Everything you need to know about the May 2021 CISSP exam update.
Every three years, (ISC)2 releases a new edition of the CISSP exam. Starting May 1, 2021, CISSP exam candidates will only be able to take the exam that is based on the 2021 objectives. The last day to take the CISSP exam based on the 2018 objectives is April 30, 2021.
The exam outline details the domains and objectives that are covered, including the domain weighting and objective bullet points. We’ve taken the time to analyze and compare the 2021 Exam Outline to the 2018 Exam Outline as a service to our instructors and students.
First, let’s discuss what has changed and what has not changed while answering some common questions along the way. If you need more details, you can drill down into each domain and review domain, objective, and topic changes in greater detail.
What’s changing in the 2021 CISSP update?
The weighting distribution for the 8 Domains has been slightly adjusted. For a more detailed view per domain, please follow the links within each domain label.
- Domain 1: Security and Risk Management (15%) – No weighting change.
- Domain 2: Asset Security (10%) – No weighting change.
- Domain 3: Security Architecture and Engineering (13%) – No weighting change.
- Domain 4: Communication and Network Security (13%) – Reduced 1%.
- Domain 5: Identity and Access Management (IAM) (13%) – No weighting change.
- Domain 6: Security Assessment and Testing (12%) – No weighting change.
- Domain 7: Security Operations (13%) – No weighting change.
- Domain 8: Software Development Security (11%) – Increased 1%.
If a candidate takes the Computerized Adaptive Testing (CAT) form of the exam, this weighting change reflects a 1-2 question increase for Domain 8 and decrease for Domain 4. If a candidate takes the linear form of the exam, this weighting change reflects a 2-5 question increase for Domain 8 and decrease for Domain 4.
Within each domain, objectives and bullet points were revised, added, moved, and removed. These changes are discussed in the Domain sections later in this document.
Finally, the registration price for the exam will increase from US$699 to US$749.
What’s NOT changing in this update?
OK. Now that we’ve talked about what’s changing, let’s call out what is staying the same from the previous version. Here is a list of the things that are unchanged:
- Domain names
- Exam candidate’s experiential requirements
- Exam format: CAT for English, linear for all other languages
- Exam length: 100-150 questions for CAT; 250 questions for linear
- Exam duration: 3 hours CAT; 6 hours linear
- Question types: multiple choice and advanced innovative (hotspot and drag-and-drop) questions
- Passing score: 700/1000
- Testing centers: (ISC)2 Authorized PPC and PVTC and select Pearson VUE testing centers
How should I prepare for this new CISSP exam version?
Whether you are just beginning to prepare or have been studying diligently for months, don’t fret. Overall, these exam changes are noticeable but not sweeping: the domain names, exam format, and passing score are unchanged, and most edits add examples to existing bullets or move topics between domains. That said, the CISSP remains a difficult test of knowledge. (ISC)2 estimates that a candidate should put in approximately 300 hours of preparation leading up to the exam. N2K has prepared learners for the CISSP for several years as an Official (ISC)2 Training Provider. Looking for quality training to ensure your success on the latest CISSP exam? Learn more about our Live Online and On-Demand CISSP training courses today. Classes are actively enrolling, though space is limited.
What are the changes within each domain?
Want to get down to the details? Review each section below to learn about the specific changes within each domain for the 2021 CISSP exam update. These differences are taken directly from the (ISC)2 exam outlines, comparing the outgoing 2018 edition with the new 2021 edition.
Domain 1: Security and Risk Management Changes
Domain 1: Security and Risk Management includes very few, mostly minor changes. The new objective in this domain (Objective 1.6) was just moved into Domain 1 from the old Domain 7.
Here is a breakdown of the Domain 1 changes by Objective:
- 1.1 Understand, adhere to, and promote professional ethics – No topic changes. (This objective was 1.5 in the 2018 edition.)
- 1.2 Understand and apply security concepts – Two topics were added to the objective:
- Authenticity – This is covered in our current course in relation to the integrity of evidence in Domain 7. Authenticity is the assurance that a message, transaction, or other exchange of information genuinely comes from the source it claims to come from. Failing to verify authenticity is what makes spam, phishing, web site redirection, browser hijacking, and man-in-the-middle attacks possible.
- Nonrepudiation – This is discussed in our current course in relation to digital signatures in Domain 3. Nonrepudiation ensures that a sender cannot later deny having sent a message. Digital signatures provide it because only the holder of the private key could have produced the signature; a shared-key message authentication code (MAC) provides authenticity but not nonrepudiation, since either party holding the key could have computed it.
- 1.3 Evaluate and apply security governance principles – No topic changes.
- 1.4 Determine compliance and other requirements – No topic changes.
- 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context – No topic changes.
- 1.6 Understand requirements for investigation types – This objective is new to Domain 1, but was moved here from the old Domain 7 (Objective 7.2). No topic changes.
- 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines – No topic changes.
- 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements – No topic changes.
- 1.9 Contribute to and enforce personnel security policies and procedures – The Onboarding and termination processes bullet point was revised to include a new topic:
- Transfers – This is not discussed in our current course. Students need to understand that internal transfers (an employee moving to a new role within the organization) should be handled like a partial termination followed by a fresh onboarding: permissions granted for the old job role and not required by the new one must be removed, so that privileges do not accumulate over a career (privilege creep).
- 1.10 Understand and apply risk management concepts – One bullet point was removed and another was edited a bit:
- Asset valuation – This is no longer listed as a bullet point. However, our SMEs believe that students still need to understand this term as it applies to risk.
- Control assessments (security and privacy) – This bullet was Security Control Assessment (SCA) in the old edition. The change acknowledges that assessments can also be performed against privacy controls. Security controls safeguard the confidentiality, integrity, and availability of data, whereas privacy controls govern how personal information about individuals is collected, used, retained, and shared.
- 1.11 Understand and apply threat modeling concepts and methodologies – No topic changes.
- 1.12 Apply Supply Chain Risk Management (SCRM) concepts – This objective was edited to include the term Supply Chain Risk Management (SCRM), but this is not an actual topic change. It is just a change to include a popularly used term.
- 1.13 Establish and maintain a security awareness, education, and training program – The Methods and techniques to present awareness and training bullet point was modified to include the following examples:
- Social engineering – This is covered in our current course in Domain 5.
- Phishing – This is covered in our current course in Domain 5.
- Security champions – This is not discussed in our current course. Security champions are personnel who take the lead within their teams and projects on security objectives. This term is used most commonly in the context of application development.
- Gamification – This is not discussed in our current course. Gamification is the adding of game principles, game thinking, or game logic to a task to encourage participation.
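To make the distinction between the two new Objective 1.2 topics concrete, here is an added example in Go; it is not part of the (ISC)2 outline or of N2K course material. It protects a constructed message first with a shared-key HMAC and then with an Ed25519 signature. Both detect tampering (integrity) and prove the message came from a key holder (authenticity), but only the signature gives nonrepudiation: the receiver, who holds the same HMAC key, can forge a tag that verifies, while holding only the public key it cannot forge a signature. The message text and the shared key are made-up values for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample message and shared key (demo values, not from the page).
var (
	Message   = []byte("transfer 500 to account 42")
	SharedKey = []byte("demo-shared-secret-between-alice-and-bank")
)

// HMACTag computes an HMAC-SHA256 tag over msg with a shared key.
func HMACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyHMAC checks a tag in constant time; a match proves the message is
// unmodified and was produced by someone holding the key (authenticity).
func VerifyHMAC(key, msg, tag []byte) bool {
	return hmac.Equal(HMACTag(key, msg), tag)
}

// ReceiverCanForgeHMAC shows why a MAC gives no nonrepudiation: the receiver
// holds the same key, so a message it fabricates verifies just as well.
func ReceiverCanForgeHMAC(key []byte) bool {
	forged := []byte("transfer 50000 to account 42")
	tag := HMACTag(key, forged) // computed by the receiver, not the sender
	return VerifyHMAC(key, forged, tag)
}

// Keys is an Ed25519 key pair; only the sender ever holds Priv.
type Keys struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewKeys generates a fresh Ed25519 key pair.
func NewKeys() Keys {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Keys{Pub: pub, Priv: priv}
}

// Sign produces a signature with the sender's private key.
func Sign(k Keys, msg []byte) []byte { return ed25519.Sign(k.Priv, msg) }

// VerifySig checks a signature against the sender's public key.
func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// ForgedSigAccepted shows the nonrepudiation property: a party without the
// sender's private key can only sign with some other key, and that signature
// is rejected under the sender's public key. Returns true only if forgery works.
func ForgedSigAccepted(senderPub ed25519.PublicKey) bool {
	attacker := NewKeys()
	forged := []byte("transfer 50000 to account 42")
	return VerifySig(senderPub, forged, Sign(attacker, forged))
}

func main() {
	tampered := []byte("transfer 501 to account 42")
	tag := HMACTag(SharedKey, Message)
	fmt.Println("HMAC verifies genuine message:  ", VerifyHMAC(SharedKey, Message, tag))
	fmt.Println("HMAC verifies tampered message: ", VerifyHMAC(SharedKey, tampered, tag))
	fmt.Println("receiver can forge HMAC:        ", ReceiverCanForgeHMAC(SharedKey))

	sender := NewKeys()
	sig := Sign(sender, Message)
	fmt.Println("signature verifies genuine msg: ", VerifySig(sender.Pub, Message, sig))
	fmt.Println("signature verifies tampered msg:", VerifySig(sender.Pub, tampered, sig))
	fmt.Println("forged signature accepted:      ", ForgedSigAccepted(sender.Pub))
}
```

Run with `go run .`; the two "forge" lines are the exam point: true for the HMAC, false for the signature, even though both reject the tampered message.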
Domain 2: Asset Security Changes
Domain 2: Asset Security changes mainly affect the bulleted lists in some of the main objectives. One new objective was added to this domain, but it is not new content; it was moved here from Domain 7 in the 2018 edition.
Here is a breakdown of the Domain 2 changes by Objective:
- 2.1 Identify and classify information and assets – No topic changes.
- 2.2 Establish information and asset handling requirements – Old Objective 2.2 “Determine and maintain information and asset ownership” was merged with old Objective 2.6 (same name as new 2.2). No topic changes.
- 2.3 Provision resources securely – This topic was moved from Domain 7 (Objective 7.4). This objective was expanded to add several bullet points.
- Information and asset ownership – This topic is covered in our current course as Data ownership in Domain 2. However, we did not specifically mention the term asset ownership. Asset ownership refers to the process of assigning an owner to each asset, thereby ensuring accountability for the asset’s maintenance and security.
- Asset inventory (e.g., tangible, intangible) – Tangible and intangible assets are covered in our current course in Domain 2 and 7. However, we did not sufficiently cover the term asset inventory. Asset inventory is a process undertaken to identify and classify every asset, both tangible and intangible.
- Asset management – This topic is covered in our current course in Domain 2 and 7.
- 2.4 Manage data lifecycle – Changed from “Protect privacy” and expanded to include new bullet points, mostly from Domain 7.
- Data roles (i.e., owners, controllers, custodians, processors, users/subjects) – The terms data controllers and data processors are not sufficiently covered in our current course. A data controller is the person, company, or other entity that determines the purposes and means of processing personal data; in practice the controller role often coincides with the data owner. A data processor is a person, company, or other entity that processes personal data on behalf of, and under the instructions of, the controller.
- Data collection – Changed from “Collection limitation”. This topic now encompasses more than just limiting the data collected. Data collection is the process of gathering information in a systematic way so that an organization can use it for a defined purpose. Data should only be collected where laws and regulations permit it and the organization has a genuine need for it, and the collection should be limited to what that purpose requires.
- Data location – This is a completely new topic. Data location can be an issue that can affect the security requirements of data. When data is moved across the globe, it may come under various governmental jurisdictions. In addition, organizations must consider the location of the actual data owner or subject.
- Data maintenance – This is a completely new topic. Data maintenance is the process of organizing, updating, and curating data according to an organization’s needs. Properly maintaining and caring for data is essential to ensure that data remains accessible and usable for its intended purposes.
- Data retention – This is a completely new topic. Data retention is the process of retaining data until it is no longer needed by an organization. Data policies should clearly state how long data should be retained and the process whereby data should be assessed to determine whether it is still needed.
- Data destruction – This is covered in our current course in Domain 2 as data removal.
- 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS)) – This objective was edited to include the terms End-of-Life (EOL) and End-of-Support (EOS).
- An end-of-life (EOL) product is a product at the end of the product lifecycle, indicating the end of its useful life (from the vendor’s point of view). EOL products will no longer be updated or supported.
- The end-of-support (EOS) date is the last day a company will provide technical support and other types of support services to a particular product. Updates may or may not be made after this date.
- The end-of-sale date is the last day a product can be ordered from a vendor. After this date the product can no longer be purchased, but updates are usually still released until the end-of-support date.
- 2.6 Determine data security controls and compliance requirements – This was expanded to include compliance requirements. In addition, bullets were edited or added.
- Compliance requirements are any asset security requirements that are dictated by laws and regulations. Any applicable laws and regulations must be analyzed to see how they affect asset security.
- Data states (e.g., in use, in transit, at rest) – This bullet was changed to specifically list the states. These states are covered in our current course.
- Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB)) – This bullet was changed to specifically list several data protection methods.
- Digital Rights Management (DRM) is a set of access control technologies for restricting the use of proprietary hardware and copyrighted works.
- Data Loss Prevention (DLP) is covered in our current course in Domain 7.
- A Cloud Access Security Broker (CASB) is an on-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies.
Domain 3: Security Architecture and Engineering Changes
Domain 3: Security Architecture and Engineering changes mostly affect the bulleted lists and example topics. There are two fewer objectives, but this is due to combining several old objectives into a single one.
Here is a breakdown of the Domain 3 changes by Objective:
- 3.1 Research, implement and manage engineering processes using secure design principles – The word “Research” was added to more correctly reflect the actions that must be taken. A bulleted list of specific principles was also added to this objective.
- Threat modeling – This is covered in our current course in Domain 1.
- Least privilege – This is covered in our current course in Domain 7.
- Defense in depth – This is covered in our current course in Domain 1.
- Secure defaults is a term used to describe a condition wherein an application’s or device’s default settings are set to the most secure setting possible. If the application or device is reset, these secure defaults should be maintained.
- Fail securely is a term that means a component, application, or device is configured to fail in a controlled manner that prevents exploitation while the component, application, or device is in an inconsistent state.
- Separation of Duties (SoD) – This is covered in our current course in Domain 7.
- Keep it simple, also referred to as keep it simple, stupid (KISS), is a design principle that states a design and/or system should be as simple as possible and avoid unneeded complexity. In security terms, a simpler design has a smaller attack surface and is easier to analyze, test, and verify, while complexity hides flaws.
- Zero trust is a security model based on the principle of maintaining strict access controls and not trusting any user or device by default, even inside the network perimeter; every request is authenticated and authorized on its own merits.
- Privacy by design is a term that implies data protection through technology design. Behind this is the thought that data protection in data processing procedures is best adhered to when it is already integrated in the technology when created. It is a concept in the General Data Protection Regulation (GDPR).
- Trust but verify is a principle under which trust is extended on the basis of an established relationship (for example, a vetted employee or partner), but that trust is continually confirmed through verification, monitoring, and auditing rather than assumed.
- Shared responsibility is a principle that divides accountability for different aspects of security among the parties involved (for example, a cloud provider and its customer, or the platform team and the application team); every party must fulfil its portion for coverage to be complete.
- 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) – No topic changes. (ISC)2 did add examples to this Objective, but those listed are covered in our current course.
- 3.3 Select controls based upon systems security requirements – No topic changes.
- 3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) – No topic changes.
- 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements – This Objective now combines Objectives 3.5, 3.6, 3.7, and 3.8 from the old edition. However, it does include some revisions and new bullet points:
- Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) – This bullet point was revised to include cloud system examples. Software as a Service (SaaS) provides consumers access to the provider’s applications running on a cloud infrastructure from various client devices using either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. Infrastructure as a Service (IaaS) provides consumers access to provision processing, storage, networks, and other fundamental computing resources in order to deploy and run arbitrary software, which can include operating systems and applications. Platform as a Service (PaaS) provides the consumer with the ability to deploy their own consumer-created or acquired applications onto a cloud infrastructure using the provider’s supported programming languages, libraries, services, and tools.
- Microservices is a term for an application design technique whereby developers design highly scalable, flexible applications by decomposing the application into discrete services that implement specific business functions. These services, often referred to as “loosely coupled,” can then be built, deployed, and scaled independently.
- Containerization is the use of containers to isolate and maintain an application. All resources that the application requires to run are placed inside that container. Once an application is contained, you can pick it up and move it around regardless of the host operating system.
- Serverless is a term used for a model wherein applications rely on managed services that do away with the need to manage, patch, and secure infrastructure and virtual machines.
- Embedded systems are programmable hardware components with a minimal operating system and software. Embedded systems are designed to perform a dedicated function or functions, such as environmental management. Embedded system security is a strategic approach to protecting software running on embedded systems from attack.
- High-Performance Computing (HPC) systems process data and perform complex calculations at high speeds. One of the best-known types of HPC solutions is the supercomputer.
- Edge computing systems are part of a distributed computing topology that brings computation and data storage closer to the devices where data is being gathered, at or near the edge of the network, rather than relying on a central location far away.
- Virtualized systems rely on virtualized computing to run more than one virtual system (including multiple operating systems and applications) on a single server. The virtualization is provided through a hypervisor that manages all virtual machines.
- 3.6 Select and determine cryptographic solutions – This was previously Objective 3.9. No topic changes.
- 3.7 Understand methods of cryptanalytic attacks – This was previously listed as a bullet point in Objective 3.9. While a list of possible attacks has been added in this edition, these attacks are covered in our current course in Domain 3.
- 3.8 Apply security principles to site and facility design – This was previously Objective 3.10. No topic changes.
- 3.9 Design site and facility security controls – This was previously Objective 3.11 and used the verb “implement” instead of “design.” No topic changes.
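The following Go program, added here and not drawn from the (ISC)2 outline or N2K course, illustrates two of the Objective 3.1 principles side by side: secure defaults (a configuration constructor whose defaults are the conservative settings, so a reset lands on the safe values) and fail securely (an authorization check that grants access when its policy store errors, the fail-open bug, next to one that denies). The policy store, users, and actions are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// Config holds service settings. The constructor below supplies secure
// defaults; a reset to defaults therefore lands on the safe values.
type Config struct {
	Debug         bool   // verbose error output to clients
	AllowInsecure bool   // permit plaintext listeners
	MinTLS        uint16 // minimum TLS version accepted
}

// DefaultConfig returns the most restrictive settings that still work:
// debugging off, plaintext off, TLS 1.2 or newer.
func DefaultConfig() Config {
	return Config{Debug: false, AllowInsecure: false, MinTLS: tls.VersionTLS12}
}

// Policy is an allow-list of actions. Its zero value permits nothing, so an
// unknown user falls through to "deny" without any special casing.
type Policy struct {
	Allowed map[string]bool
}

// ErrPolicyUnavailable is returned when the policy store cannot be reached.
var ErrPolicyUnavailable = errors.New("policy store unreachable")

// lookupPolicy stands in for a call to a policy service (constructed data).
// storeUp lets the demo simulate an outage.
func lookupPolicy(user string, storeUp bool) (Policy, error) {
	if !storeUp {
		return Policy{}, ErrPolicyUnavailable
	}
	policies := map[string]Policy{
		"alice": {Allowed: map[string]bool{"read": true}},
	}
	return policies[user], nil // zero Policy for unknown users
}

// AuthorizeFailOpen is the anti-pattern: when the lookup fails it cannot
// evaluate the policy, so it "keeps the service working" by allowing the action.
func AuthorizeFailOpen(user, action string, storeUp bool) bool {
	p, err := lookupPolicy(user, storeUp)
	if err != nil {
		return true // BUG: an outage becomes an authorization bypass
	}
	return p.Allowed[action]
}

// AuthorizeFailClosed fails securely: any error, and any permission not
// explicitly granted, results in denial. The error is returned so the caller
// can log the outage without exposing details to the requester.
func AuthorizeFailClosed(user, action string, storeUp bool) (bool, error) {
	p, err := lookupPolicy(user, storeUp)
	if err != nil {
		return false, err
	}
	return p.Allowed[action], nil
}

func main() {
	cfg := DefaultConfig()
	fmt.Printf("defaults: debug=%v insecure=%v minTLS=0x%04x\n", cfg.Debug, cfg.AllowInsecure, cfg.MinTLS)

	fmt.Println("fail-open, store down, mallory delete:  ", AuthorizeFailOpen("mallory", "delete", false))
	ok, err := AuthorizeFailClosed("mallory", "delete", false)
	fmt.Println("fail-closed, store down, mallory delete:", ok, err)
	ok, _ = AuthorizeFailClosed("alice", "read", true)
	fmt.Println("fail-closed, store up, alice read:      ", ok)
	ok, _ = AuthorizeFailClosed("alice", "write", true)
	fmt.Println("fail-closed, store up, alice write:     ", ok)
}
```

The difference between the two authorization functions is a single branch, which is exactly why fail-open bugs survive code review: the error path is rarely exercised in testing, so the demo passes a store outage explicitly.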
Domain 4: Communication and Network Security Changes
Domain 4: Communication and Network Security changes mainly affect the bulleted lists in some of the main objectives. No objectives were added or removed.
Here is a breakdown of the Domain 4 changes by Objective:
- 4.1 Assess and implement secure design principles in network architectures – This Objective includes several new bullet points or revisions to existing bullet points.
- Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6) – While examples have been added to this bullet point, these topics are covered in our current course in Domain 4.
- Secure protocols – While this bullet was added to this Objective, this topic is covered in our current course in Domain 4.
- Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP)) – While examples have been added to this bullet point, these examples are covered in our current course in Domain 4.
- Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN)) – This is a new bullet point. Microsegmentation is a method of creating zones in data centers and cloud environments to isolate workloads from one another and secure them individually. Two of the listed examples are described below:
- A Virtual eXtensible Local Area Network (VXLAN) is an overlay technology that encapsulates Layer 2 Ethernet frames inside UDP packets so that a virtual Layer 2 segment can be stretched across a routed Layer 3 network, typically between hypervisors in a data center. Its 24-bit segment identifier allows roughly 16 million isolated segments, compared with the 4,094 usable IDs of a traditional VLAN, which is why it is a common building block for micro-segmentation in virtualized and cloud environments.
- A Software-Defined Wide Area Network (SD-WAN) is a virtual WAN architecture that allows enterprises to leverage any combination of transport services, including MPLS, LTE and broadband internet service, to securely connect users to applications.
- Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite) – Examples have been added to this bullet point:
- Li-Fi is a wireless communication technology that utilizes light to transmit data and position between devices.
- Zigbee is an IEEE 802.15.4-based specification used to create personal area networks with small, low-power, low-bandwidth devices, such as for home automation, medical device data collection, and small-scale projects that need a wireless connection.
- Satellite communication uses satellites in Earth orbit to relay data between ground stations and user terminals.
- Cellular networks (e.g., 4G, 5G) – Cellular networks can operate using a variety of technologies, including 4G and 5G. 4G networks use frequencies below 6 GHz. 5G networks use those same low and mid bands and can additionally use millimeter-wave spectrum (roughly 24 GHz and above). The higher frequencies offer much greater capacity and faster data transfer, at the cost of shorter range and poorer penetration of walls, so they are deployed with many small cells.
- Content Distribution Networks (CDN) – This was a bullet point under Objective 4.2 in the previous exam. This topic is covered in our current course.
- 4.2 Secure network components – The only change in this Objective is that a few examples were added to one of the bullet points.
- Operation of hardware (e.g., redundant power, warranty, support) – The examples were added to this bullet.
- Redundant power – This topic is covered in our current course.
- Warranty is the vendor’s guarantee to repair or replace a purchased device if it fails within a defined period.
- Support is the vendor’s commitment to provide technical assistance, firmware or software updates, and spare parts for the device over a contracted period. The support terms and the contact information needed to invoke them should be documented so the device can be serviced quickly when it fails.
- 4.3 Implement secure communication channels according to design – The only change to this Objective is that a bullet point was added.
- Third-party connectivity is the ability of an outside party to communicate on an organization’s local network. Security professionals should ensure that the appropriate security controls are in place to protect such communications.
Domain 5: Identity and Access Management (IAM) Changes
Domain 5: Identity and Access Management (IAM) changes mainly affect the bulleted lists in some of the main objectives. One new objective was added to this domain, although the content is not necessarily completely new.
Here is a breakdown of the Domain 5 changes by Objective:
- 5.1 Control physical and logical access to assets – A new bullet point was added to this objective:
- Applications may require that security professionals use IAM solutions to permit or deny access to users and roles. These applications may use enterprise IAM or an in-application mechanism.
- 5.2 Manage identification and authentication of people, devices, and services – The applicable acronyms for two terms in this Objective have been added: IdM for Identity Management and MFA for Multi-Factor Authentication. One bullet point was revised and two new bullet points were added:
- Registration, proofing, and establishment of identity – Establishment was added to this bullet point. Establishment is the process of determining what the user’s identity will be, that is, the identifier and attributes the organization binds to that person. Proofing is the act of verifying that a person is who he or she claims to be, and registration is the act of entering the established identity into the IAM solution.
- Single Sign On (SSO) – This topic is covered in our current course in Domain 5.
- Just In Time (JIT) access enables organizations to grant access to applications or systems for predetermined periods of time, on an as-needed basis, so that standing privileges are kept to a minimum. A related concept, JIT provisioning, creates the account itself on the fly: if a user does not already have an account in a target application, the IAM system creates it when the user first accesses the application.
- 5.3 Federated identity with a third-party service – This Objective was changed from “Integrate identity as a third-party service” to better reflect topic coverage. A new bullet point was added:
- Hybrid federated identity combines both on-premises and cloud solutions to provide federated identity services.
- 5.4 Implement and manage authorization mechanisms – A new bullet point was added to this objective:
- Risk-based access control uses risk to make access decisions. It performs a risk analysis to estimate the risk value related to each access request. The estimated risk value is then compared against access policies to determine the access decision.
- 5.5 Manage the identity and access provisioning lifecycle – New bullet points were added to this Objective. One bullet point was revised.
- Account access review (e.g., user, system, service) – This bullet point was edited to better reflect that accounts can be created for services. In the previous version, user account review and system account review were separate bullet points. Service accounts are those that are assigned to services, such as the FTP or SQL service.
- Provisioning and deprovisioning (e.g., on/off boarding and transfers) – This bullet point was edited to include examples. The majority of these topics are covered in our current course. Transfer of accounts is the process of moving an account from one role, group, or department to another and ensuring that the principle of least privilege is enforced after the transfer is complete.
- Role definition (e.g., people assigned to new roles) – This is a new bullet point. In the role-based security model, a security role represents a certain level of authorization and includes the set of actions that users or groups can perform. Role definition includes determining which roles will be needed and which permissions each role should be granted.
- Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use) – This is a new bullet point. Privilege escalation and privilege creep are covered in our current course.
- Managed service accounts include any accounts that are used to run and manage services that have been deployed. Most service accounts have passwords that do not expire. It is important to carefully manage, audit, and monitor service accounts.
- The sudo command is a program for Unix/Linux systems that allows users to run programs with the security privileges of another user, by default the superuser. Minimizing its use means granting sudo only for the specific commands a role requires, rather than unrestricted root, and reviewing the log of each invocation.
- 5.6 Implement authentication systems – While this is a new Objective, some of the bullet points are already covered in our current course.
- OpenID Connect (OIDC)/Open Authorization (OAuth) – OAuth is an access delegation standard that apps can use to provide client applications with secure delegated access over HTTPS. It authorizes devices, APIs, servers, and applications with access tokens rather than credentials. OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end user and to obtain basic user profile information. While OAuth 2.0 is about resource access and sharing, OIDC is about user authentication.
- Security Assertion Markup Language (SAML) – This topic is covered in our current course in Domain 5.
- Kerberos – This topic is covered in our current course in Domain 5.
- Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) – These topics are covered in our current course in Domains 3 and 5.
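The transfer handling described under Objective 1.9 and the provisioning lifecycle bullets of Objective 5.5 (transfers, role definition, account access review) can be expressed as a small entitlement model. The Go code below is an added example, not course or outline material; the role names and permission strings are constructed. It shows the add-only transfer that leaves privilege creep behind, the correct transfer that revokes every permission no longer granted by any current role, and the access review check that detects leftover permissions.

```go
package main

import (
	"fmt"
	"sort"
)

// Roles maps a role name to the permissions it grants (constructed sample data).
// Writing this table down is the "role definition" step: decide which roles
// exist and exactly which permissions each one carries.
var Roles = map[string][]string{
	"accounts-payable": {"erp.invoice.read", "erp.invoice.approve", "bank.payments.submit"},
	"hr-generalist":    {"erp.invoice.read", "hris.employee.read", "hris.employee.update"},
}

// Account is a user with assigned roles and the permissions actually held.
// Held can drift from what Roles entitle; that drift is privilege creep.
type Account struct {
	User  string
	Roles []string
	Held  map[string]bool
}

// NewAccount onboards a user into roles and grants exactly their entitlements.
func NewAccount(user string, roles ...string) *Account {
	a := &Account{User: user, Roles: roles, Held: map[string]bool{}}
	for p := range Entitled(a) {
		a.Held[p] = true
	}
	return a
}

// Entitled returns the union of permissions granted by the account's roles.
func Entitled(a *Account) map[string]bool {
	out := map[string]bool{}
	for _, r := range a.Roles {
		for _, p := range Roles[r] {
			out[p] = true
		}
	}
	return out
}

// TransferAddOnly is the common mistake: switch the role and add what it needs,
// but leave the old role's permissions in place "in case they are needed".
func TransferAddOnly(a *Account, newRoles ...string) {
	a.Roles = newRoles
	for p := range Entitled(a) {
		a.Held[p] = true
	}
}

// Transfer handles a move correctly: revoke what the new roles do not grant,
// grant what they do. Returned slices are sorted for readable reports.
func Transfer(a *Account, newRoles ...string) (revoked, granted []string) {
	a.Roles = newRoles
	ent := Entitled(a)
	for p := range a.Held {
		if !ent[p] {
			revoked = append(revoked, p)
			delete(a.Held, p)
		}
	}
	for p := range ent {
		if !a.Held[p] {
			granted = append(granted, p)
			a.Held[p] = true
		}
	}
	sort.Strings(revoked)
	sort.Strings(granted)
	return revoked, granted
}

// Creep is the account access review check: permissions held that no current
// role grants. An empty result means the account matches its roles.
func Creep(a *Account) []string {
	ent := Entitled(a)
	var out []string
	for p := range a.Held {
		if !ent[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	alice := NewAccount("alice", "accounts-payable")
	TransferAddOnly(alice, "hr-generalist")
	fmt.Println("after add-only transfer, creep:", Creep(alice))

	bob := NewAccount("bob", "accounts-payable")
	revoked, granted := Transfer(bob, "hr-generalist")
	fmt.Println("proper transfer revoked:", revoked, "granted:", granted)
	fmt.Println("after proper transfer, creep:", Creep(bob))
}
```

Note that erp.invoice.read survives the transfer because both roles grant it; the model revokes by comparing against the new entitlement set, not by blindly stripping everything the old role had, which is what keeps a correct transfer from breaking the new job on day one.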
Domain 6: Security Assessment and Testing Changes
Domain 6: Security Assessment and Testing changes are few and mostly minor.
Here is a breakdown of the Domain 6 changes by Objective:
- 6.1 Design and validate assessment, test, and audit strategies – No topic changes.
- 6.2 Conduct security control testing – This objective includes new bullet points:
- Breach and attack simulations (BAS) are automated penetration tests that combine red and blue team techniques (a practice known as “purple teaming”) and run them continuously. BAS platforms can operate on a 24/7/365 basis, which gives organizations much deeper visibility into the true state of their defense readiness than a periodic manual test.
- Compliance checks are audits designed to identify areas of noncompliance with any administrative regulations to which the organization must adhere.
- 6.3 Collect security process data (e.g., technical and administrative) – No topic changes.
- 6.4 Analyze test output and generate report – This objective now has new bullet points under it.
- Remediation reports provide action items to be completed to mitigate any identified vulnerabilities.
- Exceptions are any cases wherein identified vulnerabilities are not addressed or mitigated because of a variety of reasons, including politics or cost issues. Exception management is the process whereby exceptions to a vulnerability item are requested, reviewed, approved, or rejected. Exception handling should be clearly identified in the report.
- Ethical disclosure, also referred to as ethical or coordinated vulnerability disclosure, is the practice of reporting a discovered security vulnerability to the affected vendor or system owner first, allowing a reasonable time for a fix, and only then publishing information about it.
- 6.5 Conduct or facilitate security audits – No topic changes.
Domain 7: Security Operations Changes
Domain 7: Security Operations includes few, mostly minor changes. One objective was removed from this Domain and moved to Domain 1 (new Objective 1.6).
Here is a breakdown of the Domain 7 changes by Objective:
- 7.1 Understand and comply with investigations – This Objective was revised to include “comply with” just to clarify that compliance with investigations is important as well. One new bullet point was added:
- Artifacts (e.g., computer, network, mobile device) – An artifact in a digital forensics investigation includes things like registry keys, files, timestamps, and event logs. These are the traces security professionals follow in digital forensic work. They will vary depending on the device type, operating system, and other factors.
- 7.2 Conduct logging and monitoring activities – Three new bullet points were added to this Objective:
- Log management – This topic is covered in our current course in Domain 6.
- Threat intelligence (e.g., threat feeds, threat hunting) – Threat intelligence is information about threats and threat actors that helps organizations implement controls to protect against the threats. A threat intelligence feed (TI feed), also referred to as a threat feed, is an ongoing stream of data related to identified potential threats to an organization’s security, usually provided by threat intelligence sources. Threat intelligence sources include open source intelligence, social media intelligence, human intelligence, and technical intelligence, including intelligence from the dark web. Threat hunting is a cyber defense activity that proactively and iteratively searches networks to detect and isolate advanced threats that evade existing security solutions.
- User and Entity Behavior Analytics (UEBA) – This is not discussed in our current course. User and entity behavior analytics (UEBA), an extension of user behavior analytics (UBA), collects data about the normal activity of users and of entities such as hosts and service accounts, builds a behavioral baseline for each, and flags deviations from it. Once collected and analyzed, this data aids in detecting the use of compromised credentials, lateral movement, insider misuse, and other malicious behavior that signature-based tools miss.
- 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation) – This was a bullet point under Objective 7.4 in the old edition. This topic is covered in our current course in Domain 7. However, examples were added to this Objective:
- Provisioning in configuration management is the process of setting up IT infrastructure. It can also refer to the steps that must be completed to manage access to data and resources. Once a device has been provisioned, the next step is configuration.
- Baselining is the process of documenting the attributes of a configuration item (device) at a point in time, which serves as a basis for defining change.
- Automation is a feature in a configuration management tool that allows an administrator to quickly manage configuration items, including provisioning a new server within minutes with less room for error.
- 7.4 Apply foundational security operations concepts – This topic is covered in our current course in Domain 7. The Information Lifecycle bullet point was moved from this Objective to Domain 2.
- 7.5 Apply resource protection – A new bullet point was added to this Objective. Media protection techniques should be deployed to ensure that all forms of media are secured, including magnetic hard drives, solid state drives, flash drives, DVDs, and tapes. Security professionals should ensure that the appropriate media protection policies and procedures are documented for media on all device types, including computers, mobile devices, and network hardware.
- 7.6 Conduct incident management – No topic changes.
- 7.7 Operate and maintain detective and preventative measures – A new bullet point was added to this Objective. Machine learning and Artificial Intelligence (AI) based tools give systems the ability to learn and improve without much human input.
- 7.8 Implement and support patch and vulnerability management – No topic changes.
- 7.9 Understand and participate in change management processes – No topic changes.
- 7.10 Implement recovery strategies – No topic changes.
- 7.11 Implement Disaster Recovery (DR) processes – A new bullet point was added to this Objective. Lessons learned is the process of documenting anything learned during the testing or implementation of DR processes.
- 7.12 Test Disaster Recovery Plans (DRP) – No topic changes.
- 7.13 Participate in Business Continuity (BC) planning and exercises – No topic changes.
- 7.14 Implement and manage physical security – No topic changes.
- 7.15 Address personnel safety and security concerns – No topic changes.
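The UEBA bullet under Objective 7.2 describes gathering daily user events so that compromised credentials and lateral movement can be detected. The following is an added illustration of that idea in Python; it is not part of the exam outline or of any product. It learns each user's usual source hosts and login hours from a training window of constructed authentication events, then scores a later window: a login from a never-seen host at a never-seen hour is flagged, and one account reaching several distinct targets within a short window is flagged as a crude lateral-movement indicator. The log format, user names, host names, and thresholds are all constructed for this example.

```python
"""UEBA-style anomaly scoring over constructed authentication events.

Phase 1 learns, per user, the source hosts and hours of day seen in a
training window. Phase 2 scores later events: a login from a never-seen
host at a never-seen hour is flagged as a possible compromised credential,
and one account reaching several distinct targets within a short window
is flagged as a crude lateral-movement indicator. An account with no
baseline at all is reported separately so it is not silently scored.
Everything here (format, names, hosts, thresholds) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <user> <source_host> -> <target_host>"
TRAINING_EVENTS = [
    "2021-05-03T09:02:00 alice ws-alice -> fileserver",
    "2021-05-03T10:15:00 alice ws-alice -> mail",
    "2021-05-03T14:40:00 alice ws-alice -> fileserver",
    "2021-05-04T09:10:00 alice ws-alice -> wiki",
    "2021-05-04T16:55:00 alice ws-alice -> fileserver",
    "2021-05-03T08:58:00 bob ws-bob -> fileserver",
    "2021-05-03T13:20:00 bob ws-bob -> git",
    "2021-05-04T11:05:00 bob ws-bob -> git",
]

RECENT_EVENTS = [
    "2021-05-05T09:30:00 alice ws-alice -> fileserver",   # routine
    "2021-05-05T14:00:00 bob ws-bob -> git",              # routine
    "2021-05-06T10:00:00 bob ws-bob -> fileserver",       # new hour only: one weak signal, no alert
    "2021-05-06T02:12:00 alice vpn-gw-7 -> fileserver",   # new host at 02:00 using alice's account
    "2021-05-06T02:14:00 alice vpn-gw-7 -> dc01",
    "2021-05-06T02:16:00 alice vpn-gw-7 -> hr-db",
    "2021-05-06T02:19:00 alice vpn-gw-7 -> git",
    "2021-05-06T03:00:00 mallory jump-1 -> dc01",         # account with no baseline
]


def parse(line):
    """Split one constructed log line into (timestamp, user, source, target)."""
    ts, user, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), user, src, dst


def build_baseline(lines):
    """Per-user set of source hosts and hours of day observed in training."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, src, _dst in map(parse, lines):
        baseline[user]["hosts"].add(src)
        baseline[user]["hours"].add(ts.hour)
    return dict(baseline)


def score_events(lines, baseline, lateral_window=timedelta(minutes=10), lateral_threshold=3):
    """Return a list of alert dicts for the given event lines."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, src, dst in sorted(map(parse, lines)):
        profile = baseline.get(user)
        if profile is None:
            alerts.append({"user": user, "reason": "no-baseline", "time": ts.isoformat()})
            continue
        reasons = []
        if src not in profile["hosts"]:
            reasons.append("new-source-host")
        if ts.hour not in profile["hours"]:
            reasons.append("off-hours")
        # Require both weak signals together to keep the false-positive rate down.
        if len(reasons) == 2:
            alerts.append({"user": user, "reason": "+".join(reasons), "time": ts.isoformat()})
        by_user[user].append((ts, dst))

    # Lateral-movement heuristic: distinct targets reached inside a sliding window.
    for user, events in by_user.items():
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= lateral_window}
            if len(targets) >= lateral_threshold:
                alerts.append({"user": user, "reason": "lateral-movement",
                               "time": start.isoformat(), "targets": sorted(targets)})
                break  # one alert per user is enough for this illustration
    return alerts


def run_example():
    """Score the constructed recent window against the constructed baseline."""
    return score_events(RECENT_EVENTS, build_baseline(TRAINING_EVENTS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two design choices are worth noting. A single weak signal (bob logging in at a new hour from his usual workstation) does not alert; only the combination of an unknown source host and an unusual hour does, which is why the four early-morning logins on alice's account are reported while bob's are not. The lateral-movement check is deliberately separate from the credential check, so it still fires even when each individual login looks routine. Production UEBA products replace these fixed sets and thresholds with statistical models over far more attributes, but the baseline-then-deviation structure is the same.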
Domain 8: Software Development Security Changes
Domain 8: Software Development Security has only a few, mostly minor changes, all at the bullet level.
Here is a breakdown of the Domain 8 changes by Objective:
- 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) – Two bullet points were edited to include an example list of topics:
- Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps) – This bullet point had a list of examples added to it. Agile, Waterfall, and DevOps are covered in our current course in Domain 8. DevSecOps is a set of practices that combines software development and IT operations. It aims to shorten the SDLC and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from the Agile methodology.
- Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM)) – This bullet point had a list of examples added to it. CMM is covered in our current course in Domain 8. Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
- Operation and maintenance – No topic changes.
- Change management – No topic changes.
- Integrated Product Team (IPT) – No topic changes.
- 8.2 Identify and apply security controls in software development ecosystems – This Objective was revised to replace the word environments with ecosystems and was extensively expanded with new bullet points.
- Programming languages – This topic is covered in our current course in Domain 8, but uses the term software languages.
- Libraries are suites of data and programming code that are used to develop software programs and applications. They are designed to assist both the programmer and the programming language compiler with building and executing software.
- Tool sets are groups of utility programs, subroutines, or similar software that aid in the development of software.
- Integrated Development Environment (IDE) software provides users with an environment for performing programming and development, as well as for testing and debugging the application.
- Runtime is the software’s state when executing. Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
- Continuous Integration and Continuous Delivery (CI/CD) – CI is the process of automating the building and testing of code every time a team member commits changes to version control. CD is the process of ensuring that code is always in a deployable state, even when thousands of developers make changes on a daily basis.
- Security Orchestration, Automation, and Response (SOAR) applications enable an organization to collect data about security threats and respond to security events without human assistance.
- Software Configuration Management (SCM) – This bullet point was revised to specifically include the word software and to give its acronym. This topic is covered in our current course in Domain 8.
- Code repositories – No topic changes.
- Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)) – Application security testing (AST) is the process of reviewing an application or its source code to identify sources of vulnerabilities. It includes two main methods: static application security testing and dynamic application security testing. Static application security testing (SAST) is a white-box method of testing that examines code to find application flaws and weaknesses. Dynamic application security testing (DAST) is a black-box method that examines a running application to find vulnerabilities that an attacker could exploit.
- 8.3 Assess the effectiveness of software security – No topic changes.
- 8.4 Assess security impact of acquired software – This Objective has been edited to add bullet points.
- Commercial-off-the-shelf (COTS) software packages are purchased from a vendor by an organization needing the features provided by the vendor’s application.
- Open source software is software where the source code is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software to anyone and for any purpose. With this license, an organization can edit the code as needed.
- Third-party software is software developed by an outside party for a fee. The company needing the application enters a contract with the provider. The contract should include specific clauses addressing security.
- Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) – Managed services is the practice of outsourcing the responsibility for maintaining certain processes and functions to improve operations and cut expenses. Software as a Service (SaaS) is a cloud service model that includes the hosting hardware, platform, and software. Infrastructure as a Service (IaaS) is a cloud service model that helps organizations build and manage their servers, network, operating systems, and data storage. Platform as a Service (PaaS) is a cloud service model that provides developers with a framework they can use to build custom applications.
- 8.5 Define and apply secure coding guidelines and standards – A bullet point was added to this Objective:
- Software-defined security is a software-managed, policy-driven and governed security environment where most of the security controls, such as intrusion detection, network segmentation and access controls, are automated and monitored through software.
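The application security testing bullet under Objective 8.2 contrasts white-box SAST, which examines source code, with black-box DAST, which probes a running application. The following is an added example, not from the exam outline or from any SAST product, of what the white-box side looks like in miniature: a Python pass over a constructed source file using the standard library's ast module that reports dynamic code execution, shell command construction with shell=True, and string literals assigned to secret-looking names. The sample source, rule names, and secret-name hints are all constructed for this example; the code under review is parsed but never executed, which is exactly the SAST/DAST distinction the bullet draws.

```python
"""Miniature SAST-style pass over Python source using the ast module.

Walks the syntax tree of a constructed source file and reports three
classes of weakness: dynamic code execution (eval/exec/os.system),
subprocess calls that build a shell command with shell=True, and string
literals assigned to names that look like secrets. It is white-box in the
sense the CISSP outline uses: the inspected code is parsed, never run.
"""
import ast

# Constructed sample source under review (not from any real project).
SAMPLE_SOURCE = '''
import os, subprocess

DB_PASSWORD = "hunter2"
api_token = "abc123"
timeout = 30

def run_report(user_input):
    result = eval(user_input)
    subprocess.run("ls " + user_input, shell=True)
    os.system("echo " + user_input)
    return result

def safe(user_input):
    return subprocess.run(["ls", user_input], shell=False, check=True)
'''

# Constructed rule tables for this example.
SECRET_NAME_HINTS = ("password", "passwd", "secret", "token", "api_key")
DANGEROUS_CALLS = {"eval", "exec", "os.system", "os.popen"}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call",
                    "subprocess.Popen", "subprocess.check_output"}


def _call_name(node):
    """Return a dotted callee name for a Call node, e.g. 'subprocess.run'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


class WeaknessFinder(ast.NodeVisitor):
    """Collects (line, rule, detail) findings while walking the tree."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, "dynamic-execution", name))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                # Only a literal shell=True is flagged; a variable would need data-flow analysis.
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "shell-injection-risk", name))
        self.generic_visit(node)

    def visit_Assign(self, node):
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_NAME_HINTS):
                    self.findings.append((node.lineno, "hard-coded-secret", target.id))
        self.generic_visit(node)


def scan(source):
    """Parse the source and return findings sorted by line number."""
    finder = WeaknessFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for lineno, rule, detail in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({detail})")
```

The `safe` function in the sample produces no finding because it passes an argument list with `shell=False`, which is the remediation a reviewer would recommend for the flagged `subprocess.run` call. Real SAST tools add data-flow tracking so that a `shell` flag or a secret stored in a variable is still caught, and they report far more rule classes; a DAST tool would instead have to start the application and send requests to it, which is why the two methods find different defects and are used together.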