Domains of Security

Far from perfect this was my attempt to combine domains of knowledge or common body of knowledge (CBK) to cover all thing in security. I do have some sub-points that are out of date like the common criteria etc… But the overall structure I think would still fit all subjects of security and divide them into domains or areas of knowledge. BTW I made this list in 2005. It is sort of a blast from the past for me.

I used the list to help guide my continuing education. I try to get classes or read books or articles in every subject area so that I remain well rounded in my career. I guess I used it as a tool for the maintenance phase of my career lifecycle.

It was a combination of the CISSP domains and the domains for the ASIS CPP certification.

• Security Management Practices

• Purpose of Information Security Management

• Awareness Programs & Prevention Programs

• Policies, Procedures, Standards, and Guidelines

• Best Practices

• Baselines

• Executive Management (e.g. CIO, CISO, CSO, CPO)

• Risk Management

• Risk Assessment

• Risk Analysis

• Countermeasures Selection

• Vulnerability Assessment

• Countermeasures and Selection

• Information Classification

• Management Systems & Organizational Model

• Business Requirements

• Financial Management

• Personnel Management (Moved to Personnel Domain)

• Planning, Organization, Leading, and Communications Management

• Project Management

• Setting goals

• Internal Relations & External Relations

• Liaison

• Types of Solutions

• Loss Prevention

• Security Architecture and Models

• Security Models

• Architecture

• Computer (Platform) Architecture

• System Architecture

• Network Architecture

• Enterprise Architecture

• Security Models

• Security Modes of Operation

• System Evaluation Methods

• Rainbow Series

• Orange Book

• Red Book

• ITSEC -Information Technology Security Evaluation Criteria

• CC - Common Criteria

• Certification & Accreditation

• Open & Closed Systems

• Threats

• Covert Channels

• Countermeasures

• Backdoors

• Timing

• Buffer Overflows

• Access Control Systems & Methodology (Protection of Sensitive Information)

• Authentication

• Identification

• Authorization

• Accountability

• Access Control Models

• Techniques and Technologies

• Administration

• Methods

• Types

• Practices

• Monitoring

• Password Management

• Threats to Access Control

• Dictionary Attack

• Brute Force Attack

• Spoofing at Logon

• Intrusion Detection

• Host Based

• Network Based

• Penetration Testing

• Tiger Team

• Hacking

• Multifactor Authentication

• Biometrics

• Tokens

• Single Sign-on

• Kerberos (MIT)

• Centralized & Decentralized

• RADIUS, TACACS

• Classification & Asset Inventory (Also under Management)

• Control

• Identification

• Sensitivity

• Security Labeling

• Application Development Security

• Application Security

• Defaults

• Complexity

• Environment Controls & Application Controls

• Implementation

• Development Methodology

• Change Control (As it relates to Development Phase)

• Program Languages

• Assemblers, Compilers and Interpreters

• Open Systems vs. Closed Systems

• Data Types

• Database Security

• Database Management

• Interface

• Security Assertion Markup Language (SAML)

• Vulnerabilities and Threats to DB

• OS Security

• System Development

• SDLC - System Development Life Cycle

• Artificial Intelligence

• Malicious Code (Under Access Control)

• Malware

• Virus, Worms

• Spyware

• Failure States

• Evaluation Certification and Accreditation

• Operations Security

• Audit

• Internal & External

• Fraud Control

• Documentation & Management

• Separation Of Duties

• Configuration Management

• Patch Management

• Change Control (As it relates to Maintenance Phase)

• Administrative Management

• Accountability

• Product Evaluation

• Log Management

• Physical Security

• Physical Security Assessments

• Selection of Integrated Physical Security Measures

• Implementation of Physical Security Measures

• Environment Control

• Ventilation

• Temperature

• Humidity

• Fire Control

• Prevention, Detection & Suppression

• Employee and Visitor Control

• Alarms

• Barriers

• Facility Planning & Management

• Guard Patrols and Weapons

• Materials Control

• Mechanical, Electrical, and Electronic Devices and Equipment

• Perimeter Boundaries, Gates, and Lobbies

• Perimeter Security

• Protective Lighting

• Security Surveys

• Parking, Traffic Control, Communications, and Security Transportation

• Armored Cars

• Physical Security Risks

• Penetration Testing

• Drills Exercises Testing

• Penetration Detection Systems (Intrusion Detection)

• Maintenance and Service (OpSec)

• Cryptography

• Introduction and History

• Strength of Cryptosystems

• Symmetric Key

• Asymmetric Key

• Ciphers

• Steganography

• Methods of Encryption

• PKI – Public Key Infrastructure

• Message Integrity

• Non-repudiation

• Key Management

• Attacks on Cryptosystems

• Import Export Issues

• Telecommunications, Network, & Internet Security

• OSI – Open Systems Interconnect Model

• Protocols

• Networking

• Firewalls

• Content Filtering and Inspection

• Wireless

• Network Topology

• Protocols

• Devices

• Segregation and isolation

• Network Services

• Intranet and Extranet

• MAN, LAN, WAN

• Remote Access

• Resource Availability

• Communications Security

• Email Security

• Content Filtering and Inspection

• Non-repudiation

• Confidentiality

• Facsimile Security

• Phone Systems

• Threats and Attacks

• Business Continuity Planning & Emergency Management

• Business Impact Analysis

• Back-ups

• Alternate Location - Facilities

• Incident Response

• Recovery & Restoration

• Testing and Drills

• Disaster Recovery

• Emergency Management

• Implementation

• Plan Development

• Types of Emergency

• Response and reactions

• Law, Investigations, & Ethics

• Ethics

• Code of Ethics

• Cultural differences & ethics

• Investigation & Forensics

• Investigative Resources

• Methods of Investigation

• Results and Reports of Investigation

• Types of Investigation

• Case Management

• Evidence Collection

• Case Presentation

• Interviewing & Interrogating

• Crime Scene Preservation

• Privacy

• Cyber Warfare

• Administrative and Regulatory Agency Requirements

• HIPPA

• GLBA

• Civil Liability Torts

• Civil Rights and Fair Employment

• Contract Considerations

• Crimes, Criminal Procedures, and the Criminal Justice System

• Admissible in Court

• Due Process and Constitutional Immunities

• Hackers & Crackers

• Liability

• Licensing

• Import & Export Laws

• External Relations – Public Liaisons

• International Cooperation Efforts

• Personnel Security

• Employment Selection and Retention Standards

• Hiring Practices

• Screening Techniques

• Background Checks

• Terminations

• Employee Reviews & Evaluation

• Retention

• Disciplinary Action

• Promotion

• Training and Qualifications

• Security Certifications

• Security Awareness Programs

• Eavesdropping

• Substance Abuse

• Identification and Disposition of Abusers

• Workplace Violence

• Employee Rights (Also under Law & Ethics)

• Executive Protection

• Body Guard

• Armored Cars – for principal transportation

• Escorts

#Cybersecurity #Security #Career #Framework