1. Response
2. Deployment
2.1. Infrastructure
2.1.1. Availability
2.1.1.1. Load balancing
2.1.1.2. Clustering
2.1.2. OS
2.1.2.1. Bastion hosts
2.1.3. Network
2.1.3.1. Firewall
2.1.3.2. Proxy
2.1.3.3. AV
2.1.3.4. Mail
2.1.3.5. WAF
2.1.3.5.1. MMOG
2.1.3.6. DLP
2.1.3.7. Bandwidth management
2.1.4. Identity & Access management
2.1.4.1. SSO
2.1.4.2. ID provider
2.1.4.2.1. LDAP
2.1.4.3. AuthZ management
2.1.4.4. Access control
2.1.4.4.1. RBAC
2.1.4.5. Policy management
2.1.5. Cryptography services
2.1.5.1. KMS
2.1.5.2. PKI
2.1.5.3. Cryptographic providers
2.1.6. Database
2.1.6.1. Oracle
2.2. Monitoring
2.2.1. SIEM
2.2.1.1. QRadar
2.2.1.2. Managed services
2.2.2. Infrastructure
2.2.2.1. Nagios
2.2.3. Intrusion detection
2.2.3.1. IPS
2.2.3.2. IDS
2.3. BCP/DRP
2.3.1. Back-up
3. Awareness/education
3.1. Training
4. Process
4.1. Requirements
4.1.1. Security requirements
4.1.2. Privacy requirements
4.1.3. Bug tracking
4.1.4. Documentation
4.2. Design
4.2.1. Design techniques
4.2.1.1. Layering (defense in depth)
4.2.1.2. Least privilege
4.2.1.3. Attack surface minimization
4.2.2. Specific criteria
4.2.2.1. Cryptography
4.2.3. Threat modeling
4.2.3.1. DREAD
4.2.3.2. STRIDE
4.3. Implementation
4.3.1. Build tools
4.3.2. SAST
4.3.2.1. Fortify
4.3.3. APIs
4.3.3.1. Mandated
4.3.3.1.1. ESAPI
4.3.3.2. Banned
4.3.4. Web application-specific requirements
4.3.4.1. XSS
4.3.4.2. Injection
4.3.4.2.1. SQL
4.3.4.2.2. LDAP
4.3.4.2.3. JS
4.4. Verification
4.4.1. Security response planning
4.4.1.1. Response plans for vulnerability reports
4.4.2. Attack surface re-evaluation
4.4.3. Fuzz testing
4.4.4. Security push actions
4.4.4.1. Code reviews
4.4.4.2. DAST
4.4.4.2.1. AppScan Standard
4.4.4.3. Design/architecture reviews (new threats)
4.4.5. OL specific requirements
4.5. Release
4.5.1. Response Plan
4.5.1.1. SSIRP
4.5.1.2. CVE
4.5.2. Final Security review
4.5.3. Archive
4.5.3.1. Customer documentation
4.5.3.2. Source code
4.5.3.3. Threat models
4.5.3.4. Complete final signoffs