r21 - 20 Jul 2007 - 18:14:10 - AntonAylwardYou are here: Infosecwiki > 
CISSPForum Web > TheTenDomains
CISSPForum Web > TheTenDomainsThis is not intended to be the page for discussing topics, but rather it is a page for setting up links to the topics.
Most of the items are not links and many of the links are stubs. You can help by filling these stubs in, for example, with links to books, papers and other authoritative references.
Other links from the stubs should lead to topics in which these items are dicussed - please mark those items as either "Informative" or "Discussion" as appropriate using the classification scheme.
1. Access Control Systems & Methodology
Access Control is the collection of mechanisms for limiting, controlling, and monitoring system access to certain items of information, or to certain features based on a user's identity and their membership in various predefined groups. It permits the managers of a system to exercise a directing or restraining influence over the behavior, use, and content of the system for availability, integrity, and confidentiality? .- Access Control
- Discretionary access control
- Mandatory access control
- Lattice-based access control
- Role-based access control
- Task-based access control
- Access control administration
- Access control techniques
- Access Control Lists?
- Access rights and permissions
- Accountability
- Centralized Access Control
- Decentralized access control
- Domains
- Trust
- File and data ownership Monitoring
- Identification? and Authentication? techniques
- Methods of attack
- Brute force
- Denial of Service
- Dictionary
- Spoofing
- Monitoring
- Intrusion Detection?
- Alarms
- Correction
- One-time passwords?
- AllAboutPasswords?
- Complexity
- Selection?
- Management?
- Control?
- Penetration testing?
- Rule of Least Privilege?
- Single Sign-on?
2. Telecommunications? & Network Security?
The Telecommunications? and Network Security? domain includes the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality? for transmissions over private and public communications networks.- E‑mail security?
- S/MIME & relevant RFCs
- PGP? & relevant RFCs
- Facsimile security?
- Internet/Intranet/Extranet
- Gateways and Routers?
- Transport Control Protocol/Internet Protocol (TCP/IP)
- IPSEC
- Network layer security (e.g. SKIP)
- Transport layer security? (e.g. SSL? )
- Host layer security? (e.g. host hardening, port monitoring)
- Application layer security? protocols
- Secure electronic transactions (SET)
- Privacy Enhanced Mail? (PEM)
- Secure Hypertext Transfer (S-HTTP/HTTPS)
- Secure Remote Procedure call (S-RPC)
- ISO/OSI layers and characteristics?
- LAN/WAN/VPN
- Network attacks & countermeasures?
- Network monitors? and packet sniffers?
- Network Tap?
- PBX fraud and abuse
- Physical Media Characteristics?
- Fiber Optics?
- Coaxial
- Twisted pair
- Network Topologies?
- Wireless
- Star
- Bus
- Ring
- Repeated/Switched/Routed
- Remote Access/Telecommuting Techniques
- Secure voice communications
- VOIP?
- H.323
- SIP
- MGCP
- VOIP?
- TCP/IP vulnerabilities?
- Transmission protocols
3. Security Management Practices
Security entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability? . Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented.- Change Control? /Management?
- Hardware configuration
- System and application software
- Change control process?
- Data classification?
- Employment policies & practices
- Policies, Standards, Guidelines & Procedures
- Risk management tools & methodologies
- Principles of Risk Management
- Threats and vulnerabilities
- Risk Assessment
- Qualitative vs. quantitative
- Annual loss expectancy calculations
- Countermeasure selection
- Risk reduction/assignment/acceptance
- Principles of Risk Management
- Roles and responsibilities
4. Applications? and Systems Development Security?
- System Development Life Cycle?
- Application Environment?
- Security Controls?
- Database Security?
- Application Vulnerabilities?
5. Cryptography
The Cryptography domain addresses the principles, means, and methods of securing information to ensure its [[CiaTriad][integrity, confidentiality, and authenticity].- Authentication?
- Certificate authority?
- Digital signatures /non‑repudiation
- Encryption Plain Text and Cypher Text
- Error detecting/correcting features
- Hash functions
- Message digests
- MD5
- SHA
- HMAC
- Kerberos?
- Private key algorithms
- Applications & uses
- Algorithm methodology
- Key distribution &management
- Key generation/distribution
- Key recovery?
- Key storage? and destruction?
- Key strength?
- Public key algorithms?
- Key escrow?
- One‑time cipher
6. Security Architecture? and Models
The Security Architecture and Models domain contains the concepts, principles, structures, and standards used to design, implement, monitor and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability? .- Principles of common computer and network organizations, architectures and designs:
- Addressing ‑ physical & symbolic
- Address spare as contrasted to memory space
- Hardware, firmware, and software differences
- Machine types (real, virtual, multi‑ state, multi‑tasking, multi‑user)
- Network stack functions (OSI 7 layer model)
- Operating states
- Resource manager functions
- Storage types (primary, secondary, real, virtual)
- Common flaws and security issues associated with system architectures and designs:
- Covert channels? (memory, storage, and communications)
- Initialization and failure states
- Input and parameter checking
- Maintenance hooks & privileged programs (superzap/su)
- Programming (techniques, compilers, APIs, & library issues)
- Timing (TOC/TOU, state changes, communication disconnects)
- TEMPEST
- Principles of security models, architectures, & evaluation criteria:
- Accreditation and certification
- Common Criteria?
- Closed and open systems
- Confinement, bounds, & isolation
- Controls, mandatory & discretionary
- IETF? Security Architecture (IPSEC)
- ITSEC classes and required assurance and functionality
- Objects and subjects (purpose and relationship)
- Reference monitors and kernels (purpose and function)
- Security models? (Bell‑LaPadula, Clark‑Wilson, Biba)
- TCSEC classes & required functionality
- Tokens, capabilities, & labels (purpose & functions)
7. Operations Security?
Operations security is used to identify the controls over hardware, media, and the operators with access privileges to any of these resources.- Administrative Management
- Concepts
- Anti‑virus?
- Backup of critical information
- Changes in workstation/location
- Need‑to‑know/Least privilege
- Privileged operations functions
- Record retention
- Sensitive information and media
- Marking
- Handling
- Storage
- Destruction
- Resource protection
- Types of attacks?
- Violations, breaches, and reporting
8. Business Continuity Planning (BCP)
and Disaster Recovery Planning (DRP)
Business Continuity Planning
- Project scoping and planning
- Business organization analysis
- Resource requirements
- Business impact assessment
- Emergency assessment
- Critical business functions
- Recovery Strategy
- Business unit priorities
- Alternatives
- Cold/Warm/Hot/Mobile sites
- Electronic vaulting
- Processing agreements
- Reciprocal/Mutual
- Recovery Plan development
- Emergency response
- Personnel notification
- Backups and off‑site storage
- Communications
- Utilities
- Logistics and supplies
- Fire and water protection
- Documentation
- Implementation
- Training/testing/maintenance
Disaster Recovery Planning
- Recovery plan development
- Implementation
- Restoration
- Cleaning
- Procurement
- Data recovery
- Relocation to primary site
9. Law, Investigation & Ethics
Law, Investigations, and Ethics addresses computer crime? laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence if it has; and the ethical constraints which provide a code of conduct for the security professional.
- Investigations
- Laws
- Licensing
- Intellectual properties?
- Import/Export
- Liability
- Transborder data flow
10. Physical Security?
Physical Security? addresses the threats, vulnerabilities, and countermeasures which can be utilized to physically protect an enterprise's resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.- Facility requirements
- Restricted areas/work areas
- Escort requirements/visitor control
- Fences, gates, turnstiles, mantraps
- Security Guards/Dogs?
- Badging
- Keys and combination locks
- Lighting
- Site selection, facility design, and configuration
- Motion detectors, sensors, and alarms
- CCTV
- Technical controls
| TopicClassificationForm | |
|---|---|
| TopicClassification | Reference |
| TopicSummary | These are the Ten Domains. Links from here to many other topics |
| InterestedParties | |
| RelatedTopics | IscTwoMatters |
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding Infosecwiki? Send feedback