| Security and Risk Management |
15% |
1.1 Understand, adhere to, and promote professional ethics
- (ISC)2 Code of Professional Ethics
- Organizational code of ethics
1.2 Understand and apply security concepts
- »Confidentiality, integrity, and availability, authenticity and nonrepudiation
1.3 Evaluate and apply security governance principles
- Alignment of the security function to business strategy, goals, mission, and objectives
- Organizational processes (e.g., acquisitions, divestitures, governance committees)
- Organizational roles and responsibilities
- Security control frameworks
- Due care/due diligence
1.4 Determine compliance and other requirements
- Contractual, legal, industry standards, and regulatory requirements
- Privacy requirements
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
- Cybercrimes and data breaches
- Licensing and Intellectual Property (IP) requirements
- Import/export controls
- Transborder data flow»Privacy
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.7 Develop, document, and implement security policy, standards, procedures, and guidelines |
| Asset Security |
10% |
2.1 Identify and classify information and assets
- Data classification
- Asset Classification
2.2 Establish information and asset handling requirements
2.3 Provision resources securely
- Information and asset ownership
- Asset inventory (e.g., tangible, intangible)
- Asset management
2.4 Manage data lifecycle
- Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
- Data collection
- Data location
- Data maintenance
- Data retention
- Data remanence
- Data destruction
2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
2.6 Determine data security controls and compliance requirements
- Data states (e.g., in use, in transit, at rest)
- Scoping and tailoring
- Standards selection
- Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP),Cloud Access Security Broker (CASB))
|
| Security Architecture and Engineering |
13% |
3.1 Research, implement and manage engineering processes using secure design principles
- Threat modeling
- Least privilege
- Defense in depth
- Secure defaults
- Fail securely
- Separation of Duties (SoD)
- Keep it simple
- Zero Trust
- Privacy by design
- Trust but verify
- Shared responsibility
3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) 3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Client-based systems
- Server-based systems
- Database systems
- Cryptographic systems
- Industrial Control Systems (ICS)
- Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
- Distributed systems
- Internet of Things (IoT)
- Microservices
- Containerization
- Serverless
- Embedded systems
- High-Performance Computing (HPC) systems
- Edge computing systems
- Virtualized systems
3.6 Select and determine cryptographic solutions
- Cryptographic life cycle (e.g., keys, algorithm selection)
- Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
- Public Key Infrastructure (PKI)
- Key management practices
- Digital signatures and digital certificates
- Non-repudiation
- Integrity (e.g., hashing)
3.7 Understand methods of cryptanalytic attacks
- Brute force
- Ciphertext only
- Known plaintext
- Frequency analysis
- Chosen ciphertext
- Implementation attacks
- Side-channel
- Fault injection
- Timing
- Man-in-the-Middle (MITM)
- Pass the hash»Kerberos exploitation»Ransomware
3.8 Apply security principles to site and facility design
3.9 Design site and facility security controls
- Wiring closets/intermediate distribution facilities
- Server rooms/data centers
- Media storage facilities
- Evidence storage
- Restricted and work area security
- Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
- Environmental issues
- Fire prevention, detection, and suppression
- Power (e.g., redundant, backup)
|
| Communication and Network Security |
13% |
4.1 Assess and implement secure design principles in network architectures
- Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
- Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)
- Secure protocols
- Implications of multilayer protocols
- Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE),Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))
- Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
- Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite)
- Cellular networks (e.g., 4G, 5G)
- Content Distribution Networks (CDN)
4.2 Secure network components
- Operation of hardware(e.g., redundant power, warranty, support)
- Transmission media
- Network Access Control (NAC) devices
- Endpoint security
4.3 Implement secure communication channels according to design
- Voice
- Multimedia collaboration
- Remote access
- Data communications
- Virtualized networks
- Third-party connectivity
|
| Identity and Access Management (IAM) |
13% |
5.1 Control physical and logical access to assets
- Information
- Systems
- Devices
- Facilities
- Applications
5.2 Manage identification and authentication of people, devices, and services
- Identity Management (IdM) implementation
- Single/Multi-Factor Authentication (MFA)
- Accountability
- Session management
- Registration, proofing, and establishmentof identity
- Federated Identity Management (FIM)
- Credential management systems
- Single Sign On (SSO)
- Just-In-Time (JIT)
5.3 Federated identity with a third-party service
5.4 Implement and manage authorization mechanisms
- Role Based Access Control (RBAC)
- Rule based access control
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Attribute Based Access Control (ABAC)
- Risk based access control
5.5 Manage the identity and access provisioning lifecycle
- Account access review (e.g., user, system, service)
- Provisioning and deprovisioning(e.g., on /off boarding and transfers)
- Role definition (e.g., people assigned to new roles)
- Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
5.6 Implement authentication systems
- OpenID Connect (OIDC)/Open Authorization (Oauth)
- Security Assertion Markup Language (SAML)
- Kerberos
- Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
|
| Security Assessment and Testing |
12% |
6.1 Design and validate assessment, test, and audit strategies
- Internal
- External
- Third-party
6.2 Conduct security control testing
- Vulnerability assessment
- Penetration testing
- Log reviews
- Synthetic transactions
- Code review and testing
- Misuse case testing
- Test coverage analysis
- Interface testing
- Breach attack simulations
- Compliance checks
6.3 Collect security process data (e.g., technical and administrative)
- Account management
- Management review and approval
- Key performance and risk indicators
- Backup verification data
- Training and awareness
- Disaster Recovery (DR) and Business Continuity (BC)
6.4 Analyze test output and generate report
- Remediation
- Exception handling
- Ethical disclosure
6.5 Conduct or facilitate security audits
- Internal
- Externa
- Third-party
|
| Security Operations |
13% |
7.1 Understand and comply with investigations
- Evidence collection and handling
- Reporting and documentation
- Investigative techniques
- Digital forensics tools, tactics, and procedures
- Artifacts (e.g., computer, network, mobile device)
7.2 Conduct logging and monitoring activities
- Intrusion detection and prevention
- Security Information and Event Management (SIEM)
- Continuous monitoring
- Egress monitoring
- Log management
- Threat intelligence (e.g., threat feeds, threat hunting)
- User and Entity Behavior Analytics (UEBA)
7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
7.4 Apply foundational security operations concepts
- Need-to-know/least privilege
- Separation of Duties (SoD) and responsibilities
- Privileged account management
- Job rotation
- Service Level Agreements (SLAs)
7.5 Apply resource protection
- Media management
- Media protection techniques
7.6 Conduct incident management
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned
7.7 Operate and maintain detective and preventative measures
- Firewalls (e.g., next generation, web application, network)
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Whitelisting/blacklisting
- Third-party provided security services
- Sandboxing
- Honeypots/honeynets
- Anti-malware
- Machine learning and Artificial Intelligence (AI) based tools
7.8 Implement and support patch and vulnerability management
7.9 Understand and participate in change management processes
7.10 Implement recovery strategies
- Backup storage strategies
- Recovery site strategies
- Multiple processing sites
- System resilience, High Availability (HA), Qualityof Service (QoS), and fault tolerance
7.11 Implement Disaster Recovery (DR) processes
- Response
- Personnel
- Communications
- Assessment
- Restoration
- Training and awareness
- Lessons learned
7.12 Test Disaster Recovery Plans (DRP)
- Read-through/tabletop
- Walkthrough
- Simulation
- Parallel
- Full interruption
7.13 Participate in Business Continuity (BC) planning and exercises
7.14 Implement and manage physical security
- Perimeter security controls
- Internal security controls
7.15 Address personnel safety and security concerns
- Travel
- Security training and awareness
- Emergency management
- Duress
|
| Software Development Security |
11% |
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
- Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
- Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
- Operation and maintenance
- Change management
- Integrated Product Team (IPT)
8.2 Identify and apply security controls in software development ecosystems
- Programming languages
- Libraries
- Tool sets
- Integrated Development Environment (IDE)
- Runtime
- Continuous Integration and Continuous Delivery (CI/CD)
- Security Orchestration, Automation, and Response (SOAR)
- Software Configuration Management (SCM)
- Code repositories»Application security testing (e.g., Static Application Security Testing (SAST), Dynamic ApplicationSecurity Testing (DAST))
8.3 Assess the effectiveness of software security
- Auditing and logging of changes
- Risk analysis and mitigation
8.4 Assess security impact of acquired software
- Commercial-off-the-shelf (COTS)
- Open source
- Third-party
- Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platformas a Service (PaaS))
8.5 Define and apply secure coding guidelines and standards
- Security weaknesses and vulnerabilities at the source-code level
- Security of Application Programming Interfaces (APIs)
- Secure coding practices
- Software-defined security
|
