
Domains of Security

  • Writer: Donald E. Hester
  • Oct 28, 2017
  • 4 min read


Far from perfect, this was my attempt to combine domains of knowledge, or a common body of knowledge (CBK), to cover everything in security. Some of the sub-points are out of date, like the Common Criteria, etc. But I think the overall structure would still fit all subjects of security and divide them into domains or areas of knowledge. BTW, I made this list in 2005. It is sort of a blast from the past for me.

I used the list to help guide my continuing education. I try to take classes or read books or articles in every subject area so that I remain well-rounded in my career. I guess I used it as a tool for the maintenance phase of my career lifecycle.

It was a combination of the CISSP domains and the domains for the ASIS CPP certification.

  • Security Management Practices
    • Purpose of Information Security Management
    • Awareness Programs & Prevention Programs
    • Policies, Procedures, Standards, and Guidelines
    • Best Practices
    • Baselines
    • Executive Management (e.g. CIO, CISO, CSO, CPO)
    • Risk Management
    • Risk Assessment
    • Risk Analysis
    • Countermeasures Selection
    • Vulnerability Assessment
    • Countermeasures and Selection
    • Information Classification
    • Management Systems & Organizational Model
    • Business Requirements
    • Financial Management
    • Personnel Management (Moved to Personnel Domain)
    • Planning, Organization, Leading, and Communications Management
    • Project Management
    • Setting Goals
    • Internal Relations & External Relations
    • Liaison
    • Types of Solutions
    • Loss Prevention
  • Security Architecture and Models
    • Security Models
    • Architecture
    • Computer (Platform) Architecture
    • System Architecture
    • Network Architecture
    • Enterprise Architecture
    • Security Models
    • Security Modes of Operation
    • System Evaluation Methods
    • Rainbow Series
    • Orange Book
    • Red Book
    • ITSEC - Information Technology Security Evaluation Criteria
    • CC - Common Criteria
    • Certification & Accreditation
    • Open & Closed Systems
    • Threats
    • Covert Channels
    • Countermeasures
    • Backdoors
    • Timing
    • Buffer Overflows
  • Access Control Systems & Methodology (Protection of Sensitive Information)
    • Authentication
    • Identification
    • Authorization
    • Accountability
    • Access Control Models
    • Techniques and Technologies
    • Administration
    • Methods
    • Types
    • Practices
    • Monitoring
    • Password Management
    • Threats to Access Control
    • Dictionary Attack
    • Brute Force Attack
    • Spoofing at Logon
    • Intrusion Detection
    • Host Based
    • Network Based
    • Penetration Testing
    • Tiger Team
    • Hacking
    • Multifactor Authentication
    • Biometrics
    • Tokens
    • Single Sign-on
    • Kerberos (MIT)
    • Centralized & Decentralized
    • RADIUS, TACACS
    • Classification & Asset Inventory (Also under Management)
    • Control
    • Identification
    • Sensitivity
    • Security Labeling
  • Application Development Security
    • Application Security
    • Defaults
    • Complexity
    • Environment Controls & Application Controls
    • Implementation
    • Development Methodology
    • Change Control (As it relates to Development Phase)
    • Program Languages
    • Assemblers, Compilers and Interpreters
    • Open Systems vs. Closed Systems
    • Data Types
    • Database Security
    • Database Management
    • Interface
    • Security Assertion Markup Language (SAML)
    • Vulnerabilities and Threats to DB
    • OS Security
    • System Development
    • SDLC - System Development Life Cycle
    • Artificial Intelligence
    • Malicious Code (Under Access Control)
    • Malware
    • Virus, Worms
    • Spyware
    • Failure States
    • Evaluation, Certification and Accreditation
  • Operations Security
    • Audit
    • Internal & External
    • Fraud Control
    • Documentation & Management
    • Separation of Duties
    • Configuration Management
    • Patch Management
    • Change Control (As it relates to Maintenance Phase)
    • Administrative Management
    • Accountability
    • Product Evaluation
    • Log Management
  • Physical Security
    • Physical Security Assessments
    • Selection of Integrated Physical Security Measures
    • Implementation of Physical Security Measures
    • Environment Control
    • Ventilation
    • Temperature
    • Humidity
    • Fire Control
    • Prevention, Detection & Suppression
    • Employee and Visitor Control
    • Alarms
    • Barriers
    • Facility Planning & Management
    • Guard Patrols and Weapons
    • Materials Control
    • Mechanical, Electrical, and Electronic Devices and Equipment
    • Perimeter Boundaries, Gates, and Lobbies
    • Perimeter Security
    • Protective Lighting
    • Security Surveys
    • Parking, Traffic Control, Communications, and Security Transportation
    • Armored Cars
    • Physical Security Risks
    • Penetration Testing
    • Drills, Exercises, Testing
    • Penetration Detection Systems (Intrusion Detection)
    • Maintenance and Service (OpSec)
  • Cryptography
    • Introduction and History
    • Strength of Cryptosystems
    • Symmetric Key
    • Asymmetric Key
    • Ciphers
    • Steganography
    • Methods of Encryption
    • PKI - Public Key Infrastructure
    • Message Integrity
    • Non-repudiation
    • Key Management
    • Attacks on Cryptosystems
    • Import/Export Issues
  • Telecommunications, Network, & Internet Security
    • OSI - Open Systems Interconnect Model
    • Protocols
    • Networking
    • Firewalls
    • Content Filtering and Inspection
    • Wireless
    • Network Topology
    • Protocols
    • Devices
    • Segregation and Isolation
    • Network Services
    • Intranet and Extranet
    • MAN, LAN, WAN
    • Remote Access
    • Resource Availability
    • Communications Security
    • Email Security
    • Content Filtering and Inspection
    • Non-repudiation
    • Confidentiality
    • Facsimile Security
    • Phone Systems
    • Threats and Attacks
  • Business Continuity Planning & Emergency Management
    • Business Impact Analysis
    • Back-ups
    • Alternate Location - Facilities
    • Incident Response
    • Recovery & Restoration
    • Testing and Drills
    • Disaster Recovery
    • Emergency Management
    • Implementation
    • Plan Development
    • Types of Emergency
    • Response and Reactions
  • Law, Investigations, & Ethics
    • Ethics
    • Code of Ethics
    • Cultural Differences & Ethics
    • Investigation & Forensics
    • Investigative Resources
    • Methods of Investigation
    • Results and Reports of Investigation
    • Types of Investigation
    • Case Management
    • Evidence Collection
    • Case Presentation
    • Interviewing & Interrogating
    • Crime Scene Preservation
    • Privacy
    • Cyber Warfare
    • Administrative and Regulatory Agency Requirements
    • HIPAA
    • GLBA
    • Civil Liability Torts
    • Civil Rights and Fair Employment
    • Contract Considerations
    • Crimes, Criminal Procedures, and the Criminal Justice System
    • Admissible in Court
    • Due Process and Constitutional Immunities
    • Hackers & Crackers
    • Liability
    • Licensing
    • Import & Export Laws
    • External Relations - Public Liaisons
    • International Cooperation Efforts
  • Personnel Security
    • Employment Selection and Retention Standards
    • Hiring Practices
    • Screening Techniques
    • Background Checks
    • Terminations
    • Employee Reviews & Evaluation
    • Retention
    • Disciplinary Action
    • Promotion
    • Training and Qualifications
    • Security Certifications
    • Security Awareness Programs
    • Eavesdropping
    • Substance Abuse
    • Identification and Disposition of Abusers
    • Workplace Violence
    • Employee Rights (Also under Law & Ethics)
    • Executive Protection
    • Body Guard
    • Armored Cars - for principal transportation
    • Escorts
