M**O
Oldie but Goodie
It’s old, but still the best resource to pass the ISSAP
L**N
Much improved; most of what you need, not all though
Three part review below:
1) 2nd ed. vs. 1st ed. text comparison. (NOTE - CIB = Candidate Information Bulletin, downloaded 8/13).
2) Opinion on exam prep usefulness, and what I did to actually pass the ISSAP exam.
3) Opinion on usefulness for the Security Architect role. (ISSAP + SABSA = winner).

PART ONE: After purchasing the prior edition and this edition, I'll run through two sections for this review so you can get an idea of text improvements below. Physically speaking - the 2nd edition has much larger font for the majority of the text - but not the tables and figures. Yes, the font got SMALLER in many of the tables and figures (like the attack vectors table). Some of the figures were visually changed - but not the content.

Note - this is a *reference* text designed to provide *essential* coverage of key topics - it will not replace in-depth reading. For example - there are several summary / key points pages on the Common Criteria, which is several hundred pages itself as a source doc. Many of the relevant NIST docs are highly summarized as well.

Technical BCP: In particular, the Technical BCP section has expanded/improved (a common criticism of the 1st edition). There are many footnotes spread throughout the text to augment the text. There is an improved BIA discussion. The BCP section also now includes an "architecture focused" discussion of the domain. One really nice - and useful in real life - section in the 2nd edition is the "walk through of a DR Plan" with emphasis for the Security Architect.

Security Architecture: Based on the ToC, the domain has changed names; content is similar, though (I don't have the prior ISC2 CIB to know). I did notice some additional paragraphs after the "attack vector" table which make critical points - vector is NOT the same as payload, for example. Some of the attack vectors were also improved, along with a few new ones. The "Common Criteria" support tables discussion has also improved in content, keeping current w/ updates to the CC. The CMM model has improved, along with changes to the figures and expansion of the text. The architectural solutions section has some updated text, but the figure in the 2nd edition (4.6, 4.3 in the 1st) got smaller! The DODAF 2.02 is now current (improved also, assume it had corrections applied - I assume, I've never read the original DODAF). The 1st edition discussed DODAF 2.0.

PART TWO: I've been in the technical security business (engineering, three SIEM implementations, eDiscovery/incident response, policy/procedure, design, architecture) for 10+ years, have taught the CISSP curriculum for SANS, and participated in two update cycles for the ISC2 CISSP material. With all that, here is what I did to pass the exam. If you have breadth and hands-on technical depth in your career, TAKE THE EXAM!!!!
A) Read the "Access Control" and "Security Architecture Analysis" sections completely (get their language).
B) Skimmed the Technical BCP section (like, 15 minutes).
C) Used the 36 page ISSAP mind maps from "expandingsecurity.com". These were a GREAT resource. Use them and this book. Spent hrs. w/ these.
D) Read the Wikipedia articles for CIB topics that weren't in the book ToC (maybe a few hours).
E) Did not read "telecom" and "physical" chapters - I'd skimmed those a while back, when I got the first edition, glanced at the ToC.
Passed exam.

The other thing that REALLY helped was the SABSA Foundation course - many of the thinking/synthesis concepts in that course are highly relevant to the ISSAP discipline (you can see this in the book). I suggest the "Enterprise Security Architecture" blue book as well for your prep.

Will this textbook help you? Sure it will, especially if you are "young in the tooth" when it comes to technical security architecture. It will help you find your weak spots. It aligns with most of the Q2/2013 CIB. It has been refreshed/updated, with more complete CIB coverage. However, if you want 100% coverage of the CIB, you need to look for a few more resources. For example - I could not find "Service Oriented Modeling Framework" or "Supervisory Control And Data Acquisition" in the ToC, the index (on the CIB), or the most likely sections in the text. I double checked, skimmed - not there, as far as I can tell. No comment if these concepts were on the test or not!

PART THREE: As a principal enterprise and security architect of a Fortune 500 healthcare company, I've often wanted to augment my credential set with the ISC2 ISSAP. About two years ago I attended the SABSA course - and while that course and model is the only preparation I've found for the business focused aspects of the "Security Architect" position, the ISSAP, on the other hand, as described in this text, is focused on assessing if someone has breadth and depth in the technical aspects of security architecture. As a consumer of both - the SABSA course and certification and the ISSAP certification - I am happy to have both, although SABSA is more relevant when it comes to working with the business.
P**Y
good security architecture book
Very good book which covers security architecture fundamentals to deep insights
K**N
This is a 7 year old book.
ISC2 needs to release a new version of this book reflecting the new domain structure and 7 years of updated IT technology. That said, there is a pretty limited set of materials out there for studying for this credential, so it's better than nothing.
D**N
Scrap it and start over
Bottom line: Most of the content covered in the book wasn't in the exam. Even if you find the writing style tolerable, the mismatch between the study guide and exam is what's offensive to me.

It feels to me like the authors were writing the book blind. ISC(2) ought to at least give the "endorsed" authors an NDA and let them browse through the question bank as they're writing. What they wrote in this book somehow managed to cover the topics in a way that didn't help on the exam.

I got sick of reading sentences like "It is important for the security architect to consider..." That phrase or a similar variant appears frequently. The whole first two chapters, as 1/2 of the book, were nothing but some light discourse on topics architects should be aware of. The writing sucks. It's painful to read. I feel like I'm the subject of someone's late night project that they were dreading to write. The authors didn't have fun; they stick to too many academic writing formalities, which bored the authors, and it shows.

Way too many topics are discussed as if the reader is an ignorant fool, like defining what a fingerprint reader is or what authentication is - topics which any CISSP already covered in way more detail before even starting ISSAP studying.

The networking chapter's author seems to only have a tiny knowledge on basic topics like a web DMZ, or thinks that the reader will be too dumb to grasp any real detail about them. There were several mentions of 56k dialup and modems, and large swaths of discussion seemed to focus more on giving a history lesson than trying to introduce the reader to details of modern technologies. The reader is warned about "mobile code" defined as JavaScript, VBScript, Java, and ActiveX as that can be malicious and "activated" when clicked. Well duh. I expected to read about mobile devices like phones when I saw the mobile code section heading. The networking chapter's author is also clearly specializing in Microsoft products at their work.

Cryptography was discussed a bit more nicely than the previous two chapters, but got bogged down in the details of PKI.

The author of Chapter 4 had some fun with the writing and made it more conversational, even though it still talks about email spreading viruses like that's new information. Even without some additional editing, Chapter 4 isn't dreadful to read like the first half of the book.

The end of chapter practice tests are hurriedly written, don't test meaningful topics, and I think I picked out at least two cases where the "correct" answer is plain wrong.
W**Z
Excellent book
Great for exam preparation!
A**R
CISSP, CISM, IT Security management, CISO, ISSAP, CEH, CGEIT - great to get these study materials so easily!
D**.
ISC2 should be ashamed...
This book is rife with typographical and formatting errors, is poorly organized, and has several technical inaccuracies / obsolete information. While organized in the same manner as the CBK with one chapter per domain, this makes for extremely long chapters (the first three being 100+ pages) with no hierarchical organization (it really should be in sections with multiple chapters per domain, or if not, have multiple sub-heading levels so you can move from topic to topic within a domain easily).

Highly relevant and accurate sections of this 2014 edition include PCM analog voice transmission, several pages on secure modems, and an in-depth (and not fully accurate) discussion of SSL 3.0 with only a mention of TLS. (SSL has been recommended for retirement for several years and finally was retired around the time of publishing, so a forward looking book should be dealing with TLS, or at least addressing migration from SSL to TLS in a forward looking manner.)

While the dated material may be due to an outdated CBK, in which case it will still be necessary for the exam (this is an exam prep book after all), ISC2 should be no less ashamed of that fact either.

Two stars assumes it will still be useful for the exam (I have not taken it yet).