Wednesday, October 19, 2011

SSCP (Systems Security Certified Professional)

The SSCP credential seems to be the most misunderstood and underappreciated of
those certifications offered by (ISC)². In actuality, it is one of the most critical and
essential in the field. This is because the work of the SSCP is where the effectiveness
of information security is implemented. Few CISSPs have the technical skills necessary
to perform the hands-on implementation of the information security controls
that they determine to be necessary to effectively protect the critical and sensitive
resources of the organization.

In a mainframe environment, the SSCP role is usually performed by systems
programmers assigned to the security department. Otherwise, it would be the
responsibility of a system or network administrator from operations.

The security role of the SSCP is twofold. First, they are responsible for the
due care activity of correctly implementing and maintaining designated security
mechanisms. Second, they are in the best position to accurately evaluate the effectiveness
of the installed controls—the due diligence side of the equation.

The SSCP certification domains are named after the seven major categories of
the SSCP Common Body of Knowledge (CBK). The CBK is a taxonomy of topics
and sub-topics that is updated annually by the SSCP CBK Committee composed
of international subject matter experts. Currently, the seven categories are:
◾ Access Control
◾ Analysis and Monitoring
◾ Cryptography
◾ Malicious Code
◾ Networks and Telecommunications
◾ Risk, Response, and Recovery
◾ Security Operations and Administration