4. Identification and authentication

5. Decentralized/distributed access control techniques

6. Authorization mechanisms

7. Logging and monitoring

Understand access control attacks.

1. Threat modeling

2. Asset valuation

3. Vulnerability analysis

4. Access aggregation

Assess effectiveness of access controls.

1. User entitlement

2. Access review and audit

Identity and access provisioning life cycle such as provisioning, review, and revocation.

DOMAIN 2: TELECOMMUNICATIONS AND NETWORK SECURITY

Overview

The telecommunications and network security domain encompasses the structures, techniques, transport protocols, and security measures used to provide integrity, availability, confidentiality, and authentication for transmissions over private and public communications networks and media.

The candidate is expected to demonstrate an understanding of communications and network security as it relates to data communications in local-area and wide-area networks; remote access; Internet/intranet/extranet configurations; other network equipment (such as switches, bridges, and routers); protocols (such as TCP/IP); VPNs; and techniques (such as the correct use and placement of firewalls and IDS) for preventing and detecting network-based attacks.

Key Areas of Knowledge

Understand secure network architecture and design such as IP and non-IP protocols, and segmentation.

1. OSI and TCP/IP models

2. IP networking

3. Implications of multi-layer protocols

Secure network components.

1. Hardware such as modems, switches, routers, and wireless access points

2. Transmission media such as wired, wireless, and fiber

3. Network access control devices such as firewalls and proxies

4. End-point security

Establish secure communication channels such as VPN, TLS/SSL, and VLAN.

1. Voice such as POTS, PBX, and VoIP

2. Multimedia collaboration such as remote meeting technology and instant messaging

3. Remote access such as screen scraper, virtual application/desktop, and telecommuting

4. Data communications

Understand network attacks such as DDoS and spoofing.

DOMAIN 3: INFORMATION SECURITY GOVERNANCE AND RISK MANAGEMENT

Overview

The information security governance and risk management domain entails the identification of an organization’s information assets and the development, documentation, implementation, and updating of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and rate their vulnerabilities so that effective security measures and controls can be implemented.

The candidate is expected to understand the planning, organization, and roles and responsibilities of individuals in identifying and securing an organization’s information assets; the development and use of policies stating management’s views and position on particular topics, and the use of guidelines, standards, and procedures to support the policies; security training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary, and private information; third party management and service level agreements related to information security; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.

Key Areas of Knowledge

Understand and align security function to goals, mission, and objectives of the organization.

Understand and apply security governance.

1. Organizational processes such as acquisitions, divestitures, and governance committees

2. Security roles and responsibilities

3. Legislative and regulatory compliance

4. Privacy requirements compliance

5. Control frameworks

6. Due care

7. Due diligence

Understand and apply concepts of confidentiality, integrity, and availability.

Develop and implement security policy.

1. Security policies

2. Standards/baselines

3. Procedures

4. Guidelines

5. Documentation

Manage the information life cycle such as classification, categorization, and ownership.

Manage third-party governance such as onsite assessment, document exchange and review, and process/policy review.

Understand and apply risk management concepts.

1. Identify threats and vulnerabilities

2. Risk assessments/analysis such as qualitative, quantitative, and hybrid

3. Risk assignment/acceptance

4. Countermeasure selection

5. Tangible and intangible asset valuation

Manage personnel security.

1. Employment candidate screening such as reference checks, education, and verification

2. Employment agreements and policies

3. Employee termination processes

4. Vendor, consultant, and contractor controls

Develop and manage security education, training, and awareness.

Manage the security function.

1. Budget

2. Metrics

3. Resources

4. Develop and implement information security strategies

5. Assess the completeness and effectiveness of the security program

DOMAIN 4: SOFTWARE DEVELOPMENT SECURITY

Overview

The software development security domain refers to the controls that are included within systems and applications software and the steps used in their development. Software refers to system software (operating systems) and application programs (agents, applets, software, databases, data warehouses, and knowledge-based systems). These applications may be used in distributed or centralized environments.

The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.

Key Areas of Knowledge

Understand and apply security in the software development life cycle.

1. Development life cycle

2. Maturity models

3. Operation and maintenance

4. Change management

Understand the environment and security controls.

1. Security of the software environment

2. Security issues of programming languages

3. Security issues in source code such as buffer overflow, escalation of privilege, and backdoor

4. Configuration management

Assess the effectiveness of software security.

1. Certification and accreditation such as system authorization