Course Outline

Certified Information Systems Security Professional

Course Contents

The 8 CISSP Domains:

Security and Risk Management
•   Understand and apply concepts of confidentiality, integrity and availability
•   Establish and manage information security education, training, and awareness
•   Apply security governance principles
•   Understand legal and regulatory issues that pertain to information security in a global context
•   Understand professional ethics
•   Develop and implement documented security policy, standards, procedures, and guidelines
•   Understand business continuity requirements
•   Contribute to personnel security policies
•   Understand and apply risk management concepts
•   Understand and apply threat modelling
•   Integrate security risk considerations into acquisition strategy and practice

Asset Security
•   Classify information and supporting assets (e.g., sensitivity, criticality)
•   Determine and maintain ownership (e.g., data owners, system owners, business/mission owners)
•   Protect privacy
•   Ensure appropriate retention (e.g., media, hardware, personnel)
•   Determine data security controls (e.g., data at rest, data in transit)
•   Establish handling requirements (markings, labels, storage, destruction of sensitive information)

Security Engineering
•   Implement and manage engineering processes using secure design principles
•   Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)
•   Select controls and countermeasures based upon systems security evaluation models
•   Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance)
•   Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

Communications and Network Security
•   Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation)
•   Secure network components
•   Design and establish secure communication channels
•   Prevent or mitigate network attacks

Identity and Access Management
•   Control physical and logical access to assets
•   Manage identification and authentication of people and devices
•   Integrate identity as a service (e.g., cloud identity)
•   Integrate third-party identity services (e.g., on-premises)
•   Implement and manage authorization mechanisms
•   Prevent or mitigate access control attacks
•   Manage the identity and access provisioning lifecycle (e.g., provisioning, review)

Security Assessment and Testing
•   Design and validate assessment and test strategies
•   Conduct security control testing
•   Collect security process data (e.g., management and operational controls)
•   Analyse and report test outputs (e.g., automated, manual)
•   Conduct or facilitate internal and third party audits

Security Operations
•   Understand and support investigations
•   Understand requirements for investigation types
•   Conduct logging and monitoring activities
•   Secure the provisioning of resources
•   Understand and apply foundational security operations concepts
•   Employ resource protection techniques
•   Conduct incident management

Software Development Security
•   Understand and apply security in the software development lifecycle
•   Enforce security controls in development environments
•   Assess the effectiveness of software security
•   Assess security impact of acquired software
