CPP Requirements and Exam Information
Before candidates can take the CPP exam, they must first meet the CPP eligibility requirements. These entail meeting one or more of the following qualifications:
- Nine years of security experience, at least three of which must involve responsibility for a security function.
- A bachelor's degree (or a more advanced degree) from an accredited institution of higher learning, plus seven years of security experience, at least three of which must involve responsibility for a security function. Official transcripts are necessary if education is to be counted.
These requirements are a bit more stringent than those for other security certifications, so be prepared to furnish the necessary documentation if you decide to pursue this credential. The responsibility clause aside, however, any network or systems administration position that includes security aspects qualifies toward the experience requirements.
Assuming that you can meet the eligibility requirements, the next item on the agenda is the CPP exam. It's what ASIS calls a "generalist" exam that covers a broad range of security topics and issues. Detailed preparation in all areas is highly recommended to maximize your chances of passing. The topics for the exam fall into seven major categories:
- Security Management. (Thirty-eight percent of questions come from this area.) This area covers management-related security issues for countermeasures, financial management, management systems, personnel management, vulnerability and risk assessments, policies, internal and external relations, identification and disposition of abusers, prevention programs, types of security solutions, loss prevention, liaison with security organizations and law enforcement, and substance abuse issues.
- Investigations. (Fifteen percent of questions come from this area.) This area covers legal, ethical, and procedural matters and methods relevant to security investigations. This includes investigative resources, methods of investigation, results and reports of investigation, and types of investigations.
- Legal Aspects. (Seven percent of questions come from this area.) Legal matters pertaining to formulation, implementation, and enforcement of security policies and procedures fall into this area. This includes administrative and regulatory agency requirements, civil liability torts, civil rights and fair employment practices, contract considerations, crimes, criminal procedures and the criminal justice system, and due process and constitutional immunities.
- Personnel Security. (Nine percent of questions come from this area.) Issues related to personnel management and security fall into this area. This includes employee selection and retention standards, evaluation of employee information, screening techniques, security awareness programs, and disciplinary actions.
- Physical Security. (Nineteen percent of questions come from this area.) Issues related to physical access to facilities, equipment, data, and related controls fall into this area. This includes employee and visitor control; alarms; barriers; facility planning; guard patrols and weapons; materials controls; mechanical, electrical, and electronic devices and equipment; perimeter boundaries, gates, and lobbies; protective lighting; security surveys; and parking, traffic control, communications, and security transportation.
- Protection of Sensitive Information. (Six percent of questions come from this area.) Issues related to protection and access controls to sensitive paper and electronic data fall into this category. This includes control, identification methods, and assessments of sensitivity and risk of exposure/disclosure.
- Emergency Management. (Six percent of questions come from this area.) Issues related to interruptions of access, service, or communications fall into this category. This includes formulation and implementation of disaster recovery or business continuity plans, plus identification of likely scenarios requiring recovery and contingencies designed to counteract them.
Although this exam has a decidedly management flavor and emphasizes numerous topics beyond IT-specific concerns, it shares with many other security certifications a keen awareness that physical and human security issues, policies, and procedures are every bit as important as data, systems, and network security issues.