What’s new in Security Architecture & Design

ISC2 published the 3rd edition of their CISSP CBK in late 2012.  I ordered my copy in December 2012 and said, “So what’s new in Architecture?”

First, let me say that all quoted material in this article is from the “Official (ISC)2 Guide to the CISSP® CBK Third Edition.”

Generally, with respect to all the domains, ISC2 and the authors of the 3rd Edition have placed emphasis (by bolding, bullet-pointing, or indenting) on some of the material that was in the 2nd Edition.  You can take that for what it is worth.  For example, in the section on “Common Security Services”, the 2nd Edition simply had them listed as:

Boundary Control Services –

Where the 3rd Edition has them listed as:

  • Boundary Control Services –

As I said, you can take that for what it is worth; the information remains the same.

One difference I noticed in this domain is that, instead of “Section Summaries”, that information has been moved to the beginning of each section under various titles, all of which mean “Section Introduction.” The information itself is much the same.

Here are the things that I found different in Security Architecture & Design.

  • The section on “Security Zones of Control” now has a diagram (Figure 6.2) from NIST that illustrates the concept of using a subsystem guard; it is part of the work of the Joint Task Force Transformation Initiative (February 2010).
  • In the 2nd Edition, where they were talking about “Multilevel Lattice Models”, there was a second paragraph which explained how noninterference models could be considered a type of multilevel model.  For some reason, in the 3rd Edition, rather than include that as a second paragraph, it got its own bullet-point, but that bullet-point isn’t bolded, while the very next bullet-point, Noninterference Model, is.  I think someone just did an “oops” on this.
  • Finally, something we can say is “NEW.”  They added a couple of pages on the Payment Card Industry Data Security Standard in the section on “Industry and International Security Implementation Guidelines.”
  • Other new material that has been added includes a section on “Virtualization” and four pages on “Vulnerabilities of Security Architecture”, which include:
    • System design
    • Emanations
    • State Attacks
    • Covert Channels
  • Also included is a complete section on Software and System Vulnerabilities and Threats, which includes:
    • Web-based
      • XML
      • SAML
      • OWASP
    • Client-Based Vulnerabilities
      • Desktops, Laptops and Thin Clients
      • Mobile Devices
    • Server-Based Vulnerabilities
    • Data Flow Control
    • Database Security
      • Warehousing
      • Inference
      • Aggregation
      • Data Mining
  • In the section on Distributed Systems, a lot of good information has been added, including sections on:
    • Grid Computing
    • Cloud Computing
      • Essential characteristics
        • On-demand Self-Service
        • Broad Network Access
        • Resource Pooling
        • Rapid Elasticity
        • Measured Service
      • Service Models
        • Software as a Service (SaaS)
        • Platform as a Service (PaaS)
        • Infrastructure as a Service (IaaS)
      • Deployment Models
        • Private Cloud
        • Community Cloud
        • Public Cloud

As always, InfoSec is updating the courseware to reflect this new material and re-sequencing of the Security Architecture & Design domain.

Want to learn more? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals who hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise-wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry-leading course curriculum, combined with our award-winning CISSP training provided by expert instructors, delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual certification: CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: this is NOT a Common Body of Knowledge review; it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.