25 of 26 people found this review helpful
- Published on Amazon.com
Three part review below:
1) 2nd ed. vs. 1st ed text comparison. (NOTE - CIB = Candidate Information Bulletin, downloaded 8/13).
2) Opinion on exam prep usefulness, and what I did to actually pass the ISSAP exam.
3) Opinion on usefulness for the Security Architect role. (ISSAP + SABSA = winner).
PART ONE: After purchasing the prior edition and this edition, I'll run through two sections for this review so you can get an idea of text improvements below. Physically speaking - the 2nd edition has much larger font for the majority of the text - but not the tables and figures. Yes, the font got SMALLER in many of the tables and figures (like the attack vectors table). Some of the figures were visually changed - but not the content.
Note - this is a *reference* text designed to provide *essential* coverage of key topics - it will not replace in depth reading. For example - there are several summary / key points pages on the Common Criteria, which is several hundred pages itself as a source doc. Many of the relevant NIST docs are highly summarized as well.
Technical BCP: In particular, the Technical BCP section has expanded/improved (a common criticism of the 1st edition.) There are many footnotes spread throughout the text to augment the text. There is an improved BIA discussion. The BCP section also now includes an "architecture focused" discussion of the domain. One really nice - and useful in real life - section in the 2nd edition is the "walk through of a DR Plan" with emphasis for the Security Architect.
Security Architecture: Based on the ToC, the domain has changed names; content is similar, though (I don't have the prior ISC2 CIB to know). I did notice some additional paragraphs after the "attack vector" table which make critical points - vector is NOT the same as payload, for example. Some of the attack vectors were also improved, along with a few new ones. The "Common Criteria" support tables discussion has also improved in content, keeping current w/ updates to the CC. The CMM model has improved, along with changes to the figures and expansion of the text. The architectural solutions section has some updated text, but the figure in the 2nd edition (4.6, 4.3 in the 1st) got smaller! The DODAF 2.02 is now current (improved also, assume it had corrections applied - I assume, I've never read the original DODAF). The 1st edition discussed DODAF 2.0.
PART TWO: I've been in the technical security business (engineering, three SIEM implementations, eDiscovery/incident response, policy/procedure, design, architecture) for 10+ years, have taught the CISSP curriculum for SANS, and participated in two update cycles for the ISC2 CISSP material. With all that, here is what I did to pass the exam. If you have breadth and hands on technical depth in your career, TAKE THE EXAM!!!!
A) Read the "Access Control" and "Security Architecture Analysis" sections completely (get their language).
B) Skimmed the Technical BCP section. (like, 15 minutes).
C) Used the 36 page ISSAP mind maps from "expandingsecurity.com". These were a GREAT resource. Use them and this book. Spent hrs. w/ these.
D) Read the Wikipedia articles for CIB topics that weren't in the book ToC (maybe a few hours).
E) Did not read "telecom" and "physical" chapters - I'd skimmed those a while back, when I got the first edition, glanced at the ToC.
The other thing that REALLY helped was the SABSA Foundation course - many of the thinking/synthesis concepts in that course are highly relevant to the ISSAP discipline (you can see this in the book). I suggest the "Enterprise Security Architecture" blue book as well for your prep.
Will this textbook help you? Sure it will, especially if you are "young in the tooth" when it comes to technical security architecture. It will help you find your weak spots. It aligns with most of the Q2/2013 CIB. It has been refreshed/updated, with more complete CIB coverage. However, if you want 100% coverage of the CIB, you need to look for a few more resources. For example - I could not find "Service Oriented Modeling Framework" or "Supervisory Control And Data Acquisition" in the ToC, the index (on the CIB), or the most likely sections in the text. I double checked, skimmed - not there, as far as I can tell. No comment on whether these concepts were on the test or not!
PART THREE: As a principal enterprise and security architect of a Fortune 500 healthcare company, I've often wanted to augment my credential set with the ISC2 ISSAP. About two years ago I attended the SABSA course - and while that course and model are the only preparation I've found for the business focused aspects of the "Security Architect" position, the ISSAP, on the other hand, as described in this text, is focused on assessing if someone has breadth and depth in the technical aspects of security architecture. As a consumer of both - the SABSA course and certification and the ISSAP certification - I am happy to have both, although SABSA is more relevant when it comes to working with the business.