Spend Less & Save More with our Exciting End-of-Year offers (BUY 1 GET 1 FREE) | Offer ending in:
D H M S Grab Now

Domain 1: Security and Risk Management

The first domain of the CISSP exam is ‘Security and Risk management’. This domain of the CISSP exam expects the candidates to know the following sub-objectives:

  1. The concepts of confidentiality, integrity, and availability

The candidate is expected to know the three core principles of Information security – confidentiality, integrity, and availability. ‘Confidentiality’ is ensuring that the information is seen only by the intended recipients and no one else. ‘Integrity’ is ensuring that the information that is transmitted is not tampered or altered in any way. ‘Availability’ is ensuring that the information is available when needed.

  1. Security governance principles

The core idea behind security governance is that security programs must have the approval of the management of an organization. The security function should also be aligned with the business strategy, mission, and goals of the organization.

Since security is a joint responsibility within an organization, each person in an organization should be given a security responsibility so as to reduce the risk of security incidents.

  1. Compliance

In an increasingly interconnected world, complying with laws and regulations pertaining to one’s own country and business environment has become highly complicated. In this regard, the CISSP candidate is expected to know the contractual, legal, industry standards and regulatory requirements in addition to the privacy requirements.

  1. Legal and regulatory issues

With security breaches occurring all over the world, the security professional has to be aware of the legal and regulatory issues related to information security. With this in mind, the candidate is expected to know the licensing and intellectual property requirements, import-export controls, trans-border data flow, and privacy.

  1. Documented security policy, standards, procedures, and guidelines

The test taker is expected to understand the difference between security policy, standards, procedures, and guidelines and develop and document them for an organization.

Security policy is a high-level document regarding the security of an organization. Standards are the implementation of the security policy of an organization. Guidelines are created when the certain standards are not met and exceptions arise. Procedures are step-by-step instructions of the security policies.

  1. Business continuity requirements

In the wake of floods, earthquakes, terrorist attacks, and other natural and unnatural disasters, businesses are expected to bounce back with basic and essential functions. Business continuity is the plan that is to be followed when and after a disaster strikes. The different phases of a business continuity plan are:

  1. Project initiation and management
  2. Develop and document project scope and plan
  3. Conduct BIA or Business impact analysis
  1. Personnel security policies

In more cases than one, the weakest link in the security perimeter might the employees in an organization. Since the different personnel in an organization come into direct contact with data, it is good to recruit employees after suitable employment candidate screening, reference checks, and appropriate background investigations.

Once recruited, employee agreements and policies should be drawn and signed. Termination policies should also be created to ensure that sensitive data is not permeated outside the organization. Vendors, consultants, and contractors should also have suitable controls in place to make sure that organizational data does not move outside.

  1. Risk management concepts

In this sub-objective, the candidate is expected to understand the risk assessment process along with the risk management concepts. The risk assessment process involves preparing for assessment, conducting the assessment, communicating the results and maintaining the assessment.

The candidate is also expected to know the security and audit frameworks and methodologies such as COSO, ITIL, COBIT, ISO 27002:2013. The test taker should have knowledge of qualitative risk assessments, quantitative risk assessments and be able to identify threats and vulnerabilities.  Quantitative risk assessments are more numerical than qualitative risk assessments.

The test taker should also know the countermeasures that can be applied to the risks in an environment, the different types of controls (such as directive, deterrent, preventive, compensating, detective, corrective, recovery) and tangible and intangible asset valuation, the four-step quality model for continuous improvement among other things.

  1. Threat modeling

Threat modeling enables organizations to reduce risk by suggesting security improvements. The candidate is expected to know the different steps in the threat modeling process along with the concepts and methodologies.

  1. Integrating security risk considerations into acquisitions strategy and practice

The CISSP exam expects the candidates to apply risk based management concepts to the supply chain. Supply chain today is not only tied with physical assets – it is also associated with information and communication technologies. Since these maybe subjected to malware attacks and other security incidents, it is necessary for organizations to implement a supply chain risk management program.

A good supply chain risk management program involves these points:

  1. A baseline cyber security requirement contract should be created and this should be used when making appropriate acquisitions
  2. Businesses should consider cyber security insurance to recover from cyber attacks
  3. Supply chain requirements should be embedded in contracts and service level agreements
  4. In a supply chain management system, it is critical to engage with multiple suppliers than with a single supplier
  5. A security audit is necessary for crucial suppliers

It is necessary for organizations to uphold the three core principles of information security (confidentiality, integrity and availability) as information travels across all elements of a business such as customer, employee and business partner.

  1. Security education, training, and awareness

It is not enough if security policies are just created – they have to pierce the other parts of an organization and this can be made possible only by means of security education, training and awareness programs.

The candidate should know the different methods and techniques to present the awareness and training programs (as an example, specialty classes for roles like accounting, IT and security awareness courses)

The candidate should also know the performance metrics that have to be employed after the security awareness programs are conducted.

We have seen domain 1 of the CISSP exam in this post…we will look at the next domain in subsequent posts…

Jayanthi Manikandan ( )
Cyber Security Analyst
Jayanthi Manikandan has a Master’s degree in Information systems with a specialization in Information Assurance from Walsh college, Detroit, MI. She is passionate about Information security and has been writing about it for the past 6 years. She is currently ‘Security researcher at InfoSec train.