CISSP domain one: security and risk management - What you need to know for the exam
Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cyber security perspective, industries such as energy, healthcare, banking, insurance, retail, etc., involve a lot of risks which impede the adoption of technology and which need to be effectively managed. The
1 of 14 8/29/2021, 11:16 AM
CISSP domain one: security and risk management- What you need to ... https://resources.infosecinstitute.com/certification/security-risk-mana...
Goals of a security model
The two primary objectives of information security within the organization from a risk management perspective include:
Security fundamentals
Confidentiality, integrity and availability (the CIA triad) is a typical security framework intended to guide policies for information security within an organization.
1. Confidentiality: Prevent unauthorized disclosure
Confidentiality of information refers to protecting the information from disclosure to unauthorized parties.
2. Integrity: Detect modification of information
The integrity of information denotes protecting the sensitive information from being modified by unauthorized parties.
3. Availability: Provide timely and reliable access to resources
Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.
Best practices to support CIA
Separation of Duties: Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of Duties is a preventative control.
Mandatory Vacations: Prevents an operator from having exclusive use of a system. Periodically, that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.
Job rotation: Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.
Least privilege: Allowing users to have only the required access to do their jobs.
Need to know: In addition to clearance, users
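The separation-of-duties and least-privilege practices above can be enforced mechanically over a role directory. The following is an added example, not code from the article: the conflicting pair of network administrator and security administrator comes from the article's own illustration, while the other role pairs, the role names, the user assignments and the job profiles are constructed sample data.

```python
"""Separation-of-duties and least-privilege check over role assignments.

Added example, not code from the article. The conflicting pair
(network_admin, security_admin) follows the article's own illustration;
the other pairs, the role names and the user data are constructed.
"""

# Role combinations a single person must never hold at the same time.
# Each pair is a frozenset so the order of the two roles does not matter.
CONFLICTING_PAIRS = {
    frozenset({"network_admin", "security_admin"}),      # from the article
    frozenset({"developer", "release_approver"}),        # assumed example
    frozenset({"payments_clerk", "payments_approver"}),  # assumed example
}

# Constructed directory export: user -> roles currently granted.
ASSIGNMENTS = {
    "alice": {"network_admin", "security_admin"},
    "bob": {"developer"},
    "carol": {"developer", "release_approver", "helpdesk"},
    "dave": {"payments_clerk"},
}

# Constructed job profiles: user -> roles the job actually requires.
REQUIRED = {
    "alice": {"network_admin"},
    "bob": {"developer"},
    "carol": {"developer"},
    "dave": {"payments_clerk"},
}


def sod_violations(assignments):
    """Return {user: [(role_a, role_b), ...]} for every user who holds
    both halves of a conflicting pair at once."""
    violations = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_PAIRS if pair <= roles]
        if hits:
            violations[user] = sorted(hits)
    return violations


def excess_roles(assignments, required):
    """Return {user: roles} for roles granted beyond what the job requires,
    i.e. the least-privilege gap."""
    excess = {}
    for user, roles in assignments.items():
        extra = roles - required.get(user, set())
        if extra:
            excess[user] = extra
    return excess


def would_violate(user_roles, new_role):
    """Preventative use: before a grant, answer whether adding new_role
    to the user's current roles would create a conflicting combination."""
    candidate = set(user_roles) | {new_role}
    return any(pair <= candidate for pair in CONFLICTING_PAIRS)


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    for user, extra in excess_roles(ASSIGNMENTS, REQUIRED).items():
        print(f"Least-privilege excess: {user} has {sorted(extra)}")
    print("grant security_admin to dave?", not would_violate(ASSIGNMENTS["dave"], "security_admin"))
```

Run before a role is granted (would_violate), the check is the preventative control the article describes; run over an existing directory export (sod_violations, excess_roles), the same logic acts as a detective control that surfaces combinations that slipped through.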
Risk management
Risk management is the process of identifying, examining, measuring, mitigating, or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring, which we will discuss in the latter part of this article.
Risk Assessment
    Categorize, Classify and Valuate Assets
    Know/Identify Threats and Vulnerabilities
Risk Analysis
    Qualitative
    Quantitative
Risk Mitigation/Response
    Reduce/Avoid
    Transfer
    Accept/Reject
Risk assessment
Looks at risks corresponding to identified parameters for a specific period and must be reevaluated periodically. Managing risks is an ongoing process.
The following steps are officially part of a Risk Assessment as per NIST 800-30:
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendation
Results Documentation
Risk analysis
Determining a value for a risk.
Qualitative vs. Quantitative
Qualitative analysis (subjective, judgment-based)
    Subjective in nature
    Uses words like "high," "medium," "low" to describe likelihood and severity of impact of a threat exposing a vulnerability
Quantitative Analysis (objective, numbers driven)
    More experience required than with Qualitative
    Involves calculations to determine a dollar value associated with each risk element
    Business decisions are fundamentally driven by this type of analysis.
Mitigating risk
Three acceptable risk responses:
Reduce
Transfer
Accept
Continue to monitor for risks
How we decide to mitigate business risks becomes the basis for Security Governance and Policy.
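The risk analysis section above says quantitative analysis "involves calculations to determine a dollar value", and the mitigation section lists the three responses (reduce, transfer, accept) without showing how the numbers drive the choice. The following added example, which is not code from the article, carries both through: the quantitative part uses the standard CISSP formulas SLE = AV x EF and ALE = SLE x ARO (an assumption, since the article does not name them), the qualitative part uses a three-by-three likelihood/impact matrix over the words "low", "medium" and "high", and the response rule compares a safeguard's annual cost with the loss it removes. The risk appetite figure and every asset value, exposure factor and occurrence rate are constructed for illustration.

```python
"""Worked risk analysis and risk response selection.

Added example, not from the article. Assumptions: the standard CISSP
quantitative formulas SLE = AV * EF and ALE = SLE * ARO, a 3x3 qualitative
matrix, and a cost-benefit rule for choosing reduce/transfer/accept. The
risk appetite and all register figures are constructed sample data.
"""
from dataclasses import dataclass

# Qualitative analysis: map the judgment words to matrix scores.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood, impact):
    """Combine likelihood and impact words into a single rating."""
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:      # medium x high, high x high
        return "high"
    if score >= 3:      # low x high, medium x medium
        return "medium"
    return "low"        # low x low, low x medium


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    annual_rate: float      # ARO: expected occurrences per year

    def sle(self):
        """Single loss expectancy: dollar loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy: expected dollar loss per year."""
        return self.sle() * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float   # yearly cost of running the safeguard
    residual_ale: float  # ALE that remains once the safeguard is in place


def control_value(risk, control):
    """Net annual benefit of a safeguard: ALE removed minus its cost.
    Positive means the safeguard pays for itself."""
    return (risk.ale() - control.residual_ale) - control.annual_cost


def choose_response(risk, control, risk_appetite):
    """Select one of the article's three responses: reduce, transfer, accept."""
    if control_value(risk, control) > 0:
        return "reduce"    # safeguard is cheaper than the loss it removes
    if risk.ale() <= risk_appetite:
        return "accept"    # expected loss is within what the business tolerates
    return "transfer"      # too large to accept, too costly to reduce: insure


# Constructed sample register (all figures assumed).
RISK_APPETITE = 5_000.0  # largest ALE the business will carry without action
REGISTER = [
    (Risk("web server outage", 200_000, 0.25, 2.0),
     Control("redundant server", 30_000, 10_000)),
    (Risk("laptop theft", 3_000, 1.0, 0.5),
     Control("tracking and remote wipe", 2_000, 500)),
    (Risk("data center fire", 5_000_000, 0.8, 0.02),
     Control("suppression upgrade", 100_000, 20_000)),
]


def analyse_register(register=REGISTER, appetite=RISK_APPETITE):
    """Return {risk name: (SLE, ALE, response)} for each register entry."""
    return {r.name: (r.sle(), r.ale(), choose_response(r, c, appetite))
            for r, c in register}


if __name__ == "__main__":
    print("qualitative rating (medium likelihood, high impact):",
          qualitative_rating("medium", "high"))
    for name, (sle, ale, response) in analyse_register().items():
        print(f"{name:20s} SLE=${sle:>12,.0f} ALE=${ale:>10,.0f} -> {response}")
```

The register shows one case per response: the outage control removes $90,000 of ALE for $30,000 (reduce), the laptop risk's ALE of $1,500 sits below the appetite (accept), and the fire risk is too expensive to reduce but too large to carry (transfer). In practice the residual ALE of a control is itself an estimate, so the same calculation is worth repeating once the control has been in place for a year, which is the "continue to monitor" step.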
Security governance
Approach to security management
Posted: July 6, 2019