For the first time ever, CompTIA is venturing beyond entry-level, first-step certifications with its planned introduction of a CompTIA Advanced Security Practitioner (CASP) credential. This cert aims to identify individuals with 10 years of IT admin experience, of which 5 or more years involve hands-on security experience. It should be interesting to see if they can pull this off...
Next week, CompTIA will play host to a gathering of information security practitioners in Downers Grove, IL, as they begin reviewing the scope and coverage of this new "Advanced" security credential. Although all the details are still being finalized, this table from the CompTIA CASP page sums up the general size and shape of the related exam:
The exam objectives are already available and reflect the stated aims of this certification, which are to cover "...the technical knowledge and skills required to conceptualize, design, and engineer secure solutions across complex enterprise environments. It involves applying critical thinking and judgment across a broad spectrum of security disciplines to propose and implement solutions that map to enterprise drivers."
Those objectives break down as follows:
Domain                                      % of Exam
1.0 Enterprise Security                     40%
2.0 Risk Mgmt, Policy/Procedure, & Legal    24%
3.0 Research & Analysis                     14%
4.0 Integration of computing, comm, &       22%
The detailed objectives for each of the four domains listed cover 9 pages, and do a fair amount of justice to the state of information security arts and sciences as practiced today. There's a much greater emphasis on hands-on security implementation, maintenance and management than you'll find in other security certs such as the CISSP, and more emphasis on widely used, current infosec tools and technologies. (There are also 5 pages of acronyms provided after the objectives, which comes to over 50% of the page space used to present those objectives!)
There's even a "CASP Proposed Hardware and Software List" at the end of those objectives, to suggest to candidates the kinds of equipment and software they might want to be familiar with before taking the exam (pp. 16-17). There's enough mention of IPv6 to make me think CompTIA is taking it seriously, and a pretty complete software toolbox so that the exam appears to have some auditing or forensics/diagnostics coverage as well as the more usual risk management, security policy design and delivery, and access control and role-based management models so important to other security certs.
All in all, this looks extremely interesting and reasonably well thought out. It will therefore be every bit as interesting to see what kind of splash CASP makes after its debut (CompTIA says "Tentative exam availability is scheduled for fall 2011"), and how well it's regarded and adopted in the marketplace.