The first domain of the CISSP exam is ‘Security and Risk Management’. This domain expects candidates to know the following sub-objectives:
The candidate is expected to know the three core principles of information security – confidentiality, integrity, and availability (the CIA triad). ‘Confidentiality’ is ensuring that information is seen only by the intended recipients and no one else. ‘Integrity’ is ensuring that information is not tampered with or altered in any way, whether in transit or at rest. ‘Availability’ is ensuring that information and the systems that serve it are accessible when needed.
The core idea behind security governance is that security programs must have the approval of the management of an organization. The security function should also be aligned with the business strategy, mission, and goals of the organization.
Since security is a shared responsibility within an organization, each person should be assigned a clearly defined security responsibility (for example, data owner, data custodian, or user) so as to reduce the risk of security incidents.
In an increasingly interconnected world, complying with the laws and regulations that apply to one’s own country and business environment has become highly complicated. In this regard, the CISSP candidate is expected to know the contractual, legal, industry-standard and regulatory requirements in addition to the privacy requirements.
With security breaches occurring all over the world, the security professional has to be aware of the legal and regulatory issues related to information security. With this in mind, the candidate is expected to know licensing and intellectual property requirements, import/export controls, trans-border data flow, and privacy.
The test taker is expected to understand the difference between security policies, standards, procedures, and guidelines, and to be able to develop and document them for an organization.
A security policy is a high-level, mandatory document that states management’s intent regarding the security of an organization. Standards are mandatory rules that specify how the policy is implemented (for example, which configurations or technologies must be used). Guidelines are recommended, non-mandatory practices that help people act in the spirit of the policy where no standard applies. Procedures are step-by-step instructions for carrying out the policy and standards.
In the wake of floods, earthquakes, terrorist attacks, and other natural and man-made disasters, businesses are expected to restore their basic and essential functions quickly. A business continuity plan (BCP) is the plan that is followed during and after a disaster. The different phases of a business continuity plan are:
More often than not, the weakest link in the security perimeter is the employees of an organization. Since personnel come into direct contact with data, it is good practice to recruit employees only after suitable candidate screening, reference checks, and appropriate background investigations.
Once recruited, employment agreements and policies should be drawn up and signed. Termination procedures should also be created to ensure that sensitive data does not leave the organization with a departing employee. Vendors, consultants, and contractors should also be subject to suitable controls to make sure that organizational data does not move outside the organization.
In this sub-objective, the candidate is expected to understand the risk assessment process along with the risk management concepts. The risk assessment process involves preparing for the assessment, conducting the assessment, communicating the results, and maintaining the assessment over time.
The candidate is also expected to know security and audit frameworks and methodologies such as COSO, ITIL, COBIT, and ISO 27002:2013. The test taker should have knowledge of qualitative and quantitative risk assessments and be able to identify threats and vulnerabilities. Qualitative assessments rank risk on descriptive scales (such as high, medium, low); quantitative assessments assign monetary values to assets and expected losses so that the cost of a countermeasure can be compared directly with the loss it prevents.
The test taker should also know the countermeasures that can be applied to the risks in an environment, the different types of controls (directive, deterrent, preventive, compensating, detective, corrective, recovery), tangible and intangible asset valuation, and the four-step quality model for continuous improvement (Plan-Do-Check-Act), among other things.
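As an added worked example (not code from the original post), the following Python computes the standard quantitative figures that the exam tests: single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = SLE × annualized rate of occurrence), and the value of a safeguard (ALE before − ALE after − annual cost of the safeguard). The threat, asset value and safeguard figures are constructed sample numbers, and the `Threat`/`Safeguard` classes are my own names, not any standard’s.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost-benefit.

Added example. The formulas are the standard CISSP quantitative ones;
the figures below are constructed sample data, not real measurements.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # AV: value of the asset at risk (currency units)
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0-1.0
    aro: float               # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Guard against the two most common data-entry mistakes.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                  # ACS: annual cost of the safeguard
    new_exposure_factor: Optional[float] = None  # None = EF unchanged
    new_aro: Optional[float] = None              # None = ARO unchanged


def sle(t: Threat) -> float:
    """Single loss expectancy: loss from one occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized loss expectancy: expected loss per year without controls."""
    return sle(t) * t.aro


def ale_with(t: Threat, s: Safeguard) -> float:
    """ALE after the safeguard, which may reduce EF, ARO, or both."""
    ef = t.exposure_factor if s.new_exposure_factor is None else s.new_exposure_factor
    aro = t.aro if s.new_aro is None else s.new_aro
    return t.asset_value * ef * aro


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """Net annual value: (ALE before) - (ALE after) - (annual cost)."""
    return ale(t) - ale_with(t, s) - s.annual_cost


def best_safeguard(t: Threat, options: list[Safeguard]) -> Optional[Safeguard]:
    """Pick the safeguard with the highest positive net value.

    A negative value means the control costs more per year than the loss it
    prevents, so spending on it is not justified; returns None in that case
    (the organization would accept or transfer the risk instead).
    """
    scored = [(safeguard_value(t, s), s) for s in options]
    value, choice = max(scored, key=lambda pair: pair[0])
    return choice if value > 0 else None


# Constructed sample scenario (not from the original post).
RANSOMWARE = Threat("ransomware on file server",
                    asset_value=500_000, exposure_factor=0.4, aro=0.5)

OPTIONS = [
    Safeguard("offline backups", annual_cost=15_000, new_exposure_factor=0.1),
    Safeguard("mail filtering", annual_cost=8_000, new_aro=0.2),
    Safeguard("full rebuild of platform", annual_cost=120_000,
              new_exposure_factor=0.05, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE = {sle(RANSOMWARE):,.0f}, ALE = {ale(RANSOMWARE):,.0f}")
    for s in OPTIONS:
        print(f"{s.name:28s} ALE after = {ale_with(RANSOMWARE, s):>9,.0f}"
              f"  net value = {safeguard_value(RANSOMWARE, s):>9,.0f}")
    chosen = best_safeguard(RANSOMWARE, OPTIONS)
    print("recommended:", chosen.name if chosen else "accept/transfer the risk")
```

With these sample figures, offline backups (net value 60,000) beat mail filtering (52,000), and the expensive rebuild has a negative net value even though it reduces the ALE the most. That is the point of the quantitative method: a control is justified by the loss it prevents relative to what it costs, not by how much it reduces risk in isolation.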
Threat modeling enables organizations to reduce risk by identifying the threats to a system, the assets and entry points they target, and the security improvements that mitigate them before the system is built or changed. The candidate is expected to know the different steps in the threat modeling process along with the associated concepts and methodologies.
The CISSP exam expects candidates to apply risk-based management concepts to the supply chain. Today’s supply chain is not tied only to physical assets – it also involves information and communication technologies, including hardware, software and services obtained from third parties. Since these may be subject to malware, tampering and other security incidents, organizations need to implement a supply chain risk management program.
A good supply chain risk management program involves these points:
Organizations must uphold the three core principles of information security (confidentiality, integrity and availability) as information travels across all parties involved in the business, such as customers, employees and business partners.
It is not enough for security policies simply to be created – they have to reach every part of an organization, and this is only possible through security education, training and awareness programs.
The candidate should know the different methods and techniques for delivering awareness and training programs (for example, role-specific classes for accounting or IT staff alongside general security awareness courses).
The candidate should also know the performance metrics that are used to evaluate security awareness programs after they have been conducted.
That covers domain 1 of the CISSP exam. We will look at the next domain in subsequent posts.