• Alignment of security function to strategy, goals, mission, and objectives
• (e.g., business case, budget and resources)
• Organizational processes (e.g., acquisitions, divestitures, governance
• committees)
• Security roles and responsibilities
• Control frameworks
• Due care
• Due diligence

• Legislative and regulatory compliance
• C.2 Privacy requirements compliance

• Computer crimes
• Licensing and intellectual property (e.g., copyright, trademark, digital rights
• Import/export controls
• Trans-border data flow
• Privacy
• Data breaches

• Exercise (ISC)² Code of Professional Ethics
• Support organization’s code of ethics

• Develop and document project scope and plan
• Conduct business impact analysis

• Employment candidate screening (e.g., reference checks, education verification)
• Employment agreements and policies
• Employment termination processes
• Vendor, consultant, and contractor controls
• Compliance
• Privacy

• Identify threats and vulnerabilities
• Risk assessment/analysis (qualitative, quantitative, hybrid)
• Risk assignment/acceptance (e.g., system authorization)
• Countermeasure selection
• Implementation
• Types of controls (preventive, detective, corrective, etc.)
• Control assessment
• Monitoring and measurement
• Asset valuation
• Reporting
• Continuous improvement
• Risk frameworks

• Identifying threats (e.g., adversaries, contractors, employees, trusted
• partners)
• Determining and diagramming potential attacks (e.g., social engineering,
• spoofing)
• Performing reduction analysis
• Technologies and processes to remediate threats (e.g., software architecture
• and operations)

• Hardware, software, and services
• Third-party assessment and monitoring (e.g., on-site assessment, document
• exchange and review, process/policy review)
• Minimum security requirements
• Service-level requirements

• Appropriate levels of awareness, training, and education required within
• organization
• Periodic reviews for content relevancy

• Data owners
• Data processers
• Data remanence
• Collection limitation

• Baselines
• Scoping and tailoring
• Standards selection
• Cryptography

Implement and manage engineering processes using secure design principles

Understand the fundamental concepts of security models (e.g., Confidentiality,

Integrity, and Multi-level Models)

Select controls and countermeasures based upon systems security evaluation models

Understand security capabilities of information systems (e.g., memory protection,

virtualization, trusted platform module, interfaces, fault tolerance)

Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

• Client-based (e.g., applets, local caches)
• Server-based (e.g., data flow control)
• Database security (e.g., inference, aggregation, data mining, data analytics, warehousing)
• Large-scale parallel data systems
• Distributed systems (e.g., cloud computing, grid computing, peer to peer)
• Cryptographic systems
• Industrial control systems (e.g., SCADA)

• Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
• Cryptographic types (e.g., symmetric, asymmetric, elliptic curves)
• Public Key Infrastructure (PKI)
• Key management practices
• Digital signatures
• Digital rights management
• Non-repudiation
• Integrity (hashing and salting)
• Methods of cryptanalytic attacks (e.g., brute force, cipher-text only, known plaintext)

• Wiring closets
• Server rooms
• Media storage facilities
• Evidence storage
• Restricted and work area security (e.g., operations centers)
• Data center security
• Utilities and HVAC considerations
• Water issues (e.g., leakage, flooding)
• Fire prevention, detection and suppression

• OSI and TCP/IP models
• IP networking
• Implications of multilayer protocols (e.g., DNP3)
• Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI)
•  Software-defined networks
• Wireless networks
• Cryptography used to maintain communication security

• Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices)
• Transmission media (e.g., wired, wireless, fiber)
• Network access control devices (e.g., firewalls, proxies)
• Endpoint security
• Content-distribution networks
• Physical devices

• Voice
• Multimedia collaboration (e.g., remote meeting technology, instant messaging)
• Remote access (e.g., VPN, screen scraper, virtual application/desktop, telecommuting)
• Data communications (e.g., VLAN, TLS/SSL)
• Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation)

• Information
• Systems
• Devices
• Facilities

• Identity management implementation (e.g., SSO, LDAP)
• Single/multi-factor authentication (e.g., factors, strength, errors, biometrics)
• Accountability
• Session management (e.g., timeouts, screensavers)
• Registration and proofing of identity
• Federated identity management (e.g., SAML)
• Credential management systems

• Role-Based Access Control (RBAC) methods
• Rule-based access control methods
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)

• Vulnerability assessment
• Penetration testing
• Log reviews
• Synthetic transactions
• Code review and testing (e.g., manual, dynamic, static, fuzz)
• Misuse case testing
• Test coverage analysis
• Interface testing (e.g., API, UI, physical)

• Account management (e.g., escalation, revocation)
• Management review
• Key performance and risk indicators
• Backup verification data
• Training and awareness
• Disaster recovery and business continuity

• Evidence collection and handling (e.g., chain of custody, interviewing)
• Reporting and documenting
• Investigative techniques (e.g., root-cause analysis, incident handling)
• Digital forensics (e.g., media, network, software, and embedded devices)

• Operational
• Criminal
• Civil
• Regulatory
• Electronic discovery (eDiscovery)

• Intrusion detection and prevention
• Security information and event management
• Continuous monitoring
• Egress monitoring (e.g., data loss prevention, steganography, watermarking)

• Asset inventory (e.g., hardware, software)
• Configuration management
• Physical assets
• Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems)
• D.5 Cloud assets (e.g., services, VMs, storage, networks)
• D.6 Applications (e.g., workloads or private clouds, web services, software as a service)

• Need-to-know/least privilege (e.g., entitlement, aggregation, transitive trust)
• Separation of duties and responsibilities
• Monitor special privileges (e.g., operators, administrators)
• Job rotation
• Information lifecycle
• Service-level agreements

• Media management
• Hardware and software asset management

• Detection
• Response
• Mitigation
• Reporting
• Recover
• Remediation
• Lessons learned

• Firewalls
• Intrusion detection and prevention systems
• Whitelisting/Blacklisting
• Third-party security services
• Sandboxing
• Honeypots/Honeynets
• Anti-malware

• Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation)
• Recovery site strategies
• Multiple processing sites (e.g., operationally redundant systems)
• System resilience, high availability, quality of service, and fault tolerance

• Response
• Personnel
• Communications
• Assessment
• Restoration
• Training and awareness

• Read-through
• Walkthrough
• Simulation
• Parallel
• Full interruption

Implement and manage physical security

• Perimeter (e.g., access control and monitoring)

• Internal security (e.g., escort requirements/visitor control, keys and locks)

• Development methodologies (e.g., Agile, Waterfall)
• Maturity models
• Operation and maintenance
• Change management
• Integrated product team (e.g., DevOps)

• Security of the software environments
• Security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation)
• Configuration management as an aspect of secure coding
• Security of code repositories
• Security of application programming interfaces

• Auditing and logging of changes
• Risk analysis and mitigation
• Acceptance testing