CISSP Domain 1 Review – Security and Risk Management

This post serves as a review for the domain 1 of the CISSP. This domain covers security and risk management.

CIA Triad

  • Confidentiality: Preventing unauthorized access to data.
    • How? Access control and Encryption.
  • Integrity: Ensuring that data was not altered (intentionally or accidentally).
    • How? Hashing/Message digests.
  • Availability: Having the information accessible for authorized individuals.
    • How? Redundancy, backups and fault-tolerance.

Security Governance

  • Align security with the organization’s mission, goals and objectives.
  • Governance is the process by which decisions are made within an organization.
  • Governance committee: A group of personnel who determine how decisions should be made within the organization.
  • Organizational roles:
    • Senior Management (C-level) : CEO, CFO, COO, CIO.
    • Security Manager : Responsible for advising senior management on security matters.
  • Due Care/Due Diligence
    • Due Care : Address any risk as a reasonable person would given the same set of facts. Do the right thing (the prudent man rule).
    • Due Diligence : Making sure that the right thing was done. Ex: Performing audits and investigations.

Organizational Documents

  • Policies :
    • High-level document.
    • Should include : Scope, purpose, responsibilities, and compliance.
    • Three types: Regulatory (mandatory), Advisory and Informative.
  • Standards
    • Tied directly to the organization’s policies.
    • Mandatory.
  • Procedures
    • Step by step instructions. Highly detailed.
    • Can be mandatory or optional.
  • Guidelines
    • Not mandatory.
    • When flexibility is necessary.
    • Often rely on best practices.

Security Risk Management

  • Assets contain vulnerabilities.
  • Threats exploit vulnerabilities.
  • Risk exists when both vulnerability and threat are present.
  • Exposure = attack surface OR exploitable area. Our goal is to reduce exposure.
  • Two types of risk assessment methodologies:
    • Quantitative:
      • SLE = Asset Value x Exposure Factor
      • ALE = SLE x ARO.
      • If the ALE is less than the price of the mitigation control, the risk can be accepted.
    • Qualitative:
      • Ex: Rating from 1 to 5
      • When budget, time and trained personnel are not available.
  • Risk Management :
    • Risk acceptance : Do nothing.
    • Risk mitigation : Apply measures to reduce risk.
    • Risk transfer : Transfer the risk to an external entity (like insurance).
    • Risk avoidance : Remove the thing that is creating the risk.
  • Residual risk: The remaining risk after risk mitigation is performed.
  • Frameworks:
    • ISO 31000 : Holistic
    • ISO 27005
    • COSO
    • NIST SP 800-37
    • ISACA RiskIT
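A worked example, added here and not part of the original post, that implements the quantitative method above (SLE = Asset Value x Exposure Factor, ALE = SLE x ARO, accept when the ALE is below the control's price) and also reports the residual ALE left after mitigation. The scenario figures are constructed, and the control_value line (ALE reduction minus the safeguard's annual cost) is an extension beyond the outline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # Annualized Rate of Occurrence (incidents per year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # price of the mitigation control per year
    residual_ef: float      # EF remaining once the control is in place
    residual_aro: float     # ARO remaining once the control is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def evaluate(scenario: RiskScenario, control: Control) -> dict:
    """Accept the risk when ALE < control price, otherwise mitigate.
    Also returns the residual ALE and the net yearly value of the control."""
    before = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    after = ale(scenario.asset_value, control.residual_ef, control.residual_aro)
    return {
        "asset": scenario.asset,
        "sle": sle(scenario.asset_value, scenario.exposure_factor),
        "ale": before,
        "residual_ale": after,                      # residual risk after mitigation
        "control_value": (before - after) - control.annual_cost,
        "decision": "accept" if before < control.annual_cost else "mitigate",
    }


# Constructed sample figures (hypothetical, not from the post).
FILE_SERVER = RiskScenario("file server", 500_000, 0.30, 0.2)
NIGHTLY_BACKUP = Control("nightly backup", 12_000, 0.05, 0.2)
KIOSK = RiskScenario("lobby kiosk", 20_000, 0.50, 0.1)
KIOSK_GUARD = Control("kiosk hardening", 4_000, 0.10, 0.1)
```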

Threat Modeling

  • System-centric : STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege).
  • Attacker-centric : PASTA (Process for Attack Simulation and Threat Analysis).
  • Data-centric : NIST SP 800-154.

Personnel Security

  • Candidate screening and hiring
    • What skills are needed
    • Interviewing : Never interview a candidate alone.
    • Background investigations: Financial info, social media, criminal history, driving records, drug testing, prior employment.
    • Employment agreement and policies: NDA, Acceptable use, conflict of interest (Actual or potential), gift handling, mandatory vacations.
  • On-boarding : Orientation, tribal knowledge.
  • Employment : Periodic investigations and screening.
  • Termination : Voluntary or involuntary.
  • Key control principles:
    • Separation of Duties: Ensure one person does not act alone.
    • Least Privilege: Privileges necessary to do the work but no more.
    • Need-to-Know: Information is shared with a person only if it is needed to do the work.

Awareness, Training and Education

  • Awareness : Issue-specific. Generally for all employees.
  • Training : Teaching specific skills to address known circumstances.
  • Education : Developing a conceptual understanding of a Common Body of Knowledge.

Ethics and Legal Systems

  • (ISC)² Code of Ethics
    • Two Preambles
    • Four Canons:
      1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
      2. Act honorably, honestly, justly, responsibly, and legally.
      3. Provide diligent and competent service to principals.
      4. Advance and protect the profession.
  • Other standards for ethical conduct
    • IAB (Internet Architecture Board) “Ethics and the Internet”.
    • CEI (Computer Ethics Institute) “The Ten Commandments of Computer Ethics”.
  • Common Law : Relies on precedent.
  • Civil Law : Relies on a legal code.
  • Religious Law : Based on religion.
  • Mixed Law : Combines elements of the other legal systems.

Computer Crimes

  • Computer-assisted crimes.
  • Computer as target.
  • Computers incidental.

Intellectual Property

  • Types :
    • Copyright : Protects the artistic expression of an idea. Protection duration varies. It generally extends for at least 50 years after the author’s death.
    • Patent : Generally protected for about 20 years. It should be registered.
    • Trademark : Registered, and can be renewed indefinitely as long as the organization is in business.
    • Trade Secret : Not registered, should be kept secret.
  • Enforcement :
    • WIPO : World Intellectual Property Organization.
    • WTO : World Trade Organization.
    • DMCA : Digital Millennium Copyright Act.
  • Licenses : Freeware / Shareware (Trialware) / Commercial Software / Academic Software.

Privacy Laws

  • International
    • OECD : Organization for Economic Cooperation and Development.
      • 8 privacy principles:
        1. Collection Limitation.
        2. Data Quality.
        3. Purpose Specification.
        4. Use Limitation.
        5. Security Safeguards.
        6. Openness.
        7. Individual Participation.
        8. Accountability.
  • EU :
    • GDPR : Protects EU citizens even outside the boundaries of the EU.
      • Roles:
        • Data controller.
        • Data processor.
        • Supervisory authority.
      • Principles:
        1. Lawfulness, fairness and transparency.
        2. Purpose limitation.
        3. Data minimization.
        4. Accuracy.
        5. Storage limitation.
        6. Integrity and confidentiality.
      • Fines:
        • Lower level : Up to 10 Million Euro or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
        • Upper level : Up to 20 Million Euro or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
  • US :
    • Federal Privacy Act : Applies to federal institutions.
    • FTC Act : The Federal Trade Commission Act.
    • GLBA : For Financial Institutions.
    • FCRA : The Fair Credit Reporting Act.
    • HIPAA : For medical and healthcare information.
    • ECPA : The Electronic Communications Privacy Act (how the government may access electronic communications).
    • GINA : Genetic Information Non-discrimination Act.

Business Continuity and Disaster Recovery

  • Main reference : NIST SP 800-34
  • BCM policy : Failing to have a BCM policy violates the fiduciary standard of due care.
  • Process:
    1. Contingency planning.
    2. Business Impact Analysis.
      • Define CBFs : Critical Business Functions.
      • Measures of impact : MTD, RPO, RTO. (RTO < MTD).
      • Identify dependencies.
    3. Identify preventive controls.
    4. Create contingency strategies.
    5. Develop information systems contingency plan.
    6. Plan testing, training and exercises.
    7. Plan maintenance.

We have now gone through all items that are covered in the domain 1 of the CISSP. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.
