Documente Academic
Documente Profesional
Documente Cultură
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
(Exam Outline)
Effective Date: September 1, 2013
2
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
Non-Discrimination
ISC) does not discriminate candidates based on their nationality, gender, religion,
race, ethnicity, sexual orientation, age and disability. For further information on (ISC)s
non-discrimination policy, please visit https://www.isc2.org/legal-info-policies.aspx.
3
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
This Candidate Information Bulletin provides ............................................................................. 5
CAP Candidate Information Bulletin Overview ......................................................................... 7
1) RISK MANAGEMENT FRAMEWORK (RMF) ............................................................................. 8
Overview ...................................................................................................................................... 8
Key Areas of Knowledge ........................................................................................................... 8
2) CATEGORIZATION OF INFORMATION SYSTEMS .................................................................. 10
Overview .................................................................................................................................... 10
Key Areas of Knowledge ......................................................................................................... 10
3) SELECTION OF SECURITY CONTROLS ................................................................................... 11
Overview .................................................................................................................................... 11
Key Areas of Knowledge ......................................................................................................... 11
4) SECURITY CONTROL IMPLEMENTATION ............................................................................... 12
Overview .................................................................................................................................... 12
Key Areas of Knowledge ......................................................................................................... 12
5) SECURITY CONTROL ASSESSMENT ........................................................................................ 13
Overview .................................................................................................................................... 13
Key Areas of Knowledge ......................................................................................................... 13
6) INFORMATION SYSTEM AUTHORIZATION ............................................................................. 14
Overview .................................................................................................................................... 14
Key Areas of Knowledge ......................................................................................................... 14
7) MONITORING OF SECURITY CONTROLS .............................................................................. 15
Overview .................................................................................................................................... 15
Key Areas of Knowledge ......................................................................................................... 15
REFERENCES ................................................................................................................................... 16
GENERAL EXAMINATION INFORMATION .................................................................................... 21
Paper Based Test (PBT) ............................................................................................................ 21
Any questions? .............................................................................................................................. 25
GENERAL EXAMINATION INFORMATION .................................................................................... 26
Computer Based Test (CBT) ........................................................................................................ 26
4
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
Registering for the Exam .............................................................................................................. 26
Scheduling a Test Appointment ................................................................................................. 27
Non Disclosure ............................................................................................................................... 30
Day of the Exam ........................................................................................................................... 30
Any questions? .............................................................................................................................. 34
5
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
This Candidate Information Bulletin provides
Exam blueprint to a limited level of detail that outlines major topics and sub-topics
within the domains
Suggested reference list
Description of the format of the items on the exam
Basic registration/administration policies
The ideal candidate should have experience, knowledge and skill in the following areas:
System authorization processes
Information risk management processes
Systems development experience
Security control testing and continuous monitoring
IT security/information assurance
Information security policy
Technical and/or auditing experience within U.S. Federal government agencies (e.g.,
U.S. Department of Defense etc.), financial institutions, healthcare providers, auditing
and/or consulting organizations.
Strong familiarity with NIST and OMB publications
Candidates must meet the following requirements prior to taking the CAP examination:
Submit the examination fee
A candidate is required to have a minimum of two years of cumulative paid full-time
security professional work experience in one or more of the seven domains of the
(ISC) CAP CBK;
Valid professional experience includes the direct application of appropriate Security
Authorization (formally Certification & Accreditation) knowledge performed as a
practitioner, auditor, or contractor
Attest to the truth of his or her assertions regarding professional experience, and
legally commit to abide by the (ISC) Code of Ethics (Section 3).
Before candidates are allowed to take the test at testing centers, they must respond
yes or No to the following four questions regarding criminal history and related
background:
1. Have you ever been convicted of a felony; a misdemeanor involving a
computer crime, dishonesty, or repeat offenses; or a Court Martial in military
service, or is there a felony charge, indictment, or information now pending
against you? (Omit minor traffic violations and offenses prosecuted in juvenile
court).
6
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
2. Have you ever had a professional license, certification, membership or
registration revoked, or have you ever been censured or disciplined by any
professional organization or government agency?
3. Have you ever been involved, or publicly identified, with criminal hackers or
hacking?
4. Have you ever been known by any other name, alias, or pseudonym? (You
need not include user identities or screen names with which you were publicly
identified).
7
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
CAP Candidate Information Bulletin Overview
The Certified Authorization Professional (CAP) is an information security practitioner who
champions system security commensurate with an organizations mission and risk tolerance,
while meeting legal and regulatory requirements.
The Office of Management and Budget (OMB) first mandated systems authorization in OMB
Circular A-130, Appendix III in 1987 by stating that all general support systems and major
applications must be authorized prior to the system or application being placed in operation.
The Federal Information Security Management Act (FISMA) of 2002 renewed focus on systems
authorization with associated OMB oversight and reporting requirements and National Institute
of Standards and Technology (NIST) implementation guidance.
In August 2009, NIST released revision 3 of Special Publication 800-53: Security Controls for
Federal Information Systems and Organizations. Then in February 2010, NIST released revision 1 of
Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal
Information Systems: A Security Life Cycle Approach. These two documents form the building
blocks for the emerging harmonized control taxonomy and security authorization processes,
respectively, that now govern across all federal government agencies. While numerous NIST
and OMB publications constitute the CAP exam targeted for release in November 2010 (see
reference guide on page 11), the seven domains for this exam conceptually mirror the NIST
system authorization process. A candidate must understand and be able to apply knowledge
in each domain to be successful. This includes synthesizing material from many sources in order
to be successful. The CAP domains are:
1. Risk Management Framework (RMF)
2. Categorization of Information Systems
3. Selection of Security Controls
4. Security Control Implementation
5. Security Control Assessment
6. Information System Authorization
7. Monitoring of Security Controls
8
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
1) RISK MANAGEMENT FRAMEWORK (RMF)
Overview
Security authorization of a system is a result of a tiered risk management approach to evaluate
both strategic and tactical risk. The authorization process is primarily driven by the application of
NISTs Risk Management Framework (RMF). The RMF process identifies security controls, which
are commensurate with risk, vulnerabilities, countermeasures and determines residual risks. The
residual risks are evaluated and deemed either acceptable or unacceptable. The system may
be deployed only when the residual risks are acceptable to the enterprise.
Key Areas of Knowledge
A. Describe the Risk Management Framework (RMF)
A.1
Distinguish between applying risk management principles and satisfying
compliance requirements
A.2 Identify and maintain information systems inventory
A.3 Explain the importance of securing information
A.4 Understand organizational mission and operations
B. Describe and Distinguish between the RMF Steps
B.1
Categorize information system
B.2
Select security controls
B.3
Implement security controls
B.4
Assess security controls
B.5
Authorize information system
B.6
Monitor security controls
C. Identify Roles and Define Responsibilities
C.1
Head of agency (Chief Executive Officer)
C.2
Risk executive (Function)
C.3
Chief information officer
C.4
Information owner/steward
C.5
Senior information security officer
C.6
Authorizing official
C.7
Authorizing official designated representative
9
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
C.8
Common control provider
C.9
Information system owner
C.10
Information system security officer
C.11
Information security architect
C.12
Information system security engineer
C.13
Security control assessor
D. Understand and Describe How the RMF Process Relates to:
D.1
Organization-wide risk management
D.2
Enterprise and information security architecture
D.3
Information System boundaries
D.4
Authorization decisions
D.5
Security control assessor independence
D.6
Security controls in external environments (e.g., third-party, cloud)
D.7
Security control allocation (e.g., resources, common controls, component level)
E. Understand the Relationship between the RMF and System Development Life
Cycle (SDLC)
E.1
Promote security integration within SDLC (e.g., policy, procedures, standards)
E.2 Collaborate with stakeholders (e.g., integrated project teams, architects,
developers, management)
F. Understand Legal, Regulatory, and Other Security Requirements
F.1
Federal information security and privacy legislation
F.2
Office of Management and Budget (OMB)
F.3
Committee on National Security Systems (CNSS)
F.4
National Institute of Standards and Technology (NIST) publications
10
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
2) CATEGORIZATION OF INFORMATION SYSTEMS
Overview
Categorization of an information system is based on an impact analysis. It is performed to
determine the types of information included within the security authorization boundary, the
security requirements for the information types, and the potential impact on the organization
resulting from a security compromise. The result of the categorization is used as the basis for
developing the security plan, selecting security controls, and determining the risk inherent in
operating the system.
Key Areas of Knowledge
A. Categorize the System
A.1
Identify the information types
A.2
Determine confidentiality, integrity, and availability values
A.3
Determine potential impact on organizations and individuals
A.4
Categorize information types
A.5
Categorize information system
A.6
Document categorization in the Security Plan (SP)
A.7
Perform Privacy Threshold Analysis and Privacy Impact Assessment
B. Describe the Information System (Including the Security Authorization
Boundaries)
C. Register the System
11
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
3) SELECTION OF SECURITY CONTROLS
Overview
The security control baseline is established by determining specific controls required to protect
the system based on the security categorization of the system. The baseline is tailored and
supplemented in accordance with an organizational assessment of risk and local parameters.
The security control baseline, as well as the plan for monitoring it, is documented in the security
plan (SP).
Key Areas of Knowledge
A. Identify and Document Common (Inheritable) Controls
B. Select, Tailor, and Document Security Controls
C. Develop Security Control Monitoring Strategy
D. Review and Approve SP
12
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
4) SECURITY CONTROL IMPLEMENTATION
Overview
The security controls specified in the security plan are implemented after taking into account
the minimum organizational assurance requirements. The security plan describes how the
controls are to be employed within the information system and its operational environment. The
security assessment plan documents the methods for testing controls and the expected results
throughout the system life-cycle.
Key Areas of Knowledge
A. Implement Selected Security Controls
B. Document Security Control Implementation
13
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
5) SECURITY CONTROL ASSESSMENT
Overview
The security control assessment follows the approved plan, including defined procedures, to
determine the effectiveness of the controls in meeting security requirements of the information
system. The results are documented in the security assessment report.
Key Areas of Knowledge
A. Prepare for Security Control Assessment
A.1
Establish objectives and scope
A.2
Establish points of contact, provide notifications and timelines
A.3
Select security control assessor (e.g., independence, competency)
A.4 Collect and review artifacts (e.g., previous assessments, system documentation,
policies)
B. Develop Security Control Assessment Plan
B.1
Determine security assessment methods and level of effort
B.2 Obtain necessary approvals (e.g., security assessment plan, rules of
engagement, resources)
C. Assess Security Control Effectiveness
C.1
Apply standard assessment methods (e.g., examine, interview, test)
C.2
Collect and inventory assessment evidence
D. Develop Initial Security Assessment Report (SAR)
D.1
Analyze assessment results
D.2
Determine root causes of identified weaknesses
D.3
Propose remediation actions
E. Review Interim SAR and Perform Initial Remediation Actions
E.1
Determine initial risk responses
E.2
Apply initial remediations
E.3
Reassess and validate the remediated controls
F. Develop Final SAR and Optional Addendum
14
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
6) INFORMATION SYSTEM AUTHORIZATION
Overview
Any residual risk identified during the security control assessment are evaluated and a decision
is made to authorize the system to operate, deny its operation, or remediate the deficiencies.
Associated documentation is prepared and/or updated depending on the authorization
decision.
Key Areas of Knowledge
A. Develop Plan of Action and Milestones (POAM) (e.g., Resources, Schedule,
Requirements)
B. Assemble Security Authorization Package
C. Determine Risk
D. Determine the Acceptability of Risk
E. Obtain Security Authorization Decision
15
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
7) MONITORING OF SECURITY CONTROLS
Overview
After an Authorization to Operate (ATO) is granted, ongoing continuous monitoring is performed
on identified security controls as well as the physical environment in which the system operates.
Changes to the system or its operational environment are documented and analyzed. The
security state of the system is reported to designated officials. Significant changes will cause the
system to re-enter the security authorization process. Otherwise, the system will continue to be
monitored on an ongoing basis in accordance with the organizations monitoring strategy.
Key Areas of Knowledge
A. Determine Security Impact of Changes to System and Environment
B. Perform Ongoing Security Control Assessments (e.g., Continuous Monitoring,
internal and external assessments)
C. Conduct Ongoing Remediation Actions (resulting from incidents,
vulnerability scans, audits, vendor updates, etc)
D. Update Key Documentation (e.g., SP, SAR, POAM)
E. Perform Periodic Security Status Reporting
F. Perform Ongoing Risk Determination and Acceptance
G. Decommission and Remove System
16
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
REFERENCES
Document Version Title/Subject URL Date
5 U.S.C. 552a N/A Privacy Act of 1974
http://www.justice.gov/opcl/privstat.htm
January 1, 1974
CNSS Instruction No. 1253a Version 1
Committee on National Security
Systems Instruction (CNSSI) No.
1253a SECURITY CONTROL
OVERLAYS TEMPLATE
http://www.cnss.gov/Assets/pdf/Final_CNSSI_1253a.pdf
March 2012
FIPS 199
Standards for Security
Categorization of Federal
Information and Information
Systems
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-
final.pdf
February 1, 2004
FIPS 200
Minimum Security Requirements
for Federal Information and
Information Systems
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-
march.pdf
March 1, 2006
NIST SP 800-18 Rev.1
Guide for Developing Security
Plans for Information Technology
Systems
http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-
18-Rev1-final.pdf
February 1, 2006
NIST SP 800-30 Rev.1
Guide for Conducting Risk
Assessments
http://csrc.nist.gov/publications/nistpubs/800-30-
rev1/sp800_30_r1.pdf
September, 2012
NIST SP 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-
34-rev1_errata-Nov11-2010.pdf
November 11,
2010
NIST SP 800-37 Rev.1
Guide for Applying the Risk
Management Framework to
Federal Information Systems: A
Security Life Cycle Approach
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-
37-rev1-final.pdf
February 22, 2010
17
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
Document Version Title/Subject URL Date
NIST SP 800-39 Final
Managing Information
Security Risk
http://csrc.nist.gov/publications/nistpubs/800-
39/SP800-39-final.pdf
March 2011
NIST SP 800-40 v.2
Creating a Patch and
Vulnerability Management
Program
http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-
40v2.pdf
November 1,
2005
NIST SP 800-41 Rev. 1
Guidelines on Firewalls and
Firewall Policy
http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-
41-rev1.pdf
September
2009
NIST SP 800-47
Security Guide for
Interconnecting Information
Technology Systems
http://csrc.nist.gov/publications/nistpubs/800-47/sp800-47.pdf
August 1, 2002
NIST SP 800-50 Final
Building an Information
Technology Security Awareness
and Training Program
http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-
50.pdf
October, 2003
NIST SP 800-53 Rev. 4
Security and Privacy Controls for
Federal Information Systems and
Organizations
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
53r4.pdf
April 2013
NIST SP 800-53A
Rev. 1
Guide for Assessing the Security
Controls in Federal Information
Systems
http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-
53A-rev1-final.pdf
June, 2010
NIST SP 800-55 Rev. 1
Performance Measurement
Guide for Information Security
http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-
55-rev1.pdf
July 1, 2008
NIST SP 800-59
Guideline for Identifying an
Information System as a National
Security System
http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf
August 2003
NIST SP 800-60 Rev. 1
Guide for Mapping Types of
Information and Information Systems
to Security Categories: (2 Volumes)
- Volume 1: Guide Volume 2:
Appendices
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-
60_Vol1-Rev1.pdf
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-
60_Vol2-Rev1.pdf
June 1, 2004
18
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
NIST SP 800-144
Guidelines on Security and
Privacy in Public Cloud
Computing
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-
144.pdf
December 2011
Document Version Title/Subject URL Date
NIST SP 800-61 Rev. 2
Computer Security Incident
Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-
61rev2.pdf
August, 2012
NIST SP 800-64 Rev. 2
Security Considerations in the
System Development Life Cycle
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-
64-Revision2.pdf
October 1, 2008
NIST SP 800-83
Guide to Malware Incident
Prevention and Handling
http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
November 1,
2005
NIST SP 800-88 Guidelines for Media Sanitization
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-
88_rev1.pdf
September, 2006
NIST SP 800-92
Guide to Computer Security Log
Management
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
September 1,
2006
NIST SP 800-100
Information Security Handbook:
A Guide for Managers
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-
Mar07-2007.pdf
October 1, 2006
NIST SP 800-115
Technical Guide to Information
Security Testing
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-
115.pdf
September, 2008
NIST SP 800-122
Guide to Protecting the
Confidentiality of Personally
Identifiable Information (PII)
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-
122.pdf
April 22, 2010
NIST SP 800-128
Guide for Security-Focused
Configuration Management of
Information Systems
http://csrc.nist.gov/publications/nistpubs/800-128/sp800-
128.pdf
August 2011
NIST SP 800-137
Information Security Continuous
Monitoring for Federal
Information Systems and
Organizations
http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-
Final.pdf
September 2011
19
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
Document Version Title/Subject URL Date
OMB M-04-04 E-Authentication Guidance
http://www.whitehouse.gov/omb/memoranda_2004
Dec 16, 2003
OMB M-04-15
Development of Homeland
Security Presidential Directive
(HSPD) 7 Critical Infrastructure
Protection Plans to Protect
Federal Critical Infrastructures
and Key Resources
http://www.whitehouse.gov/omb/memoranda_2004
June 17, 2004
OMB M-03-22
OMB Guidance for
Implementing the Privacy
Provisions of the E-Government
Act of 2002
http://www.whitehouse.gov/omb/memoranda_2003
Sept 30, 2003
OMB M-01-05
Guidance on Inter-Agency
Sharing of Personal Data-
Protecting Personal Privacy
http://www.whitehouse.gov/omb/memoranda_2001
March 9, 2001
OMB M-00-13
Privacy Policies and Data
Collection on Federal Websites
http://www.whitehouse.gov/omb/memoranda_2000
June 22, 2000
OMB M-00-15
OMB Guidance on
Implementing the Electronic
Signatures in Global and
National Commerce Act
http://www.whitehouse.gov/omb/memoranda_2000
Sept 25, 2000
OMB Circular A-11
Preparation, Submission, and
Execution of the Budget
http://www.whitehouse.gov/omb/circulars_a11_current_year
_a11_toc
July 1, 2007
20
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
Document Version Title/Subject URL Date
OMB Circular A-123
Managements Responsibility for
Internal Control
http://www.whitehouse.gov/omb/assets/omb/circulars/a123/
a123_rev.pdf
December 21,
2004
OMB Circular A-130
Revised,
(Transmittal
Memorandu
m No. 4)
Management of Federal
Information Resources
http://www.whitehouse.gov/omb/circulars_a130_a130trans4
November 28,
2000
Section 3541 Title 44 U.S.C.
Title III-
Information
Security
Federal Information Security
Management Act of 2002
http://uscode.house.gov/download/pls/44C35.txt
January 1, 2002
21
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
GENERAL EXAMINATION INFORMATION
Paper Based Test (PBT)
General Information The doors to all examination rooms will open at 8:00a.m. Examination
instructions will begin promptly at 8:30a.m. All examinations will begin at approximately 9:00a.m.
The maximum duration of the CISSP exam is 6 hours. The maximum duration of all other exams except
the CSSLP is 3 hours. The CSSLP candidates are allowed a maximum of 4 hours to complete the
exam.
Please note there will be no lunch break during the testing period. However, you are permitted to bring
a snack with you. You may, at your option, take a break and eat your snack at the back of the
examination room. No additional time will be allotted for breaks.
Examination Admittance Please arrive at 8:00a.m. when the doors a r e opened. Please bring your
admission letter to the examination site. In order to be admitted, photo identification is also required.
You will not be admitted without proper identification. The only acceptable forms of identification are
a drivers license, government-issued identification card, or passport. No other written forms of
identification will be accepted.
Examination Security Failure to follow oral and written instructions will result in your application being
voided and application fee being forfeited. Conduct that results in a violation of security or disrupts the
administration of the examination could result in the confiscation of your test and your dismissal from
the examination. In addition, your examination will be considered void and will not be scored.
Examples of misconduct include, but are not limited to, the following: writing on anything other than
designated examination materials, writing after time is called, looking at another candidates examination
materials, talking with other candidates at any time during the examination period, failing to turn in all
examination materials before leaving the testing room.
You must not discuss or share reference materials or any other examination information with any
candidate during the entire examination period. You are particularly cautioned not to do so after
you have completed the exam and checked out of the test room, as other candidates in the area
might be taking a break and still not have completed the examination. You may not attend the
examination only to review or audit test materials. You may not copy any portion of the examination for
any reason. No examination materials may leave the test room under any circumstances and all
examination materials must be turned in and accounted for before leaving the testing room. No
unauthorized persons will be admitted into the testing area.
Please be further advised that all examination content is strictly confidential. You may only
communicate about the test, or questions on the test, using the appropriate comment forms
provided by the examination staff at the test site. At no other time, before, during or after the
22
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited 1.16.14, V6
Certified Authorization Professional CAP
Candidate Information Bulletin
Effective Date September 2013
examination, may you communicate orally, electronically or in writing with any person or entity
about the content of the examination or individual examination questions.
Reference Material Candidates writing on anything other than examination materials distributed by
the proctors will be in violation of the security policies above. Reference materials are not allowed in
the testing room. Candidates are asked to bring as few personal and other items as possible to the testing
area.
Hard copies of language translation dictionaries are permitted for the examination, should you
choose to bring one to assist you with language conversions. Electronic dictionaries will not be
permitted under any circumstances. The Examination Supervisor will fully inspect your dictionary at
check-in. Your dictionary may not contain any writing or extraneous materials of any kind. If the
dictionary contains writing or other materials or papers, it will not be permitted in the examination
room. Additionally, you are not permitted to write in your dictionary at any time during the
examination, and it will be inspected a second time prior to dismissal from the examination. Finally,
(ISC) takes no responsibility for the content of such dictionaries or interpretations of the contents by a
candidate.
Examination Protocol While the site climate is controlled to the extent possible, be prepared for either
warm or cool temperatures at the testing center. Cellular phones and beepers are prohibited in the
testing area. The use of headphones inside the testing area is prohibited. Electrical outlets will not
be available for any reason. Earplugs for sound suppression are allowed. No smoking or use of
tobacco products will be allowed inside the testing area. Food and drinks are only allowed in the
snack area located at the rear of the examination room. You must vacate the testing area after you have
completed the examination. If you require special assistance, you must contact (ISC) Candidate
Services (see address at the bottom of this document) at least one week in advance of the examination
date and appropriate arrangements will be made. Due to limited parking facilities at some sites, please
allow ample time to park and reach the testing area.
Admission Problems A problem table for those candidates who did not receive an admission notice or
need other assistance will be available 30 minutes prior to the opening of the doors.
Examination Format and Scoring
The CISSP
examination consists of 250 multiple choice questions with four (4) choices each.
The CSSLP
examination consists of 175 multiple choice questions with four (4) choices each.
The HCISPP
SM
examination contains 125 multiple choice questions with four (4) choices each.
The CSCCP
SM
examination contains 125 multiple choice questions with four (4) choices each.
The CCFP examination contains 125 multiple choice questions with four (4) choices each.
The SSCP
examination contains 125 multiple choice questions with four (4) choices each.
The ISSAP
, ISSEP
, and ISSMP
examination consists of 250 multiple choice questions with four (4) choices each.
The CSSLP
examination consists of 175 multiple choice questions with four (4) choices each.
The HCISPP examination contains 125 multiple choice questions with four (4) choices each.
The CSCCP
SM
examination contains 125 multiple choice questions with four (4) choices each.
The CCFP
SM
examination contains 125 multiple choice questions with four (4) choices each.
The SSCP
examination contains 125 multiple choice questions with four (4) choices each.
The ISSAP
, ISSEP
, and ISSMP