Saturday, 15 November B.E. 2557 (2014)

Certified Information System Security Professional (CISSP) exam objective map

OBJECTIVE

1.0     ACCESS CONTROL
     1.1     Control access by applying the following concepts/methodologies/ techniques
          1.1.1     Policies
          1.1.2     Types of controls (preventive, detective, corrective, etc.)
          1.1.3     Techniques (e.g., non-discretionary, discretionary and mandatory)
          1.1.4     Identification and Authentication
          1.1.5     Decentralized/distributed access control techniques
          1.1.6     Authorization mechanisms
          1.1.7     Logging and monitoring
     1.2     Understand access control attacks
          1.2.1     Threat modeling
          1.2.2     Asset valuation
          1.2.3     Vulnerability analysis
          1.2.4     Access aggregation
     1.3     Assess effectiveness of access controls
          1.3.1     User entitlement
          1.3.2     Access review & audit
     1.4     Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
2.0     TELECOMMUNICATIONS AND NETWORK SECURITY
     2.1     Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)
          2.1.1     OSI and TCP/IP models
          2.1.2     IP networking
          2.1.3     Implications of multi-layer protocols
     2.2     Securing network components
          2.2.1     Hardware (e.g., modems, switches, routers, wireless access points)
          2.2.2     Transmission media (e.g., wired, wireless, fiber)
          2.2.3     Network access control devices (e.g., firewalls, proxies)
          2.2.4     End-point security
     2.3     Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)
          2.3.1     Voice (e.g., POTS, PBX, VoIP)
          2.3.2     Multimedia collaboration (e.g., remote meeting technology, instant messaging)
          2.3.3     Remote access (e.g., screen scraper, virtual application/desktop, telecommuting)
          2.3.4     Data communications
     2.4     Understand network attacks (e.g., DDoS, spoofing)
3.0     INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
     3.1     Understand and align security function to goals, mission and objectives of the organization
     3.2     Understand and apply security governance
          3.2.1     Organizational processes (e.g., acquisitions, divestitures, governance committees)
          3.2.2     Security roles and responsibilities
          3.2.3     Legislative and regulatory compliance
          3.2.4     Privacy requirements compliance
          3.2.5     Control frameworks
          3.2.6     Due care
          3.2.7     Due diligence
     3.3     Understand and apply concepts of confidentiality, integrity and availability
     3.4     Develop and implement security policy
          3.4.1     Security policies
          3.4.2     Standards/baselines
          3.4.3     Procedures
          3.4.4     Guidelines
          3.4.5     Documentation
     3.5     Manage the information life cycle (e.g., classification, categorization, and ownership)
     3.6     Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
     3.7     Understand and apply risk management concepts
          3.7.1     Identify threats and vulnerabilities
          3.7.2     Risk assessment/analysis (qualitative, quantitative, hybrid)
          3.7.3     Risk assignment/acceptance
          3.7.4     Countermeasure selection
          3.7.5     Tangible and intangible asset valuation
     3.8     Manage personnel security
          3.8.1     Employment candidate screening (e.g., reference checks, education verification)
          3.8.2     Employment agreements and policies
          3.8.3     Employee termination processes
          3.8.4     Vendor, consultant and contractor controls
     3.9     Develop and manage security education, training and awareness
     3.10     Manage the Security Function
          3.10.1     Budget
          3.10.2     Metrics
          3.10.3     Resources
          3.10.4     Develop and implement information security strategies
          3.10.5     Assess the completeness and effectiveness of the security program
4.0     SOFTWARE DEVELOPMENT SECURITY
     4.1     Understand and apply security in the software development life cycle
          4.1.1     Development Life Cycle
          4.1.2     Maturity models
          4.1.3     Operation and maintenance
          4.1.4     Change management
     4.2     Understand the environment and security controls
          4.2.1     Security of the software environment
          4.2.2     Security issues of programming languages
          4.2.3     Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)
          4.2.4     Configuration management
     4.3     Assess the effectiveness of software security
5.0     CRYPTOGRAPHY
     5.1     Understand the application and use of cryptography
          5.1.1     Data at rest (e.g., hard drive)
          5.1.2     Data in transit (e.g., on the wire)
     5.2     Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
     5.3     Understand encryption concepts
          5.3.1     Foundational concepts
          5.3.2     Symmetric cryptography
          5.3.3     Asymmetric cryptography
          5.3.4     Hybrid cryptography
          5.3.5     Message digests
          5.3.6     Hashing
     5.4     Understand key management processes
          5.4.1     Creation/distribution
          5.4.2     Storage/destruction
          5.4.3     Recovery
          5.4.4     Key escrow
     5.5     Understand digital signatures
     5.6     Understand non-repudiation
     5.7     Understand methods of cryptanalytic attacks
          5.7.1     Chosen plain-text
          5.7.2     Social engineering for key discovery
          5.7.3     Brute Force (e.g., rainbow tables, specialized/scalable architecture)
          5.7.4     Cipher-text only
          5.7.5     Known plaintext
          5.7.6     Frequency analysis
          5.7.7     Chosen cipher-text
          5.7.8     Implementation attacks
     5.8     Use cryptography to maintain network security
     5.9     Use cryptography to maintain application security
     5.10     Understand Public Key Infrastructure (PKI)
     5.11     Understand certificate related issues
     5.12     Understand information hiding alternatives (e.g., steganography, watermarking)
6.0     SECURITY ARCHITECTURE & DESIGN
     6.1     Understand the fundamental concepts of security models (e.g., confidentiality, integrity, and multi-level models)
     6.2     Understand the components of information systems security evaluation models
          6.2.1     Product evaluation models (e.g., common criteria)
          6.2.2     Industry and international security implementation guidelines (e.g., PCI-DSS, ISO)
     6.3     Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module)
     6.4     Understand the vulnerabilities of security architectures
          6.4.1     System (e.g., covert channels, state attacks, emanations)
          6.4.2     Technology and process integration (e.g., single point of failure, service oriented architecture)
     6.5     Understand software and system vulnerabilities and threats
          6.5.1     Web-based (e.g., XML, SAML, OWASP)
          6.5.2     Client-based (e.g., applets)
          6.5.3     Server-based (e.g., data flow control)
          6.5.4     Database security (e.g., inference, aggregation, data mining, warehousing)
          6.5.5     Distributed systems (e.g., cloud computing, grid computing, peer to peer)
     6.6     Understand countermeasure principles (e.g., defense in depth)
7.0     OPERATIONS SECURITY
     7.1     Understand security operations concepts
          7.1.1     Need-to-know/least privilege
          7.1.2     Separation of duties and responsibilities
          7.1.3     Monitor special privileges (e.g., operators, administrators)
          7.1.4     Job rotation
          7.1.5     Marking, handling, storing and destroying of sensitive information
          7.1.6     Record retention
     7.2     Employ resource protection
          7.2.1     Media management
          7.2.2     Asset management (e.g., equipment life cycle, software licensing)
     7.3     Manage incident response
          7.3.1     Detection
          7.3.2     Response
          7.3.3     Reporting
          7.3.4     Recovery
          7.3.5     Remediation and review (e.g., root cause analysis)
     7.4     Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)
     7.5     Implement and support patch and vulnerability management
     7.6     Understand change and configuration management (e.g., versioning, baselining)
     7.7     Understand system resilience and fault tolerance requirements
8.0     BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING
     8.1     Understand business continuity requirements
          8.1.1     Develop and document project scope and plan
     8.2     Conduct business impact analysis
          8.2.1     Identify and prioritize critical business functions
          8.2.2     Determine maximum tolerable downtime and other criteria
          8.2.3     Assess exposure to outages (e.g., local, regional, global)
          8.2.4     Define recovery objectives
     8.3     Develop a recovery strategy
          8.3.1     Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation)
          8.3.2     Recovery site strategies
     8.4     Understand disaster recovery process
          8.4.1     Response
          8.4.2     Personnel
          8.4.3     Communications
          8.4.4     Assessment
          8.4.5     Restoration
          8.4.6     Provide training
     8.5     Exercise, assess and maintain the plan (e.g., version control, distribution)
9.0     LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE
     9.1     Understand legal issues that pertain to information security internationally
          9.1.1     Computer crime
          9.1.2     Licensing and intellectual property (e.g., copyright, trademark)
          9.1.3     Import/Export
          9.1.4     Trans-border data flow
          9.1.5     Privacy
     9.2     Understand professional ethics
          9.2.1     (ISC)² Code of Professional Ethics
          9.2.2     Support organization’s code of ethics
     9.3     Understand and support investigations
          9.3.1     Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope)
          9.3.2     Incident handling and response
          9.3.3     Evidence collection and handling (e.g., chain of custody, interviewing)
          9.3.4     Reporting and documenting
     9.4     Understand forensic procedures
          9.4.1     Media analysis
          9.4.2     Network analysis
          9.4.3     Software analysis
          9.4.4     Hardware/embedded device analysis
     9.5     Understand compliance requirements and procedures
          9.5.1     Regulatory environment
          9.5.2     Audits
          9.5.3     Reporting
     9.6     Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)
10.0     PHYSICAL (ENVIRONMENTAL) SECURITY
     10.1     Understand site and facility design considerations
     10.2     Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)
     10.3     Support the implementation and operation of internal security (e.g., escort requirements/visitor control, keys and locks)
     10.4     Support the implementation and operation of facilities security (e.g., technology convergence)
          10.4.1     Communications and server rooms
          10.4.2     Restricted and work area security
          10.4.3     Data center security
          10.4.4     Utilities and Heating, Ventilation and Air Conditioning (HVAC) considerations
          10.4.5     Water issues (e.g., leakage, flooding)
          10.4.6     Fire prevention, detection and suppression
     10.5     Support the protection and securing of equipment
     10.6     Understand personnel privacy and safety (e.g., duress, travel, monitoring)

Author: procodeblog