Sunday, April 22, 2018

CISSP Domain 3 Changes - 2018 vs 2015


When the two exam outlines are compared, the overall result for this domain is, once again, extremely limited change.

The topics have merely been moved around, which hardly signifies any change.

2015 Exam Outline vs. 2018 Exam Outline

2015: Implement and manage engineering processes using secure design principles
2018: Implement and manage engineering processes using secure design principles

2015: Understand the fundamental concepts of security models (confidentiality, integrity)
2018: Understand the fundamental concepts of security models

2015: Select controls and countermeasures based upon systems security evaluation models
2018: Select controls based upon systems security requirements

2015: Understand security capabilities of information systems (e.g., memory protection, trusted platform module, interfaces, fault tolerance)
2018: Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

# No change in any of the above.
2015: Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  • Client-based (applets, local caches)
  • Server-based (data flow control)
  • Database security (inference, aggregation)
  • Large Scale Parallel Data Systems
  • Distributed systems
  • Cryptographic systems
  • Industrial Control Systems

2018: Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic Systems
  • Industrial Control Systems (ICS)
  • Cloud-based systems
  • Distributed systems
  • Internet of Things (IoT)


# Removed Large-Scale Parallel Data Systems. Added Cloud-based systems & Internet of Things. (Most books cover these topics, hence the limited change. IoT was covered under the embedded devices topic in the 2015 outline.)
2015: Assess and mitigate vulnerabilities in web-based systems
2018: Assess and mitigate vulnerabilities in web-based systems

# No Change
2015: Assess and mitigate vulnerabilities in mobile systems
2018: Assess and mitigate vulnerabilities in mobile systems

# No Change
2015: Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, internet of things (IoT))
2018: Assess and mitigate vulnerabilities in embedded devices

# No change. However, the CISSP CBK may throw a surprise here.
2015: Apply cryptography
  • Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
  • Cryptographic Types (e.g., symmetric, asymmetric, elliptic curves)
  • Public Key Infrastructure (PKI)
  • Key management practices
  • Digital signatures
  • Digital Rights Management (DRM)
  • Non-repudiation
  • Integrity (hashing and salting)
  • Methods of cryptanalytic attacks (e.g., brute force, ciphertext only, known plaintext)

2018: Apply cryptography
  • Cryptographic life cycle (e.g., key management, algorithm selection)
  • Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
  • Public Key Infrastructure (PKI)
  • Key management practices
  • Digital signatures
  • Non-repudiation
  • Integrity (e.g., hashing)
  • Understand methods of cryptanalytic attacks
  • Digital Rights Management (DRM)


# No Change
2015: Apply secure principles to the site and facility design
2018: Apply security principles to the site and facility design

# No Change
2015: Design and implement physical security
  • Wiring closets
  • Server rooms
  • Media storage facilities
  • Evidence storage
  • Restricted and work area security
  • Data center security
  • Utilities and HVAC considerations
  • Water issues (e.g., leakage, flooding)
  • Fire prevention, detection, and suppression

2018: Implement site and facility security controls
  • Wiring closets/intermediate distribution facilities
  • Server rooms/data centers
  • Media storage facilities
  • Evidence storage
  • Restricted and work area security
  • Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
  • Environmental issues
  • Fire prevention, detection, and suppression

# No Change