Domain 3 Security Architecture and Engineering 13%

3.1 Research, implement, and manage engineering processes using secure design principles

  • Threat modeling Chapter 1

  • Least privilege Chapter 16

  • Defense in depth Chapter 1

  • Secure defaults Chapter 8

  • Fail securely Chapter 8

  • Segregation of Duties (SoD) Chapter 16

  • Keep it simple and small Chapter 8

  • Zero trust or trust but verify Chapter 8

  • Privacy by design Chapter 8

  • Shared responsibility Chapter 9

  • Secure access service edge ???

3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)

Chapter 8

3.3 Select controls based upon systems security requirements

Chapter 8

3.4 Understand security capabilities of Information Systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

Chapter 8

3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

  • Client-based systems Chapter 9

  • Server-based systems Chapter 9

  • Database systems Chapter 20

  • Cryptographic systems Chapter 7

  • Operational Technology/industrial control systems (ICS) Chapter 9

  • Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

  • Distributed systems Chapter 16

  • Internet of Things (IoT) Chapter 9

  • Microservices (e.g., application programming interface (API)) Chapter 9

  • Containerization Chapter 9

  • Serverless Chapter 9

  • Embedded systems Chapter 9

  • High-Performance Computing systems Chapter 9

  • Edge computing systems Chapter 9

  • Virtualized systems Chapter 9

3.6 Select and determine cryptographic solutions

  • Cryptographic life cycle (e.g., keys, algorithm selection) Chapters 6 and 7

  • Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum) Chapters 6 and 7

  • Public key infrastructure (PKI) (e.g., quantum key distribution) Chapter 7

  • Key management practices (e.g., rotation) Chapter 7

  • Digital signatures and digital certificates (e.g., non-repudiation, integrity) Chapter 7

3.7 Understand methods of cryptanalytic attacks

  • Brute force Chapter 7

  • Ciphertext only Chapter 7

  • Known plaintext Chapter 7

  • Frequency analysis Chapter 7

  • Chosen ciphertext Chapter 7

  • Implementation attacks Chapter 7

  • Side-channel Chapter 7

  • Fault injection Chapter 7

  • Timing Chapter 7

  • Man-in-the-middle (MITM) Chapter 7

  • Pass the hash Chapter 14

  • Kerberos exploitation Chapter 14

  • Ransomware Chapter 21

3.8 Apply security principles to site and facility design

Chapter 10

3.9 Design site and facility security controls

Chapter 10

  • Wiring closets/intermediate distribution frame
  • Server rooms/data centers
  • Media storage facilities
  • Evidence storage
  • Restricted and work area security
  • Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
  • Environmental issues (e.g., natural disasters, man-made)
  • Fire prevention, detection, and suppression
  • Power (e.g., redundant, backup)

3.10 Manage the information system lifecycle (???)

  • Stakeholders needs and requirements
  • Requirements analysis
  • Architectural design
  • Development /implementation
  • Integration
  • Verification and validation
  • Transition/deployment
  • Operations and maintenance/sustainment
  • Retirement/disposal