Chapter 2. The Science of Our Business: The Eight Domains

I grew up during the time period when the security landscape was covered by the 10 domains. I’ve chosen to discuss our industry in terms of these domains (although now there are only eight) as opposed to one of the industry’s well-known frameworks because the two are fundamentally different models. The eight domains by and large discuss the theory and science of our field. The many industry frameworks—including those from the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Cloud Security Alliance (CSA), and Center for Internet Security (CIS)—discuss the numerous security controls to be implemented to protect systems and data. The eight domains provide a discussion on the content of the science of InfoSec.

My intent in this book is not to rehash the content of the eight domains, but to merely highlight those sections that I believe you’ll want to focus on when building an InfoSec program. Not all domains are of equal importance when you follow my seven-step process. Knowing which ones to focus on will help you build your program.

As a refresher, the eight domains of InfoSec are as follows:[1]

  1. Security and Risk Management

  2. Asset Security

  3. Security Engineering and Architecture

  4. Communications and Network Security

  5. Identity and Access Management

  6. Security Assessment and Testing

  7. Security Operations

  8. Software Development Security

Why Am I Commenting on the ...
