1. Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

• Understand and Apply Concepts of Confidentiality, Integrity, and Availability
• Apply Security Governance Principles
• Compliance
• Understand Legal and Regulatory Issues that Pertain to Information Security in a Global Context
• Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines
• Understand Business Continuity Requirements
• Contribute to Personnel Security Policies
• Understand and Apply Risk Management Concepts
• Understand and Apply Threat Modeling
• Integrate Security Risk Considerations into Acquisitions Strategy and Practice
• Establish and Manage Security Education, Training, and Awareness

2. Asset Security (Protecting Security of Assets)

• Classify Information and Supporting Assets
• Determine and Maintain Ownership
• Protect Privacy
• Ensure Appropriate Retention
• Determine Data Security Controls
• Establish Handling Requirements

3. Security Engineering (Engineering and Management of Security)

• Implement and Manage an Engineering Life Cycle Using Security Design Principles
• Understand Fundamental Concepts of Security Models
• Select Controls and Countermeasures Based Upon Information Systems Security Standards
• Understand the Security Capabilities of Information Systems
• Assess and Mitigate the Vulnerabilities of Security Architectures, Designs, and Solution Elements
• Assess and Mitigate Vulnerabilities in Web-based Systems
• Assess and Mitigate Vulnerabilities in Mobile Systems
• Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems
• Apply Cryptography
• Apply Secure Principles to Site and Facility Design
• Design and Implement Facility Security

4. Communications and Network Security (Designing and Protecting Network Security)

• Apply Secure Design Principles to Network Architecture
• Securing Network Components
• Design and Establish Secure Communication Channels
• Prevent or Mitigate Network Attacks

5. Identity and Access Management (Controlling Access and Managing Identity)

• Control Physical and Logical Access to Assets
• Manage Identification and Authentication of People and Devices
• Integrate Identity as a Service (IDaaS)
• Integrate Third-Party Identity Services
• Implement and Manage Authorization Mechanisms
• Prevent or Mitigate Access Control Attacks
• Manage the Identity and Access Provisioning Life Cycle

6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

• Design and Validate Assessment and Test Strategies
• Conduct Security Control Testing
• Collect Security Process Data
• Conduct or Facilitate Internal and Third-Party Audits

7. Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

• Understand and Support Investigations
• Understand Requirements for Investigation Types
• Conduct Logging and Monitoring Activities
• Secure the Provisioning of Resources through Configuration Management
• Understand and Apply Foundational Security Operations Concepts
• Employ Resource Protection Techniques
• Conduct Incident Response
• Operate and Maintain Preventative Measures
• Implement and Support Patch and Vulnerability Management
• Participate in and Understand Change Management Processes
• Implement Recovery Strategies
• Implement Disaster Recovery Processes
• Test Disaster Recovery Plan
• Participate in Business Continuity Planning
• Implement and Manage Physical Security
• Participate in Personnel Safety

8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

• Understand and Apply Security in the Software Development Life Cycle
• Enforce Security Controls in the Development Environment
• Assess the Effectiveness of Software Security
• Assess Software Acquisition Security