CASP+ Practice Tests, Nadean H. Tanner
Objectives Map
The following table shows where you can find an objective covered in this book.
| Objective | Chapter |
|---|---|
| 1.0 Risk Management | |
| 1.1 Summarize business and industry influences and associated security risks. | Chapter 1 |
| Risk management of new products, technology, and users. Business models including partnerships, outsourcing, cloud, and strategies around mergers, divestiture, and acquisitions. Data ownership and reclassification. Rules, policies, regulations. Competitors, auditors, regulations. | |
| 1.2 Compare and contrast security, privacy policies, and procedures based on organizational requirements. | Chapter 1 |
| Policy and process life cycles. Legal compliance and advocacy by partnering with human resources, legal, and management. Common business documents supporting security, including risk assessments, business impact analysis, interoperability agreements, interconnection security agreements, memoranda of understanding, service level and operating level agreements, as well as non-disclosure, business partnership, and master service agreements. Research security requirements such as requests for proposals, for quotes, and for information. Privacy requirements and development of policies containing standard security practices. | |
| 1.3 Given a scenario, execute risk mitigation strategies and controls. | Chapter 1 |
| CIA and security controls. Scenario planning and risk analysis. Risk determination using metrics such as annual loss expectancy and single loss expectancy. Recommending a strategy based on risk avoidance, transference, mitigation, and acceptance. Risk management processes, including exemptions, deterrence, inherent, and residual. Business continuity planning. | |
| 1.4 Analyze risk metric scenarios to secure the enterprise. | Chapter 1 |
| Review effectiveness of security controls with gap analysis, lessons learned, and after-action reports. Reverse engineer existing solutions and analyze metrics. Prototype solutions, benchmarks, and baselines, and interpretation of data to anticipate cyber defense needs. Analyze possible solutions based on performance, latency, scalability, capability, usability, maintainability, availability, and recoverability. | |
| 2.0 Enterprise Security Architecture | |
| 2.1 Analyze a scenario and integrate network and security components, concepts, and architectures to meet security requirements. | Chapter 2 |
| Physical and virtual network security devices as well as application- and protocol-aware technologies. Advanced network design and complex network security for data in transit. Secure configuration, baselining, and monitoring of assets. Security zones, network access control, and critical infrastructure. | |
| 2.2 Analyze a scenario to integrate security controls for host devices to meet security requirements. | Chapter 2 |
| Trusted operating systems, endpoint security software, host hardening, and hardware vulnerabilities. Terminal services and application delivery services. | |
| 2.3 Analyze a scenario to integrate security controls for mobile and small-form-factor devices to meet security requirements. | Chapter 2 |
| Enterprise mobility management, including containers, remote assistance and wiping, VPN, and mobile payment systems. Security implications and privacy concerns of data storage. Wearable technology and its security implications. | |
| 2.4 Given software vulnerability scenarios, select the appropriate security controls. | Chapter 2 |
| Application security design considerations and application issues, including XSS, CSRF, SQLi, session management, input validation, buffer overflows, memory leaks, race conditions, and privilege escalation. Application sandboxing, secure encrypted enclaves, database monitoring, web application firewalls, and client-side versus server-side processing. Operating system and firmware vulnerabilities. | |
| 3.0 Enterprise Security Operations | |
| 3.1 Given a scenario, conduct a security assessment using the appropriate methods. | Chapter 3 |
| Malware, debugging, reconnaissance, fingerprinting, code review, social engineering, OSINT, and pivoting. Types of penetration testing, including black, white, and gray box. Vulnerability assessments, audits, and team exercises. | |
| 3.2 Analyze a scenario or output, and select the appropriate tool for a security assessment. | Chapter 3 |
| Network tools, such as port scanners, vulnerability scanners, protocol analyzers, fuzzers, and log-analysis tools. Host tool types, such as password crackers, command line tools, SCAP, FIM, antivirus, and reverse-engineering tools. Physical security tools, such as lock picks, RFID tools, and IR cameras. | |
| 3.3 Given a scenario, implement incident response and recovery procedures. | Chapter 3 |
| E-discovery, data retention, recovery, ownership, and handling. Data breach response, detection, mitigation, recovery, response, and disclosure. Incident detection and response, incident response tools to help determine the severity of the incident or breach, and post-incident response. | |
| 4.0 Technical Integration of Enterprise Security | |
| 4.1 Given a scenario, integrate hosts, storage, networks, and applications into a secure enterprise architecture. | Chapter 4 |
| Data flow security. Open, competing, adherence, and de facto standards. Interoperability issues, including software types, legacy systems, application requirements, protocols, and standard data formats. Resilience issues, and provisioning and deprovisioning of resources, including users, servers, virtual systems, and applications. Network segmentation, security and privacy considerations, and enterprise applications. | |
| 4.2 Given a scenario, integrate cloud and virtualization technologies into a secure enterprise architecture. | Chapter 4 |
| Technical deployment models (outsourcing/insourcing/managed services/partnerships), cloud and virtualization considerations, and the security advantages and disadvantages of virtualization. Cloud-augmented security services, and vulnerabilities associated with hosts with different security requirements. | |
| 4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives. | Chapter 4 |
| Authentication, authorization, attestation, identity proofing, identity propagation, federation, and trust models. | |
| 4.4 Given a scenario, implement cryptographic techniques. | Chapter 4 |
| Cryptographic techniques, such as hashing, digital signatures, code signing, data-in-transit encryption, data-in-memory processing, data-at-rest encryption, and steganography. Implementing encryption in an enterprise, such as DRM, SSH, SSL, S/MIME, and PKI. | |
| 4.5 Given a scenario, select the appropriate control to secure communications and collaboration solutions. | Chapter 4 |
| Remote access, resources and services, and remote assistance. Unified collaboration tools for video/audio/web conferencing, instant messaging, email, VoIP, and collaboration sites. | |
| 5.0 Research, Development, and Collaboration | |
| 5.1 Given a scenario, apply research methods to determine industry trends and their impact on the enterprise. | Chapter 5 |
| Ongoing research in best practices, new technologies, security systems, and services. Threat intelligence on the latest attacks, current vulnerabilities, and threats; zero-day mitigation controls; and threat modeling. Research security implications of emerging business tools and the global IA industry/community. | |
| 5.2 Given a scenario, implement security activities across the technology life cycle. | Chapter 5 |
| Systems/software development life cycles. Application frameworks, development approaches, secure coding standards, and documentation. Validation and acceptance testing. Adapting solutions to address emerging threats, security trends, and disruptive technology. Asset management and inventory control. | |
| 5.3 Explain the importance of interaction across diverse business units to achieve security goals. | Chapter 5 |
| Interpreting security requirements and goals to communicate with stakeholders, such as sales, programmers, DBAs, network administrators, human resources, and legal counsel. Providing guidance and recommendations to staff and management on processes and security controls. Governance, risk, and compliance committees. | |