What is Changing?
There are three (ISC)2 certifications that have had changes posted in Candidate Information Bulletins (CIBs) for 2012.

CISSP
- One domain name change
- Domain order re-arranged for educational material
- Rewording of some domain subheadings, plus new material

SSCP
- No changes to domain names
- Rewording of some domain subheadings, plus new material
Old
1   ACCESS CONTROL
2   TELECOMMUNICATIONS & NETWORK SECURITY
3   INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
4   SOFTWARE DEVELOPMENT SECURITY
5   CRYPTOGRAPHY
6   SECURITY ARCHITECTURE & DESIGN
7   OPERATIONS SECURITY
8   BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING
9   LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE
10  PHYSICAL (ENVIRONMENTAL) SECURITY
New
NEW CODE  TOPIC DESCRIPTION
1. ACCESS CONTROLS
1.B.1  Threat modeling
1.B.2  Asset valuation
1.B.3  Vulnerability analysis
1.B.4  Access aggregation
1.C.1  User entitlement
1.C.2  Access review & audit
1.D    Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
2. Codes: 2.A, 2.A.1, 2.A.2, 2.A.3, 2.B.1, 2.B.2, 2.B.3, 2.C, 2.C.1, 2.C.3, 2.C.4, 2.D
3. Codes (reworded): 3.B.1, 3.B.2, 3.E, 3.F, 3.G.2, 3.G.5, 3.H, 3.H.1, 3.J, 3.J.1, 3.J.2
4.
5. CRYPTOGRAPHY
5.B    Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
5.G.3  Brute force (e.g., rainbow tables, specialized/scalable architecture, GPUs, CUDA)
5.H    Use cryptography to maintain network security
5.I    Use cryptography to maintain application security
6. Codes: 6.E.1, 6.E.4, 6.E.5
7. OPERATIONS SECURITY
7.A    Understand security operations concepts
7.B.2  Asset management (e.g., equipment life cycle, software licensing)
7.C.5  Remediation and review (e.g., root cause analysis)
7.D    Preventative measures against attacks (e.g., malicious code, zero-day exploits, denial of service)
7.F    Understand change and configuration management (e.g., versioning, baselining)
7.G    Understand system resilience and fault tolerance requirements
9. Codes: 9.B, 9.B.1, 9.B.2, 9.C.1, 9.D.4, 9.F
10. Codes (reworded): 10.A, 10.D, 10.F
NEW CODE  TOPIC DESCRIPTION
1. ACCESS CONTROLS
1.D    Apply access control concepts (e.g., least privilege and separation of duties)
1.D.1  Discretionary Access Control (DAC)
1.D.2  Non-discretionary access control
1.E    Manage internetwork trust architectures (e.g., extranet, third-party connections, federated access)
1.F    Implement identity management
1.F.1  Provisioning
1.F.2  Maintenance
1.F.3  Entitlement
1.G    Understand basic security concepts related to cloud computing (e.g., virtualization, data control, storage, privacy, compliance)
2. Codes: 2.B, 2.B.1, 2.B.2, 2.B.3, 2.B.4, 2.B.5, 2.C, 2.C.1, 2.C.2, 2.C.3, 2.D.1, 2.E, 2.H, 2.I
Status: New, New, Reworded, Reworded, New, Reworded, Reworded, Reworded, New, Reworded, Reworded, Reworded, Reworded, Reworded, Reworded, New, Reworded, New, Reworded, Reworded
CRYPTOGRAPHY
- Install and maintain cryptographic systems
- Support certificate and key management
- Understand basic key management concepts (e.g., public key infrastructure)
- Administration and validation (e.g., key creation, exchange, revocation, escrow)
- Understand the use of secure protocols (e.g., differences in implementation, appropriate use)
NEW CODE
6. Codes: 6.A, 6.A.2, 6.A.3, 6.A.5, 6.B.2, 6.C.2, 6.D.1, 6.D.2, 6.D.3, 6.E, 6.E.2, 6.E.3
7. Codes: 7.A, 7.A.1, 7.A.2, 7.A.3, 7.A.4, 7.A.5, 7.B.2, 7.B.4, 7.C, 7.C.1, 7.C.2
Domain 4: U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards)
Reworded
1.A.2  Reworded
Reworded
2.
2.A
NEW CODE  TOPIC DESCRIPTION
2. Certification and Accreditation (C&A) / Risk Management Framework (RMF) (continued)
Note: Section C (Understand Risk Management) from the previous version has been removed, and the old Section D is now Section C in the 2012 CIB.
2.C    Integrate the C&A/RMF processes with systems security engineering
2.C.1  Understand the attributes and significance of well-defined, integrated processes (e.g., administrative security policies/procedures and their relationship to C&A/RMF)
2.C.7  Identify and correlate C&A/RMF phases and tasks with systems engineering phases and tasks
2.C.9  Support C&A/RMF activities as appropriate based on C&A/RMF tailoring (e.g., register the system with the appropriate information assurance program, communicate the results of risk analysis to the certifier and accreditor, prepare and present C&A/RMF documentation to the accreditor, submit reports to a centralized database)
3. Technical Management
Note -
Reworded
4. U.S. Government Information Assurance Related Policies and Issuances