WHAT IS NEW WITHIN EACH OF THE DOMAINS
| New domain name | New topics that were added | Notes and references |
| --- | --- | --- |
| Security & Risk Management | Threat Modeling | More details were added about threat modeling. |
| Asset Security | Acquisition | Integrate security risk consideration into acquisition practice for hardware, software and services; third-party assessment and monitoring (on-site assessment, document exchange and review, process/policy review); minimum security requirements; service-level requirements. |
| Security Engineering | Mobile Systems | This is NOT referring to phones and similar tools. It refers to laptops as mobile devices and the risk associated with those mobile devices. |
| Security Engineering | Internet of Things (IoT) | See http://spectrum.ieee.org/telecom/security/how-to-build-a-safer-internet-of-things. The Cyber Defense Magazine also has some interesting articles on the challenge of IoT at http://www.cyberdefensemagazine.com/newsletters/march-2015/index.html |
| Security Engineering | Embedded Systems | Smart appliances and other devices with a computer inside. |
| Communications & Network Security | Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) | |
| Communications & Network Security | Software Defined Networks | See https://www.opennetworking.org/sdn-resources/sdn-definition |
| Communications & Network Security | Storage and Network Convergence (iSCSI and FCoE) | http://www.redbooks.ibm.com/redbooks/pdfs/sg247986.pdf. Read chapter one of this document for a quick overview. |
| Communications & Network Security | Content Distribution Networks | Akamai, Cloudflare, Amazon CloudFront and others. |
| Identity and Access Management | Session Management | Desktop sessions can be controlled and protected through several means, including but not limited to: screensavers, timeouts, automatic logouts, session/login limitation, schedule limitations. |
| Identity and Access Management | Registration and Proofing of Identity | |
| Identity and Access Management | Cloud Identity Services | |
| Security Assessment and Testing | Security Assessment and Penetration Testing | This is mostly a new domain that goes into much more depth on security assessment and penetration testing. The two documents below will give you most of what you need to know: the Penetration Testing Guidelines from the PCI DSS Council, and NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf |
| Security Operations | Asset Management and asset inventory | https://www.sei.cmu.edu/productlines/frame_report/config.man.htm |
| Security Operations | Configuration Management | http://acqnotes.com/Attachments/IEEE%20Guide%20to%20Software%20Configuration%20Management.pdf |
| Security Operations | Whitelisting and Blacklisting | |
| Security Operations | Sandboxing | http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29 |
| Security Operations | Patch Management Technologies | A bit more detail was added. See NIST SP 800-40r3, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf, and read chapter 3 about the challenge of patch management. |
| Software Development Security | Integrated Product Team (IPT) | http://www.acq.osd.mil/se/docs/DoD-IPPD-Handbook-Aug98.pdf |
| Software Development Security | DevOps and its principles | http://itrevolution.com/the-three-ways-principles-underpinning-devops/ and http://theagileadmin.com/what-is-devops/ |
| Software Development Security | Software Assurance | http://en.wikipedia.org/wiki/Software_assurance |