Certified Secure Software Lifecycle Professional Training

⏰24 hours | ▶️ 24 Videos | 📣 9268 Participants | 🎓 3650 Reviews | 4.8 ⭐⭐⭐⭐⭐

Choose a Plan that Works for You

Upcoming Batches PST

  • Weekday: Dec 10 (1 HR A DAY), 07:00 PM PST
  • Weekday: Dec 31 (1 HR A DAY), 07:00 AM PST
  • Weekend: Dec 21 (1 HR A DAY), 07:00 PM PST

Upcoming Batches IST

  • Weekday: Dec 11 (1 HR A DAY), 07:30 AM IST
  • Weekday: Dec 31 (1 HR A DAY), 07:30 PM IST
  • Weekend: Dec 22 (1 HR A DAY), 07:30 AM IST

Course Description

Certified Secure Software Lifecycle Professional (CSSLP) Training prepares you to understand the features of CSSLP.

Certified Secure Software Lifecycle Professional focuses on application security. Experience in a specific field can give you an added advantage.

The CSSLP course teaches through real-time scenarios that help you understand the material well.

You can schedule a free online demo class with us to get a brief idea about the course.

Earning the CSSLP certification promotes your career with multiple opportunities.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1. Secure Software Concepts

  • Core Concepts
  • Security Design Principles

2. Secure Software Requirements

  • Define Software Security Requirements
  • Identify and Analyze Compliance Requirements
  • Identify and Analyze Data Classification Requirements
  • Identify and Analyze Privacy Requirements
  • Develop Misuse and Abuse Cases
  • Develop Security Requirement Traceability Matrix (SRTM)
  • Ensure Security Requirements Flow Down to Suppliers/Providers

3. Secure Software Architecture and Design

  • Perform Threat Modeling
  • Define the Security Architecture
  • Performing Secure Interface Design
  • Performing Architectural Risk Assessment
  • Model (Non-Functional) Security Properties and Constraints
  • Model and Classify Data
  • Evaluate and Select Reusable Secure Design
  • Perform Security Architecture and Design Review
  • Define Secure Operational Architecture (e.g., deployment topology, operational interfaces)
  • Use Secure Architecture and Design Principles, Patterns, and Tools

4. Secure Software Implementation

  • Adhere to Relevant Secure Coding Practices (e.g., standards, guidelines and regulations)
  • Analyze Code for Security Risks
  • Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)
  • Address Security Risks (e.g., remediation, mitigation, transfer, accept)
  • Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))
  • Securely Integrate Components
  • Apply Security During the Build Process

5. Secure Software Testing

  • Develop Security Test Cases
  • Develop Security Testing Strategy and Plan
  • Verify and Validate Documentation (e.g., installation and setup instructions, error messages, user guides, release notes)
  • Identify Undocumented Functionality
  • Analyze Security Implications of Test Results (e.g., impact on product management, prioritization, break build criteria)
  • Classify and Track Security Errors
  • Secure Test Data
  • Perform Verification and Validation Testing

6. Secure Software Lifecycle Management

  • Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)
  • Define Strategy and Roadmap
  • Manage Security Within a Software Development Methodology
  • Identify Security Standards and Frameworks
  • Define and Develop Security Documentation
  • Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)
  • Decommission Software
  • Report Security Status (e.g., reports, dashboards, feedback loops)
  • Incorporate Integrated Risk Management (IRM)
  • Promote Security Culture in Software Development
  • Implement Continuous Improvement (e.g., retrospective, lessons learned)

7. Secure Software Deployment, Operations, Maintenance

  • Perform Operational Risk Analysis
  • Release Software Securely
  • Securely Store and Manage Security Data
  • Ensure Secure Installation
  • Perform Post-Deployment Security Testing
  • Obtain Security Approval to Operate (e.g., risk acceptance, sign-off at appropriate level)
  • Perform Information Security Continuous Monitoring (ISCM)
  • Support Incident Response
  • Perform Patch Management (e.g., secure release, testing)
  • Perform Vulnerability Management (e.g., scanning, tracking, triaging)
  • Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomization (ASLR))
  • Support Continuity of Operations
  • Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)

8. Secure Software Supply Chain

  • Implement Software Supply Chain Risk Management
  • Analyze Security of Third-Party Software
  • Verify Pedigree and Provenance
  • Ensure Supplier Security Requirements in the Acquisition Process
  • Support contractual requirements (e.g., Intellectual Property (IP) ownership, code escrow, liability, warranty, End-User License Agreement (EULA), Service Level Agreements (SLA))

CRISC Training

⏰24 hours | ▶️ 24 Videos | 📣 7925 Participants | 🎓 3357 Reviews | 4.8 ⭐⭐⭐⭐⭐

Choose a Plan that Works for You

Upcoming Batches PST

  • Weekday: Dec 12 (1 HR A DAY), 07:00 PM PST
  • Weekday: Dec 27 (1 HR A DAY), 07:00 AM PST
  • Weekend: Dec 28 (1 HR A DAY), 07:00 PM PST

Upcoming Batches IST

  • Weekday: Dec 13 (1 HR A DAY), 07:30 AM IST
  • Weekday: Dec 27 (1 HR A DAY), 07:30 PM IST
  • Weekend: Dec 29 (1 HR A DAY), 07:30 AM IST

Course Description

The Certified Risk and Information Systems Control Training certification indicates that you can identify and manage enterprise IT risk and implement and maintain information systems controls.

CRISC is a certification program that teaches you, and recognizes your knowledge and training in, the discipline of IT risk management.

CRISC training classes give IT security professionals a marker of experience and knowledge in risk management for the enterprise and financial sectors.

To take up the CRISC course, you need to demonstrate three years of experience in the fields of risk management and IS control, in line with ISACA’s requirements.

The CRISC certification is worth earning because the roles it applies to are typically senior ones in areas like management and security.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1. IT Risk Identification

  • Collect and review information, including existing documentation, regarding the organization’s internal and external business and IT environments to identify potential impacts of IT risk to the organization’s business objectives and operations.
  • Identify potential threats and vulnerabilities to the organization’s people, processes and technology to enable IT risk analysis.
  • Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.
  • Identify key stakeholders for IT risk scenarios to help establish accountability.
  • Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprise-wide risk profile.
  • Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives.
  • Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture.

2. IT Risk Assessment

  • Analyze risk scenarios based on organizational criteria (e.g., organizational structure, policies, standards, technology, architecture, controls) to determine the likelihood and impact of an identified risk.
  • Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
  • Review the results of risk and control analysis to assess any gaps between current and desired states of the IT risk environment.
  • Ensure that risk ownership is assigned at the appropriate level to establish clear lines of accountability.
  • Communicate the results of risk assessments to senior management and appropriate stakeholders to enable risk-based decision making.
  • Update the risk register with the results of the risk assessment.

3. Risk Response and Mitigation

  • Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions.
  • Consult with, or assist, risk owners on the development of risk action plans to ensure that plans include key elements (e.g., response, cost, target date).
  • Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level.
  • Ensure that control ownership is assigned in order to establish clear lines of accountability.
  • Assist control owners in developing control procedures and documentation to enable efficient and effective control execution.
  • Update the risk register to reflect changes in risk and management’s risk response.
  • Validate that risk responses have been executed according to the risk action plans.

4. Risk and Control Monitoring and Reporting

  • Define and establish key risk indicators (KRIs) and thresholds based on available data, to enable monitoring of changes in risk.
  • Monitor and analyze key risk indicators (KRIs) to identify changes or trends in the IT risk profile.
  • Report on changes or trends related to the IT risk profile to assist management and relevant stakeholders in decision making.
  • Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of control performance.
  • Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.
  • Review the results of control assessments to determine the effectiveness of the control environment.
  • Report on the performance of, changes to, or trends in the overall risk profile and control environment to relevant stakeholders to enable decision making.

CGEIT Training

⏰24 hours | ▶️ 24 Videos | 📣 8206 Participants | 🎓 3254 Reviews | 4.8 ⭐⭐⭐⭐⭐

Choose a Plan that Works for You

Upcoming Batches PST

  • Weekday: Dec 11 (1 HR A DAY), 06:00 PM PST
  • Weekday: Dec 31 (1 HR A DAY), 06:00 AM PST
  • Weekend: Dec 29 (1 HR A DAY), 07:30 AM IST

Upcoming Batches IST

  • Weekday: Dec 12 (1 HR A DAY), 07:30 AM IST
  • Weekday: Dec 31 (1 HR A DAY), 07:30 PM IST
  • Weekend: Dec 29 (1 HR A DAY), 07:30 PM IST

Course Description

Certified Governance of Enterprise IT Training is built around information technology and its associated support.

The CGEIT certification is provided by ISACA and is a vendor-neutral certification.

CGEIT is aimed specifically at IT executives at large organizations who are in charge of overseeing, controlling, and supporting IT governance.

Through the course classes, you will learn how it enables executive management and staff within your company to set expectations, participate, communicate, and establish accountability.

There is no particular prerequisite to learn the CGEIT course. Still, experience in managing, serving, or supporting the governance of the IT-related contribution to an enterprise is needed to apply for certification.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1. Framework for the Governance of Enterprise IT

1.1 Ensure that a framework for the governance of enterprise IT is established and enables the achievement of enterprise goals and objectives to create stakeholder value, taking into account benefits realization, risk optimization, and resource optimization.

1.2 Identify the requirements and objectives for the framework for the governance of enterprise IT incorporating input from enablers such as principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies.

1.3 Ensure that the framework for the governance of enterprise IT addresses applicable internal and external requirements (for example, principles, policies and standards, laws, regulations, service capabilities and contracts).

1.4 Ensure that strategic planning processes are incorporated into the framework for the governance of enterprise IT.

1.5 Ensure the incorporation of enterprise architecture (EA) into the framework for the governance of enterprise IT in order to optimize IT-enabled business solutions.

1.6 Ensure that the framework for the governance of enterprise IT incorporates comprehensive and repeatable processes and activities.

1.7 Ensure that the roles, responsibilities and accountabilities for information systems and IT processes are established.

1.8 Ensure issues related to the framework for the governance of enterprise IT are reviewed, monitored, reported and remediated.

1.9 Ensure that organizational structures are in place to enable effective planning and implementation of IT-enabled business investments.

1.10 Ensure the establishment of a communication channel to reinforce the value of the governance of enterprise IT and transparency of IT costs, benefits and risk throughout the enterprise.

1.11 Ensure that the framework for the governance of enterprise IT is periodically assessed, including the identification of improvement opportunities.

KNOWLEDGE STATEMENTS

1.1 Knowledge of components of a framework for the governance of enterprise IT

1.2 Knowledge of IT governance industry practices, standards and frameworks (for example, COBIT, Information Technology Infrastructure Library [ITIL], International Organization for Standardization [ISO] 20000, ISO 38500)

1.3 Knowledge of business drivers related to IT governance (for example, legal, regulatory and contractual requirements)

1.4 Knowledge of IT governance enablers (for example, principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies)

1.5 Knowledge of techniques used to identify IT strategy (for example, SWOT, BCG Matrix)

1.6 Knowledge of components, principles, and concepts related to enterprise architecture (EA)

1.7 Knowledge of organizational structures and their roles and responsibilities (for example, enterprise investment committee, program management office, IT strategy committee, IT architecture review board, IT risk management committee)

1.8 Knowledge of methods to manage organizational, process and cultural change

1.9 Knowledge of models and methods to establish accountability for information requirements, data and system ownership; and IT processes

1.10 Knowledge of IT governance monitoring processes/mechanisms (for example, balanced scorecard [BSC])

1.11 Knowledge of IT governance reporting processes/mechanisms

1.12 Knowledge of communication and promotion techniques

1.13 Knowledge of assurance methodologies and techniques

1.14 Knowledge of continuous improvement techniques and processes

2. Strategic Management

2.1 Evaluate, direct and monitor IT strategic planning processes to ensure alignment with enterprise goals.
2.2 Ensure that appropriate policies and procedures are in place to support IT and enterprise strategic alignment.
2.3 Ensure that the IT strategic planning processes and related outputs are adequately documented and communicated.
2.4 Ensure that enterprise architecture (EA) is integrated into the IT strategic planning process.
2.5 Ensure prioritization of IT initiatives to achieve enterprise objectives.
2.6 Ensure that IT objectives cascade into clear roles, responsibilities and actions of IT personnel.
KNOWLEDGE STATEMENTS
2.1 Knowledge of an enterprise’s strategic plan and how it relates to IT
2.2 Knowledge of strategic planning processes and techniques
2.3 Knowledge of impact of changes in business strategy on IT strategy
2.4 Knowledge of barriers to the achievement of strategic alignment
2.5 Knowledge of policies and procedures necessary to support IT and business strategic alignment
2.6 Knowledge of methods to document and communicate IT strategic planning processes (for example, IT dashboard/balanced scorecard, key indicators)
2.7 Knowledge of components, principles and frameworks of enterprise architecture (EA)
2.8 Knowledge of current and future technologies
2.9 Knowledge of prioritization processes related to IT initiatives
2.10 Knowledge of scope, objectives and benefits of IT investment programs
2.11 Knowledge of IT roles and responsibilities and methods to cascade business and IT objectives to IT personnel

3. Benefits Realization

TASK STATEMENTS
3.1 Ensure that IT-enabled investments are managed as a portfolio of investments.
3.2 Ensure that IT-enabled investments are managed through their economic life cycle to achieve business benefit.
3.3 Ensure business ownership and accountability for IT-enabled investments are established.
3.4 Ensure that IT investment management practices align with enterprise investment management practices.
3.5 Ensure that IT-enabled investment portfolios, IT processes and IT services are evaluated and benchmarked to achieve business benefit.
3.6 Ensure that outcome and performance measures are established and evaluated to assess progress towards the achievement of enterprise and IT objectives.
3.7 Ensure that outcome and performance measures are monitored and reported to key stakeholders in a timely manner.
3.8 Ensure that improvement initiatives are identified, prioritized, initiated and managed based on outcome and performance measures.
KNOWLEDGE STATEMENTS
3.1 Knowledge of IT investment management processes, including the economic lifecycle of investments
3.2 Knowledge of basic principles of portfolio management
3.3 Knowledge of benefit calculation techniques (for example, earned value, total cost of ownership, return on investment)
3.4 Knowledge of process and service measurement techniques (for example, maturity models, benchmarking, key performance indicators [KPIs])
3.5 Knowledge of processes and practices for planning, development, transition, delivery, and support of IT solutions and services
3.6 Knowledge of continuous improvement concepts and principles
3.7 Knowledge of outcome and performance measurement techniques (for example, service metrics, key performance indicators [KPIs])
3.8 Knowledge of procedures to manage and report the status of IT investments
3.9 Knowledge of cost optimization strategies (for example, outsourcing, adoption of new technologies)
3.10 Knowledge of models and methods to establish accountability over IT investments
3.11 Knowledge of value delivery frameworks (for example, Val IT)
3.12 Knowledge of business case development and evaluation techniques

4. Risk Optimization

4.1 Ensure that comprehensive IT risk management processes are established to identify, analyze, mitigate, manage, monitor, and communicate IT risk.
4.2 Ensure that legal and regulatory compliance requirements are addressed through IT risk management.
4.3 Ensure that IT risk management is aligned with the enterprise risk management (ERM) framework.
4.4 Ensure appropriate senior level management sponsorship for IT risk management.
4.5 Ensure that IT risk management policies, procedures and standards are developed and communicated.
4.6 Ensure the identification of key risk indicators (KRIs).
4.7 Ensure timely reporting and proper escalation of risk events and responses to appropriate levels of management.
KNOWLEDGE STATEMENTS
4.1 Knowledge of the application of risk management at the strategic, portfolio, program, project and operations levels
4.2 Knowledge of risk management frameworks and standards (for example, Risk IT, the Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management—Integrated Framework (2004) [COSO ERM], International Organization for Standardization (ISO) 31000)
4.3 Knowledge of the relationship of the risk management approach to legal and regulatory compliance
4.4 Knowledge of methods to align IT and enterprise risk management (ERM)
4.5 Knowledge of the relationship of the risk management approach to business resiliency (for example, business continuity planning [BCP] and disaster recovery planning [DRP])
4.6 Knowledge of risk, threats, vulnerabilities and opportunities inherent in the use of IT
4.7 Knowledge of types of business risk, exposures and threats (for example, external environment, internal fraud, information security) that can be addressed using IT resources
4.8 Knowledge of risk appetite and risk tolerance
4.9 Knowledge of quantitative and qualitative risk assessment methods
4.10 Knowledge of risk mitigation strategies related to IT in the enterprise
4.11 Knowledge of methods to monitor effectiveness of mitigation strategies and/or controls
4.12 Knowledge of stakeholder analysis and communication techniques
4.13 Knowledge of methods to establish key risk indicators (KRIs)
4.14 Knowledge of methods to manage and report the status of identified risk

5. Resource Optimization

5.1 Ensure that processes are in place to identify, acquire and maintain IT resources and capabilities (i.e., information, services, infrastructure and applications, and people).
5.2 Evaluate, direct and monitor sourcing strategies to ensure existing resources are taken into account to optimize IT resource utilization.
5.3 Ensure the integration of IT resource management into the enterprise’s strategic and tactical planning.
5.4 Ensure the alignment of IT resource management processes with the enterprise’s resource management processes.
5.5 Ensure that a resource gap analysis process is in place so that IT is able to meet strategic objectives of the enterprise.
5.6 Ensure that policies exist to guide IT resource sourcing strategies that include service level agreements (SLAs) and changes to sourcing strategies.
5.7 Ensure that policies and processes are in place for the assessment, training and development of staff to address enterprise requirements and personal/professional growth.
KNOWLEDGE STATEMENTS
5.1 Knowledge of IT resource planning methods
5.2 Knowledge of human resource procurement, assessment, training, and development methodologies
5.3 Knowledge of processes for acquiring application, information, and infrastructure resources
5.4 Knowledge of outsourcing and offshoring approaches that may be employed to meet the investment program and operation level agreements (OLAs) and service level agreements (SLAs)
5.5 Knowledge of methods used to record and monitor IT resource utilization and availability
5.6 Knowledge of methods used to evaluate and report on IT resource performance
5.7 Knowledge of interoperability, standardization and economies of scale
5.8 Knowledge of data management and data governance concepts
5.9 Knowledge of service level management concepts

Certified Information Systems Auditor CISA Training

⏰24 hours | ▶️ 24 Videos | 📣 9348 Participants | 🎓 4291 Reviews | 4.8 ⭐⭐⭐⭐⭐

Choose a Plan that Works for You

Upcoming Batches PST

  • Weekday: Dec 13 (1 HR A DAY), 07:30 AM IST
  • Weekday: Dec 26 (1 HR A DAY), 06:00 AM PST
  • Weekend: Dec 28 (1 HR A DAY), 06:00 PM PST

Upcoming Batches IST

  • Weekday: Dec 13 (1 HR A DAY), 07:30 PM IST
  • Weekday: Dec 26 (1 HR A DAY), 07:30 PM IST
  • Weekend: Dec 29 (1 HR A DAY), 07:30 AM IST

Course Description

Certified Information Systems Auditor Training is structured around the work done by IT systems auditors.

IT systems auditors are those who ensure that these systems are well integrated and able to function properly.

Those eligible to take the CISA course are IT auditors, compliance executives, senior compliance officers, chief risk and data protection officers, security heads, and security managers.

You need a mandatory five years of work experience before taking the CISA course.

You need to attend the classes that teach information systems auditing, control, or security.

The CISA certification stays in demand as organizations look to improve infosec outcomes and bridge the cybersecurity skills gap.

With this Certification in your hand, you can land anywhere in the world with good Career options.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1. Information System Auditing Process

1.1 Planning

  • IS Audit Standards, Guidelines and Codes of Ethics
  • Business Processes
  • Types of Controls
  • Risk-based Audit Planning
  • Types of Audits and Assessments

1.2 Execution

  • Audit Project Management
  • Sampling Methodology
  • Audit Evidence Collection Techniques
  • Data Analytics
  • Reporting and Communication Techniques
  • Quality Assurance and Improvement of the Audit Process

 

2. Governance and Management of IT

2.1 IT Governance and IT Strategy

  • IT-related Frameworks
  • IT Standards, Policies and Procedures
  • Organizational Structure
  • Enterprise Architecture
  • Enterprise Risk Management
  • Maturity Models
  • Laws, Regulations and Industry Standards Affecting the Organization

2.2 IT Management

  • IT Resource Management
  • IT Service Provider Acquisition and Management
  • IT Performance Monitoring and Reporting
  • Quality Assurance and Quality Management of IT

 

3. Information Systems Acquisition, Development and Implementation

3.1 Information Systems Acquisition and Development

  • Project Governance and Management
  • Business Case and Feasibility Analysis
  • System Development Methodologies
  • Control Identification and Design

3.2 Information Systems Implementation

  • Testing Methodologies
  • Configuration and Release Management
  • System Migration, Infrastructure Deployment and Data Conversion
  • Post-implementation Review

 

4. IS Operations and Business Resilience

4.1 Information Systems Operations

  • Common Technology Components
  • IT Asset Management
  • Job Scheduling and Production Process Automation
  • System Interfaces
  • End-user Computing
  • Data Governance
  • Systems Performance Management
  • Problem and Incident Management
  • Change, Configuration, Release and Patch Management
  • IT Service Level Management

4.2 Business Resilience

  • Business Impact Analysis
  • System Resiliency
  • Data Backup, Storage and Restoration
  • Business Continuity Plan
  • Disaster Recovery Plans

5. Information Asset Security and Control

5.1 Information Asset Security Frameworks, Standards and Guidelines

  • Privacy Principles
  • Physical Access and Environmental Controls
  • Identity and Access Management
  • Network and End-point Security
  • Data Classification
  • Data Encryption and Encryption-related Techniques
  • Public Key Infrastructure
  • Web-based Communication Technologies
  • Virtualized Environments
  • Mobile, Wireless and Internet-of-things Devices

5.2 Security Event Management

  • Security Awareness Training and Programs
  • Information System Attack Methods and Techniques
  • Security Testing Tools and Techniques
  • Security Monitoring Tools and Techniques
  • Incident Response Management
  • Evidence Collection and Forensics

 

CISM Training

⏰24 hours | ▶️ 24 Videos | 📣 9715 Participants | 🎓 4286 Reviews | 4.8 ⭐⭐⭐⭐⭐

Choose a Plan that Works for You

Upcoming Batches PST

  • Weekday: Dec 10 (1 HR A DAY), 07:00 PM PST
  • Weekday: Dec 31 (1 HR A DAY), 07:00 AM PST
  • Weekend: Dec 28 (1 HR A DAY), 07:00 PM PST

Upcoming Batches IST

  • Weekday: Dec 11 (1 HR A DAY), 07:30 AM IST
  • Weekday: Dec 31 (1 HR A DAY), 07:30 PM IST
  • Weekend: Dec 29 (1 HR A DAY), 07:30 AM IST

Course Description

Certified Information Security Manager Training deals with Information Security.

Through these CISM certification programs, you will learn about IT security systems and firmly connect with ISACA (Information Systems Audit and Control Association) recommended practices.

If you want to take the CISM course, you must have a minimum of five years of work experience in information security.

Through the classes you attend, you learn how to handle and conduct risk assessments and submit your findings to your superiors.

The applicant clearly benefits from CISM certification because it recognizes the highly sought-after competence and abilities required of information security professionals.

Features

✅Lifetime access ✅Lifetime video access
✅Real-time case studies ✅The project integrated into the Curriculum
✅24*7 Support from our team of administrators

Course Content

1. Information Security Governance

1.1 Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.

1.2 Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.

1.3 Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.

1.4 Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.

1.5 Develop business cases to support investments in information security.

1.6 Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.

1.7 Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.

1.8 Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, and end users, privileged or high-risk users) and lines of authority.

1.9 Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.

KNOWLEDGE STATEMENTS

1.1 Knowledge of techniques used to develop an information security strategy (e.g., SWOT [strengths, weaknesses, opportunities, threats] analysis, gap analysis, threat research)

1.2 Knowledge of the relationship of information security to business goals, objectives, functions, processes and practices

1.3 Knowledge of available information security governance frameworks

1.4 Knowledge of globally recognized standards, frameworks and industry best practices related to information security governance and strategy development

1.5 Knowledge of the fundamental concepts of governance and how they relate to information security

1.6 Knowledge of methods to assess, plan, design and implement an information security governance framework

1.7 Knowledge of methods to integrate information security governance into corporate governance

1.8 Knowledge of contributing factors and parameters (e.g., organizational structure and culture, tone at the top, regulations) for information security policy development

1.9 Knowledge of content in, and techniques to develop, business cases

1.10 Knowledge of strategic budgetary planning and reporting methods

1.11 Knowledge of the internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) and how they impact the information security strategy

1.12 Knowledge of key information needed to obtain commitment from senior leadership and support from other stakeholders (e.g., how information security supports organizational goals and objectives, criteria for determining successful implementation, business impact)

1.13 Knowledge of methods and considerations for communicating with senior leadership and other stakeholders (e.g., organizational culture, channels of communication, highlighting essential aspects of information security)


1.14 Knowledge of roles and responsibilities of the information security manager

1.15 Knowledge of organizational structures, lines of authority and escalation points

1.16 Knowledge of information security responsibilities of staff across the organization (e.g., data owners, end users, privileged or high-risk users)

1.17 Knowledge of processes to monitor performance of information security responsibilities

1.18 Knowledge of methods to establish new, or utilize existing, reporting and communication channels throughout an organization

1.19 Knowledge of methods to select, implement and interpret key information security metrics (e.g., key performance indicators [KPIs] or key risk indicators [KRIs])

2. Information Risk Management

2.1 Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.

2.2 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.

2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at appropriate times, and to identify and assess risk to the organization’s information.

2.4 Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.

2.5 Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.

2.6 Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.

2.7 Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, and geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.

2.8 Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.

2.9 Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.

KNOWLEDGE STATEMENTS

2.1 Knowledge of methods to establish an information asset classification model consistent with business objectives

2.2 Knowledge of considerations for assigning ownership of information assets and risk

2.3 Knowledge of methods to identify and evaluate the impact of internal or external events on information assets and the business

2.4 Knowledge of methods used to monitor internal or external risk factors

2.5 Knowledge of information asset valuation methodologies

2.6 Knowledge of legal, regulatory, organizational and other requirements related to information security

2.7 Knowledge of reputable, reliable and timely sources of information regarding emerging information security threats and vulnerabilities

2.8 Knowledge of events that may require risk reassessments and changes to information security program elements

2.9 Knowledge of information threats, vulnerabilities and exposures and their evolving nature

2.10 Knowledge of risk assessment and analysis methodologies

2.11 Knowledge of methods used to prioritize risk scenarios and risk treatment/response options

2.12 Knowledge of risk reporting requirements (e.g., frequency, audience, content)

2.13 Knowledge of risk treatment/response options (avoid, mitigate, accept or transfer) and methods to apply them

2.14 Knowledge of control baselines and standards and their relationships to risk assessments

2.15 Knowledge of information security controls and the methods to analyze their effectiveness

2.16 Knowledge of gap analysis techniques as related to information security

2.17 Knowledge of techniques for integrating information security risk management into business and IT processes

2.18 Knowledge of compliance reporting requirements and processes

2.19 Knowledge of cost/benefit analysis to assess risk treatment options

3. Information Security Program Development and Management

TASK STATEMENTS

3.1 Establish and/or maintain the information security program in alignment with the information security strategy.

3.2 Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.

3.3 Identify, acquire and manage requirements for internal and external resources to execute the information security program.

3.4 Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.

3.5 Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.

3.6 Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.

3.7 Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.

3.8 Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.

3.9 Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.

3.10 Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.

 

KNOWLEDGE STATEMENTS

3.1 Knowledge of methods to align information security program requirements with those of other business functions

3.2 Knowledge of methods to identify, acquire, manage and define requirements for internal and external resources

3.3 Knowledge of current and emerging information security technologies and underlying concepts

3.4 Knowledge of methods to design and implement information security controls

3.5 Knowledge of information security processes and resources (including people and technologies) in alignment with the organization’s business goals and methods to apply them

3.6 Knowledge of methods to develop information security standards, procedures and guidelines

3.7 Knowledge of internationally recognized regulations, standards, frameworks and best practices related to information security program development and management

3.8 Knowledge of methods to implement and communicate information security policies, standards, procedures and guidelines

3.9 Knowledge of training, certifications and skill set development for information security personnel

3.10 Knowledge of methods to establish and maintain effective information security awareness and training programs

3.11 Knowledge of methods to integrate information security requirements into organizational processes (e.g., access management, change management, audit processes)

3.12 Knowledge of methods to incorporate information security requirements into contracts, agreements and third-party management processes

3.13 Knowledge of methods to monitor and review contracts and agreements with third parties and associated change processes as required

3.14 Knowledge of methods to design, implement and report operational information security metrics

3.15 Knowledge of methods for testing the effectiveness and efficiency of information security controls

3.16 Knowledge of techniques to communicate information security program status to key stakeholders

4. Information Security Incident Management

TASK STATEMENTS

4.1 Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.

4.2 Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.

4.3 Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.

4.4 Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.

4.5 Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.

4.6 Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.

4.7 Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.

4.8 Establish and maintain communication plans and processes to manage communication with internal and external entities.

4.9 Conduct postincident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.

4.10 Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.

KNOWLEDGE STATEMENTS

4.1 Knowledge of incident management concepts and practices

4.2 Knowledge of the components of an incident response plan

4.3 Knowledge of business continuity planning (BCP) and disaster recovery planning (DRP) and their relationship to the incident response plan

4.4 Knowledge of incident classification/categorization methods

4.5 Knowledge of incident containment methods to minimize adverse operational impact

4.6 Knowledge of notification and escalation processes

4.7 Knowledge of the roles and responsibilities in identifying and managing information security incidents

4.8 Knowledge of the types and sources of training, tools and equipment required to adequately equip incident response teams

4.9 Knowledge of forensic requirements and capabilities for collecting, preserving and presenting evidence (e.g., admissibility, quality and completeness of evidence, chain of custody)

4.10 Knowledge of internal and external incident reporting requirements and procedures

4.11 Knowledge of postincident review practices and investigative methods to identify root causes and determine corrective actions

4.12 Knowledge of techniques to quantify damages, costs and other business impacts arising from information security incidents

4.13 Knowledge of technologies and processes to detect, log, analyze and document information security events

4.14 Knowledge of internal and external resources available to investigate information security incidents

4.15 Knowledge of methods to identify and quantify the potential impact of changes made to the operating environment during the incident response process

4.16 Knowledge of techniques to test the incident response plan

4.17 Knowledge of applicable regulatory, legal and organization requirements

4.18 Knowledge of key indicators/metrics to evaluate the effectiveness of the incident response plan
