1.1 Understand the security concepts of information assurance
» Confidentiality
» Integrity
» Availability
» Authentication (e.g., methods of authentication, multi-factor authentication (MFA))
» Non-repudiation
» Privacy
1.2 Understand the risk management process
» Risk management (e.g., risk priorities, risk tolerance)
» Risk identification, assessment and treatment
1.3 Understand security controls
» Technical controls
» Administrative controls
» Physical controls
1.4 Understand (ISC)² Code of Ethics
» Professional code of conduct
1.5 Understand governance processes

» Policies
» Procedures
» Standards
» Regulations and laws

Understand business continuity (BC)
» Purpose
» Importance
» Components

2.2 Understand disaster recovery (DR)
» Purpose
» Importance
» Components

2.3 Understand incident response
» Purpose
» Importance
» Components

3.1 Understand physical access controls
» Physical security controls (e.g., badge systems, gate entry, environmental design)
» Monitoring (e.g., security guards, closed-circuit television (CCTV), alarm systems, logs)
» Authorized versus unauthorized personnel
3.2 Understand logical access controls
» Principle of least privilege
» Segregation of duties
» Discretionary access control (DAC)
» Mandatory access control (MAC)
» Role-based access control (RBAC)

4.1 Understand computer networking
» Networks (e.g., Open Systems Interconnection (OSI) model, Transmission Control Protocol/Internet Protocol (TCP/IP) model, Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), WiFi)
» Ports
» Applications

4.2 Understand network threats and attacks
» Types of threats (e.g., distributed denial-of-service (DDoS), virus, worm, Trojan, man-in-the-middle (MITM), side-channel)
» Identification (e.g., intrusion detection system (IDS), host-based intrusion detection system (HIDS), network intrusion detection system (NIDS))
» Prevention (e.g., antivirus, scans, firewalls, intrusion prevention system (IPS))

4.3 Understand network security infrastructure
» On-premises (e.g., power, data center/closets, Heating, Ventilation, and Air Conditioning (HVAC), environmental, fire suppression, redundancy, memorandum of understanding (MOU)/memorandum of agreement (MOA))
» Design (e.g., network segmentation (demilitarized zone (DMZ), virtual local area network (VLAN), virtual private network (VPN), micro-segmentation), defense in depth, Network Access Control (NAC) (segmentation for embedded systems, Internet of Things (IoT))
» Cloud (e.g., service-level agreement (SLA), managed service provider (MSP), Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), hybrid)

5.1 Understand data security
» Encryption (e.g., symmetric, asymmetric, hashing)
» Data handling (e.g., destruction, retention, classification, labeling)
» Logging and monitoring security events
5.2 Understand system hardening
» Configuration management (e.g., baselines, updates, patches)
5.3 Understand best practice security policies
» Data handling policy
» Password policy
» Acceptable Use Policy (AUP)
» Bring your own device (BYOD) policy
» Change management policy (e.g., documentation, approval, rollback)
» Privacy policy
5.4 Understand security awareness training
» Purpose/concepts (e.g., social engineering, password protection)
» Importance