- Understand, adhere to, and promote professional ethics
- (ISC)2
- Code of Professional Ethics
- Understand and apply security concepts
- Confidentiality, integrity, and availability, authenticity and nonrepudiation
- Evaluate and apply security governance principles
- Alignment of the security function to business strategy, goals, mission, and objectives
- Organizational processes (e.g., acquisitions, divestitures, governance committees)
- Organizational roles and responsibilities
- Security control frameworks
- Due care/due diligence
- Determine compliance and other requirements
- Contractual, legal, industry standards, and regulatory requirements
- Privacy requirements
- Understand legal and regulatory issues that pertain to information security in a holistic context
- Cybercrimes and data breaches
- Licensing and Intellectual Property (IP) requirements
- Import/export controls
- Transborder data flow
- Privacy
- Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
- Develop, document, and implement security policy, standards, procedures, and guidelines
- Identify, analyze, and prioritize Business Continuity (BC) requirements
- Business Impact Analysis (BIA)
- Develop and document the scope and the plan
- Contribute to and enforce personnel security policies and procedures
- Candidate screening and hiring
- Employment agreements and policies
- Onboarding, transfers, and termination processes
- Vendor, consultant, and contractor agreements and controls
- Compliance policy requirements
- Privacy policy requirements
- Understand and apply risk management concepts
- Identify threats and vulnerabilities
- Risk assessment/analysis
- Risk response
- Countermeasure selection and implementation
- Applicable types of controls (e.g., preventive, detective, corrective)
- Security Control Assessment (SCA)
- Monitoring and measurement
- Asset valuation
- Reporting
- Continuous improvement
- Risk frameworks
- Apply Supply Chain Risk Management (SCRM) concepts
- Risks associated with hardware, software, and services
- Third-party assessment and monitoring
- Minimum security requirements
- Service level requirements
- Establish and maintain a security awareness, education, and training program
- Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
- Periodic content reviews
- Program effectiveness evaluation
Domain 1 - Security and Risk Management