Domain 1: Security and Risk Management carries a weight of 15% of the CISSP exam.
Below are summaries of the key objectives of Domain 1: Security and Risk Management.
- Cornerstone Information Security Concepts: This section introduces the basic concepts of information security, such as confidentiality, integrity, availability, authentication, authorization, accountability, and non-repudiation. It also explains the principles of least privilege, need to know, defense-in-depth, due care, and due diligence.
- Legal and Regulatory Issues: This section covers the major legal systems and types of law that affect information security, such as civil, common, and religious law, and criminal, civil, and administrative law. It also discusses the legal aspects of investigations, such as evidence, search and seizure, computer crime, and intellectual property.
- Ethics: This section explores the ethical issues and dilemmas that information security professionals may face, such as privacy, confidentiality, integrity, and professionalism. It also presents some ethical codes and frameworks that can guide ethical decision making, such as the (ISC)2 Code of Ethics and the International Federation for Information Processing (IFIP) Code of Ethics.
- Information Security Governance: This section describes the organizational structure and processes that enable effective information security management, such as security policies, standards, procedures, guidelines, roles, and responsibilities. It also explains the concepts of security governance, risk management, and compliance.
- Access Control Defensive Categories and Types: This section provides an overview of the different categories and types of access control mechanisms that can be used to protect information assets, such as administrative, technical, and physical controls, and preventive, detective, corrective, deterrent, recovery, and compensating controls. It also introduces some access control models and methods, such as discretionary, mandatory, and role-based access control, and identification, authentication, authorization, and accountability.
- Risk Analysis: This section explains the process and methods of conducting risk analysis, which is the identification, assessment, and prioritization of risks to information assets. It also discusses the concepts of threat, vulnerability, impact, likelihood, exposure, and countermeasure, and some risk analysis techniques, such as qualitative and quantitative analysis, annualized loss expectancy, and cost-benefit analysis.
- Security and Third Parties: This section examines the security challenges and best practices of dealing with third parties, such as vendors, suppliers, contractors, and customers, who may have access to or affect the information assets of an organization. It also covers some topics related to third-party security, such as outsourcing, offshoring, cloud computing, service level agreements, and audits.
- Types of Attackers: This section categorizes and characterizes the different types of attackers who may pose a threat to information assets, such as hackers, crackers, script kiddies, hacktivists, cybercriminals, cyberterrorists, insiders, and state-sponsored actors. It also describes some of their motivations, goals, and methods.
Unique Terms and Definitions from Domain 1: Security and Risk Management
- AAA – Authentication, Authorization, and Accountability, the three processes that ensure the identity, access, and responsibility of users and systems.
- Access Matrix – A model of access control that uses rows to represent subjects and columns to represent objects, with privileges listed in each cell.
- Account Harvesting – The process of collecting all the legitimate account names on a system, often used for password guessing attacks.
- Active Content – Program code embedded in the contents of a web page that is automatically downloaded and executed on the user’s workstation, such as Java or ActiveX.
- Annualized Loss Expectancy (ALE) – The expected cost of loss due to a risk over a year, calculated by multiplying the annual rate of occurrence (ARO) of an event by the single loss expectancy (SLE) of that event.
- Asymmetric cryptography – A branch of cryptography that uses a mathematically related key pair (a public key and a private key): encrypting with the recipient's public key provides confidentiality, while signing with the sender's private key provides integrity, authentication, and non-repudiation.
- Availability – ensures that information and systems are accessible to authorized users when needed.
- CIA triad – Confidentiality, Integrity, and Availability, the cornerstone concept of information security that describes the three objectives of protecting data and systems.
- Civil law – A legal system based on codified statutes, in which judges apply the written code rather than create binding precedent (used in most of continental Europe and Latin America).
- Common law – A legal system in which judicial precedent (case law) carries binding force alongside statutes passed by the legislature (used in the United States, the United Kingdom, and most Commonwealth countries).
- Confidentiality – seeks to prevent the unauthorized disclosure of information: it keeps data secret.
- Integrity – seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. Integrity also seeks to ensure data that is written in an authorized manner is complete and accurate.
- Copyright – A legal right that grants the author of an original work the exclusive right to reproduce, distribute, perform, display, or license the work, for a limited period of time.
- DAD triad – Disclosure, Alteration, and Destruction, the opposite of the CIA triad that describes the three types of threats to data and systems.
- Defense-in-depth – The strategy of applying multiple layers of safeguards (controls) to protect an asset, in case one or more of them fail.
- Due care – The act of doing what a reasonable person would do in a given situation, to avoid negligence and harm.
- Due diligence – The management of due care: following and documenting a process that verifies policies and controls are in place, followed, and effective.
- Intellectual property – The intangible creations of the human mind, such as inventions, artistic works, designs, and symbols, that can be legally protected by patents, copyrights, trademarks, and trade secrets.
- Least privilege – The principle of granting users the minimum amount of access (authorization) required to do their jobs, but no more.
- Need to know – The principle of granting users access to a specific piece of information only if they have a business need to do so.
- Non-repudiation – The ability to prove the origin and integrity of a transaction or message, and prevent the sender or receiver from denying it.
- Object – A passive entity on an information system, such as a file or a database, that can be accessed or modified by subjects.
- Patent – A legal right that grants a monopoly to the inventor of a novel and useful invention, for a limited period of time, in exchange for disclosing the invention to the public.
- Religious law – A legal system that derives from religious doctrine or interpretation, such as Sharia law in Islam.
- Return on Investment – the net money saved by deploying a safeguard: the reduction in annualized loss expectancy minus the safeguard's total cost of ownership. A safeguard is justified only when this value is positive.
- Risk – a matched threat and vulnerability: a threat that can exploit a vulnerability to cause loss to an asset.
- Safeguard – a measure taken to reduce risk
- Subject – An active entity on an information system, such as a user or a program, that can manipulate objects.
- Threat – a potentially negative occurrence
- Total Cost of Ownership – the full cost of a safeguard over its life, including purchase, deployment, maintenance, licensing, and the staff time to operate it, normally annualized for comparison against ALE.
- Trade secret – A legal right that protects any confidential and valuable information that gives a competitive advantage to its owner, as long as it is not disclosed to the public.
- Trademark – A legal right that grants the owner of a distinctive sign, symbol, or slogan the exclusive right to use it to identify and distinguish their goods or services from others.
- Vulnerability – a weakness in a system that a threat can exploit.
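The quantitative terms above (SLE, ARO, ALE, TCO, ROI) are easiest to understand when carried through a safeguard selection decision. The following Python is an added example, not part of the original page: the asset values, exposure factors, and safeguard costs are constructed for illustration, and the `Risk`/`Safeguard` classes are this example's own. It extends the single ALE formula to the full cost-benefit comparison the Risk Analysis objective describes, ranking several candidate safeguards and recommending risk acceptance when none pays for itself.

```python
"""Quantitative risk analysis worked example (constructed figures).

SLE = AV x EF          single loss expectancy
ALE = SLE x ARO        annualized loss expectancy
ROI = ALE_before - ALE_after - TCO   value of a safeguard
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: value of the asset in currency units
    exposure_factor: float   # EF: fraction of AV lost per incident (0.0 - 1.0)
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: the loss from one occurrence (AV x EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly loss (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    tco: float                           # annualized Total Cost of Ownership
    residual_ef: Optional[float] = None  # EF after the control, if it reduces impact
    residual_aro: Optional[float] = None # ARO after the control, if it reduces likelihood

    def residual_risk(self, risk: Risk) -> Risk:
        """The same risk re-estimated with this safeguard in place."""
        return Risk(
            risk.name,
            risk.asset_value,
            risk.exposure_factor if self.residual_ef is None else self.residual_ef,
            risk.aro if self.residual_aro is None else self.residual_aro,
        )


def roi(risk: Risk, safeguard: Safeguard) -> float:
    """Return on Investment: ALE reduction minus TCO. Positive means the control pays for itself."""
    return risk.ale() - safeguard.residual_risk(risk).ale() - safeguard.tco


def best_safeguard(risk: Risk, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the highest-ROI safeguard, or None when no candidate has positive ROI (accept the risk)."""
    ranked = sorted(candidates, key=lambda s: roi(risk, s), reverse=True)
    if ranked and roi(risk, ranked[0]) > 0:
        return ranked[0]
    return None


# Constructed scenario (not from the page): a file server valued at 500,000;
# a ransomware incident destroys 60% of its value and is expected once every two years.
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5)

# Constructed candidate safeguards, each with an assumed effect on EF or ARO.
CANDIDATES = [
    Safeguard("offline backups", tco=20_000, residual_ef=0.1),        # cuts impact
    Safeguard("EDR plus mail filtering", tco=60_000, residual_aro=0.1), # cuts likelihood
    Safeguard("gold-plated insurance", tco=200_000, residual_ef=0.0),  # eliminates loss, costs more than the ALE
]


if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}   ALE = {RANSOMWARE.ale():,.0f}")
    for s in CANDIDATES:
        print(f"{s.name:24s} TCO {s.tco:>9,.0f}   ROI {roi(RANSOMWARE, s):>10,.0f}")
    choice = best_safeguard(RANSOMWARE, CANDIDATES)
    print("Recommended:", choice.name if choice else "accept the risk")
```

Run it as a script to see the ranking. With these figures the baseline ALE is 150,000; offline backups return 105,000 a year and win, EDR returns 60,000, and the insurance option has a negative ROI because its TCO exceeds the entire ALE it removes, which is exactly the case where a safeguard should be rejected even though it "eliminates" the risk.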