Evolution of Information Security 31
• Security Architecture and Models — This domain of knowledge covers
security architecture concepts from the network infrastructure to the
application level. The overall security architecture, how it ensures the
confidentiality, integrity, and availability of the information, and some of the
standards and methods used to achieve it are discussed. Some of the key
items in this domain include:
– Security architecture and associated technical controls
– Security issues related to system designs
– Security standards
• Access Control Systems and Methodology — This domain covers
principles relating to access control and the “least privilege” principle, where
a person’s access is limited to what that individual needs to perform his
or her job. This domain requires knowledge of access control and what
is appropriate based on the different factors in a given environment. Some of
the key items in this domain include:
– Access control methodology, administration, and techniques
– Value of information
– File and data ownership
• Application Development Security — This domain covers security at the
application level. It covers the application development process and how
security and controls should be considered early and built into
applications. It covers the risks associated with the development environment
and why the process of moving code to production needs to be properly
controlled. Some of the key items in this domain include:
– Application controls
– Systems development controls
– Change management
• Operations Security — Operations security consists of the internal control
structure of the IT infrastructure, access controls related to these resources,
and monitoring. Some of the key items in this domain include:
– Computer operations
– Administration and operational controls
• Physical Security — Before electronic security became a significant
concern, physical security was the main component of security. As a result,
it is perhaps the most developed area of security. Today, physical security is
still a critical part of the overall information security program, partly
evidenced by it being one of the ten domains of the CBK. This domain covers
all aspects of physical security including perimeter security, inside
security, environmental controls, and other physical security–related concepts.
• Cryptography — The cryptography domain covers basic concepts of
cryptography and how they are used to ensure the confidentiality and integrity
of information. This domain covers the use of public and private key
algorithms, digital signatures, key distribution and management, and other
cryptography-related concepts.
• Telecommunications, Network, and Internet Security — This domain is
probably the most technical of the ten domains. It requires an understanding