CISSP domain one: security and risk management - What you need to know for the exam
https://resources.infosecinstitute.com/certification/security-risk-mana...

July 6, 2019 by Infosec
Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cyber security perspective, industries such as energy, healthcare, banking, insurance, retail, etc., involve a lot of risks which impede the adoption of technology and which need to be effectively managed. The associated risks which need to be addressed evolve quickly and must be handled in a short period of time.

Computing technology is not restricted to mainframes and PCs anymore. Both simple and advanced devices are now part of our everyday lives, ranging from road signs to intelligent vending machines to advanced diagnostic medical services. Each of these new types of devices needs to be secured since they all have their own requirements regarding Confidentiality, Integrity, and Availability of the data or resources they provide.

Risk management involves comprehensive understanding, analysis and risk-mitigating techniques to ensure that organizations achieve their information security objectives. Risk is inherent in every aspect of information security decisions, and risk management concepts therefore help make each decision effective.

The major components of Security and Risk Management crucial for CISSP are:

• Information security within the organization / Security Model
• The triad of information security – Confidentiality, Integrity and Availability
• Security governance principles
• Business continuity requirements
• Policies, standards, procedures, and guidelines
• Risk management concepts
• Threat modeling

Goals of a security model

The two primary objectives of information security within the organization from a risk management perspective include:

• Have controls in place to support the mission of the organization.
• All decisions should be based on the organization's risk tolerance, cost and benefit.


Figure 1: Security Model

• Strategy leads to Tactics; Tactics lead to Operations.

Operational goals may include patching computers as needed, supporting users, updating anti-virus signatures, and maintaining the overall network on a daily basis. Corresponding tactical goals could involve moving computers into domains, installing firewalls, and segregating the network by creating a demilitarized zone. Then, the strategic goals may refer to having all domains centrally administered and implementing VPNs and RADIUS servers to provide a highly secure environment that provides a good amount of assurance to the management and employees.

• A security model has different layers, but it also has different types of goals to accomplish in different time frames. Daily goals, or operational goals, focus on productivity and task-oriented activities to ensure the company’s functionality in a smooth and predictable manner. Mid-term goals, or tactical goals, could mean integrating all workstations and resources into one domain so more central control can be achieved. A long-term goal, or strategic goal, may involve moving all the branches from dedicated communication lines to frame relay, implementing IPSec virtual private networks (VPNs) for all remote users instead of dial-up entry, and integrating wireless technology with the comprehensive security solutions and controls existing within the environment.
• This technique and approach to strategy is called the planning horizon. A company cannot usually implement all changes at once, and some changes are larger than others. Often, certain changes cannot happen until other changes have taken place. If an organization whose network is currently decentralized and works in workgroups without any domain trust wants to implement its own certificate authority (CA) and public key infrastructure (PKI) enterprise-wide, this cannot happen in a week’s time. The operational goals are to keep production running smoothly and to make small steps towards readying the environment for a domain structure. The tactical goal would be to put all workstations and resources into a domain structure and centralize access control and authentication. The strategic goal is to have all workstations, servers, and devices within the enterprise use the public key infrastructure to deliver authentication, encryption, and additional secure communication channels.

Generally, security works best if its operational, tactical, and strategic goals are defined and work to support each other. This can be more difficult than it appears.

Security fundamentals

Confidentiality, integrity and availability (the CIA triad) is a typical security framework intended to guide policies for information security within an organization.

1. Confidentiality: Prevent unauthorized disclosure

Confidentiality of information refers to protecting the information from disclosure to unauthorized parties.

Key areas for maintaining confidentiality:

• Social Engineering: Training and awareness, defining Separation of Duties at the tactical level, enforcing policies and conducting Vulnerability Assessments
• Media Reuse: Proper Sanitization Strategies
• Eavesdropping: Use of encryption and keeping sensitive information off the network with adequate access controls

2. Integrity: Detect modification of information

The integrity of information denotes protecting the sensitive information from being modified by unauthorized parties.

Key areas for maintaining integrity:

• Encryption – Integrity-based algorithms
• Intentional or Malicious Modification
• Message Digest (Hash)
• MAC
• Digital Signatures

3. Availability: Provide timely and reliable access to resources

Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.

Key areas for maintaining availability:

• Prevent single points of failure
• Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc.)

Best practices to support CIA

• Separation of Duties: Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of Duties is a preventative control.
• Mandatory Vacations: Prevents an operator from having exclusive use of a system. Periodically, that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.
• Job rotation: Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.
• Least privilege: Allowing users to have only the required access to do their jobs.
• Need to know: In addition to clearance, users must also have “need to know” to access classified data.
• Dual control: Requiring more than one user to perform a task.
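Separation of duties, least privilege and dual control are not only HR policies; they translate directly into authorization checks. The following is an added example, not code from the article or from Infosec, showing one way to enforce all three in a change-approval workflow. The role names, permission names and the sample change request are constructed for illustration and are not from the article.

```python
"""Enforcing separation of duties, least privilege and dual control in a
change-approval workflow (added example; roles, permissions and the sample
change request are constructed, not from the article)."""
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions its job needs.
# Role and permission names are hypothetical.
ROLE_PERMISSIONS = {
    "network_admin": {"grant_resource_access", "change_firewall"},
    "security_admin": {"approve_change", "review_audit_log"},
    "auditor": {"review_audit_log"},
}


@dataclass
class User:
    name: str
    roles: set

    def can(self, permission: str) -> bool:
        """Least privilege check: permission must come from one of the user's roles."""
        return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in self.roles)


@dataclass
class ChangeRequest:
    description: str
    requester: User
    approvers: list = field(default_factory=list)


class PolicyViolation(Exception):
    pass


def check_separation_of_duties(user: User) -> None:
    """The article's example: the network administrator who grants resource
    access must never also be the security administrator."""
    if {"network_admin", "security_admin"} <= user.roles:
        raise PolicyViolation(f"{user.name} holds conflicting roles")


def approve(change: ChangeRequest, approver: User) -> None:
    """Record one approval, refusing self-approval, duplicate approvers,
    conflicting roles and approvers without the approve_change permission."""
    check_separation_of_duties(approver)
    if not approver.can("approve_change"):
        raise PolicyViolation(f"{approver.name} lacks approve_change")
    if approver.name == change.requester.name:
        raise PolicyViolation("requester cannot approve their own change")
    if any(a.name == approver.name for a in change.approvers):
        raise PolicyViolation(f"{approver.name} already approved")
    change.approvers.append(approver)


def is_authorized(change: ChangeRequest, required_approvals: int = 2) -> bool:
    """Dual control: the change may proceed only with approvals from at least
    `required_approvals` distinct people, none of whom is the requester."""
    distinct = {a.name for a in change.approvers}
    return len(distinct) >= required_approvals and change.requester.name not in distinct


def demo() -> bool:
    """Walk a constructed request through the checks; returns True once dual control is met."""
    alice = User("alice", {"network_admin"})
    bob = User("bob", {"security_admin"})
    carol = User("carol", {"security_admin"})
    change = ChangeRequest("open port 443 on DMZ firewall", requester=alice)
    approve(change, bob)
    assert not is_authorized(change)  # one approval is not dual control
    approve(change, carol)
    return is_authorized(change)


if __name__ == "__main__":
    print(demo())
```

The checks are ordered so that a structural violation (conflicting roles) is rejected before any approval is recorded, and `is_authorized` counts distinct names rather than list entries so that the same person approving twice never satisfies dual control.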

Risk management

Risk management is the process of identifying, examining, measuring, mitigating, or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring, which we will discuss later in this article.

The success of a security program can be traced to a thorough understanding of risk. Without proper consideration and evaluation of risks, the correct controls may not be implemented. Risk assessment ensures that we identify and evaluate our assets, then identify threats and their corresponding vulnerabilities.

Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can then make an informed decision as to which mitigation method best suits our needs. And finally, as with all elements of a security policy, ongoing evaluation is essential. New attacks and other threats are always emerging, and security professionals must stay informed and up to date.

Risk – Key points to be aware of

• Every decision starts with looking at risk.
• Determine the value of your assets.
• Evaluate and identify cost-effective solutions to reduce risk to an acceptable level (rarely can we eliminate risk).
• Keep in mind that Safeguards are proactive and Countermeasures are reactive.

The following definitions are crucial for risk management:

• Asset: Anything of value to the company
• Vulnerability: A weakness; the absence of a safeguard
• Threat: Things that could pose a risk to all or part of an asset
• Threat Agent: The entity which carries out the attack
• Exploit: An instance of compromise
• Risk: The probability of a threat materializing
• Controls: Physical, Administrative and Technical Protections
  • Safeguards
  • Countermeasures

Multiple scenario-based use cases are evaluated in CISSP, based on the following general sources of risk:

• Weak, unpatched or non-existent anti-virus software
• Disgruntled employees posing an internal threat
• Poor physical security controls
• Weak access controls
• Lack of change management
• Lack of formal processes for hardening systems
• Poorly trained users and lack of awareness

The following outline represents the lifecycle of Risk Management:

• Risk Assessment
  • Categorize, Classify and Valuate Assets
  • Know/Identify Threats and Vulnerabilities
• Risk Analysis
  • Qualitative
  • Quantitative
• Risk Mitigation/Response
  • Reduce/Avoid
  • Transfer
  • Accept/Reject

Each section within the lifecycle is crucial for CISSP and is further defined below:
Risk assessment

• Looks at risks corresponding to identified parameters for a specific period and must be reevaluated periodically. Managing risks is an ongoing process.
• The following steps are officially part of a Risk Assessment as per NIST 800-30:
  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Control Recommendation
  • Results Documentation

Risk analysis

• Determining a value for a risk.
• Qualitative vs. Quantitative
  • Qualitative analysis (subjective, judgment-based)
    • Subjective in nature
    • Uses words like “high,” “medium,” “low” to describe likelihood and severity of impact of a threat exposing a vulnerability
  • Quantitative analysis (objective, numbers driven)
    • More experience required than with qualitative analysis
    • Involves calculations to determine a dollar value associated with each risk element
    • Business decisions are fundamentally driven by this type of analysis.
    • Essential for a cost/benefit analysis
    • Key pointers to be remembered
      • AV – Asset Value
      • EF – Exposure Factor
      • ARO – Annual Rate of Occurrence
      • Single Loss Expectancy (SLE) = AV * EF
      • Annual Loss Expectancy (ALE) = SLE * ARO
      • Cost of control should be the same or less than the potential for loss.
• Risk Value = Probability * Impact
  • Probability: How likely is the threat to materialize?
  • Impact: What is the extent of the damage?
  • Could also be referred to as likelihood and severity.
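The SLE/ALE formulas and the probability-times-impact risk value above are simple, but a worked risk register makes the cost-of-control rule concrete. The following Python is an added example, not code from the article: it applies SLE = AV * EF, ALE = SLE * ARO and Risk Value = Probability * Impact to a constructed register (every asset value, exposure factor, ARO figure and control cost below is made up), and expresses the cost-of-control rule as the ALE before the control minus the ALE after it minus the control's annual cost. That cost/benefit form, and the mapping of low/medium/high onto a 1..3 scale, are assumptions made here rather than formulas the article states.

```python
"""Quantitative and qualitative risk analysis over a constructed risk
register (added example). All dollar figures, exposure factors and ARO
values are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # Annual Rate of Occurrence, events per year


def single_loss_expectancy(r: Risk) -> float:
    """SLE = AV * EF: dollars lost in a single occurrence."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return r.asset_value * r.exposure_factor


def annual_loss_expectancy(r: Risk) -> float:
    """ALE = SLE * ARO: expected dollars lost per year."""
    return single_loss_expectancy(r) * r.aro


def control_value(r: Risk, aro_after: float, annual_control_cost: float) -> float:
    """Assumed cost/benefit form of the cost-of-control rule:
    ALE before the control - ALE after the control - annual cost of the control.
    Positive means the control costs no more than the loss it prevents;
    negative means it costs more than the risk it reduces."""
    after = Risk(r.name, r.asset_value, r.exposure_factor, aro_after)
    return annual_loss_expectancy(r) - annual_loss_expectancy(after) - annual_control_cost


# Qualitative scale: assumed mapping of the article's words onto ordinal scores.
QUAL_SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk_value(probability: str, impact: str) -> int:
    """Risk Value = Probability * Impact on the low/medium/high scale."""
    return QUAL_SCALE[probability.lower()] * QUAL_SCALE[impact.lower()]


# Constructed sample register; figures are illustrative, not real data.
REGISTER = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
]


def rank_register(register):
    """Return (name, ALE) pairs ordered by annual loss expectancy, highest first,
    which is the prioritization step the article describes."""
    return sorted(((r.name, annual_loss_expectancy(r)) for r in register),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, ale in rank_register(REGISTER):
        print(f"{name}: ALE = ${ale:,.0f}")
    # Hypothetical control: offline backups cut the ransomware ARO from 0.5 to 0.1
    # at $25,000/year. ALE before 100,000 - ALE after 20,000 - 25,000 = 55,000.
    print(control_value(REGISTER[0], aro_after=0.1, annual_control_cost=25_000))
    print(qualitative_risk_value("high", "medium"))
```

Ranking by ALE rather than by SLE matters: the laptop-theft entry has a far smaller single loss but occurs more often, so the register orders by what each risk is expected to cost per year, and the control decision compares that annual figure against the control's annual cost.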

Mitigating risk

• Three acceptable risk responses:
  • Reduce
  • Transfer
  • Accept
• Continue to monitor for risks
• How we decide to mitigate business risks becomes the basis for Security Governance and Policy.

Security governance

The goal of security governance is to ensure that security strategies, goals, risks and objectives are assessed according to a top-down model. By doing so, we ensure that those ultimately responsible for the success or failure of a security program are directly involved.

To achieve security governance, security blueprints have to be created to allow organizations to implement practices and procedures that support their security goals and the overall mission of the organization. Various industry consortiums have provided insight into the goals, objectives, and means of developing successful Information Security Management Systems (ISMS).

The following industry standards provide frameworks that can be reviewed when creating security baselines to achieve security governance:

• BS 7799, ISO 17799, and the ISO 27000 series
• COBIT and COSO
• OCTAVE
• ITIL

Approach to security management

Poor security management causes the majority of a company’s security problems. Security needs to be directed and supported by top management, referred to as the top-down approach, because without that, any security efforts will be doomed. Unfortunately, most companies follow a bottom-up approach, where the IT department takes security seriously and attempts to develop a security program. This approach usually will not provide those individuals with the necessary funds, support, resources, or attention. Thus, it is often doomed from the start.

An information security management program primarily consists of the following key areas to be aware of:

• Roles and Responsibilities
• Policies/Standards/Procedures/Guidelines
• SLAs (Service Level Agreements)/Outsourcing
• Data Classification/Security
• Auditing
Senior management’s roles and responsibilities across the following areas are generally evaluated for CISSP and are crucial for the overall understanding of security risk management for any organization.

• Development and Support of Policies: Senior management is responsible for the company-wide policies within an organization. These policies should be high-level statements from management that detail the company’s philosophy and commitment to security. Additionally, it is management’s responsibility to ensure the enforcement of these policies, and to lead by example.
• Allocation of Resources: Senior management is also responsible for providing the necessary resources to enable policies to be carried out. A true understanding of issues regarding liability is necessary in order to justify the resources.
• Decisions based on Risk: It is senior management’s task to be the ultimate decision-makers for the organization. Once provided with the facts from a risk analysis, it is up to management to make decisions on forms of Risk Mitigation.
• Security Policy: The organization’s security policy is a high-level document that contains generalized terms of management’s directive pertaining to security’s role within the organization. It establishes how a security program will be set up, dictates the program’s goals, assigns responsibility, shows the background, and explains the strategic and tactical values of security. It explains how enforcement will be carried out and addresses the laws and regulations that it fulfills. It will provide scope and direction for all future activities within the organization. After the security policy is defined, the next step is creating the standards, guidelines, procedures, baselines, etc. The Security Policy should always support the strategic goals of the organization.