Information Systems Security Architecture Professional (CISSP - ISSAP) Practice Exam
CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam
About CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam
CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam is for professional specializing in designing security solutions and providing management with risk-based guidance to meet organizational goals. CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam facilitate the alignment of security solutions within the organizational context such as vision, mission, strategy, policies, requirements, change, and external factors. The broad spectrum of topics included in the ISSAP Common Body of Knowledge (CBK) ensure its relevancy across all disciplines in the field of information security. Candidates gain the competency in the following domains-
- Architect for Application Security
- Security Architecture Modeling
- Architect for Governance, Compliance, and Risk Management
- Infrastructure Security
- Security Operations Architecture
- Identity and Access Management Architecture
Pre-requisites for CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam
Candidates must be a CISSP in good standing and have 2 years cumulative paid full-time work experience in 1 or more of the 6 domains of the CISSP-ISSAP CBK
Course Structure for CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam
Domain 1: Architect for Governance, Compliance and Risk Management
1.1 Determine legal, regulatory, organizational and industry requirements
- Determine applicable information security standards and guidelines
- Identify third-party and contractual obligations (e.g., supply chain, outsourcing, partners)
- Determine applicable sensitive/personal data standards, guidelines and privacy regulations
- Design for auditability (e.g., determine regulatory, legislative, forensic requirements, segregation, high assurance systems)
- Coordinate with external entities (e.g., law enforcement, public relations, independent assessor)
1.2 Manage Risk
- Identify and classify risks
- Assess risk
- Recommend risk treatment (e.g., mitigate, transfer, accept, avoid)
- Risk monitoring and reporting
Domain 2: Security Architecture Modeling
2.1 Identify security architecture approach
- Types and scope (e.g., enterprise, network, Service-Oriented Architecture (SOA), cloud, Internet of Things (IoT), Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA))
- Frameworks (e.g., Sherwood Applied Business Security Architecture (SABSA), Service-Oriented Modeling Framework (SOMF))
- Reference architectures and blueprints
- Security configuration (e.g., baselines, benchmarks, profiles)
- Network configuration (e.g., physical, logical, high availability, segmentation, zones)
2.2 Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)
- Validate results of threat modeling (e.g., threat vectors, impact, probability)
- Identify gaps and alternative solutions
- Independent Verification and Validation (IV&V) (e.g., tabletop exercises, modeling and simulation, manual review of functions)
Domain 3: Infrastructure Security Architecture
3.1 Develop infrastructure security requirements
- On-premise, cloud-based, hybrid
- Internet of Things (IoT), zero trust
3.2 Design defense-in-depth architecture
- Management networks
- Industrial Control Systems (ICS) security
- Network security
- Operating systems (OS) security
- Database security
- Container security
- Cloud workload security
- Firmware security
- User security awareness considerations
3.3 Secure shared services (e.g., wireless, e-mail, Voice over Internet Protocol (VoIP), Unified
- Communications (UC), Domain Name System (DNS), Network Time Protocol (NTP))
3.4 Integrate technical security controls
- Design boundary protection (e.g., firewalls, Virtual Private Network (VPN), airgaps, software defined perimeters, wireless, cloud-native)
- Secure device management (e.g., Bring Your Own Device (BYOD), mobile, server, endpoint, cloud instance, storage)
3.5 Design and integrate infrastructure monitoring
- Network visibility (e.g., sensor placement, time reconciliation, span of control, record compatibility)
- Active/Passive collection solutions (e.g., span port, port mirroring, tap, inline, flow logs)
- Security analytics (e.g., Security Information and Event Management (SIEM), log collection, machine learning, User Behavior Analytics (UBA))
3.6 Design infrastructure cryptographic solutions
- Determine cryptographic design considerations and constraints
- Determine cryptographic implementation (e.g., in-transit, in-use, at-rest)
- Plan key management lifecycle (e.g., generation, storage, distribution)
3.7 Design secure network and communication infrastructure (e.g., Virtual Private Network (VPN), Internet Protocol Security (IPsec), Transport Layer Security (TLS))
3.8 Evaluate physical and environmental security requirements
- » Map physical security requirements to organizational needs (e.g., perimeter protection and internal zoning, fire suppression)
- » Validate physical security controls
Domain 4: Identity and Access Management (IAM) Architecture
4.1 Design identity management and lifecycle
- Establish and verify identity
- Assign identifiers (e.g., to users, services, processes, devices)
- Identity provisioning and de-provisioning
- Define trust relationships (e.g., federated, standalone)
Define authentication methods (e.g., Multi-Factor Authentication (MFA), risk-based, location-based, knowledge-based, object-based, characteristicsbased)
- Authentication protocols and technologies (e.g., Security Assertion Markup Language (SAML), Remote Authentication Dial-In User Service (RADIUS), Kerberos)
4.2 Design access control management and lifecycle
- Access control configurations (e.g., physical, logical, administrative)
- Authorization process and workflow (e.g., governance, issuance, periodic review, revocation)
- Roles, rights, and responsibilities related to system, application, and data access control (e.g., groups, Digital Rights Management (DRM), trust relationships)
- Management of privileged accounts
- Authorization (e.g., Single Sign-On (SSO), rulebased, role-based, attribute- based)
4.3 Design identity and access solutions
- Access control protocols and technologies (e.g., eXtensible Access Control Markup Language (XACML), Lightweight Directory Access Protocol (LDAP))
- Credential management technologies (e.g., password management, certificates, smart cards)
- Centralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
- Decentralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
- Privileged Access Management (PAM) implementation (for users with elevated privileges)
- Accounting (e.g., logging, tracking, auditing)
Domain 5: Architect for Application Security
5.1 Integrate Software Development Life Cycle (SDLC) with application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure
- Assess code review methodology (e.g., dynamic, manual, static)
- Assess the need for application protection (e.g., Web Application Firewall (WAF), anti-malware, secure Application Programming Interface (API), secure Security Assertion Markup Language (SAML))
- Determine encryption requirements (e.g., at-rest, in-transit, in-use)
- Assess the need for secure communications between applications and databases or other endpoints
- Leverage secure code repository
5.2 Determine application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS)/Infrastructure as a Service (IaaS)/ Platform as a Service (PaaS) environments)
- Review security of applications (e.g., custom, Commercial Off-the-Shelf (COTS), in-house, cloud)
- Determine application cryptographic solutions (e.g., cryptographic Application Programming Interface (API), Pseudo Random Number Generator (PRNG), key management)
- Evaluate applicability of security controls for system components (e.g., mobile and web client applications; proxy, application, and database services)
5.3 Identify common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))
Domain 6: Security Operations Architecture
6.1 Gather security operations requirements (e.g., legal, compliance, organizational, and business requirements)
6.2 Design information security monitoring (e.g., Security Information and Event Management (SIEM), insider threat, threat intelligence, user behavior analytics, Incident Response (IR) procedures)
- Detection and analysis
- Proactive and automated security monitoring and remediation (e.g., vulnerability management, compliance audit, penetration testing)
6.3 Design Business Continuity (BC) and resiliency solutions
6.4 Validate Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP) architecture
6.5 Design Incident Response (IR) management
- Incorporate Business Impact Analysis (BIA)
- Determine recovery and survivability strategy
- Identify continuity and availability solutions (e.g., cold, warm, hot, cloud backup)
- Define processing agreement requirements (e.g., provider, reciprocal, mutual, cloud, virtualization)
- Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
- Design secure contingency communication for operations (e.g., backup communication channels, Out-of-Band (OOB))
- Preparation (e.g., communication plan, Incident Response Plan (IRP), training)
- Review lessons learned
Exam Pattern for CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam
- Testing center: Pearson VUE Testing Center
- Exam availability: English
- Passing Grade: 700 out of 1000 points
- Format: Multiple choice
- Total questions: 125
- Duration: 3 hours
FAQs on CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam
1. What is my (ISC)2 ID?
At the time of account creation, you will be assigned an (ISC)2 ID. On the (ISC)² website you can find your ID number on your profile page.
2. How my certification can be verified by a potential employer?
By using the Certification Verification page on our website your employer can see if you are a member in good standing. While in order to process the verification your last name and member ID number will be needed.
3. How can I become a member?
There are three steps followed to become a member of (ISC)2. First, you must take and pass one of the six credential examinations. Then, you must submit an endorsement application to prove that you have the years of experience that are required to hold the credential. Once your endorsement is approved, you must pay the Annual Maintenance Fee (AMF).
4. What should I do if I'm unable to locate a test center near me?
To assist you with scheduling your examination you can contact Pearson VUE Customer Service.
5. Can I get my exam score?
Scores are not provided for those who pass an examination. Although for those who failed an examination, scores will be provided upon completion of the exam.
6. What can be brought inside the test center?
No,items are not permitted inside the test center (enlisted in the instructions page). So, you will be instructed by the test administrator to empty your pockets and place all items in a locker.
7. Does Testprep Training offer Money Back Guarantee for the Exam Simulator?
Yes, we offer a 100% unconditional money back guarantee. In case you are not able to clear the exam for then you can request for the full refund. Please note that we only refund the cost of product purchased from Testprep Training and not from the Microsoft Learning.
8. Is there any assistance from Testprep Training in terms of exam preparation?
Yes, Testprep Training offers email support for any certification related query while you are preparing for the exam using our practice exams. Your query will be handled by experts in due course.
9. Can we try the free test before purchasing the practice exam?
Yes, testprep training offers free practice tests for CISSP - ISSAP Information Systems Security Architecture Professional Certification Exam which can be used before the final purchase for the complete test.
10. Do you provide any preparation guidance for this certification exam?
Yes, our experts frequently blog about the tips and tricks for exam preparation.
11. Do you offer any discount on the bulk purchase?
Yes, we offer nearly 50% discount for the order more than 10 products at a time. You can reach the testprep training Helpdesk for more details. The member of the support staff will respond as soon as possible.
For more FAQs
What do we offer?
- Full-Length Mock Test with unique questions in each test set
- Practice objective questions with section-wise scores
- In-depth and exhaustive explanation for every question
- Reliable exam reports to evaluate strengths and weaknesses
- Latest Questions with an updated version
- Tips & Tricks to crack the test
- Unlimited access
What are our Practice Exams?
- Practice exams have been designed by professionals and domain experts that simulate real time exam scenario.
- Practice exam questions have been created on the basis of content outlined in the official documentation.
- Each set in the practice exam contains unique questions built with the intent to provide real-time experience to the candidates as well as gain more confidence during exam preparation.
- Practice exams help to self-evaluate against the exam content and work towards building strength to clear the exam.
- You can also create your own practice exam based on your choice and preference
100% Assured Test Pass Guarantee
Table of Contents
- Architect for Application Security - 15%
- Security Architecture Modeling - 14%
- Architect for Governance, Compliance, and Risk Management - 16%
- Infrastructure Security - 19%
- Security Operations Architecture - 17%
- Identity and Access Management Architecture - 19%