CISSP SSCP ISSEP

Copyright 1989-2010, (ISC)2 All Rights Reserved

What is Changing?

There are three (ISC)2 certifications that have had changes posted in Candidate Information Bulletins (CIBs) for 2012:

CISSP
One domain name change
Domain order re-arranged for educational material
Rewording of some domain subheadings plus new material

SSCP
NO changes to domain names
Rewording of some domain subheadings plus new material

ISSEP
Two domain name changes
Rewording of some domain subheadings plus new material


CISSP Domain Changes


The Application Development Security domain has now become the Software Development Security domain.

Old
1 ACCESS CONTROL
2 APPLICATION DEVELOPMENT SECURITY
3 BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING
4 CRYPTOGRAPHY
5 INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
6 LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE
7 OPERATIONS SECURITY
8 PHYSICAL AND ENVIRONMENTAL SECURITY
9 SECURITY ARCHITECTURE & DESIGN
10 TELECOMMUNICATIONS & NETWORK SECURITY

New
1 ACCESS CONTROL
2 TELECOMMUNICATIONS & NETWORK SECURITY
3 INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
4 SOFTWARE DEVELOPMENT SECURITY
5 CRYPTOGRAPHY
6 SECURITY ARCHITECTURE & DESIGN
7 OPERATIONS SECURITY
8 BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING
9 LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE
10 PHYSICAL (ENVIRONMENTAL) SECURITY


CISSP Domain Updates


NOTES | NEW CODE | TOPIC DESCRIPTION

1. ACCESS CONTROLS
new | 1.B.1 | Threat modeling
new | 1.B.2 | Asset valuation
new | 1.B.3 | Vulnerability analysis
new | 1.B.4 | Access aggregation
new | 1.C.1 | User entitlement
new | 1.C.2 | Access review & audit
new | 1.D | Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)

2. TELECOMMUNICATIONS & NETWORK SECURITY
reworded | 2.A | Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)
new | 2.A.1 | OSI and TCP/IP models
new | 2.A.2 | IP networking
new | 2.A.3 | Implications of multi-layer protocols
reworded | 2.B.1 | Hardware (e.g., modems, switches, routers, wireless access points)
reworded | 2.B.2 | Transmission media (e.g., wired, wireless, fiber)
reworded | 2.B.3 | Network access control devices (e.g., firewalls, proxies)
reworded | 2.C | Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)
reworded | 2.C.1 | Voice (e.g., POTS, PBX, VoIP)
reworded | 2.C.3 | Remote access (e.g., screen scraper, virtual application/desktop, telecommuting)
reworded | 2.C.4 | Data communications
reworded | 2.D | Understand network attacks (e.g., DDoS, spoofing, session hijack)


CISSP Domain Updates (continued)


NOTES | NEW CODE | TOPIC DESCRIPTION

3. INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
reworded | 3.B.1 | Organizational processes (e.g., acquisitions, divestitures, governance committees)
reworded | 3.B.2 | Security roles and responsibilities
reworded | 3.E | Manage the information life cycle (e.g., classification, categorization, and ownership)
new | 3.F | Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
reworded | 3.G.2 | Risk assessment/analysis (qualitative, quantitative, hybrid)
new | 3.G.5 | Tangible and intangible asset valuation
reworded | 3.H | Manage personnel security
reworded | 3.H.1 | Employment candidate screening (e.g., reference checks, education verification, background checks)
reworded | 3.J | Manage the Security Function
new | 3.J.1 | Budget
new | 3.J.2 | Metrics

4. SOFTWARE DEVELOPMENT SECURITY
reworded | 4.A | Understand and apply security in the software development life cycle
reworded | 4.A.1 | Development Life Cycle
reworded | 4.B | Understand the environment and security controls
reworded | 4.B.1 | Security of the software environment
reworded | 4.B.3 | Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)
reworded | 4.C | Assess the effectiveness of software security
reworded | 4.C.1 | Certification and accreditation (i.e., system authorization)


CISSP Domain Updates (continued)


NOTES | NEW CODE | TOPIC DESCRIPTION

5. CRYPTOGRAPHY
new | 5.B | Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
reworded | 5.G.3 | Brute Force (e.g., rainbow tables, specialized/scalable architecture, GPUs, CUDA)
reworded | 5.H | Use cryptography to maintain network security
reworded | 5.I | Use cryptography to maintain application security

6. SECURITY ARCHITECTURE & DESIGN
reworded | 6.E.1 | Web-based (e.g., XML, SAML, OWASP)
reworded | 6.E.4 | Database security (e.g., inference, aggregation, data mining, warehousing)
new | 6.E.5 | Distributed systems (e.g., cloud computing, grid computing, peer to peer)

7. OPERATIONS SECURITY
reworded | 7.A | Understand security operations concepts
reworded | 7.B.2 | Asset management (e.g., equipment life cycle, software licensing)
reworded | 7.C.5 | Remediation and review (e.g., root cause analysis)
reworded | 7.D | Preventive measures against attacks (e.g., malicious code, zero-day exploit, denial of service)
reworded | 7.F | Understand change and configuration management (e.g., versioning, baselining)
reworded | 7.G | Understand system resilience and fault tolerance requirements

8. BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING
reworded | 8.E | Exercise, assess and maintain the plan (e.g., version control, distribution)
reworded | 10.F | Personnel privacy and safety (e.g., duress, travel, monitoring)


CISSP Domain Updates (continued)


NOTES | NEW CODE | TOPIC DESCRIPTION

9. LEGAL, REGULATIONS, INVESTIGATIONS AND COMPLIANCE
new | 9.B | Understand professional ethics
new | 9.B.1 | (ISC)2 Code of Professional Ethics
new | 9.B.2 | Support organization's code of ethics
reworded | 9.C.1 | Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope)
new | 9.D.4 | Hardware/embedded device analysis
reworded | 9.F | Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)

10. PHYSICAL (ENVIRONMENTAL) SECURITY
reworded | 10.A | Understand site and facility design considerations
reworded | 10.D | Support the implementation and operation of facilities security (e.g., technology, physical, and network convergence)
reworded | 10.F | Personnel privacy and safety (e.g., duress, travel, monitoring)


SSCP Domain Updates


NOTES | NEW CODE | TOPIC DESCRIPTION

1. ACCESS CONTROLS
Reworded | 1.D | Apply Access Control Concepts (e.g., least privilege, and separation of duties)
New | 1.D.1 | Discretionary Access Control (DAC)
New | 1.D.2 | Non-discretionary Access Control
Reworded | 1.E | Manage Internetwork Trust Architectures (e.g., extranet, third party connections, federated access)
New | 1.F | Implement identity management
New | 1.F.1 | Provisioning
New | 1.F.2 | Maintenance
New | 1.F.3 | Entitlement
New | 1.G | Understand basic security concepts related to cloud computing (e.g., virtualization, data control, storage, privacy, compliance)

2. SECURITY OPERATIONS & ADMINISTRATION
New | 2.B | Perform Security Administrative Duties
New | 2.B.1 | Maintain adherence to security policies, baselines, standards, and procedures
New | 2.B.2 | Validate security controls
New | 2.B.3 | Data classification (e.g., control, handling, categorization)
New | 2.B.4 | Asset management (e.g., hardware, software, data)
New | 2.B.5 | Develop and maintain systems and security control documentation
Reworded | 2.C | Perform Change Management Duties
Reworded | 2.C.1 | Assist with implementation of Configuration Management Plan
Reworded | 2.C.2 | Understand the impact of changes to the environment
New | 2.C.3 | Test patches, fixes, and updates (e.g., operating system, applications, SDLC)
New | 2.D.1 | Support certification and accreditation (i.e., security authorization)
Reworded | 2.E | Participate in Security Awareness Education


SSCP Domain Updates (continued)


NOTES | NEW CODE | TOPIC DESCRIPTION

2. SECURITY OPERATIONS & ADMINISTRATION (Continued)
New | 2.F.1 | Understand impact of security testing
Reworded | 2.G | Understand concepts of endpoint device security (e.g., virtualization, thin clients, thick clients, USB devices, mobile devices)
New | 2.H | Comply with data management policies (e.g., storage media (paper or electronic), transmission, archiving, retention requirements, destruction, deduplication, data loss prevention, social network usage, information rights management (IRM))
New | 2.I | Understand security concepts (e.g., confidentiality, integrity, availability, privacy)

3. MONITORING AND ANALYSIS
Reworded | 3.A | Maintain Effective Monitoring Systems (e.g., continuous monitoring)
Reworded | 3.A.3 | Review systems for unauthorized changes (e.g., file integrity checkers, honeypots, unauthorized connections)
New | 3.A.5 | Install and configure agents and management systems

4. RISK, RESPONSE, AND RECOVERY
Reworded | 4.A | Understand Risk Management Process
Reworded | 4.A.1 | Understand risk management concepts (e.g., impacts, threats, vulnerabilities)
Reworded | 4.A.3 | Support mitigation activity (e.g., safeguards, countermeasures)
New | 4.A.4 | Address audit findings
Reworded | 4.B | Perform Security Assessment Activities
Reworded | 4.B.4 | Interpret results of scanning and testing
Reworded | 4.C.2 | Understand the concepts of forensic investigations (e.g., first responder, evidence handling, chain of custody, preservation of scene)
Reworded | 4.D | Understand and support Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Reworded | 4.D.1 | Understand the Components of a Business Continuity Plan (BCP)
Reworded | 4.D.2 | Understand and support Disaster Recovery Plan (DRP)

5. CRYPTOGRAPHY
New | 5.A.1 | Install and maintain cryptographic systems
Reworded | 5.C | Support Certificate and Key Management
New | 5.C.1 | Understand basic key management concepts (e.g., public key infrastructure)
Reworded | 5.C.2 | Administration and validation (e.g., key creation, exchange, revocation, escrow)
Reworded | 5.D | Understand the use of Secure Protocols (e.g., differences in implementation, appropriate use)


SSCP Domain Updates (continued)


NOTES | NEW CODE | TOPIC DESCRIPTION

6. NETWORKS AND COMMUNICATIONS
Reworded | 6.A | Understand security issues related to Networks
New | 6.A.2 | Network topographies and relationships (e.g., token ring, star, bus, ethernet)
Reworded | 6.A.3 | Commonly used ports and protocols
Reworded | 6.A.5 | Network security concepts (e.g., address translation, defense in depth, IP addressing)
Reworded | 6.B.2 | Common Vulnerabilities
Reworded | 6.C.2 | Common Vulnerabilities
Reworded | 6.D.1 | Methods (e.g., application filtering, packet filtering, stateful/stateless inspection)
Reworded | 6.D.2 | Types (e.g., host based, network based)
Reworded | 6.D.3 | Common Vulnerabilities
Reworded | 6.E | Understand Wireless and Cellular Technologies
Reworded | 6.E.2 | Technology (e.g., Bluetooth, RFID, 802.11, WiMax, GSM, 3G, NFC)
Reworded | 6.E.3 | Common Vulnerabilities

7. MALICIOUS CODE & ACTIVITY
Reworded | 7.A | Identify Malicious Code (e.g., virus, worms, trojan horses, logic bombs)
Reworded | 7.A.1 | Understand concepts of rootkits
Reworded | 7.A.2 | Understand types of malware (e.g., spyware, scareware, ransomware)
Reworded | 7.A.3 | Understand concepts of Trapdoors & Backdoors
Reworded | 7.A.4 | Understand concepts of Botnets
Reworded | 7.A.5 | Understand concepts of Mobile Code
Reworded | 7.B.2 | Deploy and manage anti-malware
Reworded | 7.B.4 | Software Security (e.g., code signing, application review, server side input validation)
Reworded | 7.C | Identify Malicious Activity (e.g., social engineering, insider threat, data theft, DDoS, spoofing, phishing, pharming, spam)
New | 7.C.1 | Understand malicious web activity (e.g., cross site scripting, cross site request forgery, injection, social networking attacks)
New | 7.C.2 | Understand the concept of zero day exploits


ISSEP Domain Changes


A. The Certification and Accreditation (C&A) domain has now become the Certification and Accreditation (C&A)/Risk Management Framework (RMF) domain.
B. The U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards) domain has now become the U.S. Government Information Assurance Related Policies and Issuances domain.

OLD ISSEP Domains (Effective: March 13, 2010)
Domain 1 System Security Engineering
Domain 2 Certification and Accreditation (C&A)
Domain 3 Technical Management
Domain 4 U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards)

NEW ISSEP Domains (Effective: March 2012; Notice: July 1, 2011)
Domain 1 Systems Security Engineering
Domain 2 Certification and Accreditation (C&A) / Risk Management Framework (RMF)
Domain 3 Technical Management
Domain 4 U.S. Government Information Assurance Related Policies and Issuances


ISSEP Domain Updates


NOTES | NEW CODE | TOPIC DESCRIPTION

1. Systems Security Engineering
Reworded | 1.A.1 | Understand security and systems engineering methodologies (e.g., Institute of Electrical and Electronics Engineers (IEEE) 1220, INCOSE Systems Engineering Handbook)
Reworded | 1.A.2 | Understand process models (e.g., lifecycle models, Systems Security Engineering Capability Maturity Model (ISO/IEC 21827), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15288)
Reworded | 1.B.3 | Identify data types and determine additional legal / regulatory requirements
Reworded | 1.C.1 | Develop system security context (e.g., support system, application)
Reworded | 1.C.4 | Review design constraints
Reworded | 1.C.5 | Assess information protection effectiveness
Reworded | 1.F.1 | Support security implementation, integration and test

2. Certification and Accreditation (C&A) / Risk Management Framework (RMF)
Reworded | 2.A | Understand the U.S. Government C&A/RMF process to be applied (e.g., National Information Assurance Certification and Accreditation Process (NIACAP), DoD Information Assurance Certification and Accreditation Process (DIACAP), National Institute of Standards and Technology Special Publication (NIST SP) 800-37 rev 1)
Reworded | 2.A.1 | Understand the purpose of C&A/RMF
Reworded | 2.A.2 | Identify and understand criteria used to determine applicability of U.S. Government C&A/RMF processes
Reworded | 2.B | Understand the roles and responsibilities of stakeholders identified within the C&A/RMF process


ISSEP Domain Updates (continued)


NOTES | NEW CODE | TOPIC DESCRIPTION

2. Certification and Accreditation (C&A) / Risk Management Framework (RMF) (continued)
Note: Section C (Understand Risk Management) from the previous version has been removed and the old Section D is now Section C in the 2012 CIB.
Reworded | 2.C | Integrate the C&A/RMF processes with systems security engineering
Reworded | 2.C.1 | Understand the attributes and significance of well-defined, integrated processes (e.g., administrative security policies/procedures and its relationship to C&A/RMF)
Reworded | 2.C.7 | Identify and correlate C&A/RMF phases and tasks with systems engineering phases and tasks
Reworded | 2.C.9 | Support C&A/RMF activities as appropriate based on C&A/RMF tailoring (e.g., register system with the appropriate information assurance program, communicate results of risk analysis to certifier and accreditor, prepare and present C&A/RMF documentation to accreditor, submit reports to centralized database)

3. Technical Management
Note: No changes in Domain 3 from the previous version.

4. U.S. Government Information Assurance Related Policies and Issuances
Reworded | 4.A | Understand national laws and policies
Reworded | 4.B | Understand civil agency policies and guidelines
Reworded | 4.C | Understand DoD policies and guidelines
Reworded | 4.D | Understand applicable international standards

