Objective 1.01 – Explain how common business objectives map to technical capabilities

  • Business Requirements
    • Relate to a specific need that must be addressed in order to achieve an objective
    • They tell the “what” a product is supposed to do and state the “why” of a project
  • Technical requirements (aka non-functional)
    • They tell “how” a product is supposed to do something
    • Specify criteria that can be used to judge the operation of a system (e.g. performance, availability), rather than specific behaviors

Objective 1.02 – Explain how security domains design considerations relate to security solutions

  • ISC2 Security Domains
    1. Security and risk management
    2. Asset security
    3. Security engineering
    4. Communication and network security
    5. Identity and access management
    6. Security assessment and testing
    7. Security operations
    8. Software development security

Objective 1.03 – Explain the relationship among risks, threats, and vulnerabilities

  • Risks
    • The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability
  • Vulnerability
    • Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset
  • Threat
    • Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset
  • Asset
    • People, property, and information

Objective 1.04 – Assess the security posture of a new application in the context of a risk analysis

  • Security Posture
    • The security status of an enterprise’s networks, information, and systems, based on information assurance resources (e.g. people, hardware, software, policies) and the capabilities in place to manage the defense of the enterprise and to react as the situation changes
  • Risk analysis
    • The review of the risks associated with a particular event or action

Objective 1.05 – Translate legal, regulatory, and compliance standards into security requirements (e.g., ISO 27001, privacy laws, PCI)

  • ISO 27001 – Information security management system framework
  • PCI DSS – Payment Card Industry Data Security Standard (12 requirements, grouped into six goals)
    • Build and maintain a secure network
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect cardholder data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
    • Maintain a vulnerability management program
      5. Protect all systems against malware and regularly update anti-virus software or programs
      6. Develop and maintain secure systems and applications
    • Implement strong access control measures
      7. Restrict access to cardholder data by business need to know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
    • Regularly monitor and test networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
    • Maintain an information security policy
      12. Maintain a policy that addresses information security
  • FIPS – Federal Information Processing Standards
  • DAST – Dynamic Application Security Testing
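The point of this objective is turning a standard’s wording into requirements that can be tested. The script below is an added example for these notes, not material from the exam body or the PCI SSC: it encodes four of the PCI DSS requirements listed above (2, 3, 4 and 8) as checks over a constructed system inventory. The inventory fields (`default_creds`, `storage_encrypted`, `tls_min_version`, `shared_accounts`), the assumption that every listed system is in scope, and the “TLS 1.2 minimum” threshold are illustrative choices, not text from the standard.

```python
"""Translate PCI DSS requirements into testable technical requirements.

Added example for these notes (not PCI SSC material). The inventory
format and the compliance thresholds below are assumptions chosen for
illustration; a real assessment would use the current PCI DSS text.
"""
from dataclasses import dataclass, field

# Assumption: SSL and early TLS are not accepted as strong cryptography;
# TLS 1.2 is used here as the minimum for cardholder data in transit.
MIN_TLS = "TLS1.2"
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1.0", "TLS1.1"}


@dataclass
class System:
    name: str
    handles_chd: bool                # stores or transmits cardholder data
    default_creds: bool              # vendor-supplied passwords still in place
    storage_encrypted: bool          # stored cardholder data is protected
    tls_min_version: str             # lowest protocol accepted for CHD transport
    shared_accounts: list[str] = field(default_factory=list)  # accounts used by >1 person


def req2_no_vendor_defaults(systems: list[System]) -> list[str]:
    """Req 2: vendor-supplied defaults must not be in use (assumed in scope: all systems)."""
    return [f"{s.name}: vendor-default credentials in use" for s in systems if s.default_creds]


def req3_protect_stored_chd(systems: list[System]) -> list[str]:
    """Req 3: stored cardholder data must be protected."""
    return [f"{s.name}: stores cardholder data unencrypted"
            for s in systems if s.handles_chd and not s.storage_encrypted]


def req4_encrypt_transmission(systems: list[System]) -> list[str]:
    """Req 4: cardholder data crossing open networks must use strong cryptography."""
    return [f"{s.name}: cardholder data transmitted with {s.tls_min_version} (minimum {MIN_TLS})"
            for s in systems if s.handles_chd and s.tls_min_version in WEAK_PROTOCOLS]


def req8_unique_ids(systems: list[System]) -> list[str]:
    """Req 8: each person with computer access needs a unique ID, so shared accounts fail."""
    return [f"{s.name}: shared account '{acct}'" for s in systems for acct in s.shared_accounts]


# Requirement number -> (requirement wording from the notes, check implementing it)
CHECKS = {
    2: ("Do not use vendor-supplied defaults for system passwords", req2_no_vendor_defaults),
    3: ("Protect stored cardholder data", req3_protect_stored_chd),
    4: ("Encrypt transmission of cardholder data across open, public networks", req4_encrypt_transmission),
    8: ("Assign a unique ID to each person with computer access", req8_unique_ids),
}


def assess(systems: list[System]) -> dict[int, list[str]]:
    """Return findings per requirement; an empty list means the requirement is met."""
    return {num: check(systems) for num, (_text, check) in CHECKS.items()}


def is_compliant(systems: list[System]) -> bool:
    """True only when every encoded requirement produces no findings."""
    return all(not findings for findings in assess(systems).values())


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    System("pos-gateway", handles_chd=True, default_creds=False,
           storage_encrypted=True, tls_min_version="TLS1.2"),
    System("legacy-db", handles_chd=True, default_creds=True,
           storage_encrypted=False, tls_min_version="TLS1.0", shared_accounts=["dba"]),
    System("wiki", handles_chd=False, default_creds=False,
           storage_encrypted=False, tls_min_version="TLS1.2", shared_accounts=["admin"]),
]

if __name__ == "__main__":
    for num, findings in assess(SAMPLE_INVENTORY).items():
        status = "PASS" if not findings else "FAIL"
        print(f"Req {num:2d} [{status}] {CHECKS[num][0]}")
        for finding in findings:
            print(f"        - {finding}")
    print("compliant:", is_compliant(SAMPLE_INVENTORY))
```

Note what the translation does: “protect stored cardholder data” becomes a concrete predicate on each in-scope system, and a requirement that applies only to cardholder data (3 and 4) is filtered by scope while requirements 2 and 8 apply to every in-scope component. The `wiki` host stores nothing unencrypted that matters for requirement 3, but still fails requirement 8 because of its shared account.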

Objective 1.06 – Predict how usability is affected by security controls

  • Usability
    • Quality attribute that assesses how easy user interfaces are to use
  • Security controls
    • Technical or administrative safeguards or countermeasures that avoid, counteract, or minimize loss or unavailability caused by threats acting on a matching vulnerability (i.e. that reduce security risk)

Objective 1.07 – Evaluate network and application architectures to determine appropriate security controls