WHAT IS NEW WITHIN EACH OF THE DOMAINS
Below is the list of the new domains on the left and, on the right, the new topics that were introduced within each of those domains. I welcome your help to complete it with even more details. If you know of topics and links that could be added, please send an email to [email protected] and let me know.
NEW DOMAIN NAME | NEW TOPICS THAT WERE ADDED
Security & Risk Management
  Threat Modeling: more details were added about threat modeling.
Asset Security
  Acquisition: integrate security risk considerations into acquisition practice for hardware, software and services
    Third-party assessment and monitoring (on-site assessment, document exchange and review, process/policy review)
    Minimum security requirements
    Service-level requirements
Security Engineering
  Mobile Systems: this does NOT refer to phones and similar tools. It refers to laptops as mobile devices and the risks associated with those mobile devices.
  Internet of Things (IoT): http://spectrum.ieee.org/telecom/security/how-to-build-a-safer-internet-of-things
    The Cyber Defense Magazine also has some interesting articles on the challenge of IoT at: http://www.cyberdefensemagazine.com/newsletters/march-2015/index.html
  Embedded Systems: smart appliances and other devices with a built-in computer.
Communications & Network Security
  Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI)
  Software Defined Networks: see https://www.opennetworking.org/sdn-resources/sdn-definition
    Video to watch: https://www.youtube.com/watch?v=DiChnu_PAzA
    If you wish to learn more: https://www.youtube.com/watch?v=l25Ukkmk6Sk
  Storage and Network Convergence (iSCSI and FCoE): http://www.redbooks.ibm.com/redbooks/pdfs/sg247986.pdf
    Read chapter one of the document above for a quick overview.
  Content Distribution Networks: Akamai, Cloudflare, Amazon CloudFront and others
Identity and Access Management
  Session Management
    Desktop sessions can be controlled and protected through several means, including but not limited to: screensavers, timeouts, automatic logouts, session/login limitations, and schedule limitations.
  Registration and Proofing of Identity
  Cloud Identity Services
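The desktop-session controls listed above, as an added example (not code from this page or from any product): a minimal session manager that enforces a screensaver-style idle lock, an idle logout, an absolute session lifetime, a per-user concurrent-login cap and a permitted schedule window. The policy values, user names and timestamps are constructed for illustration.

```python
# Added example for this page (not from the site or any product): a minimal
# desktop session manager that enforces the controls listed above. The policy
# values, user names and timestamps below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, time

IDLE_LOCK = timedelta(minutes=15)      # screensaver lock after this much inactivity
IDLE_LOGOUT = timedelta(minutes=60)    # automatic logout after this much inactivity
ABSOLUTE_MAX = timedelta(hours=10)     # hard cap on session lifetime, active or not
MAX_SESSIONS = 2                       # session/login limitation per user
SCHEDULE = (time(7, 0), time(19, 0))   # schedule limitation: permitted login window


@dataclass
class Session:
    user: str
    started: datetime
    last_activity: datetime
    locked: bool = False


class SessionManager:
    def __init__(self) -> None:
        self.sessions: list[Session] = []

    @staticmethod
    def in_schedule(now: datetime) -> bool:
        start, end = SCHEDULE
        return start <= now.time() < end

    def login(self, user: str, now: datetime):
        """Open a session, enforcing the schedule and the concurrent-session cap.
        Returns (Session or None, reason)."""
        if not self.in_schedule(now):
            return None, "denied: outside permitted schedule"
        if sum(1 for s in self.sessions if s.user == user) >= MAX_SESSIONS:
            return None, "denied: concurrent session limit reached"
        session = Session(user, now, now)
        self.sessions.append(session)
        return session, "ok"

    def activity(self, session: Session, now: datetime) -> bool:
        """Record user input. A locked session rejects input until it is
        unlocked, so the idle clock cannot be reset from the lock screen."""
        if session.locked:
            return False
        session.last_activity = now
        return True

    def unlock(self, session: Session, now: datetime, password_ok: bool) -> bool:
        """Re-authentication at the lock screen; restarts the idle clock only."""
        if password_ok:
            session.locked = False
            session.last_activity = now
        return password_ok

    def sweep(self, now: datetime) -> list[tuple[str, str]]:
        """Periodic enforcement pass. Terminates sessions past the absolute,
        idle-logout or schedule limits (checked in that order) and locks the
        rest once idle. Returns the actions taken, in session order."""
        actions, keep = [], []
        for s in self.sessions:
            idle, age = now - s.last_activity, now - s.started
            if age >= ABSOLUTE_MAX:
                actions.append((s.user, "logout: absolute timeout"))
            elif idle >= IDLE_LOGOUT:
                actions.append((s.user, "logout: idle timeout"))
            elif not self.in_schedule(now):
                actions.append((s.user, "logout: outside schedule"))
            else:
                if idle >= IDLE_LOCK and not s.locked:
                    s.locked = True
                    actions.append((s.user, "lock: idle"))
                keep.append(s)
        self.sessions = keep
        return actions


def demo() -> list[str]:
    """Replay a constructed day of events; returns every decision as a string."""
    mgr = SessionManager()
    day = datetime(2015, 4, 15)                       # constructed date
    at = lambda h, m: day.replace(hour=h, minute=m)
    log = []
    for user, when in [("bob", at(6, 30)), ("alice", at(8, 0)), ("alice", at(8, 1)),
                       ("alice", at(8, 2)), ("carol", at(8, 5))]:
        _, reason = mgr.login(user, when)
        log.append(f"{user}: {reason}")
    alice_first = mgr.sessions[0]
    log += [f"{u}: {act}" for u, act in mgr.sweep(at(8, 18))]   # alice's two sessions lock
    log.append(f"alice: activity accepted={mgr.activity(alice_first, at(8, 25))}")
    mgr.unlock(alice_first, at(8, 25), password_ok=True)
    log += [f"{u}: {act}" for u, act in mgr.sweep(at(9, 10))]   # idle logouts begin
    mgr.unlock(alice_first, at(18, 5), password_ok=True)        # active again, but too old
    log += [f"{u}: {act}" for u, act in mgr.sweep(at(18, 10))]
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two details worth noting: a locked session rejects input until the user re-authenticates, so keyboard activity at the lock screen cannot reset the idle clock, and the absolute lifetime is checked before the idle rules, so re-authenticating does not extend a session past its hard cap.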
Security Assessment and Testing
  This is mostly a new domain that goes into a lot more depth about security assessment and penetration testing. The two documents below will give you most of what you need to know.
  See: Penetration Testing Guidance from the PCI Security Standards Council
  And: NIST SP 800-115, Technical Guide to Information Security Testing and Assessment: http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
Security Operations
  Asset Management and asset inventory: https://www.sei.cmu.edu/productlines/frame_report/config.man.htm
  Configuration Management: http://acqnotes.com/Attachments/IEEE%20Guide%20to%20Software%20Configuration%20Management.pdf
  Whitelisting and Blacklisting
  Coverage of Sandboxing: http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29
  A bit more detail on Patch Management technologies (NIST SP 800-40 Rev. 3): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
    Read chapter 3 of the document above about the challenges of patch management.
Software Development Security
  Integrated Product Team (IPT): http://www.acq.osd.mil/se/docs/DoD-IPPD-Handbook-Aug98.pdf
  DevOps and its principles: http://itrevolution.com/the-three-ways-principles-underpinning-devops/ and http://theagileadmin.com/what-is-devops/
  Software Assurance: http://en.wikipedia.org/wiki/Software_assurance
Clement and Nathalie
Site owners and Founders