Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

12.2. Domain Confidence Checklist

Rate yourself honestly on each area before sitting for the exam. For any area below 4/5, revisit the relevant phase.

Domain 1 — Security and Risk Management
  • Can explain ALE = SLE × ARO and use it to justify control cost
  • Know all four valid risk responses (avoid, mitigate, transfer, accept); can explain that ignoring ≠ accepting
  • Can describe NIST RMF six steps in order
  • Know the order of the ISC2 Code of Ethics canons and when orderly escalation applies
  • Can explain GDPR's 72-hour notification, eight data subject rights, and maximum penalty
Domain 2 — Asset Security
  • Can distinguish data owner (business) from data custodian (IT)
  • Know NIST 800-88 destruction methods: Clear / Purge / Destroy; why deleting a file is not destruction
  • Can explain why cryptographic erasure is the appropriate method for cloud-stored data
  • Know what legal holds override: retention schedules, auto-deletion policies
Domain 3 — Security Architecture and Engineering
  • Can state Bell-LaPadula rules (No Read Up, No Write Down) and Biba rules (No Read Down, No Write Up)
  • Know AES minimum key sizes, why ECB mode is dangerous, why MD5 and SHA-1 are deprecated
  • Can explain why digital signatures provide non-repudiation and HMAC does not
  • Know TLS version landscape: 1.0/1.1 deprecated, 1.2 acceptable, 1.3 preferred
Domain 4 — Communication and Network Security
  • Can describe which OSI layer each attack targets and which control defends it
  • Know IPsec AH vs ESP differences, Transport vs Tunnel mode use cases
  • Can explain why WPA3 is superior to WPA2 (SAE, forward secrecy, mandatory Management Frame Protection (MFP))
  • Know DNS attack types and what DNSSEC protects (origin auth + integrity, not confidentiality)
Domain 5 — Identity and Access Management
  • Can rank MFA mechanisms by phishing resistance (SMS worst → FIDO2 best)
  • Know SAML = enterprise web SSO; OIDC = modern app authentication; OAuth 2.0 = authorization only
  • Can explain Kerberos TGT flow, clock skew requirement, Golden Ticket attack and defense
  • Know DAC/MAC/RBAC/ABAC tradeoffs and when each applies
Domain 6 — Security Assessment and Testing
  • Can distinguish VA (identifies potential vulnerabilities) from pentest (confirms exploitability) from audit (verifies compliance)
  • Know CVSS Base / Temporal / Environmental score groups and what each measures
  • Know SOC 2 Type I vs. Type II difference and why Type II is more valuable
  • Can match testing methods to vulnerability classes: SAST (source code), DAST (running app), SCA (third-party)
Domain 7 — Security Operations
  • Know NIST IR lifecycle phases in order; the correct sequence within Phase 3 (contain → preserve → eradicate → recover)
  • Can state order of volatility for forensic collection (RAM before disk)
  • Know chain of custody requirements for admissible evidence
  • Know MTD > RTO is required; what RPO drives (backup frequency)
  • Know BCP/DR testing types in order from least to most disruptive
Domain 8 — Software Development Security
  • Know STRIDE six threat categories and a countermeasure for each
  • Can explain why SQL injection is prevented by parameterized queries, not input filtering
  • Know OWASP Top 10 top three: Broken Access Control, Cryptographic Failures, Injection
  • Know what SAST, DAST, SCA, and manual code review each find that the others miss
  • Can explain why client-side input validation is not a security control
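The Domain 8 item on SQL injection is easiest to reason about when you can see the three approaches side by side. The following is an added example, not part of the original checklist or MindMesh Academy's material: it builds a constructed in-memory SQLite table and compares string concatenation, quote-stripping "input filtering", and a parameterized query. The function names (`lookup_concatenated`, `lookup_filtered`, `lookup_parameterized`, `demo`) and the sample rows are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so the database parser treats it as part of the query grammar."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_filtered(conn, username):
    """'Input filtering' attempt: strip single quotes and then concatenate.
    This is not a security control: it changes legitimate data (O'Brien
    becomes OBrien) and only addresses the one character it knows about,
    while the query structure is still built from user input."""
    cleaned = username.replace("'", "")
    return lookup_concatenated(conn, cleaned)


def lookup_parameterized(conn, username):
    """Correct pattern: the statement's structure is fixed before the value
    is seen; the value is bound as data and can never become SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    """Run each approach against a structure-altering input and a legitimate
    name containing a quote; return the observed results for comparison."""
    conn = make_db()
    # Constructed input whose quote closes the literal and appends a tautology.
    tautology = "x' OR '1'='1"
    results = {
        "concat_tautology": lookup_concatenated(conn, tautology),   # every row leaks
        "filtered_tautology": lookup_filtered(conn, tautology),     # happens to be blocked
        "param_tautology": lookup_parameterized(conn, tautology),   # treated as a plain string
        "param_obrien": lookup_parameterized(conn, "O'Brien"),      # legitimate value works
        "filtered_obrien": lookup_filtered(conn, "O'Brien"),        # silently wrong answer
    }
    try:
        lookup_concatenated(conn, "O'Brien")
        results["concat_obrien"] = "no error"
    except sqlite3.OperationalError:
        # The quote in ordinary data already breaks the statement: proof that
        # the input is being parsed as SQL, which is the root cause.
        results["concat_obrien"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The exam point the output makes concrete: filtering reasons about input characters, while parameterization removes the possibility of input reaching the parser at all. The filtered variant blocks this one constructed input yet corrupts a legitimate name, which is why it is not accepted as the control.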
Written by Alvin Varughese, Founder, 15 professional certifications