Introduction and Objectives
Certified Cyber Attack Simulation Professional (CCASP)
Framework and structure
With the aim to further enhance the cyber resilience of the banking sector in Hong Kong, the Hong Kong Monetary Authority (HKMA) has announced the Cybersecurity Fortification Initiative (CFI) in May 2016.
The CFI features the common core competences required of cybersecurity practitioners in the Hong Kong banking industry. The objectives of the CFI are twofold:
(a) To train and nurture cybersecurity practitioners in the AIs and the information technology industry; and
(b) To enhance their cybersecurity awareness and technical capabilities of conducting cyber resilience assessments and simulation testing
The CFI consists of three pillars: Cyber Resilience Assessment Framework (C-RAF), Professional Development Programme (PDP), and Cyber Intelligence Sharing Platform (CISP).
Under the PDP, the HKMA is working with Hong Kong Institute of Bankers (HKIB) and Hong Kong Applied Science and Technology Research Institute (ASTRI) to develop a localized certification scheme – Certified Cyber Attack Simulation Professional (CCASP) and training programme for cybersecurity professionals.
CCASP is also supported by the Council of Registered Ethical Security Testers (CREST) International.
Please refer to HKMA circular on “Cybersecurity Fortification Initiative” for details.
Scope of Application
The CFI is targeted at “Relevant Practitioners”, including new entrants and existing practitioners, engaged by an authorized institution to perform cybersecurity roles in Hong Kong.
Qualification Structure and Syllabus
The qualification structure of CCASP comprises three levels:
(a) The Practitioner Level
The entry level that aims at individuals with around 2,500 hours relevant and frequent experience in IT or security area.
(b) The Registered Level
By passing the examination in this level, an individual is demonstrating his/her commitment as an information security tester. Typically, candidates wishing to sit a Registered Tester examination should have at least 6,000 hours (three years or more) relevant and frequent experience.
(c) The Certified Level
This level is designed to set the benchmark for senior testers: These are the certifications to which all testers aspire. By gaining the CCASP Certified Tester certification, one is recognized as an information security specialist.
Upon successful completion of the examination, candidates would receive certificates from both CREST and HKIB.
|Passing the Exam of||HKIB Certificates
(Certified Cyber Attack Security Professionals – CCASP)
CCASP Practitioner Security Analyst
|Certificate for CCASP Practitioner Security Analyst||Certificate for CREST Practitioner Security Analyst|
|CCASP Registered Tester||Certificate for CCASP Registered Tester||Certificate for CREST Registered Tester|
|Certified Infrastructure Tester||Certificate for CCASP Certified Infrastructure Tester||Certificate for CREST Certified Infrastructure Tester|
|Certified Web Application Tester||Certificate for CCASP Certified Web Applications Tester||Certificate for CREST Certified Web Applications Tester|
|Certified Simulated Attack Manager||Certificate for CCASP Certified Simulation Attack Manager||Certificate for CREST Certified Simulation Attack Manager|
|Certified Simulated Attack Specialist||Certificate for CCASP Certified Simulation Attack Specialist||Certificate for CREST Certified Simulation Attack Specialist|
Program and Examination Enrollment
Applicant should complete and sign the Application Form, together with the appropriate programme and/or examination fee, and return by fax or email, or by hand to HKIB Office on or before the corresponding enrollment deadline.
The Programme is open to members and non-members of the HKIB. Participants should possess a minimum of at least three (3) years of experience in IT, security area. The course is ideally suited to anyone looking to improve their career prospects or transitioning into a cybersecurity role, including:
(a) Networking engineers;
(b) Systems administrations;
(c) System architects or developers;
(d) IT security officers;
(e) Information security professionals; And/or
(f) Budding penetration testers
Candidates are suggested to take the training by CCASP accredited training providers before taking the exam. However, the training lessons are not compulsory for the exam.
The classroom based training includes group discussion, lecture with handouts and group exercise.
|Subject||Training Duration (Days)||Examination Format||Passing Mark|
|CCASP Practitioner Security Analyst||2||
|CCASP Registered Tester||2||
|Certified Infrastructure Tester||3||
|Certified Web Application Tester||3||
|Certified Simulated Attack Manager||TBC||
|Certified Simulated Attack Specialist||TBC||
|Written Examination||Peason Vue
Office B, 18/F, China Overseas Building, 139 Hennessy Road, Wanchai
|Practical Examination||Hong Kong Applied Science and Technology Research Institute Company Limited
5/F, Photonics Centre, 2 Science Park East Avenue, Hong Kong Science Park, Shatin, N.T. Hong Kong