How to Ace Your SABSA Advanced Security Architecture Exam — Part I

Esther Schagen-van Luit
Apr 11, 2020

I had the pleasure of participating in both the SABSA A1 and SABSA A3 courses in February/March 2019. Doing the course and passing the exam that follows are two very different things. The official period for submitting your exam is four weeks — hardly anyone is actually able to do that. This blog is about my journey in the past year of doing my SABSA A1 Exam.

First up, what kind of exam is it?

There are three kinds of certifications in the SABSA world:

SABSA SCF (Chartered Foundation). The foundation level is the easiest title to get. You do a week-long course with an accredited training provider and pass a multiple-choice exam. There are over 4000 SCFs in 74 countries across the world!

SABSA SCP (Chartered Practitioner). The SCP level requires you to complete one Advanced Level module. There are five Advanced Level modules:

  • A1 — Advanced SABSA Risk, Assurance & Governance
  • A2 — Advanced SABSA Architecture Program Management
  • A3 — Advanced SABSA Architecture Design
  • A4 — Advanced SABSA Incident, Monitoring & Investigations Architecture
  • A5 — Advanced SABSA Business Continuity and Crisis Management

Each A[X] Module needs to be taught by a SABSA Master employed by a licensed training provider. In practice only A1 and A3 are common options for A[X] modules in any geography. After a week-long training course you receive a paper with five exam questions. You need to pick two questions to answer in an exam paper. The two papers are dual-marked by two SABSA Masters and you need to get 75% on the papers to pass for SCP. Like I said, this is much harder — there are only around 300 SCPs in the world.

SABSA SCM (Chartered Master). After having obtained the title of SCP, you have to:

  1. Do another A[X] course and complete another two exam papers.
  2. Write an SCM thesis. Like a thesis for university, this is seen as the crowning achievement of your SABSA career. You’re supposed to do at least 3 months of research and write 10,000–25,000 words. This should be a novel application of the SABSA framework and must be original work.
  3. Prove your real-life security architecture experience with 5 years of general security experience, 3 years of security architecture experience and 3 applications or projects using SABSA.

That is a lot. As you can imagine, there are only 12 SABSA Masters in the world. And I intend to be the first female one, ha! And perhaps the youngest.

Why all the fuss?

The SABSA Institute (TSI) believes that one can’t measure true proficiency with a multiple-choice exam. And I agree. I do think they might have made it into a real challenge for full-time working professionals to get the SCP and SCM. The SABSA Institute makes use of a framework called Bloom’s Taxonomy.

The Foundation exam verifies one’s knowledge and comprehension. As you can imagine, a multiple-choice exam suffices for testing that. The questions in the Advanced SABSA Exams ask one to deliver on certain ‘competency words’. For instance, a question asks to ‘deliver X’. This means that you should supply, provide, or present to the stakeholder. Every question has some competency words for level 3 (application) and level 4 (analysis) — these are worth max 10 points. This is the level of understanding that TSI associates with being an SCP. Each question also has some competency words for level 5 (synthesis) and level 6 (evaluation). These are associated with being a SABSA Master (SCM). Candidates are expected to show off mastery of all competency levels in the SCM thesis.

What’s taking me so long?

So, since I did two courses in one go I needed to submit 4 exam papers. In part, that just seemed very daunting at the time. In part, life happened. I spent a lot of time preparing my promotion, my talks for the COSAC conference that year, bla bla bla. But in part there were also some concrete content hurdles! I’ll spend the next article on how I addressed some of these, including:

  1. Picking a case study as I can’t use my own company or any of my clients if I ever want to re-use some of my exam materials.
  2. Determining what the actual question is (trust me, not that easy).
  3. Figuring out how to answer the question without writing 100 pages.
  4. Making sense of conflicting materials to base my SABSA approach on.
  5. How to structure the answers within the limitations of a Word document.

And so you see, there were many issues to be tackled before I even got one letter written down…
