Table of Contents
Introduction
The CASP Exam
The Goals of the CASP Certification
Sponsoring Bodies
Other Security Exams
Stated Goals
The Value of the CASP Certification
To the Security Professional
Department of Defense Directive 8140 and 8570 (DoDD 8140 and 8570)
To the Enterprise
CASP Exam Objectives
1.0 Risk Management
1.1 Summarize business and industry influences and associated security risks.
1.2 Compare and contrast security, privacy policies and procedures based on organizational requirements.
1.3 Given a scenario, execute risk mitigation strategies and controls.
1.4 Analyze risk metric scenarios to secure the enterprise.
2.0 Enterprise Security Architecture
2.1 Analyze a scenario and integrate network and security components, concepts and architectures to meet security requirements.
2.2 Analyze a scenario to integrate security controls for host devices to meet security requirements.
2.3 Analyze a scenario to integrate security controls for mobile and small form factor devices to meet security requirements.
2.4 Given software vulnerability scenarios, select appropriate security controls.
3.0 Enterprise Security Operations
3.1 Given a scenario, conduct a security assessment using the appropriate methods.
3.2 Analyze a scenario or output, and select the appropriate tool for a security assessment.
3.3 Given a scenario, implement incident response and recovery procedures.
4.0 Technical Integration of Enterprise Security
4.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture.
4.2 Given a scenario, integrate cloud and virtualization technologies into a secure enterprise architecture.
4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.
4.4 Given a scenario, implement cryptographic techniques.
4.5 Given a scenario, select the appropriate control to secure communications and collaboration solutions.
5.0 Research, Development and Collaboration
5.1 Given a scenario, apply research methods to determine industry trends and their impact to the enterprise.
5.2 Given a scenario, implement security activities across the technology life cycle.
5.3 Explain the importance of interaction across diverse business units to achieve security goals.
Steps to Becoming a CASP
Qualifying for the Exam
Signing Up for the Exam
About the Exam
CompTIA Authorized Materials Use Policy
Chapter 1 Business and Industry Influences and Associated Security Risks
Risk Management of New Products, New Technologies, and User Behaviors
New or Changing Business Models/Strategies
Partnerships
Outsourcing
Cloud
Acquisition/Merger and Divestiture/Demerger
Data Ownership
Data Reclassification
Security Concerns of Integrating Diverse Industries
Rules
Policies
Regulations
Export Controls
Legal Requirements
Geography
Data Sovereignty
Jurisdictions
Internal and External Influences
Competitors
Auditors/Audit Findings
Regulatory Entities
Internal and External Client Requirements
Top-Level Management
Impact of De-perimeterization (e.g., Constantly Changing Network Boundary)
Telecommuting
Cloud
Mobile
BYOD
Outsourcing
Ensuring Third-Party Providers Have Requisite Levels of Information Security
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 2 Security, Privacy Policies, and Procedures
Policy and Process Life Cycle Management
New Business
New Technologies
Environmental Changes
Regulatory Requirements
Emerging Risks
Support Legal Compliance and Advocacy
Common Business Documents to Support Security
Risk Assessment (RA)
Business Impact Analysis (BIA)
Interoperability Agreement (IA)
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU)
Service-Level Agreement (SLA)
Operating-Level Agreement (OLA)
Non-Disclosure Agreement (NDA)
Business Partnership Agreement (BPA)
Master Service Agreement (MSA)
Security Requirements for Contracts
Request for Proposal (RFP)
Request for Quote (RFQ)
Request for Information (RFI)
Agreement or Contract
General Privacy Principles for Sensitive Information
Support the Development of Policies Containing Standard Security Practices
Separation of Duties
Job Rotation
Mandatory Vacation
Least Privilege
Incident Response
Events Versus Incidents
Rules of Engagement, Authorization, and Scope
Forensic Tasks
Employment and Termination Procedures
Continuous Monitoring
Training and Awareness for Users
Auditing Requirements and Frequency
Information Classification and Life Cycle
Commercial Business Classifications
Military and Government Classifications
Information Life Cycle
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 3 Risk Mitigation Strategies and Controls
Categorize Data Types by Impact Levels Based on CIA
Incorporate Stakeholder Input into CIA Impact-Level Decisions
Determine the Aggregate CIA Score
Determine Minimum Required Security Controls Based on Aggregate Score
Select and Implement Controls Based on CIA Requirements and Organizational Policies
Access Control Categories
Compensative
Corrective
Detective
Deterrent
Directive
Preventive
Recovery
Access Control Types
Administrative (Management) Controls
Logical (Technical) Controls
Physical Controls
Security Requirements Traceability Matrix (SRTM)
Security Control Frameworks
ISO/IEC 27000 Series
Zachman Framework™
The Open Group Architecture Framework (TOGAF)
Department of Defense Architecture Framework (DoDAF)
British Ministry of Defence Architecture Framework (MODAF)
Sherwood Applied Business Security Architecture (SABSA)
Control Objectives for Information and Related Technology (COBIT)
National Institute of Standards and Technology (NIST) Special Publication (SP) 800 Series
HITRUST CSF
CIS Critical Security Controls
Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
Information Technology Infrastructure Library (ITIL)
Six Sigma
Capability Maturity Model Integration (CMMI)
CCTA Risk Analysis and Management Method (CRAMM)
Extreme Scenario Planning/Worst-Case Scenario
Conduct System-Specific Risk Analysis
Make Risk Determination Based upon Known Metrics
Qualitative Risk Analysis
Quantitative Risk Analysis
Magnitude of Impact Based on ALE and SLE
SLE
ALE
Likelihood of Threat
Motivation
Source
ARO
Trend Analysis
Return on Investment (ROI)
Payback
Net Present Value (NPV)
Total Cost of Ownership
Translate Technical Risks in Business Terms
Recommend Which Strategy Should Be Applied Based on Risk Appetite
Avoid
Transfer
Mitigate
Accept
Risk Management Processes
Information and Asset (Tangible/Intangible) Value and Costs
Vulnerabilities and Threats Identification
Exemptions
Deterrence
Inherent
Residual
Continuous Improvement/Monitoring
Business Continuity Planning
Business Continuity Scope and Plan
Personnel Components
Project Scope
Business Continuity Steps
Develop Contingency Planning Policy
Conduct the BIA
Identify Preventive Controls
Create Contingency Strategies
Plan Testing, Training, and Exercises (TT&E)
Maintain the Plan
IT Governance
Adherence to Risk Management Frameworks
NIST
Organizational Governance Components
Policies
Processes
Procedures
Standards
Guidelines
Baselines
Enterprise Resilience
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 4 Risk Metric Scenarios to Secure the Enterprise
Review Effectiveness of Existing Security Controls
Gap Analysis
Lessons Learned and After-Action Reports
Reverse Engineer/Deconstruct Existing Solutions
Creation, Collection, and Analysis of Metrics
KPIs
KRIs
Prototype and Test Multiple Solutions
Create Benchmarks and Compare to Baselines
Analyze and Interpret Trend Data to Anticipate Cyber Defense Needs
Analyze Security Solution Metrics and Attributes to Ensure They Meet Business Needs
Performance
Latency
Scalability
Capability
Usability
Maintainability
Availability
Recoverability
Cost/Benefit Analysis
ROI
TCO
Use Judgment to Solve Problems Where the Most Secure Solution Is Not Feasible
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 5 Network and Security Components, Concepts, and Architectures
Physical and Virtual Network and Security Devices
UTM
IDS/IPS
HIDS/HIPS
NIPS
NIDS
INE
NAC
SIEM
Switch
Firewall
Types of Firewalls
NGFWs
Firewall Architecture
Wireless Controller
Router
Proxy
Load Balancer
HSM
MicroSD HSM
Application and Protocol-Aware Technologies
WAF
Firewall
Passive Vulnerability Scanners
Active Vulnerability Scanners
DAM
Advanced Network Design (Wired/Wireless)
Remote Access
VPN
SSH
RDP
VNC
VDI
Reverse Proxy
IPv4 and IPv6 Transitional Technologies
Network Authentication Methods
802.1x
Mesh Networks
Application of Solutions
Placement of Hardware, Applications, and Fixed/Mobile Devices
Complex Network Security Solutions for Data Flow
DLP
Deep Packet Inspection
Data-Flow Enforcement
Network Flow (S/flow)
Network Flow Data
Data Flow Diagram
Secure Configuration and Baselining of Networking and Security Components
ACLs
Creating Rule Sets
Change Monitoring
Configuration Lockdown
Availability Controls
Software-Defined Networking
Network Management and Monitoring Tools
Alert Definitions and Rule Writing
Tuning Alert Thresholds
Alert Fatigue
Advanced Configuration of Routers, Switches, and Other Network Devices
Transport Security
Trunking Security
Port Security
Limiting MAC Addresses
Implementing Sticky MAC
Ports
Route Protection
DDoS Protection
Remotely Triggered Black Hole
Security Zones
DMZ
Separation of Critical Assets
Network Segmentation
Network Access Control
Quarantine/Remediation
Persistent/Volatile or Non-persistent Agent
Agent vs. Agentless
Network-Enabled Devices
System on a Chip (SoC)
Secure Booting
Secured Memory
Runtime Data Integrity Check
Central Security Breach Response
Building/Home Automation Systems
IP Video
HVAC Controllers
Sensors
Physical Access Control Systems
A/V Systems
Scientific/Industrial Equipment
Critical Infrastructure
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 6 Security Controls for Host Devices
Trusted OS (e.g., How and When to Use It)
SELinux
SEAndroid
TrustedSolaris
Least Functionality
Endpoint Security Software
Anti-malware
Antivirus
Anti-spyware
Spam Filters
Patch Management
IDS/IPS
HIPS/HIDS
Data Loss Prevention
Host-Based Firewalls
Log Monitoring
Endpoint Detection and Response
Host Hardening
Standard Operating Environment/Configuration Baselining
Application Whitelisting and Blacklisting
Security/Group Policy Implementation
Command Shell Restrictions
Patch Management
Manual
Automated
Configuring Dedicated Interfaces
Out-of-Band Management
ACLs
Management Interface
Data Interface
External I/O Restrictions
USB
Wireless
Drive Mounting
Drive Mapping
Webcam
Recording Mic
Audio Output
SD Port
HDMI Port
File and Disk Encryption
TPM
Firmware Updates
Boot Loader Protections
Secure Boot
Measured Launch
Integrity Measurement Architecture
BIOS/UEFI
Attestation Services
TPM
Virtual TPM
Vulnerabilities Associated with Hardware
Terminal Services/Application Delivery Services
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 7 Security Controls for Mobile and Small Form Factor Devices
Enterprise Mobility Management
Containerization
Configuration Profiles and Payloads
Personally Owned, Corporate-Enabled
Application Wrapping
Remote Assistance Access
VNC
Screen Mirroring
Application, Content, and Data Management
Over-the-Air Updates (Software/Firmware)
Remote Wiping
SCEP
BYOD
COPE
VPN
Application Permissions
Side Loading
Unsigned Apps/System Apps
Context-Aware Management
Geolocation/Geofencing
User Behavior
Security Restrictions
Time-Based Restrictions
Frequency
Security Implications/Privacy Concerns
Data Storage
Non-Removable Storage
Removable Storage
Cloud Storage
Transfer/Backup Data to Uncontrolled Storage
USB OTG
Device Loss/Theft
Hardware Anti-Tamper
eFuse
TPM
Rooting/Jailbreaking
Push Notification Services
Geotagging
Encrypted Instant Messaging Apps
Tokenization
OEM/Carrier Android Fragmentation
Mobile Payment
NFC-Enabled
Inductance-Enabled
Mobile Wallet
Peripheral-Enabled Payments (Credit Card Reader)
Tethering
USB
Spectrum Management
Bluetooth 3.0 vs. 4.1
Authentication
Swipe Pattern
Gesture
PIN Code
Biometric
Malware
Unauthorized Domain Bridging
Baseband Radio/SoC
Augmented Reality
SMS/MMS/Messaging
Wearable Technology
Devices
Cameras
Watches
Fitness Devices
Glasses
Medical Sensors/Devices
Headsets
Security Implications
Unauthorized Remote Activation/Deactivation of Devices or Features
Encrypted and Unencrypted Communication Concerns
Physical Reconnaissance
Personal Data Theft
Health Privacy
Digital Forensics on Collected Data
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 8 Software Vulnerability Security Controls
Application Security Design Considerations
Secure: By Design, By Default, By Deployment
Specific Application Issues
Unsecure Direct Object References
XSS
Cross-Site Request Forgery (CSRF)
Click-Jacking
Session Management
Input Validation
SQL Injection
Improper Error and Exception Handling
Privilege Escalation
Improper Storage of Sensitive Data
Fuzzing/Fault Injection
Secure Cookie Storage and Transmission
Buffer Overflow
Memory Leaks
Integer Overflows
Race Conditions
Time of Check/Time of Use
Resource Exhaustion
Geotagging
Data Remnants
Use of Third-Party Libraries
Code Reuse
Application Sandboxing
Secure Encrypted Enclaves
Database Activity Monitor
Web Application Firewalls
Client-Side Processing vs. Server-Side Processing
JSON/REST
Browser Extensions
ActiveX
Java Applets
HTML5
AJAX
SOAP
State Management
JavaScript
Operating System Vulnerabilities
Firmware Vulnerabilities
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 9 Security Assessments
Methods
Malware Sandboxing
Memory Dumping, Runtime Debugging
Reconnaissance
Fingerprinting
Code Review
Social Engineering
Phishing/Pharming
Shoulder Surfing
Identity Theft
Dumpster Diving
Pivoting
Open Source Intelligence
Social Media
Whois
Routing Tables
DNS Records
Search Engines
Test Types
Penetration Test
Black Box
White Box
Gray Box
Vulnerability Assessment
Self-Assessment
Tabletop Exercises
Internal and External Audits
Color Team Exercises
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 10 Select the Appropriate Security Assessment Tool
Network Tool Types
Port Scanners
Network Vulnerability Scanners
Protocol Analyzer
Wired
Wireless
SCAP Scanner
Permissions and Access
Execute Scanning
Network Enumerator
Fuzzer
HTTP Interceptor
Exploitation Tools/Frameworks
Visualization Tools
Log Reduction and Analysis Tools
Host Tool Types
Password Cracker
Host Vulnerability Scanners
Command Line Tools
netstat
ping
tracert/traceroute
ipconfig/ifconfig
nslookup/dig
Sysinternals
OpenSSL
Local Exploitation Tools/Frameworks
SCAP Tool
File Integrity Monitoring
Log Analysis Tools
Antivirus
Reverse Engineering Tools
Physical Security Tools
Lock Picks
Locks
RFID Tools
IR Camera
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 11 Incident Response and Recovery
E-Discovery
Electronic Inventory and Asset Control
Data Retention Policies
Data Recovery and Storage
Data Ownership
Data Handling
Legal Holds
Data Breach
Detection and Collection
Data Analytics
Mitigation
Minimize
Isolate
Recovery/Reconstitution
Response
Disclosure
Facilitate Incident Detection and Response
Internal and External Violations
Privacy Policy Violations
Criminal Actions
Insider Threats
Non-malicious Threats/Misconfigurations
Hunt Teaming
Heuristics/Behavioral Analytics
Establish and Review System, Audit and Security Logs
Incident and Emergency Response
Chain of Custody
Evidence
Surveillance, Search, and Seizure
Forensic Analysis of Compromised System
Media Analysis
Software Analysis
Network Analysis
Hardware/Embedded Device Analysis
Continuity of Operations
Disaster Recovery
Data Backup Types and Schemes
Electronic Backup
Incident Response Team
Order of Volatility
Incident Response Support Tools
dd
tcpdump
nbtstat
netstat
nc (Netcat)
memcopy
tshark
foremost
Severity of Incident or Breach
Scope
Impact
System Process Criticality
Cost
Downtime
Legal Ramifications
Post-incident Response
Root-Cause Analysis
Lessons Learned
After-Action Report
Change Control Process
Update Incident Response Plan
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 12 Host, Storage, Network, and Application Integration
Adapt Data Flow Security to Meet Changing Business Needs
Standards
Open Standards
Adherence to Standards
Competing Standards
Lack of Standards
De Facto Standards
Interoperability Issues
Legacy Systems and Software/Current Systems
Application Requirements
Software Types
In-house Developed
Commercial
Tailored Commercial
Open Source
Standard Data Formats
Protocols and APIs
Resilience Issues
Use of Heterogeneous Components
Course of Action Automation/Orchestration
Distribution of Critical Assets
Persistence and Non-persistence of Data
Redundancy/High Availability
Assumed Likelihood of Attack
Data Security Considerations
Data Remnants
Data Aggregation
Data Isolation
Data Ownership
Data Sovereignty
Data Volume
Resources Provisioning and Deprovisioning
Users
Servers
Virtual Devices
Applications
Data Remnants
Design Considerations During Mergers, Acquisitions and Demergers/Divestitures
Network Secure Segmentation and Delegation
Logical Deployment Diagram and Corresponding Physical Deployment Diagram of All Relevant Devices
Security and Privacy Considerations of Storage Integration
Security Implications of Integrating Enterprise Applications
CRM
ERP
CMDB
CMS
Integration Enablers
Directory Services
DNS
SOA
ESB
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 13 Cloud and Virtualization Technology Integration
Technical Deployment Models (Outsourcing/Insourcing/Managed Services/Partnership)
Cloud and Virtualization Considerations and Hosting Options
Public
Private
Hybrid
Community
Multitenancy
Single Tenancy
On-Premise vs. Hosted
Cloud Service Models
Security Advantages and Disadvantages of Virtualization
Type 1 vs. Type 2 Hypervisors
Type 1 Hypervisor
Type 2 Hypervisor
Container-Based
vTPM
Hyperconverged Infrastructure
Virtual Desktop Infrastructure
Secure Enclaves and Volumes
Cloud Augmented Security Services
Hash Matching
Anti-malware
Vulnerability Scanning
Sandboxing
Content Filtering
Cloud Security Broker
Security as a Service
Managed Security Service Providers
Vulnerabilities Associated with Comingling of Hosts with Different Security Requirements
VM Escape
Privilege Elevation
Live VM Migration
Data Remnants
Data Security Considerations
Vulnerabilities Associated with a Single Server Hosting Multiple Data Types
Vulnerabilities Associated with a Single Platform Hosting Multiple Data Types/Owners on Multiple Virtual Machines
Resources Provisioning and Deprovisioning
Virtual Devices
Data Remnants
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 14 Authentication and Authorization Technology Integration
Authentication
Authentication Factors
Knowledge Factors
Ownership Factors
Characteristic Factors
Additional Authentication Concepts
Identity and Account Management
Password Types and Management
Physiological Characteristics
Behavioral Characteristics
Biometric Considerations
Dual-Factor and Multi-Factor Authentication
Certificate-Based Authentication
Single Sign-on
802.1x
Context-Aware Authentication
Push-Based Authentication
Authorization
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Rule-Based Access Control
Content-Dependent Access Control
Access Control Matrix
ACLs
Access Control Policies
Default to No Access
OAuth
XACML
SPML
Attestation
Identity Proofing
Identity Propagation
Federation
SAML
OpenID
Shibboleth
WAYF
Trust Models
RADIUS Configurations
LDAP
AD
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 15 Cryptographic Techniques
Techniques
Key Stretching
Hashing
MD2/MD4/MD5/MD6
SHA/SHA-2/SHA-3
HAVAL
RIPEMD-160
Digital Signature
Message Authentication
Code Signing
Pseudo-Random Number Generation
Perfect Forward Secrecy
Data-in-Transit Encryption
SSL/TLS
HTTP/HTTPS/SHTTP
SET and 3-D Secure
IPsec
Data-in-Memory/Processing
Data-at-Rest Encryption
Symmetric Algorithms
Asymmetric Algorithms
Hybrid Ciphers
Disk-Level Encryption
Block-Level Encryption
File-Level Encryption
Record-Level Encryption
Port-Level Encryption
Steganography
Implementations
Crypto Modules
Crypto Processors
Cryptographic Service Providers
DRM
Watermarking
GNU Privacy Guard (GPG)
SSL/TLS
Secure Shell (SSH)
S/MIME
Cryptographic Applications and Proper/Improper Implementations
Strength Versus Performance Versus Feasibility to Implement Versus Interoperability
Feasibility to Implement
Interoperability
Stream vs. Block
Stream Ciphers
Block Ciphers
Modes
Known Flaws/Weaknesses
PKI
Wildcard
OCSP vs. CRL
Issuance to Entities
Key Escrow
Certificate
Tokens
Stapling
Pinning
Cryptocurrency/Blockchain
Mobile Device Encryption Considerations
Elliptic Curve Cryptography
P256 vs. P384 vs. P521
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 16 Secure Communication and Collaboration
Remote Access
Dial-up
VPN
SSL
Remote Administration
Resource and Services
Desktop and Application Sharing
Remote Assistance
Unified Collaboration Tools
Web Conferencing
Video Conferencing
Audio Conferencing
Storage and Document Collaboration Tools
Unified Communication
Instant Messaging
Presence
Email
IMAP
POP
SMTP
Email Spoofing
Spear Phishing
Whaling
Spam
Captured Messages
Disclosure of Information
Malware
Telephony and VoIP Integration
Collaboration Sites
Social Media
Cloud-Based Collaboration
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 17 Industry Trends and Their Impact to the Enterprise
Perform Ongoing Research
Best Practices
New Technologies, Security Systems and Services
Technology Evolution (e.g., RFCs, ISO)
Threat Intelligence
Latest Attacks
Knowledge of Current Vulnerabilities and Threats
Zero-Day Mitigation Controls and Remediation
Threat Model
Research Security Implications of Emerging Business Tools
Evolving Social Media Platforms
End-User Cloud Storage
Integration Within the Business
Big Data
AI/Machine Learning
Global IA Industry/Community
Computer Emergency Response Team (CERT)
Conventions/Conferences
Research Consultants/Vendors
Threat Actor Activities
Topology Discovery
OS Fingerprinting
Service Discovery
Packet Capture
Log Review
Router/Firewall ACLs Review
Email Harvesting
Social Media Profiling
Social Engineering
Phishing
Emerging Threat Sources
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 18 Security Activities Across the Technology Life Cycle
Systems Development Life Cycle
Requirements
Acquisition
Test and Evaluation
Commissioning/Decommissioning
Operational Activities
Monitoring
Maintenance
Configuration and Change Management
Asset Disposal
Asset/Object Reuse
Software Development Life Cycle
Plan/Initiate Project
Gather Requirements
Design
Develop
Test/Validate
Release/Maintain
Certify/Accredit
Change Management and Configuration Management/Replacement
Application Security Frameworks
Software Assurance
Auditing and Logging
Risk Analysis and Mitigation
Regression and Acceptance Testing
Security Impact of Acquired Software
Standard Libraries
Industry-Accepted Approaches
Web Services Security (WS-Security)
Forbidden Coding Techniques
NX/XN Bit Use
ASLR Use
Code Quality
Code Analyzers
Development Approaches
Build and Fix
Waterfall
V-Shaped
Prototyping
Incremental
Spiral
Rapid Application Development (RAD)
Agile
JAD
Cleanroom
DevOps
Security Implications of Agile, Waterfall, and Spiral Software Development Methodologies
Continuous Integration
Versioning
Secure Coding Standards
Documentation
Security Requirements Traceability Matrix (SRTM)
Requirements Definition
System Design Document
Testing Plans
Validation and Acceptance Testing
Unit Testing
Adapt Solutions
Address Emerging Threats
Address Disruptive Technologies
Address Security Trends
Asset Management (Inventory Control)
Device-Tracking Technologies
Geolocation/GPS Location
Object Tracking and Containment Technologies
Geotagging/Geofencing
RFID
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Chapter 19 Business Unit Interaction
Interpreting Security Requirements and Goals to Communicate with Stakeholders from Other Disciplines
Sales Staff
Programmer
Database Administrator
Network Administrator
Management/Executive Management
Financial
Human Resources
Emergency Response Team
Facilities Manager
Physical Security Manager
Legal Counsel
Provide Objective Guidance and Impartial Recommendations to Staff and Senior Management on Security Processes and Controls
Establish Effective Collaboration Within Teams to Implement Secure Solutions
Governance, Risk, and Compliance Committee
Exam Preparation Tasks
Review All Key Topics
Define Key Terms
Review Questions
Appendix A Answers
Glossary
Index
Online-only Elements:
Appendix B Memory Tables
Appendix C Memory Table Answers
Appendix D Study Planner