Episodes

  • CISSP Domain8 Section 5
    2024/10/16

    8.5 Define and apply secure coding guidelines and standards

    • 8.5.1 Security weaknesses and vulnerabilities at the source-code level
    • 8.5.2 Security of application programming interfaces (API)
    • 8.5.3 Secure Coding Practices
    • 8.5.4 Software-defined security
    13 min
  • CISSP Domain8 Section 3 and 4
    2024/10/16

    8.3 Assess the effectiveness of software security

    • 8.3.1 Auditing and logging of changes
    • 8.3.2 Risk analysis and mitigation

    8.4 Assess security impact of acquired software

    • 8.4.1 Commercial-off-the-shelf (COTS)
    • 8.4.2 Open Source
    • 8.4.3 Third-Party
    • 8.4.4 Managed Services (e.g., enterprise applications)
    • 8.4.5 Cloud Services (e.g., SaaS, IaaS, PaaS)

    14 min
  • CISSP Domain1 Section 3
    2024/10/16

    1.3 Evaluate, apply, and sustain security governance principles.

    • 1.3.1 Alignment of the security function to business strategy
    • 1.3.2 Organizational processes (e.g., acquisitions, divestitures)
    • 1.3.3 Organizational roles and responsibilities
    • 1.3.4 Security Control Frameworks
    • 1.3.5 Due Care and Due Diligence
    10 min
  • CISSP Domain8 Intro and Section 1
    2024/10/16

    8.1 Understand and integrate security in the software development lifecycle

    • 8.1.1 Development Methodologies
    • 8.1.2 Maturity Models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
    • 8.1.3 Operations & Maintenance
    • 8.1.4 Change Management
    • 8.1.5 Integrated Product Team (IPT)

    13 min
  • CISSP Domain1 Section 4
    2024/10/16

    1.4 Understanding of Info Security legal and regulatory problems

    • 1.4.1 Cybercrimes and data breaches
    • 1.4.2 Licensing and intellectual property requirements
    • 1.4.3 Import/export controls
    • 1.4.4 Transborder data flow
    • 1.4.5 Issues Related to Privacy
    • 1.4.6 Contractual, Legal, Industry Standards, & Regulatory Requirements
    11 min
  • CISSP Domain7 Section 12
    2024/10/16

    7.12 Test Disaster Recovery Plans

    • 7.12.1 Read-through/Checklist
    • 7.12.2 Walk-through/Tabletop
    • 7.12.3 Simulation
    • 7.12.4 Parallel
    • 7.12.5 Full Interruption
    • 7.12.6 Communications (e.g., stakeholders, test status, regulators)

    11 min
  • CISSP Domain7 Section 11
    2024/10/16

    7.11 Implement Disaster Recovery Process

    • 7.11.1 Response
    • 7.11.2 Personnel
    • 7.11.3 Communications
    • 7.11.4 Assessment
    • 7.11.5 Restoration
    • 7.11.6 Training & Awareness
    • 7.11.7 Lessons Learned

    13 min
  • CISSP Domain1 Section 9
    2024/10/16

    1.9 Understand and apply risk management concepts

    • 1.9.1 Threat and Vulnerability Identification
    • 1.9.2 Risk Analysis, assessment, and scope
    • 1.9.3 Risk response and treatment
    • 1.9.4 Applicable Types of Controls
    • 1.9.5 Control Assessments
    • 1.9.6 Continuous monitoring and measurement
    • 1.9.7 Reporting (e.g., Internal, External)
    • 1.9.8 Continuous improvement (e.g., risk maturity modeling)
    • 1.9.9 Risk Frameworks

    13 min