2. Standards/baselines
3. Procedures
4. Guidelines
5. Documentation
Manage the information life cycle such as classification, categorization, and ownership.
Manage third-party governance such as onsite assessment, document exchange and review, and process/policy review.
Understand and apply risk management concepts.
1. Identify threats and vulnerabilities
2. Risk assessments/analysis such as qualitative, quantitative, and hybrid
3. Risk assignment/acceptance
4. Countermeasure selection
5. Tangible and intangible asset valuation
Manage personnel security.
1. Employment candidate screening such as reference checks, education, and verification
2. Employment agreements and policies
3. Employee termination processes
4. Vendor, consultant, and contractor controls
Develop and manage security education, training, and awareness.
Manage the security function.
1. Budget
2. Metrics
3. Resources
4. Develop and implement information security strategies
5. Assess the completeness and effectiveness of the security program
DOMAIN 4: SOFTWARE DEVELOPMENT SECURITY
The software development security domain refers to the controls that are included within systems and applications software and the steps used in their development. Software refers to system software (operating systems) and application programs (agents, applets, software, databases, data warehouses, and knowledge-based systems). These applications may be used in distributed or centralized environments.
The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.
Understand and apply security in the software development life cycle.
1. Development life cycle
2. Maturity models
3. Operation and maintenance
4. Change management
Understand the environment and security controls.
1. Security of the software environment
2. Security issues of programming languages
3. Security issues in source code such as buffer overflow, escalation of privilege, and backdoor
4. Configuration management
Assess the effectiveness of software security.
1. Certification and accreditation such as system authorization
2. Auditing and logging
3. Risk analysis and mitigation
DOMAIN 5: CRYPTOGRAPHY
The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity.
Procedures and protocols that meet some or all of the above criteria are known as cryptosystems. Cryptosystems are often thought to refer only to mathematical procedures and computer programs; however, they also include the regulation of human behavior, such as choosing hard-to-guess passwords, logging off unused systems, and not discussing sensitive procedures with outsiders.
The candidate is expected to know the basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction, and use of digital signatures to provide authenticity of electronic transactions and nonrepudiation of the parties involved; and the organization and management of public key infrastructures (PKIs) and digital certificate distribution and management.
Understand the application and use of cryptography:
1. Data at rest (e.g., hard drive)
2. Data in transit (e.g., on the wire)
Understand the cryptographic life cycle such as cryptographic limitations, algorithm/protocol governance.
Understand encryption concepts.
1. Foundational concepts
2. Symmetric cryptography
3. Asymmetric cryptography
4. Hybrid cryptography
5. Message digests
6. Hashing
Understand key management processes.
1. Creation/distribution
2. Storage/destruction
3. Recovery
4. Key escrow
Understand digital signatures.
Understand nonrepudiation.
Understand methods of cryptanalytic attacks.
1. Chosen plaintext
2. Social engineering for key discovery
3. Brute force such as rainbow tables, specialized/scalable architecture
4. Ciphertext only
5. Known plaintext
6. Frequency analysis
7. Chosen ciphertext
8. Implementation attacks
Use cryptography to maintain network security.
Use cryptography to maintain application security.
Understand public key infrastructure (PKI).
Understand certificate-related issues.
Understand information-hiding alternatives such as steganography and watermarking.
DOMAIN 6: SECURITY ARCHITECTURE AND DESIGN