Advance Your IT Career with CompTIA Advanced Security Practitioner (CASP)

Security concept bank vault door

Information security is one of the hottest IT career paths. As companies around the world seek to secure their infrastructure, they are creating tremendous demand for IT professionals skilled in the art of confidentiality, integrity and availability. While even entry-level security professionals command premium salaries, engineers with demonstrated security experience and skillsets are among the most coveted staffers in the industry.


The CompTIA Advanced Security Practitioner (CASP) certification program provides IT professionals with the opportunity to demonstrate that they not only know information security, but they possess the advanced knowledge necessary to build and maintain complex security programs. The certification goes beyond the entry-level Security+ program by requiring that candidates exhibit critical thinking skills that enable them to design, integrate and implement security technology within an enterprise environment.


Inside the CASP


CASP is a vendor-neutral security certification program that asks candidates to demonstrate detailed technical knowledge, but does not base its content on any particular product. The CASP program is a newcomer to the information security certification scheme. First started in 2011, the program positions itself between CompTIA's entry-level Security+ certification and the industry's premier professional certification: the Certified Information Systems Security Professional (CISSP) credential from the International Information Systems Security Certification Consortium (ISC)2.


You will need some experience to successfully pass the CASP exam. While the questions are not hands-on, they are complex and require thoughtful analysis across several security domains. For example, one of the sample questions on CompTIA's site reads:


"An IT Manager has requested that specific files stored on the company SAN containing data which is not protected by patent law, but is classified as trade secret, be encrypted with a block cipher which is both secure and fast. Which of the following BEST satisfies the request?"


While this question asks about encryption algorithms, candidates can't simply answer the question by recalling a fact, as they would on the Security+ exam. Successfully answering this question requires knowledge of encryption algorithms and intellectual property law combined with thoughtful cross-domain analysis.


CompTIA recommends that CASP candidates have at least 10 years of experience in IT administration with at least 5 years of hands-on technology experience. That said, there is no true experience requirement for the CASP credential. Anyone may take the exam. Truthfully, while you need some experience to take the exam, a couple of years of security work is probably sufficient. If you already have a decade of IT experience under your belt with five years of security experience, then you're probably better off setting your sights on the CISSP.


The CASP exam follows a typical certification exam format. You'll be asked a series of up to 80 questions across the domains of information security. Most of those will be multiple choice questions with either four or five answer choices, with a few performance-based questions sprinkled throughout the exam for good measure. Be aware that some of the questions may have multiple correct answers, asking you to choose all of the correct options — those are a little tricky! You're allotted 165 minutes to complete the exam, giving you a little more than two minutes per question, on average.


One catch with the CASP exam is that CompTIA does not provide any score information. When you receive your exam report, it will simply say whether you passed or failed the exam. They do note that they scale the scores and, presumably, some questions are weighted differently than others. Unfortunately, CompTIA's lips are sealed about the requirements and the passing rate for the examination.


The Five CASP Domains


CompTIA organizes the CASP exam objectives into five general categories of information that students must master. These include:


● Enterprise Security

● Risk Management and Incident Response

● Research and Analysis

● Integration of Computing, Communications and Business Disciplines

● Technical Integration of Enterprise Components


Each of these domains contains detailed objectives, available for download from the CompTIA website.


IT guy on the phone from the server room

The Enterprise Security domain covers the widest variety of material and constitutes the largest portion of the exam. You'll find that 30 percent of your exam questions cover topics within this domain. Some of the most difficult material on the CASP exam falls within this domain, asking you to learn the detailed intricacies of encryption algorithms, security concerns associated with enterprise storage, network security, endpoint security and application security.

The material on the exam delves deeply into enterprise security concepts, diving down far enough into the weeds to cover cross-site request forgeries (XSRF), heating, ventilation and air conditioning (HVAC) controller security and the four modes of the Data Encryption Standard (DES).


The second CASP domain, Risk Management and Incident Response, constitutes 20 percent of the examination and dives into some of the more business-oriented topics in security. You're expected to demonstrate knowledge of risk assessment and management, business considerations associated with security risks, security and privacy policies, and security incident response. Mastering this domain requires detailed knowledge of topics like electronic discovery, quantitative risk assessment, contract and agreement types and common security principles.


Moving on to the third domain, Research and Analysis, you'll learn important material that makes up 18 percent of the CASP exam. This domain includes coverage of industry trends, business analysis, and security scenario assessment. Questions in this domain may ask you to assess a given situation and then make recommendations about security controls appropriate to that scenario. Read carefully and remember that the questions here are asking about best practices in information security.


The fourth domain, Integration of Computing, Communications and Business Disciplines, makes up 16 percent of the exam. It includes topics related to collaboration across business units, appropriate communication and collaboration security controls and integrating security activities throughout the technology life cycle.


You're expected to know details about how security professionals with other functional units, securing video conferencing, email and other collaboration tools, and integrating security into the software development lifecycle (SDLC) and other technology/business processes.


This June, CompTIA will retire the original version of the CASP exam and replace it with CAS-002, a fully revised and updated version of the test. The biggest change in the curriculum is the addition of a fifth domain: Technical Integration of Enterprise Components. This domain constitutes the final 16 percent of the exam, or about a dozen questions. Most, if not all, of these questions will be scenario-based and cover topics related to integrating security controls within your enterprise environment, with a particular focus on authentication and authorization. You should be familiar with cloud hosting models, enterprise applications, identity federation and similar topics when tackling questions in this domain.


CASP and Your Career


The CASP fits neatly into the information security career path and its suitability for you will depend upon your current position and your career aspirations. If you're an information security professional with around three years of experience and aspirations to deepen your technical roots, then the CASP might be a perfect match for you. If you're new to the profession, you should probably start with the Security+ certification. If you have five years of experience and management aspirations, the CISSP might be a better path.


If you fit the CASP profile, you'll hopefully find that it is a career-enhancing move. Earning this certification will demonstrate to your current and prospective employers that you're serious about your career in information security and committed to taking the next step in your professional development. The CASP credential is a great way to position yourself for a senior engineering or team lead position. Good luck on your certification journey!


Would you like more insight into the history of hacking? Check out Calvin's other articles about historical hackery:
About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.