Description should include the following:
- Industry-standard frameworks and reference architectures
  - Regulatory
  - Non-regulatory
  - National vs. international
  - Industry-specific frameworks
- Benchmarks/secure configuration guides
  - Platform/vendor-specific guides
    - Web server
    - Operating system
    - Application server
    - Network infrastructure devices
  - General purpose guides
- Defense-in-depth/layered security
  - Vendor diversity
  - Control diversity
  - User training
Process/Skill Questions:
- Why is one layer of security not effective enough? Why is there a need for multiple layers?
- Why must vendors provide proprietary configuration guides?
- What is the difference between national and international architectures?