Geek-Guy.com

Domain 1: Security and Risk Management

Exam Weight: 16% (Highest weighted domain)

This domain serves as the brain of the CISSP. It focuses on how security supports the business through governance, risk analysis, and legal compliance. As a CISSP candidate, you must think like a manager: security is not about saying no, but about enabling the business to function within an acceptable level of risk.


1. The 5 Pillars of Information Security

While the CIA Triad is the foundation, the current exam expands this to five pillars:

  • Confidentiality: Preventing unauthorized disclosure. (Encryption, access control).
  • Integrity: Preventing unauthorized modification. (Hashing, digital signatures).
  • Availability: Ensuring timely and reliable access. (Backups, redundancy, RAID).
  • Authenticity: Verifying that a user or system is who they claim to be.
  • Non-repudiation: Ensuring a subject cannot deny having performed an action.

2. Security Governance & Hierarchy

Governance is the set of responsibilities and practices exercised by the board and executive management.

  • Strategic Goal: Alignment of security with business strategy.
  • The Policy Stack:
    • Policies: High-level, mandatory statements of management intent.
    • Standards: Specific, mandatory requirements (e.g., Use AES-256).
    • Baselines: Minimum security levels.
    • Procedures: Step-by-step instructions for tasks.
    • Guidelines: Non-mandatory recommendations or best practices.

3. Legal and Regulatory Issues

  • Due Care: Acting as a reasonable person would; the act of implementing a control.
  • Due Diligence: The act of verifying that due care is being maintained (e.g., auditing).
  • Major Laws to Know:
    • GDPR: EU privacy (Right to Erasure, Data Portability).
    • HIPAA: Healthcare data privacy (US).
    • SOX: Financial reporting accuracy (US).
    • GLBA: Financial institution data privacy (US).
    • Wassenaar Arrangement: International export controls on dual-use goods/encryption.

4. The Risk Management Lifecycle

Risk cannot be eliminated; it must be managed.

  1. Assessment/Identification: Finding assets, threats, and vulnerabilities.
  2. Analysis:
    • Qualitative: Subjective (High/Medium/Low). Uses the Delphi Technique (expert consensus).
    • Quantitative: Objective/Mathematical.
  3. Response (The 4 Options):
    • Mitigate: Reduce the risk (add a firewall).
    • Transfer: Share the risk (buy insurance).
    • Avoid: Stop the activity causing the risk.
    • Accept: Acknowledge the risk (residual risk is below the risk appetite).

Key Quantitative Formulas:

SLE (Single Loss Expectancy) = AV (Asset Value) × EF (Exposure Factor)

ALE (Annualized Loss Expectancy) = SLE × ARO (Annualized Rate of Occurrence)
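A worked example (added here, not from the original page) that carries the SLE and ALE formulas through to the response decision from step 3: it computes the residual ALE after a candidate control and recommends accept, mitigate, or escalate to transfer/avoid against a risk appetite. The safeguard value formula (ALE before − ALE after − annual cost of the control) is a standard quantitative extension not stated on the page, and the class names, the appetite threshold, and the sample figures are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    asset: str
    av: float   # AV: Asset Value
    ef: float   # EF: Exposure Factor, fraction of AV lost in one incident (0.0 to 1.0)
    aro: float  # ARO: Annualized Rate of Occurrence, incidents per year

    def sle(self) -> float:
        """SLE = AV x EF (loss from a single incident)."""
        return self.av * self.ef

    def ale(self) -> float:
        """ALE = SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro

@dataclass
class Control:
    """A candidate mitigation; new_ef / new_aro are the values once it is in place."""
    name: str
    annual_cost: float
    new_ef: Optional[float] = None
    new_aro: Optional[float] = None

def residual_ale(risk: Risk, ctl: Control) -> float:
    """ALE that remains once the control is applied (the residual risk)."""
    ef = risk.ef if ctl.new_ef is None else ctl.new_ef
    aro = risk.aro if ctl.new_aro is None else ctl.new_aro
    return risk.av * ef * aro

def control_value(risk: Risk, ctl: Control) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost of the control
    (standard cost-benefit check; an assumption, not a formula from the page)."""
    return risk.ale() - residual_ale(risk, ctl) - ctl.annual_cost

def recommend(risk: Risk, appetite: float, ctl: Optional[Control] = None) -> str:
    """Accept when ALE is already within appetite; mitigate when the control pays for
    itself and brings residual ALE within appetite; otherwise escalate to transfer/avoid."""
    if risk.ale() <= appetite:
        return "accept"
    if ctl is not None and control_value(risk, ctl) > 0 and residual_ale(risk, ctl) <= appetite:
        return "mitigate"
    return "transfer-or-avoid"

# Constructed sample: a web server worth 100,000 that loses 25% of its value per breach, twice a year.
WEB = Risk("web server", av=100_000, ef=0.25, aro=2)
WAF = Control("WAF + patching", annual_cost=8_000, new_aro=0.5)  # cuts ARO from 2 to 0.5 per year
```

With a risk appetite of 15,000 per year, `recommend(WEB, 15_000, WAF)` returns "mitigate": ALE falls from 50,000 to a residual 12,500 and the control is worth 29,500 a year after its own cost.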


5. Personnel Security

  • Separation of Duties: No one person should have enough power to commit and conceal fraud.
  • Job Rotation: Moves employees between roles to detect fraud and cross-train.
  • Mandatory Vacations: Helps detect fraud by requiring someone else to perform the duties for a period.
  • Onboarding/Offboarding: The most critical step in offboarding is the immediate revocation of access.