Ultimate Test Taking Clinic

In this course, we will explore everything good test takers do “prior” to taking a professional certification exam.

Security Plus SY0-401

The CompTIA Security+ Certification is a vendor neutral credential. The CompTIA Security+ exam is an internationally recognized validation of foundation-level security skills and knowledge, and is used by organizations and security professionals around the globe.

The CompTIA Security+ exam will certify that the successful candidate has the knowledge and skills required to identify risk, to participate in risk mitigation activities, and to provide infrastructure, application, information, and operational security. In addition, the successful candidate will apply security controls to maintain confidentiality, integrity, and availability, identify appropriate technologies and products, troubleshoot security events and incidents, and operate
with an awareness of applicable policies, laws, and regulations.
The CompTIA Security+ Certification is aimed at an IT security professional who has:

  • A minimum of 2 years experience in IT administration with a focus on security
  • Day to day technical information security experience
  • Broad knowledge of security concerns and implementation including the topics in the domain list below CompTIA Security+ is accredited by ANSI to show compliance with the ISO 17024 Standard and, as such, undergoes regular reviews and updates to the exam objectives.


The following CompTIA Security+ objectives reflect the subject areas in this edition of this exam, and result from subject matter expert workshops and industry-wide survey results regarding the skills and knowledge required of an information security professional with two years of experience.

This examination blueprint includes domain weighting, test objectives, and example content.
Example topics and concepts are included to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination.
The table below lists the domain areas measured by this examination and the approximate extent to which they are represented in the examination:

ISSMP – Information System Security Management Professional



Enterprise Security Management Practices

  • Enterprise Governance
  • Security Roles & Responsibilities

Enterprise-Wide System Development Security Domain

  • SDLC Security
  • System Testing
  • Certification and Accreditation

Overseeing Compliance of Security Operations

  • Operations Security Issues
  • Auditing
  • Compliance
  • Configuration Management
  • Penetration & Vulnerability Testing


  • BCP DRP Project Planning
  • BIA
  • Recovery Strategies
  • Plan Design

Law Investigation, Forensic and Ethics 

  • Information Security Laws
  • Elements of Investigations
  • Professional Ethics


CAP – Certification Authorization Professional

Security Authorization of IS

  • Introduction
  • Key Elements of an Enterprise System Authorization Program
  • NIST 800-37
  • System Authorization Roles and responsibilities
  • System Authorization Life Cycle
  • Why System Authorization Programs Fail
  • System Authorization Project Planning
  • System Inventory Process
  • Interconnected Systems

Information System Categorization

  • Introduction
  • Defining Sensitivity
  • Data Sensitivity and System Sensitivity
  • Sensitivity Assessment Process
  • Data Classification Approaches
  • Responsibility for Data Sensitivity Assessment
  • ranking Data Sensitivity
  • National Security Information
  • Criticality
  • Criticality Assessment
  • Criticality in the View of the System Owner
  • Raking Criticality
  • Changes in Criticality and Sensitivity
  • NIST Guidance on System Categorization

Establishment of the Security Control Baselines

  • Introduction
  • Minimum Security Baselines and Best Practices
  • Assessing Risk
  • System Security Plans
  • NIST Guidance on Security Control Selection

Application of Security Controls

  • Introduction
  • Security Procedures
  • Remediation Planning
  • NIST Guidance on Implementation of Security Controls

Assessment of Security Controls

  • Introduction
  • Scope of Testing
  • Level of Effort
  • Assessor Independence
  • Developing the Test Plan
  • Role of the Host
  • Test Execution
  • Documenting Test Results
  • NIST Guidance on Assessment of Security Control Effectiveness

Information System Authorization

  • Introduction
  • System Authorization Decision Making
  • Essential System Authorization Documentation
  • NIST Guidance on Authorization of IS

Security Controls Monitoring

  • Introduction
  • Continuous Monitoring
  • NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the IS

System Authorization Case Studies

  • Situation
  • Action Plan
  • Lessons Learned
  • Tools
  • Document Templates
  • Coordination
  • Role of the Inspector General
  • Compliance monitoring
  • Measuring Success
  • Project milestones
  • Interim Accreditation
  • Management Support and Focus
  • Results and future Challenges

The Future of the IS Authorization (Bonuses)

  • References
  • Glossary
  • Statement of Work
  • Sample Work Project Plan
  • Sample Project Wrap-Up Presentation Outline
  • Sample System Inventory Policy
  • Sample BIA
  • Sample Rules of Behavior (GSS)
  • Sample Rules of Behavior  (Major Application)
  • Sample System Security Plan Outline
  • Sample Memorandum of Understanding
  • Sample Interconnection Security Agreement
  • Sample Risk Assessment Outline
  • Sample Security Procedure
  • Sample Certification Test Results Matrix
  • Sample Risk Remediation Plan
  • Sample Certification Statement
  • Sample Accreditation Letter
  • Sample Interim Accreditation Letter
  • Certification and Accreditation Professional CBK


This course is the Step-By-Step guide to preparing for the Certified Information Systems Auditor CISA exam.    This is not an ISACA course or official training.  This is a classroom tried and true teaching method to prepare for advanced certifications.  The subject matter of CISA will specifically be used to demonstrate the method of instruction to teach the CISA Course.  All Trademarks are property of their respective owners.

This course covers

  • The Process of Auditing IS’s
  • Governance and Management of IT
  • Information Systems Acquisition, Development and Implementation
  • Information Systems Operations, Maintenance and Support
  • Protection of Information Assets


Practice Test Questions and Case Studies are used within this course.

ISSAP – Technology Related BCP & DRP

Planning Phases and Deliverables

  • Risk Analysis
    • Natural hazard Risks
    • Human-Made Risks and Threats
    • Industry Risks
    • Do Not Forget the Neighbors!
  • Business Impact Analysis
    • Data Stored in Electronic Form
    • Remote Replication and Off-Site Journaling
    • Backup Strategies
  • Selecting A Recovery Strategy for Technology
    • Cost-Benefit Analysis
    • Implementing Recovery Strategies
    • Documenting the Plan
    • The Human Factor
    • Logistics
    • Plan Maintenance Strategies
  • Sample Walk-Through DR Plan’s

ISSAP – Security Architecture Analysis


Risk Analysis

  • Quantitative Risk Analysis
  • Qualitative Risk Analysis
  • Risk Theory
  • Attack Vectors
  • Methods of Vector Attack
  • Attack By Email
  • Attack By Deception
  • Hoaxes
  • Hackers
  • Web Page Attack
  • Attack of the Worms
  • Malicious Macros
  • Instant Messaging, IRC, P2P File Sharing Networks
  • Viruses
  • Asset And Data Value
  • Corporate Versus Departmental Valuation
  • Business, Legal and regulatory Requirements

Product Assurance Evaluation Criteria

  • CC
  • TOE
  • EAL
  • EAL1-7
  • CC Assurance Paradigm
  • Significance of Vulnerabilities
  • The Causes of Vulnerabilities
  • Common Criteria Assurance

Assurance Through Evaluation

  • CC Assurance Scale
  • ISO/IEC 27000 Series
  • SEI
  • CMMI
  • Introducing the CMM
  • Sources of the CMM
  • Structure of the CMMI-DEV v1.3
  • Inter group Coordination
  • Peer Reviews
  • ISO 7498
  • Concepts of a Layered Architecture
  • Architectural Solutions

Architecture Frameworks

  • DoDAF
  • Zackman Framework

Design Process

  • System Security Engineering Methodologies
  • Design Validation
  • Certification
  • Peer Reviews
  • Documentation


ISSAP – Cryptography

Cryptography Principles

  • Applications of Cryptography
    • Benefits
    • Uses
    • Message Encryption
    • Security IP Communication
    • Remote Access
    • Secure IP Communication
    • Remote Access
    • Secure Wireless Communication
    • Others
    • Identification and Authentication
    • Storage Encryption
    • Electronic commerce
    • Software Code Signing
    • Interoperability
    • Methods of Cryptography
    • Symmetric
    • Block
    • Stream
    • Asymmetric
    • Hash Functions and MAC
    • DS
  • Vet Proprietary Cryptography &  Design Testable Cryptographic Systems
  • Computational Overhead & Useful Life

Key Management

  • Purpose of Keys and Key types
  • Cryptographic Strength and Key Size

Key Life Cycle

  • Key Creation
  • Key Distribution & Transit
  • Symmetric Keys Distribution
  • Public and Private Key Distribution
  • Key Storage
  • Key Update
  • Key Revocation
  • Key Escrow
  • Backup and recovery
  • Backup
  • Key recovery


  • Key Distribution
  • Certificate andKey Storage
  • PKI Registration
  • How Subject Proves its organizational Entity
  • Person Authenticates a request
  • Certificate Issuance
  • Trust Models
  • Subordinate Hierarchy
  • Cross-Certified Mesh
  • Certificate Chains
  • Certificate Revocation
  • Traditional CRL Model
  • Modified CRL-Based Models
  • Cross-Certification
  • How Applications use Cross-Certification
  • How Cross-Certification is set up
  • How Cross-Certification with a bridge CA is Implemented in Practice

Design Validation

  • Review of Cryptanalytic Attacks
  • Attack Models
  • Symmetric Attacks
  • Asymmetric Attacks
  • Hash Function Attacks
  • Network-Based Crytanalytic Attacks
  • Attacks Against Keys
  • Brute Force Attacks
  • Side-Channel Crytanalysis
  • Risk-Based Crypotgraphic Architecture
  • Identifying Risk and Requirements by Cryotographic Areas
  • Case Studies