Appendix C The Information System Security Architecture Professional (ISSAP) Certification

Overview

The ISSAP Certification is defined by (ISC)2 as the CISSP concentration area that is designed to denote competence and expertise in information security architecture, telecommunications, preservation of business operations, and related security issues.

To qualify for and obtain the ISSAP certification, the candidate must possess the CISSP credential, sit for and pass the ISSAP examination, and maintain the ISSAP credential in good standing.

The ISSAP examination is similar in format to that of the CISSP examination. The questions are multiple choice, with the examinee being asked to select the best answer of four possible answers. The examination comprises 150 questions, 25 of which are experimental questions that are not counted. The candidate is allotted three hours to complete the examination.

The CISSP Architecture Concentration validates detailed, extensive knowledge in the following areas of the CBK:

  • Access Control Systems and Methodology
  • Telecommunications and Network Security
  • Cryptography
  • Requirements Analysis and Security Standards/Guidelines Criteria
  • Technology-Related Business Continuity Planning and Disaster Recovery Planning
  • Physical Security Integration

The key concepts that ISSAP candidates need to understand in these domains are summarized and reviewed in this appendix and in chapters in the text. Most of the information required by ISSAP is already covered in the CISSP. The difference is that ISSAP concentrates on five domain-related areas and goes into a little more detail.

If you did well on your CISSP exam, you will probably do well on the ISSAP too. Go through this book, concentrating on the five ISSAP domain areas discussed in the following sections. We’ve listed the domain areas here with referrals to the related chapter information. We’ve also included a little more information on design requirements analysis, and included some questions at the end of this appendix.

Access Control Systems Methodology

This material is reviewed in Chapter 2.

Telecommunications and Network Security

This material is reviewed in Chapter 3.

Cryptography

This material is reviewed in Chapter 4.

Requirements Analysis and Security Standards Guidelines Criteria

Requirements analysis provides the necessary and sufficient information for the correct design and valid implementation of a system. This process should address both the functional and security requirements of the system.

Analysis of Design Requirements

In general, requirements comprise the following types of information:

  • Environmental description - Discusses the objectives of the system and how it is intended to interact with its environment
  • Functionality - Describes the functionality of the system, including internal and observable external behavior
  • Functional constraints - Lists system constraints such as response times, quality of service, up-times, number of users serviced, and so on
  • Security constraints - Delineates the required system security postures, including security standards, levels of protection, policies, access protections, authentication procedures, auditing requirements, and so on
  • Design constraints - Stipulates customer-driven design constraints such as hardware and software compatibility issues, operating systems, protocols, and so on.
  • Project management-related constraints - Addresses management related issues such as budget control and monitoring, delivery schedules, handling changes, training, installation, acceptance testing, and so on
  • Communication protocols - Covers communications issues, including transferring information into and out of the system, special protocol needs, displays, and so on

Requirements are critical components in verifying that the system meets specifications and validating that the completed system performs as expected in the real world.

As in any endeavor, problems will occur in the requirements analysis process. The two major categories of problems are “essence” problems and accidents. Essence problems refer to the inability to meet essential system requirements. Usually, these problems are not easily solvable, but are handled through techniques such as requirements reviews, proving system properties, knowledge-based methods, and rapid prototyping. Accidents are not inherently related to requirements but are the result of adopting a particular design and implementation approach.

Design Architecture

System and security design architectures are the primary high level design processes and are concerned with major system components, functionality, structure, and their interactions. The design architecture derives from the system specifications, but in some instances the design structure must be different from some of the requirements in order to meet real-world operational, time, and cost constraints. The design architecture should include verified design specifications, requirements traceability, control structures, data structures, initial test specifications, initial users’ and operations manuals, and main headings of a maintenance manual. In addition, some unquantifiable elements have to be considered, including ease of use, reliability, reusability, and maintainability.

There are a number of approaches to developing a design architecture, such as functional, process-driven, or object-oriented decomposition into components and subcomponents.

Understanding Information System Security Standards and Guidelines

These concepts are presented in Chapters 1 and 15.

Assessment of Effectiveness and Security of Information Systems Design

These concepts are presented in Chapter 12.

Technology Related Business Continuity Planning and Disaster Recovery Planning

This material is reviewed in Chapter 8.

Physical Security Integration

This material is reviewed in Chapter 10.

Assessment Questions ISSAP

You can find the answers to the following questions in Appendix A.

1. 

Which one of the following is not one of the types of information comprised in requirements?

  1. Environmental description
  2. Functionality
  3. Security constraints
  4. Design architecture

answer: d the design architecture derives from the system specifications.

2. 

What are the two major problem categories in the requirements analysis process?

  1. Essence and accidents
  2. Essence and system properties
  3. System properties and essence
  4. Maintainability and accidents

answer: a answers b, c, and d are distracters.

3. 

Which one of the high-level design processes includes verified design specifications, requirements traceability, control structures, and data structures?

  1. Design architecture
  2. Communications protocols
  3. Design constraints
  4. Functional descriptions

answer: a answers b, c, and d are distracters.

4. 

Which one of the following requirements categories stipulates customer-driven constraints such as hardware and software compatibility issues, operating systems, and protocols?

  1. Functional constraints
  2. Functionality
  3. Design constraints
  4. Project management

answer: c the answer is c, by definition.

5. 

Which one of the following activities is not an approach to developing design architecture?

  1. Functional decomposition
  2. Traceable decomposition
  3. Process-driven decomposition
  4. Object-oriented decomposition

answer: b answer b is a made-up distracter.

6. 

Which one of the following processes provides the necessary and sufficient information for the correct design and valid implementation of a system?

  1. Requirements analysis
  2. Design analysis
  3. Functional analysis
  4. Design architecture generation

answer: a answers b, c, and d are distracters.

7. 

The design architecture derives from which one of the following:

  1. High-level design processes
  2. Control analysis
  3. Impact analysis
  4. System specifications

image from book

8. 

Requirements analysis addresses which of the following issues?

  1. Functional requirements
  2. Functional and security requirements
  3. Security requirements
  4. Effectiveness

image from book

9. 

Which one of the following requirements addresses issues such as budget control, delivery schedules, training, and acceptance testing?

  1. Environmental descriptions
  2. Project management constraints
  3. Communications protocols
  4. Functional constraints

image from book

10. 

What is a critical component in verifying and validating the completed system?

  1. Requirements
  2. System architecture
  3. Design analyses
  4. Decomposition

image from book

Answers

1. 

Answer: d

The design architecture derives from the system specifications.

2. 

Answer: a

Answers b, c, and d are distracters.

3. 

Answer: a

Answers b, c, and d are distracters.

4. 

Answer: c

The answer is c, by definition.

5. 

Answer: b

Answer b is a made-up distracter.

6. 

Answer: a

Answers b, c, and d are distracters.

7. 

Answer: d

8. 

Answer: b

9. 

Answer: b

10. 

Answer: a



The CISSP and CAP Prep Guide. Platinum Edition
The CISSP and CAP Prep Guide: Platinum Edition
ISBN: 0470007923
EAN: 2147483647
Year: 2004
Pages: 239

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net