints. The design architecture should include verified design specifications, requirements traceability, control structures, data structures, initial test specifications, initial users’ and operations manuals, and main headings of a maintenance manual. In addition, some unquantifiable elements have to be considered, including ease of use, reliability, reusability, and maintainability.

There are a number of approaches to developing a design architecture, such as functional, process-driven, or object-oriented decomposition into components and subcomponents.

Understanding Information System Security Standards and Guidelines

These concepts are presented in Chapters 1 and 15.

Assessment of Effectiveness and Security of Information Systems Design

These concepts are presented in Chapter 12.

Technology Related Business Continuity Planning and Disaster Recovery Planning

This material is reviewed in Chapter 8.

Physical Security Integration

This material is reviewed in Chapter 10.

Assessment Questions ISSAP

You can find the answers to the following questions in Appendix A.

Answers