This is one of the lengthiest and a relatively important domain in CISSP. People working in technical roles find this domain difficult as it is more business-focused and relates to wide concepts in Risk Management, as well as setting up an Information Security and Governance Framework. For your information, the CISSP Exam weightings are below.
|
Domains |
Weight |
|
1. Security and Risk Management |
16% |
|
2. Asset Security |
10% |
|
3. Security Engineering |
12% |
|
4. Communication and Network Security |
12% |
|
5. Identity and Access Management |
13% |
|
6. Security Assessment and Testing |
11% |
|
7. Security Operations |
16% |
|
8. Software Development Security |
10% |
|
Total |
100% |
Structure of this blog
The author will summarise this Domain in the form of a short story (at a high level only - list of topics one will learn in this Domain). The attached Review Notes checklist will elaborate on the concepts, giving you a snapshot of the Domain for your revision.
Download a copy of CISSP Domain 1 - Security and Risk Management - Review Notes
Domain 1 Summary
Domain 1 starts with information on the three pillars of Information Security - Confidentiality, Integrity and Availability, explaining the significance of each principle in the reality. Next, the Domain explains the difference between the Information Security Management and Information Security Governance concepts.
Next, the Domain explains the strategy to draft your Information Security Goals as Strategic (long term), Tactical (six months to one year) and Operational (less than months) goals. The goals should be based on the security objectives derived from the business security objectives, also called DUE CARE objectives. The Domain explains the difference between "Due Care" objectives and "Due Diligence" objectives.
The domain provides guidance on contents of an Information Security policy and how a policy is different from a procedure, a standard, a baseline and a guideline document. This includes the detailed understanding of "Information Security" roles and responsibilities for Senior Management, the Chief Information Security Officer, the Data Owner, the Data Custodian, the System Owner, the System Administrator and the Security Administrator. The concepts of these roles and responsibilities are tested quite a bit in the actual CISSP Exam.
The Domain moves on to explain the different types of controls (Administrative, Technical and Physical) and concepts including Segregation of Duties, Job Rotation, Mandatory Vacations, Spilt Knowledge and Dual Control. Next, the Domain shares information on Information Security practices in hiring new employees and employee termination. Again, these concepts are tested in the actual CISSP Exam.
As the name of the Domain suggests - "Risk Management" - this domain delves into explaining the fundamentals of Risk Management including Assets (both tangible and intangible), Vulnerability, Threat, completing a "Business Impact Analysis" exercise and creating a risk register. Thereafter, we learn to understand the risk remediation approaches (Risk Mitigation, Risk Transfer, Risk Avoidance and Risk Acceptance).
We learn the most popular Risk Management global approaches including Octave, ISO 27005 and NIST 800-30. Though these standards/risk management frameworks are not important for the CISSP exam, the expectation is that we understand them at a high level, at least the names.
Post-understanding the risk management concepts, the Domain provides information on Enterprise Architecture Frameworks like Zachman, SABSA and TOGAF. The expectation here is to understand these enterprise architecture frameworks at definition level and understand how one framework is different from the other framework. Please refer to the attached Review Notes for more detail.
The domain explains the concepts around Business Continuity Management (BCM). The reason for including the BCM concepts is that the methodology to creating a business continuity plan is derived from risk managing the organisation assets.
The next topic in the Domain is Legal Laws, Categories of Laws, concepts around Proximate Causation, Exigent Circumstances, Prudent Man Rule, Data Protection Act, Privacy Laws and Safe Harbor. The expectation is that one understands these laws at a high level.
The Domain next defines the Intellectual Property Laws, Patents, Trademark, Copyright and Trade Secrets. Along with this, we learn the concepts around IT Forensics, Chain of Custody, types of evidence, computer surveillance and finally, the ISC2 Code of Ethics.
Conclusion
This Domain is important as there are a lot of questions asked about IT policies, procedures, roles and responsibilities, types of controls, risk management concepts including risk analysis, risk evaluation and risk remediation. There will also be one numerical (calculation-based) around the calculating risk. Overall, this Domain is more business-focused and is not technical. As a result, it is deemed as difficult by people working in technical roles.
The author is a professional CISSP trainer within CMA's training pool. He is CMA's CISSP/CISA/ISO 27001/SOX/Information Risk Management/SAP Cybersecurity trainer. He has an MBA (Finance), Computer Engineering, CISSP, CISA, ITIL (expert), COBIT (foundations) and SAP security qualifications.
Drop us a line on:
Or call us on:
Show comments
Like this article?Share it with other!