1.1 Understand and apply concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles

• Alignment of security function to business strategy, goals, mission, andobjectives
• Organizational processes (e.g., acquisitions, divestitures, governance committees)
• Organizational roles and responsibilities
• Security control frameworks
• Due care/due diligence

1.3 Determine compliance requirements

• Contractual, legal, industry standards, and regulatory requirements
• Privacy requirements

1.4 Understand legal and regulatory issues that pertain to information security in a global context

• Cybercrimes and data breaches
• Licensing and intellectual property requirements
• Import/export controls
• Trans-border data flow
• Privacy

1.5 Understand, adhere to, and promote professional ethics

• (ISC)² Code of Professional Ethics
• Organizational code of ethics

1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements

• Develop and document scope and plan
• Business Impact Analysis (BIA)

1.8 Contribute to and enforce personnel security policies and procedures

• Candidate screening and hiring
• Employment agreements and policies
• Onboarding and termination processes
• Vendor, consultant, and contractor agreements and controls
• Compliance policy requirements
• Privacy policy requirements

1.9 Understand and apply risk management concepts

• Identify threats and vulnerabilities
• Risk assessment/analysis
• Risk response
• Countermeasure selection and implementation
• Applicable types of controls (e.g., preventive, detective, corrective)
• Security Control Assessment (SCA)
• Monitoring and measurement
• Asset valuation
• Reporting
• Continuous improvement
• Risk frameworks

1.10 Understand and apply threat modeling concepts and methodologies

• Threat modeling methodologies
• Threat modeling concepts

1.11 Apply risk-based management concepts to the supply chain

• Risks associated with hardware, software, and services
• Third-party assessment and monitoring
• Minimum security requirements
• Service-level requirements

1.12 Establish and maintain a security awareness, education, and training program

• Methods and techniques to present awareness and training
• Periodic content reviews
• Program effectiveness evaluation

2.1 Identify and classify information and assets

• Data classification
• Asset Classification

2.2 Determine and maintain information and asset ownership
2.3 Protect privacy

• Data owners
• Data processers
• Data remanence
• Collection limitation

2.4 Ensure appropriate asset retention
2.5 Determine data security controls

• Understand data states
• Scoping and tailoring
• Standards selection
• Data protection methods

2.6 Establish information and asset handling requirements

Domain 3: Security Architecture and Engineering

3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

• Client-based systems
• Server-based systems
• Database systems
• Cryptographic systems
• Industrial Control Systems (ICS)
• Cloud-based systems
• Distributed systems
• Internet of Things (IoT)

3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography

• Cryptographic life cycle (e.g., key management, algorithm selection)
• Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
• Public Key Infrastructure (PKI)
• Key management practices
• Digital signatures
• Non-repudiation
• Integrity (e.g., hashing)
• Understand methods of cryptanalytic attacks
• Digital Rights Management (DRM)

3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls

• Wiring closets/intermediate distribution facilities
• Server rooms/data centers
• Media storage facilities
• Evidence storage
• Restricted and work area security
• Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
• Environmental issues

• Fire prevention, detection, and suppression

3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

• Client-based systems
• Server-based systems
• Database systems
• Cryptographic systems
• Industrial Control Systems (ICS)
• Cloud-based systems
• Distributed systems
• Internet of Things (IoT)

3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography

• Cryptographic life cycle (e.g., key management, algorithm selection)
• Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
• Public Key Infrastructure (PKI)
• Key management practices
• Digital signatures
• Non-repudiation
• Integrity (e.g., hashing)
• Understand methods of cryptanalytic attacks
• Digital Rights Management (DRM)

3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls

• Wiring closets/intermediate distribution facilities
• Server rooms/data centers
• Media storage facilities
• Evidence storage
• Restricted and work area security
• Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
• Environmental issues
• Fire prevention, detection, and suppression

4.1 Implement secure design principles in network architectures

• Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
• Internet Protocol (IP) networking
• Implications of multilayer protocols
• Converged protocols
• Software-defined networks
• Wireless networks

4.2 Secure network components

• Operation of hardware
• Transmission media
• Network Access Control (NAC) devices
• Endpoint security
• Content-distribution networks

4.3 Implement secure communication channels according to design

• Voice
• Multimedia collaboration
• Remote access
• Data communications
• Virtualized networks

5.1 Control physical and logical access to assets

• Information
• Systems
• Devices
• Facilities

5.2 Manage identification and authentication of people, devices, and services

• Identity management implementation
• Single/multi-factor authentication
• Accountability
• Session management
• Registration and proofing of identity
• Federated Identity Management (FIM)
• Credential management systems

5.3 Integrate identity as a third-party service

• On-premise
• Cloud
• Federated

5.4 Implement and manage authorization mechanisms

• Role Based Access Control (RBAC)
• Rule-based access control
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Attribute Based Access Control (ABAC)

5.5 Manage the identity and access provisioning lifecycle

• User access review
• System account access review
• Provisioning and DE provisioning

6.1 Design and validate assessment, test, and audit strategies

• Internal
• External
• Third-party

6.2 Conduct security control testing

• Vulnerability assessment
• Penetration testing
• Log reviews
• Synthetic transactions
• Code review and testing
• Misuse case testing
• Test coverage analysis
• Interface testing

6.3 Collect security process data (e.g., technical and administrative)

• Account management
• Management review and approval
• Key performance and risk indicators
• Backup verification data
• Training and awareness
• Disaster Recovery (DR) and Business Continuity (BC)

6.4 Analyze test output and generate report
6.5 Conduct or facilitate security audits

• Internal
• External
• Third-party

7.1 Understand and support investigations

• Evidence collection and handling
• Reporting and documentation
• Investigative techniques
• Digital forensics tools, tactics, and procedures

7.2 Understand requirements for investigation types

• Administrative
• Criminal
• Civil
• Regulatory
• Industry standards

7.3 Conduct logging and monitoring activities

• Intrusion detection and prevention
• Security Information and Event Management (SIEM)
• Continuous monitoring
• Egress monitoring

7.4 Securely provisioning resources

• Asset inventory
• Asset management
• Configuration management

7.5 Understand and apply foundational security operations concepts

• Need-to-know/least privileges
• Separation of duties and responsibilities
• Privileged account management

7.6 Apply resource protection techniques

• Media management
• Hardware and software asset management

7.7 Conduct incident management

• Detection
• Response
• Mitigation
• Reporting
• Recovery
• Remediation
• Lessons learned

7.8 Operate and maintain detective and preventative measures

• Firewalls
• Sandboxing
• Intrusion detection and prevention systems
• Whitelisting/blacklisting
• Third-party provided security services

7.9 Implement and support patch and vulnerability management
7.10 Understand and participate in change management processes
7.11 Implement recovery strategies

• Backup storage strategies
• Recovery site strategies
• Multiple processing sites
• System resilience, high availability, Quality of Service (QoS), and fault tolerance

7.12 Implement Disaster Recovery (DR) processes

• Response
• Personnel
• Communications
• Assessment
• Restoration
• Training and awareness

7.13 Test Disaster Recovery Plans (DRP)

• Read-through/tabletop
• Walkthrough
• Simulation
• Parallel
• Full interruption

7.14 Participate in Business Continuity (BC) planning and exercises
7.15 Implement and manage physical security

• Perimeter security controls
• Internal security controls

7.16 Address personnel safety and security concerns

• Travel
• Security training and awareness
• Emergency management
• Duress

8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

• Development methodologies
• Maturity models
• Change management
• Integrated product team
• Operation and maintenance

8.2 Identify and apply security controls in development environments

• Security of the software environments
• Configuration management as an aspect of secure coding
• Security of code repositories

8.3 Assess the effectiveness of software security

• Auditing and logging of changes
• Risk analysis and mitigation

8.4 Assess security impact of acquired software
8.5 Define and apply secure coding guidelines and standards

• Security weaknesses and vulnerabilities at the source-code level
• Security of application programming interfaces
• Secure coding practices

1.1 Understand Cloud Computing Concepts

• Cloud Computing Definitions
• Cloud Computing Roles (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker)
• Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling, measured service)
• Building Block Technologies (e.g., virtualization, storage, networking, databases, orchestration)

1.2 Describe Cloud Reference Architecture

• Cloud Computing Activities
• Cloud Service Capabilities (e.g., application capability types, platform capability types, infrastructure capability types)
• Cloud Service Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
• Cloud Deployment Models (e.g., public, private, hybrid, community)
• Cloud Shared Considerations (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and Service Level Agreements (SL A), auditability, regulatory)
• Impact of Related Technologies (e.g., machine learning, artificial intelligence,

1.3 Understand Security Concepts Relevant to Cloud Computing

• Cryptography and Key Management
• Access Control
• Data and Media Sanitization (e.g., overwriting, cryptographic erase)
• Network Security (e.g., network security groups)
• Virtualization Security (e.g., hypervisor security, container security)
• Common Threats

1.4 Understand Design Principles of Secure Cloud Computing

• Cloud Secure Data Lifecycle
• Cloud based Disaster Recovery (DR) and Business Continuity (B C) planning
• Cost Benefit Analysis
• Functional Security Requirements (e.g., portability, interoperability, vendor lock-in)
• Security Considerations for Different Cloud Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

1.5 Evaluate Cloud Service Providers

• Verification Against Criteria(e.g., International Organization for Standardization/ International Electro technical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))
• System/subsystem Product Certifications (e.g., Common Criteria (CC), Federal Information Processing Standard (FIPS) 140-2)

2.1 Describe Cloud Data Concepts

• Cloud Data Life Cycle Phases
• Data Dispersion

2.2 Design and Implement Cloud Data Storage Architectures

• Storage Types (e.g. long term, ephemeral, raw-disk)
• Threats to Storage Types

2.3 Design and Apply Data Security Technologies and Strategies

Encryption and Key Management

• Hashing
• Masking
• Tokenization
• Data Loss Prevention (DLP)
• Data Obfuscation
• Data De-identification (e.g., anonymization)

2.4 Implement Data Discovery

• Structured Data
• Unstructured Data

2.5 Implement Data Classification

• Mapping
• Labeling
• Sensitive data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII), card holder data)

2.6 Design and Implement Information Rights Management (IRM)

• Objectives (e.g., data rights, provisioning, access models)
• Appropriate Tools (e.g., issuing and revocation of certificates)

2.7 Plan and Implement Data Retention, Deletion and Archiving Policies

• Data Retention Policies
• Data Deletion Procedures and Mechanisms
• Data Archiving Procedures and Mechanisms
• Legal Hold

2.8 Design and Implement Auditability, Traceability and Accountability of Data Events

• Definition of Event Sources and Requirement of Identity Attribution
• Logging, Storage and Analysis of Data Events
• Chain of Custody and Non-repudiation

3.1 Comprehend Cloud Infrastructure Components

• Physical Environment
• Network and Communications
• Compute Virtualization
• Storage
• Management Plane

3.2 Design a Secure Data Center

• Logical Design (e.g., tenant partitioning, access control)
• Physical Design (e.g. location, buy or build)
• Environmental Design (e.g., Heating, Ventilation and Air Conditioning (HVAC), multi-vendor pathway connectivity

3.3 Analyze Risks Associated with Cloud Infrastructure

• Risk Assessment and Analysis
• Cloud Vulnerabilities, Threats and Attacks Virtualization Risks
• Counter-measure Strategies

3.4 Design and Plan Security Controls

• Physical and Environmental Protection (e.g., on premise)
• System and Communication Protection
• Virtualization Systems Protection
• Identification, Authentication and Authorization in Cloud Infrastructure
• Audit Mechanisms (e.g., log collection, packet capture)

3.5 Plan Disaster Recovery (DR) and Business Continuity (BC) Risks Related to the Cloud Environment

• Business Requirements (e.g., Recovery Time Objective (RTO), Recovery Point Objective (RPO), Recovery Service Level (RSL)) Business Continuity/Disaster Recovery Strategy
• Creation, Implementation and Testing of Plan

4.1 Advocate Training and Awareness for Application Security

• Cloud Development Basics
• Common Pitfalls
• Common Cloud Vulnerabilities

4.2 Describe the Secure Software Development Life Cycle (SDLC) Process

• Business Requirements
• Phases and Methodologies

4.3 Apply the Secure Software Development Life Cycle (SDLC)

Avoid Common Vulnerabilities during Development

• Cloud-specific Risks
• Quality Assurance Threat Modeling
• Software Configuration Management and Versioning

4.4 Apply Cloud Software Assurance and Validation

• Functional Testing
• Security Testing Methodologies

4.5 Use Verified Secure Software

• Approved Application Programming Interfaces (API)
• Supply-chain Management
• Third Party Software Management
• Validated Open Source Software

4.6 Comprehend the Specifics of Cloud Application Architecture

• Supplemental Security components (e.g., Web Application Firewall (WAF), Database Activity Monitoring (DAM), Extensible Markup Language (XML) firewalls, Application Programming Interface (API) gateway)
• Cryptography
• Sandboxing
• Application Virtualization and Orchestration

4.7 Design Appropriate Identity and Access Management (IAM) Solutions

• Federated Identity
• Identity Providers
• Single Sign-On (SSO)
• Multi-factor Authentication

• Cloud Access Security Broker (CASB)

5.1 Implement and Build Physical and Logical Infrastructure for Cloud Environment

• Hardware Specific Security Configuration Requirements (e.g., Basic Input Output System (BIOS), settings for virtualization and Trusted Platform Module (TPM), storage controllers, network controllers)
• Installation and Configuration of Virtualization Management Tools
• Virtual Hardware Specific Security Configuration Requirements (e.g., network, storage, memory, Central Processing Unit (CPU))
• Installation of Guest Operating System (OS) Virtualization Toolsets

5.2 Operate Physical and Logical Infrastructure for Cloud Environment

• Configure Access Control for Local and Remote Access (e.g., Secure Keyboard Video Mouse (KVM), console-based access mechanisms, Remote Desk top Protocol (RDP))
• Secure Network Configuration (e.g., Virtual Local Area Networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Virtual Private Network (VPN))
• Operating System (OS) Hardening through the Application of Baselines (e.g., Windows, Linux, VMware)
• Availability of Stand-Alone Hosts
• Availability of Clustered Hosts (e.g., Distributed Resource Scheduling (DRS), Dynamic Optimization (DO), storage clusters, maintenance mode, High Availability)
• Availability of Guest Operating System (OS)

5.3 Manage Physical and Logical Infrastructure for Cloud Environment

• Access Controls for Remote Access (e.g., Remote Desktop Proto col (RDP), Secure Terminal Access, Secure Shell (SSH))
• Operating System (OS) Baseline Compliance Monitoring and Remediation
• Patch Management
• Performance and Capacity Monitoring (e.g., network, compute, storage, response time)
• Hardware Monitoring (e.g., Disk, Central Processing Unit (CPU), fan speed, temperature)
• Configuration of Host and Guest Operating System (OS) Backup and Restore Functions
• Network Security Controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, and network security groups)
• Management Plane (e.g., scheduling, orchestration, maintenance)

5.4 Implement Operational Controls and Standards (e.g., Information Technology

Infrastructure Library (ITIL), International Organization for Standardization/ International Electro technical Commission (ISO/IEC) 20000-1)

Change Management

• Continuity Management
• Information Security Management
• Continual Service Improvement Management
• Incident Management
• Problem Management

Release Management

• Deployment Management
• Configuration Management
• Service level Management
• Availability Management
• Capacity Managemen

5.5 Support Digital Forensics

• Forensic Data Collection Methodologies
• Evidence Management
• Collect, Acquire and Preserve Digital Evidence

5.6 Manage Communication with Relevant Parties

Vendors

• Customers
• Partners

Regulators

• Other Stakeholders

5.7 Manage Security Operations

• Security Operations Center (SOC)
• Monitoring of Security Controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
• Log Capture and Analysis (e.g., Security Information and Event Management (SIEM), log management)
• Incident Management

6.1 Articulate Legal Requirements and Unique Risks within the Cloud Environment Conflicting International Legislation

• Evaluation of Legal Risks Specific to Cloud Computing
• Legal Framework and Guidelines eDiscovery (e.g., International Organization for Standardization/ International Electro technical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)
• Forensics Requirements

6.2 Understand Privacy Issues

• Difference between Contractual and Regulated Private Data (e. g., Protected Health Information (PHI), Personally Identifiable Information (PII))
• Country-Specific Legislation Related to Private Data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
• Jurisdictional Differences in Data Privacy
• Standard Privacy Requirements (e.g., International Organization for Standardization /International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR))

6.3 Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment

• Internal and External Audit Controls
• Impact of Audit Requirements
• Identify Assurance Challenges of Virtualization and Cloud
• Types of Audit Reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Service Organization Control (SOC), International Standard on Assurance Engagements (ISAE))
• Restrictions of Audit Scope Statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))

Gap Analysis

• Audit Planning
• Internal Information Security Management System (ISMS)
• Internal Information Security Controls System
• Policies (e.g., organizational, functional, cloud computing)
• Identification and Involvement of Relevant Stakeholders
• Specialized Compliance Requirements for Highly-Regulated Industries (e.g., North American Electric Reliability Corporation/ Critical Infra structure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))
• Impact of Distributed Information Technology (IT) Model (e.g. , diverse geographical locations and crossing over legal jurisdictions)

6.4 Understand Implications of Cloud to Enterprise Risk Management Assess Providers Risk Management Programs (e.g., controls, methodologies, policies)

• Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility)
• Regulatory Transparency Requirements (e.g., breach notification, Sarbanes-Oxley (SOX), General Data Protection Regulation Risk Treatment (i.e., avoid, modify, share, retain)
• Different Risk Frameworks
• Metrics for Risk Management
• Assessment of Risk Environment (e.g., service, vendor, infrastructure)

6.5 Understand Outsourcing and Cloud Contract Design

Business Requirements (e.g., Service Level Agreement (SLA), M aster Service Agreement (MSA), Statement of Work (SOW))

• Vendor Management
• Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data, cyber risk insurance)
• Supply-Chain Management (e.g., International Organization for Standardization/ International Electrotechnical Commission (ISO/IEC) 27036)

• Core Concepts
• Security Design Principles

• Define Software Security Requirements
• Identify and Analyze Compliance Requirements
• Identify and Analyze Data Classification Requirements
• Identify and Analyze Privacy Requirements
• Develop Misuse and Abuse Cases
• Develop Security Requirement Traceability Matrix (STRM)
• Ensure Security Requirements Flow Down to Suppliers/Provider

• Perform Threat Modeling
• Define the Security Architecture
• Performing Secure Interface Design
• Performing Architectural Risk Assessment
• Model (Non-Functional) Security Properties and Constraints
• Model and Classify Data
• Evaluate and Select Reusable Secure Design
• Perform Security Architecture and Design Review 3.9
• Define Secure Operational Architecture (e.g., deployment topology, operational interfaces)
• Use Secure Architecture and Design Principles, Patterns, and Tools

• Adhere to Relevant Secure Coding Practices (e.g., standards, guidelines and regulations)
• Analyze Code for Security Risks
• Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)
• Address Security Risks (e.g. remediation, mitigation, transfer, accept) Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))
• Securely Integrate Components
• Apply Security During the Build Process

• Develop Security Test Cases
• Develop Security Testing Strategy and Plan
• Verify and Validate Documentation (e.g., installation and setup instructions, error messages, user guides, release notes)
• Identify Undocumented Functionality
• Analyze Security Implications of Test Results (e.g., impact on product management, prioritization, break build criteria)
• Classify and Track Security Errors
• Secure Test Data
• Perform Verification and Validation Testing

• Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)
• Define Strategy and Roadmap
• Manage Security Within a Software Development Methodology
• Identify Security Standards and Frameworks
• Define and Develop Security Documentation
• Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)
• Decommission Software
• Report Security Status (e.g., reports, dashboards, feedback loops)
• Incorporate Integrated Risk Management (IRM)
• Promote Security Culture in Software Development
• Implement Continuous Improvement (e.g., retrospective, lessons learned)

• Perform Operational Risk Analysis
• Release Software Securely
• Securely Store and Manage Security Data
• Ensure Secure Installation
• Perform Post-Deployment Security Testing
• Obtain Security Approval to Operate (e.g., risk acceptance, sign-off at appropriate level)
• Perform Information Security Continuous Monitoring (ISCM)
• Support Incident Response
• Perform Patch Management (e.g. secure release, testing)
• Perform Vulnerability Management (e.g., scanning, tracking, triaging)
• Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomization (ASLR))
• Support Continuity of Operations
• Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)

• Implement Software Supply Chain Risk Management
• Analyze Security of Third-Party Software
• Verify Pedigree and Provenance
• Ensure Supplier Security Requirements in the Acquisition Process
• Support contractual requirements (e.g., Intellectual Property (IP) ownership, code escrow, liability, warranty, End-User License Agreement (EULA), Service Level Agreements (SLA))

• Collect and review information, including existing documentation, regarding the organization’s internal and external business and IT environments to identify potential impacts of IT risk to the organization’s business objectives and operations.
• Identify potential threats and vulnerabilities to the organization’s people, processes and technology to enable IT risk analysis.
• Develop a comprehensive set of IT risk scenarios based on available information to determine the potential impact to business objectives and operations.
• Identify key stakeholders for IT risk scenarios to help establish accountability.
• Establish an IT risk register to help ensure that identified IT risk scenarios are accounted for and incorporated into the enterprise wide risk pro file.
• Identify risk appetite and tolerance defined by senior leader ship and key stakeholders to ensure alignment with business objectives.
• Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to pro mote a risk-aware culture.

• Analyze risk scenarios based on organizational criteria (e.g., organizational structure, policies, standards, technology, architecture, controls) to determine the likelihood and impact of an identified risk.
• Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
• Review the results of risk and control analysis to assess any gaps between current and desired states of the IT risk environment.
• Ensure that risk ownership is assigned at the appropriate level to establish clear lines of accountability.
• Communicate the results of risk assessments to senior management and appropriate stakeholders to enable risk-based decision making.
• Update the risk register with the results of the risk assessment.

• Consult with risk owners to select and align recommended risk responses with business objectives and enable informed risk decisions.
• Consult with, or assist, risk owners on the development of risk action plans to ensure that plans include key elements (e.g., response, cost, target date).
• Consult on the design and implementation or adjustment of mitigating controls to ensure that the risk is managed to an acceptable level.
• Ensure that control ownership is assigned in order to establish clear lines ofaccountability.
• Assist control owners in developing control procedures and documentation to enable efficient and effective control execution.
• Update the risk register to reflect changes in risk and management’s risk response.
• Validate that risk responses have been executed according to the risk action plans.

• Define and establish key risk indicators (KRIs) and thresholds based on available data, to enable monitoring of changes in risk.
• Monitor and analyze key risk indicators (KRIs) to identify changes or trends in the IT risk profile.
• Report on changes or trends related to the IT risk profile to assist management and relevant stakeholders in decision making.
• Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of control performance.
• Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.
• Review the results of control assessments to determine the effectiveness of the control environment.
• Report on the performance of, changes to, or trends in the overall risk profile and control environment to relevant stakeholders to enable decision making.

1.1 Ensure that a framework for the governance of enterprise IT is established and enables the achievement of enterprise goals and objectives to create stakeholder value, taking into account benefits realization, risk optimization, and resource optimization.

1.2 Identify the requirements and objectives for the framework for the governance of enterprise IT incorporating input from enablers such as principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies.

1.3 Ensure that the framework for the governance of enterprise IT addresses applicable internal and external requirements (for example, principles, policies and standards, laws, regulations, service capabilities and contracts).

1.4 Ensure that strategic planning processes are incorporated into the framework for the governance of enterprise IT.

1.5 Ensure the incorporation of enterprise architecture (EA) into the framework for the governance ofenterprise IT in order to optimize IT-enabled business solutions.

1.6 Ensure that the framework for the governance of enterprise IT incorporates comprehensive and repeatable processes and activities.

1.7 Ensure that the roles, responsibilities and accountabilities for information systems and IT processes are established.

1.8 Ensure issues related to the framework for the governance of enterprise IT are reviewed, monitored, reported and remediated.

1.9 Ensure that organizational structures are in place to enable effective planning and implementation of IT-enabled business investments.

1.10 Ensure the establishment of a communication channel to reinforce the value of the governance of enterprise IT and transparency of IT costs, benefits and risk throughout the enterprise.

1.11 Ensure that the framework for the governance of enterprise IT is periodically assessed, including the identification of improvement opportunities.

1.1 Knowledge of components of a framework for the governance of enterprise IT

1.2 Knowledge of IT governance industry practices, standards and frameworks

(For example, COBIT, Information Technology Infrastructure Library [ITIL],

International Organization for Standardization [ISO] 20000, ISO 38500)

1.3 Knowledge of business drivers related to IT governance (for example, legal, regulatory and contractual requirements)

1.4 Knowledge of IT governance enablers (for example, principles, policies andframeworks; processes; organizational structures; culture, ethics andbehavior; information; services, infrastructure and applications; people, skills and competencies)

1.5 Knowledge of techniques used to identify IT strategy (for example, SWOT, BCG Matrix)

1.6 Knowledge of components, principles, and concepts related to enterprise architecture (EA)

1.7 Knowledge of Organizational structures and their roles and responsibilities (for example, enterprise investment committee, program management office, IT strategy committee, IT architecture review board, IT risk management committee)

1.8 Knowledge of methods to manage organizational, process and cultural change

1.9 Knowledge of models and methods to establish accountability for information requirements, data and system ownership; and IT processes

1.10 Knowledge of IT governance monitoring processes/mechanisms (for example, balanced scorecard (BSC)

1.11 Knowledge of IT governance reporting processes/mechanisms

1.12 Knowledge of communication and promotion techniques

1.13 Knowledge of assurance methodologies and techniques

1.14 Knowledge of continuous improvement techniques and processes

2.1 Evaluate, direct and monitor IT strategic planning processes to ensure alignment with enterprise goals.
2.2 Ensure that appropriate policies and procedures are in place to support IT and enterprise strategic alignment.
2.3 Ensure that the IT strategic planning processes and related outputs are adequately documented and communicated.
2.4 Ensure that enterprise architecture (EA) is integrated into the IT strategic planning process.
2.5 Ensure prioritization of IT initiatives to achieve enterprise objectives.
2.6 Ensure that IT objectives cascade into clear roles, responsibilities and actions of IT personnel.
KNOWLEDGE STATEMENTS
2.1 Knowledge of an enterprise’s strategic plan and how it relates to IT
2.2 Knowledge of strategic planning processes and techniques
2.3 Knowledge of impact of changes in business strategy on IT strategy
2.4 Knowledge of barriers to the achievement of strategic alignment
2.5 Knowledge of policies and procedures necessary to support IT and businessstrategic alignment
2.6 Knowledge of methods to document and communicate IT strategic planning processes (for example, IT dashboard/balanced scorecard, key indicators)
2.7 Knowledge of components, principles and frameworks of enterprise architecture (EA)
2.8 Knowledge of current and future technologies
2.9 Knowledge of prioritization processes related to IT initiatives
2.10 Knowledge of scope, objectives and benefits of IT investment programs
2.11 Knowledge of IT roles and responsibilities and methods to cascade business and IT objectives to IT personnel

TASK STATEMENTS
3.1 Ensure that IT-enabled investments are managed as a portfolio of investments.
3.2 Ensure that IT-enabled investments are managed through their economic life cycle to achieve business benefit.
3.3 Ensure business ownership and accountability for IT-enabled investments are established.
3.4 Ensure that IT investment management practices align with enterprise investment management practices.
3.5 Ensure that IT-enabled investment portfolios, IT processes and IT services are evaluated and benchmarked to achieve business benefit.
3.6 Ensure that outcome and performance measures are established and evaluated to assess progress towards the achievement of enterprise and IT objectives.
3.7 Ensure that outcome and performance measures are monitored and reported to key stakeholders in a timely manner.
3.8 Ensure that improvement initiatives are identified, prioritized, initiated and managed based on outcome and performance measures.
KNOWLEDGE STATEMENTS
3.1 Knowledge of IT investment management processes, including the economic lifecycle of investments
3.2 Knowledge of basic principles of portfolio management
3.3 Knowledge of benefit calculation techniques (for example, earned value, total cost of ownership, return on investment)
3.4 Knowledge of process and service measurement techniques (for example, maturity models, benchmarking, key performance indicators [KPIs])
3.5 Knowledge of processes and practices for planning, development, transition, delivery, and support of IT solutions and services
3.6 Knowledge of continuous improvement concepts and principles
3.7 Knowledge of outcome and performance measurement techniques (for example, service metrics, key performance indicators [KPIs])
3.8 Knowledge of procedures to manage and report the status of IT investments
3.9 Knowledge of cost optimization strategies (for example, outsourcing, adoption of new technologies)
3.10 Knowledge of models and methods to establish accountability over IT investments
3.11 Knowledge of value delivery frameworks (for example, Val I T)
3.12 Knowledge of business case development and evaluation techniques

4.1 Ensure that comprehensive IT risk management processes are established to identify, analyze, mitigate, manage, monitor, and communicate I T risk.
4.2 Ensure that legal and regulatory compliance requirements are addressed through IT risk management.
4.3 Ensure that IT risk management is aligned with the enterprise risk management (ERM) framework.
4.4 Ensure appropriate senior level management sponsorship for IT risk management.
4.5 Ensure that IT risk management policies, procedures and standards are developed and communicated.
4.6 Ensure the identification of key risk indicators (KRIs).
4.7 Ensure timely reporting and proper escalation of risk events and responses to appropriate levels of management.
KNOWLEDGE STATEMENTS
4.1 Knowledge of the application of risk management at the strategic, portfolio, program, project and operations levels
4.2 Knowledge of risk management frameworks and standards (for example, RISKIT, the Committee of Sponsoring Organizations of the Treadway Commission
Enterprise Risk Management—Integrated Framework (2004) [COSO ERM],
International Organization for Standardization (ISO) 31000)
4.3 Knowledge of the relationship of the risk management approach to legal and regulatory compliance
4.4 Knowledge of methods to align IT and enterprise risk management (ERM)
4.5 Knowledge of the relationship of the risk management approach to businessresiliency (for example, business continuity planning [BCP] and disaster recovery planning [DRP])
4.6 Knowledge of risk, threats, vulnerabilities and opportunities inherent in the use of IT
4.7 Knowledge of types of business risk, exposures and threats (for example, external environment, internal fraud, information security) that can be addressed using IT resources
4.8 Knowledge of risk appetite and risk tolerance
4.9 Knowledge of quantitative and qualitative risk assessment methods
4.10 Knowledge of risk mitigation strategies related to IT in the enterprise
4.11 Knowledge of methods to monitor effectiveness of mitigation strategies and/or controls
4.12 Knowledge of stakeholder analysis and communication techniques
4.13 Knowledge of methods to establish key risk indicators (KRI s)
4.14 Knowledge of methods to manage and report the status of identified risk

5.1 Ensure that processes are in place to identify, acquire and maintain IT resources and capabilities (i.e., information, services, infrastructure and applications, and people).
5.2 Evaluate, direct and monitor sourcing strategies to ensure existing resources are taken into account to optimize IT resource utilization.
5.3 Ensure the integration of IT resource management into the enterprise’s strategic and tactical planning.
5.4 Ensure the alignment of IT resource management processes with the enterprise’s resource management processes.
5.5 Ensure that a resource gap analysis process is in place so that IT is able to meet strategic objectives of the enterprise.
5.6 Ensure that policies exist to guide IT resource sourcing strategies that include service level agreements (SLAs) and changes to sourcing strategies.
5.7 Ensure that policies and processes are in place for the assessment, training and development of staff to address enterprise requirements and personal/professional growth.
KNOWLEDGE STATEMENTS
5.1 Knowledge of IT resource planning methods
5.2 Knowledge of human resource procurement, assessment, training, and development methodologies
5.3 Knowledge of processes for acquiring application, information, and infrastructure resources
5.4 Knowledge of outsourcing and offshoring approaches that may be employedto meet the investment program and operation level agreements (OLAs) and service level agreements (SLAs)
5.5 Knowledge of methods used to record and monitor IT resource utilization and availability
5.6 Knowledge of methods used to evaluate and report on IT resource performance
5.7 Knowledge of interoperability, standardization and economies of scale
5.8 Knowledge of data management and data governance concepts
5.9 Knowledge of service level management concepts

1.1 Planning

• IS Audit Standards, Guidelines and Codes of Ethics
• Business Processes
• Types of Controls
• Risk-based Audit Planning
• Types of Audits and Assessments

1.2 Execution

• Audit Project Management
• Sampling Methodology
• Audit Evidence Collection Techniques
• Data Analytics
• Reporting and Communication Techniques
• Quality Assurance and Improvement of the Audit Process

 

2.1 IT Governance and ITS Strategy

• IT-related Frameworks
• IT Standards, Policies and Procedures
• Organizational Structure
• Enterprise Architecture
• Enterprise Risk Management
• Maturity Models
• Laws, Regulations and Industry Standards Affecting the Organization

2.2 IT Management

• IT Resource Management
• IT Service Provider Acquisition and Management
• IT Performance Monitoring and Reporting
• Quality Assurance and Quality Management of IT

 

3.1 Information Systems Acquisition and Development

• Project Governance and Management
• Business Case and Feasibility Analysis
• System Development Methodologies
• Control Identification and Design

3.2 Information Systems Implementation

• Testing Methodologies
• Configuration and Release Management
• System Migration, Infrastructure Deployment and Data Conversion
• Post-implementation Review

 

4.1 Information Systems Operations

• Common Technology Components
• IT Asset Management
• Job Scheduling and Production Process Automation
• System Interfaces
• End-user Computing
• Data Governance
• Systems Performance Management
• Problem and Incident Management
• Change, Configuration, Release and Patch Management
• IT Service Level Management

4.2 Business Resilience

• Business Impact Analysis
• System Resiliency
• Data Backup, Storage and Restoration
• Business Continuity Plan
• Disaster Recovery Plans

5.1 Information Asset Security Frameworks, Standards and Guidelines

• Privacy Principles
• Physical Access and Environmental Controls
• Identity and Access Management
• Network and End-point Security
• Data Classification
• Data Encryption and Encryption-related Techniques
• Public Key Infrastructure
• Web-based Communication Technologies
• Virtualized Environments
• Mobile, Wireless and Internet-of-things Devices

5.2 Security Event Management

• Security Awareness Training and Programs
• Information System Attack Methods and Techniques
• Security Testing Tools and Techniques
• Security Monitoring Tools and Techniques
• Incident Response Management
• Evidence Collection and Forensics