Click to edit Master title style



Similar documents
CompTIA Security+ (Exam SY0-410)

Domain 1 The Process of Auditing Information Systems

A Systems Engineering Approach to Developing Cyber Security Professionals

BUY ONLINE FROM:

LINUX / INFORMATION SECURITY

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

The Next Generation of Security Leaders

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.

Network Security Administrator

Cisco Advanced Services for Network Security

Network System Design Lesson Objectives

Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Eleventh Hour Security+

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Enterprise Computing Solutions

Defending Against Data Beaches: Internal Controls for Cybersecurity

EC-Council Network Security Administrator (ENSA) Duration: 5 Days Method: Instructor-Led

SECURITY. Risk & Compliance Services

Certified Ethical Hacker Exam Version Comparison. Version Comparison

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

CH ENSA EC-Council Network Security Administrator Detailed Course Outline

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Introduction p. 2. Introduction to Information Security p. 1. Introduction

Ohio Supercomputer Center

APPENDIX C - PRICING INDEX DIR-SDD-2514 VERIZON BUSINESS NETWORK SERVICES, INC SERVICES

IT Networking and Security

Cyber Security Metrics Dashboards & Analytics

Certified Information Security Manager (CISM)

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

Security and Privacy Controls for Federal Information Systems and Organizations

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Fundamentals of Network Security - Theory and Practice-

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Higher National Unit specification: general information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

Certified Information Systems Auditor (CISA)

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Weighted Total Mark. Weighted Exam Mark

CompTIA Security+ Certification Study Guide. (Exam SYO-301) Glen E. Clarke. Gravu Hill

Tenzing Security Services and Best Practices

Intrusion Detection and Threat Vectors Michael Arent EDS-Global Information Security

External Supplier Control Requirements

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

Central Agency for Information Technology

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Bachelor of Information Technology (Network Security)

Section 12 MUST BE COMPLETED BY: 4/22

Security + Certification (ITSY 1076) Syllabus

How To Protect A Network From Attack From A Hacker (Hbss)

STATE OF NEW JERSEY Security Controls Assessment Checklist

Network Security: A Practical Approach. Jan L. Harrington

How To Manage Security On A Networked Computer System

Through the Security Looking Glass. Presented by Steve Meek, CISSP

Chapter 15: Computer and Network Security

Guideline on Auditing and Log Management

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition AH

Certified Cyber Security Analyst VS-1160

ICANWK406A Install, configure and test network security

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

External Supplier Control Requirements

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

Networking: EC Council Network Security Administrator NSA

FRONT RUNNER DIPLOMA PROGRAM INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

CTR System Report FISMA

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

John Essner, CISO Office of Information Technology State of New Jersey

Stephen Coty Director, Threat Research

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

CEH Version8 Course Outline

Security aspects of e-tailing. Chapter 7

Local Area Networks (LANs) Blueprint (May 2012 Release)

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

MSSTAN 1504: Supplier Security Requirements and Expectations (SSRE) Web Applications For Externally Facing (Public) Data

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

How are we keeping Hackers away from our UCD networks and computer systems?

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Information security controls. Briefing for clients on Experian information security controls

How to Secure Your Environment

Making your web application. White paper - August secure

Payment Card Industry Data Security Standard

Basics of Internet Security

Transcription:

CISSP SSCP ISSEP

What is Changing? There are three (ISC) 2 certifications that have had changes posted in Candidate Information Bulletins (CIBs) for 2012 CISSP One domain name change order re-arranged for educational material Rewording of some domain subheadings plus new material SSCP NO changes to domain names Rewording of some domain subheadings plus new material ISSEP Two domain name changes Rewording of some domain subheadings plus new material

CISSP Changes The Application Development Security domain has now become the Software Development Security domain. Old New 1 ACCESS CONTROL 1 ACCESS CONTROL 2 APPLICATION DEVELOPMENT SECURITY 2 TELECOMMUNICATIONS & NETWORK SECURITY 3 BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING 3 INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT 4 CRYPTOGRAPHY 4 SOFTWARE DEVELOPMENT SECURITY 5 INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT 5 CRYPTOGRAPHY 6 LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE 6 SECURITY ARCHITECTURE & DESIGN 7 OPERATIONS SECURITY 7 OPERATIONS SECURITY 8 PHYSICAL AND ENVIROMENTAL SECURITY 8 BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING 9 SECURITY ARCHITECTURE & DESIGN 9 LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE 10 TELECOMMUNICATIONS & NETWORK SECURITY 10 PHYSICAL (ENVIRONMENTAL) SECURITY

NOTES CISSP Updates 1. ACCESS CONTROLS new 1.B.1 Threat modeling new 1.B.2 Asset valuation new 1.B.3 Vulnerability analysis new 1.B.4 Access aggregation new 1.C.1 User entitlement new 1.C.2 Access review & audit new 1.D Identity and access provisioning lifecycle (e.g., provisioning, review, revocation) 2. TELECOMMUNICATIONS & NETWORK SECURITY reworded 2.A Understand secure network architecture and design (e.g., IP & non-ip protocols, segmentation) new 2.A.1 OSI and TCP/IP models new 2.A.2 IP networking new 2.A.3 Implications of multi-layer protocols reworded 2.B.1 Hardware (e.g., modems, switches, routers, wireless access points) reworded 2.B.2 Transmission media (e.g., wired, wireless, fiber) reworded 2.B.3 Network access control devices (e.g., firewalls, proxies) reworded 2.C Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN) reworded 2.C.1 Voice (e.g., POTS, PBX, VoIP) reworded 2.C.3 Remote access (e.g., screen scraper, virtual application/desktop, telecommuting) reworded 2.C.4 Data communications reworded 2.D Understand network attacks (e.g., DDoS, spoofing,session highjack)

NOTES CISSP Updates (continued) 3. INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT reworded 3.B.1 Organizational processes (e.g., acquisitions, divestitures, governance committees) reworded 3.B.2 Security roles and responsibilities reworded 3.E Manage the information life cycle (e.g., classification, categorization, and ownership) new 3.F Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review) reworded 3.G.2 Risk assessment/analysis (qualitative, quantitative, hybrid) new 3.G.5 Tangible and intangible asset valuation reworded 3.H Manage personnel security reworded 3.H.1 Employment candidate screening (e.g., reference checks, education verification, background checks) reworded 3.J Manage the Security Function new 3.J.1 Budget new 3.J.2 Metrics reworded 4. SOFTWARE DEVELOPMENT SECURITY Click reworded to 4.A edit Understand and Master apply security in the software title development style life cycle reworded 4.A.1 Development Life Cycle reworded 4.B Understand the environment and security controls reworded 4.B.1 Security of the software environment reworded 4.B.3 Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor) reworded 4.C Assess the effectiveness of software security reworded 4.C.1 Certification and accreditation (i.e., system authorization)

NOTES CISSP Updates (continued) 5. CRYPTOGRAPHY new 5.B Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance) reworded 5.G.3 Brute Force (e.g., rainbow tables, specialized/scalable architecture, GPUs, CUDA) reworded 5.H Use cryptography to maintain network security reworded 5.I Use cryptography to maintain application security 6. SECURITY ARCHITECTURE & DESIGN reworded 6.E.1 Web-based (e.g., XML, SAML, OWASP) reworded 6.E.4 Database security (e.g., inference, aggregation, data mining, warehousing) new 6.E.5 Distributed systems (e.g., cloud computing, grid computing, peer to peer) 7. OPERATIONS SECURITY reworded 7.A Understand security operations concepts reworded 7.B.2 Asset management (e.g., equipment life cycle, software licensing) reworded 7.C.5 Remediation and review (e.g., root cause analysis) reworded 7.D Preventitive measures against attacks (e.g., malicious code, zero-day exploit, denial of service) reworded 7.F Understand change and configuration management (e.g., versioning, baselining) reworded 7.G Understand system resilience and fault tolerance requirements 8. BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING reworded 8.E Exercise, assess and maintain the plan (e.g., version control, distribution) reworded 10.F Personnel privacy and safety (e.g., duress, travel, monitoring)

CISSP Updates (continued) NOTES 9. LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE new 9.B Understand professional ethics new 9.B.1 (ISC)2 Code of Professional Ethics new 9.B.2 Support organization's code of ethics reworded 9.C.1 Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope) new 9.D.4 Hardware/embedded device analysis reworded 9.F Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance) 10. PHYSICAL (ENVIRONMENTAL) SECURITY reworded 10.A Understand site and facility design considerations reworded 10.D Support the implementation and operation of facilities security (e.g., technology, physical, and network convergence) reworded 10.F Personnel privacy and safety (e.g., duress, travel, monitoring)

NOTES SSCP Updates 1.- ACCESS CONTROLS Reworded 1.D Apply Access Control Concepts (e.g., least privilege, and separation of duties) New 1.D.1 Discretionary Access Control (DAC) New 1.D.2 Non-discretionary Access Control Reworded 1.E Manage Internetwork Trust Architectures (e.g., extranet, third party connections, federated access) New 1.F Implement identity management New 1.F.1 Provisioning New 1.F.2 Maintenance New 1.F.3 Entitlement New 1.G Understand basic security concepts related to cloud computing (e.g., virtualization, data control, storage, privacy, compliance) 2.- SECURITY OPERATIONS & ADMINISTRATION New 2.B Perform Security Administrative Duties New 2.B.1 Maintain adherence to security policies, baselines, standards, and procedures New 2.B.2 Validate security controls New 2.B.3 Data classification (e.g., control, handling, categorization) New 2.B.4 Asset management (e.g., hardware, software, data) New 2.B.5 Develop and maintain systems and security control documentation Reworded 2.C Perform Change Management Duties Reworded 2.C.1 Assist with implementation of Configuration Management Plan Reworded 2.C.2 Understand the impact of changes to the environment New 2.C.3 Test patches, fixes, and updates (e.g., operating system, applications, SDLC) New 2.D.1 Support certification and accreditation (i.e., security authorization) Reworded 2.E Participate in Security Awareness Education

SSCP Updates (continued) NOTES 2.- SECURITY OPERATIONS & ADMINISTRATION (Continued) New 2.F.1 Understand impact of security testing Reworded 2.G Understand concepts of endpoint device security (e.g., virtualization, thin clients, thick clients, USB devices, mobile devices) New 2.H Comply with data management policies (e.g., storage media (paper or electronic), transmission, archiving, retention requirements, destruction, deduplication, data loss prevention, social network usage, information rights management (IRM)) New 2.I Understand security concepts (e.g., confidentiality, integrity, availability, privacy) 3.- MONITORING AND ANALYSIS Reworded 3.A Maintain Effective Monitoring Systems (e.g., continuous monitoring) Reworded 3.A.3 Review systems for unauthorized changes (e.g., file integrity checkers, honeypots, unauthorized connections) New 3.A.5 Install and configure agents and management systems 4.- RISK, RESPONSE, AND RECOVERY Reworded 4.A Understand Risk Management Process Reworded 4.A.1 Understand risk management concepts (e.g., impacts, threats, vulnerabilities) Reworded 4.A.3 Support mitigation activity (e.g., safeguards, countermeasures) New 4.A.4 Address audit findings Reworded 4.B Perform Security Assessment Activities Reworded 4.B.4 Interpret results of scanning and testing Understand the concepts of forensic investigations (e.g., first responder, evidence Reworded 4.C.2 handling, chain of custody, preservation of scene) Understand and support Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Reworded 4.D Reworded 4.D.1 Understand the Components of a Business Continuity Plan (BCP) Reworded 4.D.2 Understand and support Disaster Recovery Plan (DRP) 5.- CRYPTOGRAPHY New 5.A.1 Install and maintain cryptographic systems Reworded 5.C Support Certificate and Key Management New 5.C.1 Understand basic key management concepts (e.g., public key infrastructure) Reworded 5.C.2 Administration and validation (e.g., key creation, exchange, revocation, escrow) Reworded 5.D Understand the use of Secure Protocols (e.g., differences in implementation, appropriate use)

SSCP Updates (continued) NOTES 6.- NETWORKS AND COMMUNICATIONS Reworded 6.A Understand security issues related to Networks New 6.A.2 Network topographies and relationships (e.g., token ring, star, bus, ethernet) Reworded 6.A.3 Commonly used ports and protocols Reworded 6.A.5 Network security concepts (e.g., address translation, defense in depth, IP addressing) Reworded 6.B.2 Common Vulnerabilities Reworded 6.C.2 Common Vulnerabilities Reworded 6.D.1 Methods (e.g., application filtering, packet filtering, stateful/stateless inspection) Reworded 6.D.2 Types (e.g., host based, network based) Reworded 6.D.3 Common Vulnerabilities Reworded 6.E Understand Wireless and Cellular Technologies Reworded 6.E.2 Technology (e.g., Bluetooth, RFID, 802.11, WiMax, GSM, 3G, NFC) Reworded 6.E.3 Common Vulnerabilities 7.- MALICIOUS CODE & ACTIVITY Reworded 7.A Identify Malicious Code (e.g., virus, worms, trojan horses, logic bombs) Reworded 7.A.1 Understand concepts of rootkits Reworded 7.A.2 Understand types of malware (e.g., spyware, scareware, ransomware) Reworded 7.A.3 Understand concepts of Trapdoors & Backdoors Reworded 7.A.4 Understand concepts of Botnets Reworded 7.A.5 Understand concepts of Mobile Code Reworded 7.B.2 Deploy and manage anti-malware Reworded 7.B.4 Software Security (e.g., code signing, application review, server side input validation) Reworded 7.C Identify Malicious Activity (e.g., social engineering, insider threat, data theft, DDoS, spoofing, phishing, pharming, spam) New 7.C.1 Understand malicious web activity (e.g., cross site scripting, cross site request forgery, injection, social networking attacks) New 7.C.2 Understand the concept of zero day exploits

1 ISSEP Changes System Security Engineering 1 Systems Security Engineering Certification and Accreditation (C&A) / Risk Management Framework (RMF) Click Certification to and Accreditation (C&A) Master title style 2 2 3 4 A. The Certification and Accreditation (C&A) domain has now become the Certification and Accreditation (C&A)/Risk Management Framework (RMF) domain. B. The U.S. Government Information Assurance (IA) Governance (e.g., laws regulations, policies, guidelines, standards) domain has now become the U.S. Government Information Assurance Related Policies and Issuances domain. OLD ISSEP s (Effective: March 13, 2010) Technical Management U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards) NEW ISSEP s (Effective: March 2012 Notice: July 1, 2011 3 4 Technical Management U.S. Government Information Assurance Related Policies and Issuances

NOTES ISSEP Updates 1. Systems Security Engineering Reworded 1.A.1 Understand security and systems engineering methodologies (e.g., Institute of Electrical and Electronics Engineers, (IEEE) 1220, INCOSE Systems Engineering Handbook) Reworded 1.A.2 Understand process models (e.g., lifecycle models, Systems Security Engineering Capability Maturity Model (ISO/IEC 21827), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15288) Reworded 1.B.3 Identify data types and determine additional legal / regulatory requirements Reworded 1.C.1 Develop system security context (e.g., support system, application) Reworded 1.C.4 Review design constraints Reworded 1.C.5 Assess information protection effectiveness Reworded 1.F.1 Support security implementation, integration and test Reworded 2. Certification and Accreditation (C&A) / Risk Management Framework (RMF) Reworded 2.A Understand the U.S. Government C&A/RMF process to be applied (e.g., National Information Assurance Certification and Accreditation Process (NIACAP), DoD Information Assurance Certification and Accreditation Process (DIACAP), National Institute of Standards and Technology Special Publication(NIST SP) 800-37 rev 1) Reworded 2.A.1 Understand the purpose of C&A/RMF Reworded 2.A.2 Identify and understand criteria used to determine applicability of U.S. Government C&A/RMF processes Reworded 2.B Understand the roles and responsibilities of stakeholders identified within the C&A/RMF process

ISSEP Updates (continued) NOTES Reworded 2. Certification and Accreditation (C&A) / Risk Management Framework (RMF) (continued ) Note - Reworded 2.C Integrate the C&A/RMF processes with systems security engineering Reworded 2.C.1 Understand the attributes and significance of well-defined, integrated processes (e.g., administrative security policies/procedures and its relationship to C&A/RMF) Reworded 2.C.7 Identify and correlate C&A/RMF phases and tasks with systems engineering phases and tasks Reworded 2.C.9 Support C&A/RMF activities as appropriate based on C&A/RMF tailoring (e.g., register system with the appropriate information assurance program, communicate results of risk analysis to certifier and accreditor, prepare and present C&A/RMF documentation to accreditor, submit reports to centralized database ) Note - Section C (Understand Risk Management )from the previous version has been removed and the old Section D is now Section C in the 2012 CIB 3. Technical Management No changes in 3 from the previous version Reworded 4. U.S. Government Information Assurance Related Policies and Issuances Click Reworded 4.A to Understand edit national laws Master and policies title style Reworded 4.B Understand civil agency policies and guidelines Reworded 4.C Understand DoD policies and guidelines Reworded 4.D Understand applicable international standards

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information