The Certified Authorization Professional (CAP) certification from (ISC)2 confirms that you have the knowledge, skills and experience required for authorizing and maintaining information systems within the new Risk Management Framework as outlined in NIST SP 800-37 Rev 1. Commercial organizations, civilian and local governments, and the U.S. federal government - including the State Department and Department of Defense (DoD) - rely on your expertise to ensure that information systems not only have the appropriate security measures in place, but that they are also aligned with the organization's level of exposure to risk.
CAP certification candidates must have a minimum of 2 years of cumulative paid full-time work experience in information systems security authorization. The CAP examination tests the breadth and depth of a candidate's knowledge in the seven domains of the (ISC)2 CAP CBK (Common Body of Knowledge).
What job title do you have?
CAPs hold various job functions related to security authorization, including the following titles:
- Information system security officers (ISSOs)
- Information system security managers (ISSMs)
- Information assurance (IA) practitioners performing security authorization and continuous monitoring
- Executives "signing off" on Authority to Operate (ATO)
- Inspectors general (IGs) and auditors performing independent reviews
- Program managers developing or maintaining IT systems
What's a typical day like for a CAP?
A typical day revolves around activities that ensure information systems are aligned with the organization's overall risk management framework. CAPs spend time conducting continuous monitoring exercises, risk/vulnerability assessments and other authorization activities throughout the entire lifecycle of a system. Full-time CAPs employed by an organization often meet with management, engineers and security staff to gather requirements, inspect systems and understand how security controls are being implemented. In addition, they advise their organization on how to mitigate threats and develop policies and security plans. CAPs who work in a consultant or analyst role conduct short-term security authorizations on behalf of their clients.
What's your job setting like?
Some CAPs work in an office or cube environment at their organization, while others work remotely as consultants performing independent assessments. CAPs also often work in military or government/federal agencies, where they have privileged access to information systems.
What skill sets are most important to your job?
CAPs need to have a broad set of managerial, operational and technical skills. They must have a strong understanding of risk management, security architectures and associated threats so they can properly determine whether systems meet the organization's security requirements. Additionally, they must understand the system development lifecycle - from when a system is created to when it is disposed of - and the supporting security authorization activities required at each step along the way. They need to be critical thinkers with exceptional analytical and writing skills so they can review, interpret and develop security policies, procedures and other documentation. CAPs should understand the authorization process and be able to comprehend how vulnerabilities affect security authorization. They also need the interpersonal skills to work alongside engineers and system owners to evaluate implementations, assess the risks, and articulate the value proposition for completing assessment and authorization (A&A) activities.
If a security breach were to take place, what is your role in handling remediation and/or prevention?
CAPs are involved in advising, monitoring, directing and documenting the mitigation and response to the breach. They investigate what happened to identify system vulnerabilities and lessons learned, and use this knowledge to institute new policies and procedures that help prevent similar incidents in the future, as well as to recommend improvements that minimize the risk of future breaches.