From "Information Technology Competency Model: September 2012", Employment and Training Administration, United States Department of Labor

8. Risk Management, Security, and Information Assurance

The standards, issues, and applications used to protect the confidentiality, integrity, and availability of information and information systems.

Critical Work Functions:

Risk Management
* Explain the concepts and use of risk management frameworks and how to determine threat levels using the concepts of vulnerabilities, threat source, motivation, likelihood, and impact
* Explain the concepts of risk avoidance, transference, acceptance, mitigation, and deterrence in the context of an organization's risk threshold
* Understand the importance and use of personnel security and background investigations
* Understand the concept of inherent risk in end-user behavior
* Understand "insider threat"
* Understand the importance of organization-wide awareness of risk management policies

Security and Information Assurance Fundamentals
* Explain the concepts of Governance, Risk, and Compliance (GRC)
* Explain the need for an organizational security program and the use and importance of organizational security policies
* Explain the importance of ensuring accurate data and keeping information systems available to authorized users
* Explain the concepts of Confidentiality, Integrity, and Availability (CIA)
* Understand the legal and regulatory requirements and justifications for maintaining information security, including the importance of maintaining working knowledge of laws, regulations, directives, and standards for information security
* Understand the importance of protecting data and information systems from accidental disclosure or destruction, unauthorized access or modification, and inappropriate use or malicious compromise
* Describe methods for secure use of social media
* Explain the use and importance of security awareness programs
* Explain the importance of configuration management to security operations
* Understand the need for separation of duties and other business controls
* Understand the need for controls and privileges based on an individual's job duties

Security Operations
* Describe the major access control systems and their functions
* Explain the concepts involved in IT security technologies, including cyber terrorism and its countermeasures, and various auditing and monitoring tools and techniques
* Recognize potential IT security threats and risks, including common attacks, vulnerabilities, and methods used to compromise systems
* Understand the value and limitations of user education
* Identify common measures used to protect privacy and confidential data
* Explain the need for regular backup procedures
* Demonstrate knowledge of vulnerability identification techniques and tools
* Explain the importance and application of physical security measures
* Demonstrate knowledge of system protection services such as intrusion detection/prevention, communications filtering, firewall management, and malware detection
* Explain common communications protocols and how to apply security to them, e.g., IPsec, SSL, TLS
* Demonstrate knowledge of methods to protect web services
* Demonstrate knowledge of security concepts for cloud services
* Explain the use of encryption technology, e.g., PKI, hard drive encryption, data encryption, encryption at rest, and secure communications protocols
* Describe the issues with unsecured user devices on secured systems

Business Resiliency
* Explain the concept of business continuity
* Understand the differences among and uses of the types of contingency plans (e.g., Business Continuity Plan, Continuity of Operations Plan, Crisis Communications Plan, Disaster Recovery Plan, and Information System Contingency Plan)
* Identify the types of IT/technology disaster scenarios that may impact an organization
* Recognize opportunities for strategic improvement or mitigation of business interruption and other risks caused by business, regulatory, or industry-specific initiatives
* Explain business impact assessments and their use
* Identify concepts and techniques for disaster recovery and business restoration
* Identify typical roles and responsibilities in disaster recovery planning activities and scenarios

Incident Management
* Describe incident identification, reporting, management, and investigation
* Describe the use of computer forensics to prevent and solve information technology crimes and security breaches
* Describe the impact of existing legislation on the practice of digital forensics
* Explain the concept of electronic discovery (e-discovery)
* Explain the importance of maintaining evidence integrity and chain of custody during the forensic examination process
* Identify criminal activity in relation to cybercrime, the Internet, and Internet trafficking

Secure Information System Development
* Explain the Secure Development Life Cycle
* Explain the concepts of secure architecture and design
* Explain the concepts and techniques for secure software coding and defensive programming
* Explain the concepts of module, unit, and system security testing
* Understand the concepts of system and human interaction that could affect security

Technical Content Areas:

Program Management
* Auditing
* Business impact assessment
* Business recovery and continuity
* Capital planning and investment
* Configuration management
* Governance
* Incident management and privacy breach reporting
* Performance management
* Policy development
* Policy enforcement
* Risk management
* Security awareness program
* Security planning
* System accreditation
* System acquisition

Data Accessibility
* Access controls (physical and logical)
* Fundamentals of data security
* Mandatory access control (MAC) vs. discretionary access control (DAC) vs. role-based access control (RBAC)
* Operational issues
* Protecting private, proprietary, or confidential data
* Remote access controls
* User and customer support

Data Integrity
* Data input validation
* Intrusion detection
* Encryption
* ID management
* Information states
* Interconnection agreements
* Redundancy

Data Protection
* Data encryption, "encryption at rest"
* Data loss prevention techniques and tools
* Data masking
* Privacy impact assessments
* System security controls
* Test data management

Development
* Configuration/change management
* Ensure business analysis/use cases address business process security
* Secure coding and defensive programming
* Security architecture design
* Security development life cycle
* Security testing

Operations
* Incident reporting
* Log management
* Penetration testing
* Security Information and Event Management (SIEM)
* Security monitoring
* System and security documentation
* Testing and application of software patches/errata/updates
* Vulnerability assessments

Legal, Regulations, Investigations, and Compliance, such as
* Federal laws (FISMA, GLBA, Telecommunications)
* HIPAA
* ISO standards
* Payment Card Industry standard
* Sarbanes-Oxley

Security Classification
* Government
  o Classified
  o Controlled Unclassified Information (CUI)
  o Secret
  o Top Secret
  o Unclassified
  o Unclassified For Official Use Only (UNCLASSIFIED/FOUO)
* Industry
  o Confidential
  o Do Not Forward
  o Need-to-know
  o Proprietary
  o Restricted
  o Sensitive

Networking and Communications
* Bluetooth
* Firewalls
* Intrusion detection/prevention
* IPsec
* PKI (Public Key Infrastructure)
* Secure protocols (SSL, TLS, HTTPS, WPA)
* VoIP
* Wireless

Physical Security
* Access barriers
* Biometrics
* Climate control
* Fire protection
* Key card technologies
* Power protection

Threats
* Application
* Attacks, such as
  o Malware
  o Denial of Service
  o Social engineering
* Insider threat
* Social media
* Threat analysis model
* Wireless

Forensics
* Chain of custody
* E-discovery
* Investigation techniques
* Investigation tools