Security Architecture and Engineering – Third CISSP Objective

The Security Architecture and Engineering domain is divided into 11 objectives in CISSP.

  1. You must know secure design principles so that you can design and implement engineering processes and incorporate security requirements at early stages, which improves the overall effectiveness of controls.
  2. You should have comprehensive knowledge of the different confidentiality and integrity models and how to apply them in organizations that process information at multiple levels.
  3. You should be able to assess a system's security requirements and select appropriate security countermeasures and controls.
  4. You should be able to demonstrate knowledge of the security capabilities of an information system, e.g., how to protect against memory leaks, how and why to use a Trusted Platform Module, how to enable fault-tolerant systems, the interfaces between different systems, and how to apply security controls in virtualized computing environments.
  5. You should know how to design and implement a security system architecture by assessing and mitigating vulnerabilities in the design, and what kinds of security vulnerabilities or design flaws can be inherited in client-based and server-based environments. You should be able not only to create controls for large-scale environments such as distributed systems, cloud-based environments, peer-to-peer or grid computing, and industrial control systems (e.g., SCADA), but also to secure and manage issues in database systems, data analytics, data warehousing and data aggregation.
  6. The sixth objective is the security of web systems: assessing their risks and vulnerabilities and mitigating those risks. You should know the Open Web Application Security Project (OWASP) top ten vulnerabilities and how they can be exploited over HTTP exchanges or when using XML (the Extensible Markup Language).
  7. Mobile devices and embedded systems can also have vulnerabilities, and a CISSP professional is assumed to know how to analyze and mitigate them.
  8. This objective is similar to objective seven, but it covers network-enabled devices and the Internet of Things, their vulnerabilities, and how to mitigate them.
  9. The cryptographic life cycle and how it can be designed and implemented for organizational needs, including public key infrastructure, strong key management practices, digital rights management and intellectual property management.
  10. Knowledge of cryptographic attacks such as ciphertext, brute-force and plaintext attacks, and how to protect against and mitigate them by applying different security controls at on-site or off-site facilities, etc.
  11. HVAC design, fire protection, and water/smoke issues are covered in the last objective of the Security Architecture and Engineering domain.
