Determine Legal, Regulatory, Organizational and Industry Requirements.

• Ensure that the security architect is aware of legal requirements and designs (builds-in) the ability to support audit and compliance functionality into information systems and the information security framework.
• Ensure that the security architect is aware the core privacy principles adopted by the OECD.
• Understand the requirements of the General Data Protection Regulations (GDPR).
• Understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH).
• Understand the requirements of the North American Electric Reliability Corporation – Critical Infrastructure Protection.
• Understand the requirements of privacy and information security laws in the United Kingdom.
• Understand the requirements of information security laws in the Asia Pacific region.
• Understand the requirements of information security laws in Latin America.
• Ensure that the security architect is aware of the requirements of the Electronic Communications Privacy Act (ECPA).
• Understand the capabilities and techniques used to develop an enterprise security architecture based on common architectural frameworks.
• Understand the requirements of information management laws: Gramm-Leach0Bliley Act (GLBA) and Sarbanes-Oxley Act.

Determine Applicable Information Security Standards and Guidelines.

• Understand the process of evaluating and selecting architectural standards.
• Understand the requirements of the National Institute of Standards and Technology for information systems protection.
• Understand the requirements of the Information Security Management System (ISMS) as documented in ISO/IEC 27001.
• Understand the capabilities and techniques used to develop an enterprise security architecture based on common architectural frameworks.
• Understand the requirements of the payment card industry for protection of payment cards.
• Understand the requirements to support audit and compliance services and demonstrate the design, implementation and management of good security practices.

Determine Applicable Sensitive/Personal Data Standards, Guidelines and Privacy Regulations.

• Introduce the importance of compliance with privacy laws in the context of the real world.

Designing Systems for Auditability

• Understand the requirements to design systems to support audit and accountability standards.
• Understand the process of Control Self-Assessment (CSA) and know how to design systems to support CSA.
• Understand the requirements to design a system for auditability.
• Understand the process of digital forensics and the examination of evidence.
• Understand the requirements of working with external entities in the event of an incident.
• Understand the process of architecting relationships with outsourcing suppliers and partners.

Manage Risk

• Review the importance of risk management in relation to the establishment of an information security program.
• Understand the process of determining the relationship between assets and business mission.
• Understand the Risk Management Framework and risk management process.
• Understand the principles of risk assessment and risk treatment.
• Be familiar with quantitative and qualitative risk assessment.
• Understand the principles and practices of asset identification and classification.
• Understand the process of determining asset value.
• Understand the types of threat actors.
• Understand the types of human threats, natural threats and supply chain risk.
• Understand the risk related to technology.
• Understand the process of determining risk.
• Understand the process of risk reporting and the risk register.

Overview of Risk Treatment

• Review the principles of risk treatment and risk response.
• Be familiar with the requirement to perform a cost–benefit analysis when considering control options.

Risk Monitoring

• Understand the principles of risk monitoring.
• Understand the impact of emerging threats and vulnerabilities on the level of risk faced by the organization.
• Understand the factors that can affect risk, such as changes to business processes.
• Understand the importance of reporting current and emerging risk to management.
• Be familiar with a risk register and how to use it.

Identify Security Architecture Approach

• Understand the various architectural approaches and identify the impact upon security of each approach.
• Understand new security challenges as the types of systems and networks evolve.
• Understand the security needs as organizations move from systems architecture to enterprise architecture.
• Be familiar with the security requirements that are unique to each of the common architectural models.
• Be familiar with the concepts of Service - Oriented Architecture (SOA).
• Understand the challenges that the Internet of Things (IoT) places on security architecture.
• Review the security considerations associated with SCADA systems.
• Review the fundamental security models and various forms of enterprise configurations.
• Understand the value of benchmarks and baseline configurations.
• Remember the benefits and types of network segmentation.
• Be familiar with the evolution of networking and network technologies.

Review Physical Security Requirements.

• Understand the importance of physical security as related to information security.
• Understand the methods used to validate physical security controls.
• Understand the generally accepted data center design tiers
• Understand the various options to control physical access to data centers.
• Understand the deployment of closed-circuit television (CCTV).
• Review the principles of perimeter-based security.
• Review the principles of fire management.

Verify and validate Design

• Understand the process of testing and validating the project deliverables.
• Understand the process of regression testing and avoiding single points of failure.
• Understand the process of independent verification and validation of infrastructure and control design.

Develop Infrastructure Security Requirements.

• Understand the process of developing infrastructure security requirements.
• Understand the security requirements of various types of system deployments.
• Understand the application of security in a cloud environment.

Design Defense-in-Depth Architecture.

• Understand the principles of defense in depth and be able to design a defense-in-depth solution for their organization.
• Understand the role of management networks in protecting and monitoring information systems and system components.
• Review the core security concepts in relation to infrastructure.
• Understand the security of various system components.
• Understand cloud security risk

Review Secure Shared Services

• Understand the Network Time Protocol (NTP), Domain Name Systems (DNS), and Voice over Internet Protocol (VoIP).

Design Boundary Protection with Enterprise Security Requirements Considered

• Understand boundary protection.
• Understand the security requirements when acquiring, deploying and managing various devices.
• Understand the need for security of mobile devices.
• Understand cloud virtualization and cloud virtual storage.

Design Infrastructure monitoring

• Understand the design of monitoring systems.
• Understand the methods of active and passive data collection.
• Design the systems to monitor network traffic.
• Understand security analytics.

Review introduction to cryptographic principles.

• Understand the legal requirements concerning the design, implementation and operation of cryptographic solutions.

Design infrastructure Cryptographic Solutions

• Understand the design of infrastructure cryptographic solutions.

Asymmetric Algorithms

• Understand the principles of asymmetric encryption.
• Understand the principles of RSA certificates.
• Understand the process of elliptic curve cryptography.
• Understand the composition and use of digital signatures.
• Understand the process of certificate validation.
• Review the processes of ensuring message integrity through the use of a hash function.
• Review the SHA3 Algorithm.
• Understand use of a VPN using Diffie-Hellman.
• Understand the ElGamal algorithm.

Internet Protocol Security (IPSec)

• Understand Internet Protocol Security (IPSec).
• Review the operations of TLS using RSA+.

Evaluate Enterprise Identity Management Requirements

• Be able to identify and evaluate the requirements for identity management.
• Understand the process of assigning identifiers to entities.
• Understand the core principle of information security based on the use of multi-factor authentication to protect systems from unauthorized access.
• Understand the principles of identification, authentication, authorization and accounting as they relate to identity management
• Understand the challenges of digital identities.
• Be able to establish processes to identify personnel and facilitate trust relationships.
• Be able to define multi-factor authentication.
• Be able to design risk-based and location-based access controls.
• Be able to design knowledge-based and object-based access controls.
• Understand biometrics.
• Be able to recognize authentication protocols and technology.
• Understand Security Assertion Markup Language (SAML), RADIUS, and Kerberos.

Access Control Concepts and Principles

• Understand access control concepts and principles.
• Be able to design access control management, including the access control management lifecycle.

Design Identity and Access Solutions

• Understand how to design an identity and access solution for an organization.
• Understand various access control protocols and technologies.
• Understand various credential management technologies.
• Understand the advantages and disadvantages of centralized versus decentralized identity and access management systems.
• Understand the different types of identity and access management implementations.
• Understand the risk and requirements for managing privileged accounts.
• Review the accounting or audit aspect of identity and access management.

Assess and Align Application Security with the Enterprise

• Understand the process of assessing and aligning application security with the enterprise.
• Understand how to use the SDLC to design resilient secure systems.
• Understand how to address security in the SDLC.
• Understand the requirements traceability matrix (RTM).
• Understand the principles of secure software coding.
• Review the principles of security architecture documentation.

Assess Code Review Methodology and Testing

• Understand the processes and methodologies used to assess software code.
• Review the principles of static code testing.
• Review the principles of dynamic code testing.
• Review the principles of creating valid test data.
• Review the security concerns associated with APIs.
• Understand the principles of protecting systems through runtime application self-protection (RASP).
• Review the principles of anti-malware tools.
• Review the implementation of encryption in an application.
• Determine appropriate cryptographic solution for applications.
• Be familiar with the methodologies used to assess software code and implementations.
• Understand the principles of a secure code repository.
• Understand the value and process of version control.

Determine Application Security Capability Requirements and Strategy

• Understand the process to determine application security requirements.
• Determine the security requirements for applications operating in a platform as a service (PaaS) deployment.
• Understand the requirements to secure the infrastructure used in supporting applications.
• Understand the role that network security plays in supporting secure operations of applications.
• Understand the requirements to secure the endpoint devices and desktops that support applications.
• Understand the requirements to secure data storage for an application.
• Evaluate applicability of security controls for system components.

Identify Common Proactive Controls for Applications

• Understand some of the common controls used to protect applications.
• Review the CIS critical security controls.

Security Operations Architecture

• Understand how to gather security operations requirements.
• Understand the architect’s role in setting up monitoring and the benefits that an effective monitoring program will provide.

Design Information Security Monitoring

• Understand the techniques of monitoring and incident identification.
• Understand the process of incident preparation.
• Understand the process of incident detection.
• Understand the process of incident response.
• Review vulnerability assessments and penetration testing.
• Work with and support audits, and benefit from the audit process.

Design Business Continuity (BC) and Resiliency Solutions

• Understand their role in designing business continuity and resiliency solutions.
• Understand the basics of gathering resource requirements used to support business continuity (BC).
• Understand their role in assisting in the creation of incident response and communications and training plans.
• Understand the process of incident response management.
• Understand the various response strategies that can be used.
• Identify continuity and availability solutions.

Validate Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Architecture

• Be able to participate in the validation of business continuity plans and disaster recovery plans.