| Content group/topic | Skill: Remembering & Understanding | Skill: Application | Skill: Analysis | Skill: Evaluation | Representative Task |
|---|---|---|---|---|---|
| A. Regulations, standards and frameworks | | | | | Recall the covered entities and permitted uses and disclosures of the HIPAA Security and Privacy Rules. |
| | | | | | Recall the scope of the GDPR and the six principles and key concepts for personal data. |
| | | | | | Recall the requirements of the PCI DSS. |
| | | | | | Recall the three parts of the NIST CSF (Framework Core, Framework Implementation Tiers, Framework Profiles). |
| | | | | | Recall the three parts of the NIST Privacy Framework (Framework Core, Framework Profiles, Framework Implementation Tiers). |
| | | | | | Recall the purpose, applicability, target audience and organizational responsibilities of NIST SP 800-53. |
| | | | | | Recall the overview of each CIS Control. |
| | | | | | Recall the governance system principles, governance framework principles and the components of a governance system according to COBIT 2019. |
| B. Security: 1. Threats and attacks | | | | | Classify the different types of threat agents (e.g., internal or external, nation or non-nation state-sponsored, adversary, threat actors, attacker or hacker). |
| | | | | | Identify types of attacks (e.g., physical, distributed denial of service, malware, social engineering, web application attacks, mobile device attacks). |
| | | | | | Identify techniques used in a cyber-attack (e.g., buffer overflow, mobile code, cross-site scripting, SQL injection, race conditions, covert channel, replay and return-oriented attacks). |
| | | | | | Explain the stages in a cyber-attack (e.g., reconnaissance, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). |
| | | | | | Identify the cybersecurity risks related to using cloud environments, platforms and services. |
| | | | | | Identify the cybersecurity risks related to the Internet of Things (IoT). |
| | | | | | Identify the cybersecurity risks related to mobile technologies. |
| | | | | | Explain threat modeling and the threat landscape. |
| | | | | | Determine the specific cybersecurity threats in an organization's connections with customers, vendors and partner organizations. |
| | | | | | Determine the specific cybersecurity threats to an organization's on-premises and cloud-based applications, networks and connected devices (e.g., mobile and Internet of Things (IoT) devices). |
| B. Security: 2. Mitigation | | | | | Identify ways to protect networks and devices used to access the network remotely (e.g., isolation and segmentation, virtual private network (VPN), wireless network security, endpoint security, system hardening, intrusion prevention and detection systems). |
| | | | | | Recall the definition and purpose of vulnerability management. |
| | | | | | Explain the concepts of layered security and defense-in-depth. |
| | | | | | Define the concepts of least privilege, zero trust, whitelisting and the need-to-know principle. |
| | | | | | Recall the purpose and content of a technology acceptable use policy, including considerations specific to mobile technologies and bring-your-own-device (BYOD). |
| | | | | | Explain how the COSO frameworks can be used to assess cyber risks and controls. |
| | | | | | Determine the common preventive, detective or corrective controls (e.g., intrusion prevention systems, device and software hardening, log analysis, intrusion detection systems, virus quarantining, patches) to mitigate the risk of cyber-attacks for an organization. |
| | | | | | Determine the appropriate identification and authentication techniques and technologies (e.g., password management, single sign-on, multi-factor authentication, personal identification number (PIN) management, digital signatures, smart cards, biometrics) in a specific scenario. |
| | | | | | Determine the appropriate authorization model (e.g., discretionary, role-based, mandatory) and the controls (e.g., access control list, account restrictions, physical barriers) used to implement the model in a specific scenario. |
| B. Security: 3. Testing | | | | | Perform procedures to obtain an understanding of how the entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. |
| | | | | | Provide input into a security assessment report by documenting the issues, findings and recommendations identified while performing tests of controls. |
| | | | | | Perform a walkthrough of an organization's procedures relevant to IT security (e.g., IT risk management, human resources, training and education) and compare the observed procedure with the documented policy requirement. |
| | | | | | Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization's security service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria. |
| C. Confidentiality and privacy | | | | | Explain encryption fundamentals, techniques and applications. |
| | | | | | Recall the differences between confidentiality and privacy. |
| | | | | | Identify methods for the protection of confidential data during the design, development, testing and implementation of applications that use confidential data (e.g., data obfuscation, tokenization). |
| | | | | | Explain Data Loss Prevention (DLP). |
| | | | | | Identify financial and operational implications of a data breach. |
| | | | | | Determine controls and data management practices to securely collect, process, store, transmit and delete confidential data or data subject to privacy regulations. |
| | | | | | Detect deficiencies in the suitability or design and deviations in the operation of controls related to a service organization's confidentiality and privacy service commitments and system requirements in a SOC 2® engagement using the Trust Services Criteria. |
| D. Incident response | | | | | Recall the differences between security/cybersecurity events and incidents. |
| | | | | | Explain the use of insurance as a mitigation strategy for a security incident or data breach. |
| | | | | | Summarize contents commonly included in incident response plans (e.g., roles, responsibilities, methods, steps, timelines). |
| | | | | | Perform procedures to test whether the entity responded to cybersecurity incidents in accordance with the incident response plan. |