  • Donald E. Hester

Domains of Security



Far from perfect, this was my attempt to combine domains of knowledge, or a common body of knowledge (CBK), to cover all things in security. I do have some sub-points that are out of date, like the Common Criteria etc., but I think the overall structure would still fit all subjects of security and divide them into domains or areas of knowledge. BTW, I made this list in 2005. It is sort of a blast from the past for me.

I used the list to help guide my continuing education. I try to take classes or read books or articles in every subject area so that I remain well rounded in my career. I guess I used it as a tool for the maintenance phase of my career lifecycle.

It was a combination of the CISSP domains and the domains for the ASIS CPP certification.

  • Security Management Practices
      • Purpose of Information Security Management
      • Awareness Programs & Prevention Programs
      • Policies, Procedures, Standards, and Guidelines
      • Best Practices
      • Baselines
      • Executive Management (e.g. CIO, CISO, CSO, CPO)
      • Risk Management
      • Risk Assessment
      • Risk Analysis
      • Countermeasures Selection
      • Vulnerability Assessment
      • Countermeasures and Selection
      • Information Classification
      • Management Systems & Organizational Model
      • Business Requirements
      • Financial Management
      • Personnel Management (Moved to Personnel Domain)
      • Planning, Organization, Leading, and Communications Management
      • Project Management
      • Setting Goals
      • Internal Relations & External Relations
      • Liaison
      • Types of Solutions
      • Loss Prevention

  • Security Architecture and Models
      • Security Models
      • Architecture
      • Computer (Platform) Architecture
      • System Architecture
      • Network Architecture
      • Enterprise Architecture
      • Security Models
      • Security Modes of Operation
      • System Evaluation Methods
      • Rainbow Series
      • Orange Book
      • Red Book
      • ITSEC - Information Technology Security Evaluation Criteria
      • CC - Common Criteria
      • Certification & Accreditation
      • Open & Closed Systems
      • Threats
      • Covert Channels
      • Countermeasures
      • Backdoors
      • Timing
      • Buffer Overflows

  • Access Control Systems & Methodology (Protection of Sensitive Information)
      • Authentication
      • Identification
      • Authorization
      • Accountability
      • Access Control Models
      • Techniques and Technologies
      • Administration
      • Methods
      • Types
      • Practices
      • Monitoring
      • Password Management
      • Threats to Access Control
      • Dictionary Attack
      • Brute Force Attack
      • Spoofing at Logon
      • Intrusion Detection
      • Host Based
      • Network Based
      • Penetration Testing
      • Tiger Team
      • Hacking
      • Multifactor Authentication
      • Biometrics
      • Tokens
      • Single Sign-on
      • Kerberos (MIT)
      • Centralized & Decentralized
      • RADIUS, TACACS
      • Classification & Asset Inventory (Also under Management)
      • Control
      • Identification
      • Sensitivity
      • Security Labeling

  • Application Development Security
      • Application Security
      • Defaults
      • Complexity
      • Environment Controls & Application Controls
      • Implementation
      • Development Methodology
      • Change Control (As it relates to Development Phase)
      • Program Languages
      • Assemblers, Compilers and Interpreters
      • Open Systems vs. Closed Systems
      • Data Types
      • Database Security
      • Database Management
      • Interface
      • Security Assertion Markup Language (SAML)
      • Vulnerabilities and Threats to DB
      • OS Security
      • System Development
      • SDLC - System Development Life Cycle
      • Artificial Intelligence
      • Malicious Code (Under Access Control)
      • Malware
      • Virus, Worms
      • Spyware
      • Failure States
      • Evaluation, Certification and Accreditation

  • Operations Security
      • Audit
      • Internal & External
      • Fraud Control
      • Documentation & Management
      • Separation of Duties
      • Configuration Management
      • Patch Management
      • Change Control (As it relates to Maintenance Phase)
      • Administrative Management
      • Accountability
      • Product Evaluation
      • Log Management

  • Physical Security
      • Physical Security Assessments
      • Selection of Integrated Physical Security Measures
      • Implementation of Physical Security Measures
      • Environment Control
      • Ventilation
      • Temperature
      • Humidity
      • Fire Control
      • Prevention, Detection & Suppression
      • Employee and Visitor Control
      • Alarms
      • Barriers
      • Facility Planning & Management
      • Guard Patrols and Weapons
      • Materials Control
      • Mechanical, Electrical, and Electronic Devices and Equipment
      • Perimeter Boundaries, Gates, and Lobbies
      • Perimeter Security
      • Protective Lighting
      • Security Surveys
      • Parking, Traffic Control, Communications, and Security Transportation
      • Armored Cars
      • Physical Security Risks
      • Penetration Testing
      • Drills, Exercises, Testing
      • Penetration Detection Systems (Intrusion Detection)
      • Maintenance and Service (OpSec)

  • Cryptography
      • Introduction and History
      • Strength of Cryptosystems
      • Symmetric Key
      • Asymmetric Key
      • Ciphers
      • Steganography
      • Methods of Encryption
      • PKI – Public Key Infrastructure
      • Message Integrity
      • Non-repudiation
      • Key Management
      • Attacks on Cryptosystems
      • Import/Export Issues

  • Telecommunications, Network, & Internet Security
      • OSI – Open Systems Interconnection Model
      • Protocols
      • Networking
      • Firewalls
      • Content Filtering and Inspection
      • Wireless
      • Network Topology
      • Protocols
      • Devices
      • Segregation and Isolation
      • Network Services
      • Intranet and Extranet
      • MAN, LAN, WAN
      • Remote Access
      • Resource Availability
      • Communications Security
      • Email Security
      • Content Filtering and Inspection
      • Non-repudiation
      • Confidentiality
      • Facsimile Security
      • Phone Systems
      • Threats and Attacks

  • Business Continuity Planning & Emergency Management
      • Business Impact Analysis
      • Backups
      • Alternate Location - Facilities
      • Incident Response
      • Recovery & Restoration
      • Testing and Drills
      • Disaster Recovery
      • Emergency Management
      • Implementation
      • Plan Development
      • Types of Emergency
      • Response and Reactions

  • Law, Investigations, & Ethics
      • Ethics
      • Code of Ethics
      • Cultural Differences & Ethics
      • Investigation & Forensics
      • Investigative Resources
      • Methods of Investigation
      • Results and Reports of Investigation
      • Types of Investigation
      • Case Management
      • Evidence Collection
      • Case Presentation
      • Interviewing & Interrogating
      • Crime Scene Preservation
      • Privacy
      • Cyber Warfare
      • Administrative and Regulatory Agency Requirements
      • HIPAA
      • GLBA
      • Civil Liability Torts
      • Civil Rights and Fair Employment
      • Contract Considerations
      • Crimes, Criminal Procedures, and the Criminal Justice System
      • Admissible in Court
      • Due Process and Constitutional Immunities
      • Hackers & Crackers
      • Liability
      • Licensing
      • Import & Export Laws
      • External Relations – Public Liaisons
      • International Cooperation Efforts

  • Personnel Security
      • Employment Selection and Retention Standards
      • Hiring Practices
      • Screening Techniques
      • Background Checks
      • Terminations
      • Employee Reviews & Evaluation
      • Retention
      • Disciplinary Action
      • Promotion
      • Training and Qualifications
      • Security Certifications
      • Security Awareness Programs
      • Eavesdropping
      • Substance Abuse
      • Identification and Disposition of Abusers
      • Workplace Violence
      • Employee Rights (Also under Law & Ethics)
      • Executive Protection
      • Body Guard
      • Armored Cars – for principal transportation
      • Escorts
