CISSP Security and Risk Management – Bk2D1

Overview

Security and Risk Management, Domain 1 of the (ISC)2® CBK, lays the foundation for the entire course, introducing concepts and principles that will be used throughout. It is imperative that candidates learn and understand these thoroughly if they are not already familiar with the material from professional practice.

NOTE: Throughout this domain and much of the rest of the course material, the term “organization” will be used to describe operational entities; an organization might be a private business operating in a market dynamic, a government entity, or a nonprofit/charitable agency of some kind. The term is used generically, in recognition that candidates may work for any type of functional unit; the material is designed to be agnostic to the type of industry or nature of work a particular unit might be involved in. When material is specific to a certain type of organization, this will be specified in context (for instance, a bank, as a financial organization, has specific security concerns not faced by other types of organizations).

Domain Objectives

After completing this domain, the participant will be able to:
  1. Explain the concepts of confidentiality, integrity, and availability.
  2. Differentiate between confidentiality, integrity, and availability.
  3. Recognize security governance principles.
  4. Describe how the security function of an organization aligns to that organization’s business strategy, goals, mission, and objectives.
  5. Describe various typical roles and responsibilities related to security within organizations.
  6. Identify governance processes within organizations, and explain how those may affect security.
  7. Identify specific security control frameworks based on a brief description or list of framework attributes, and the challenges/benefits associated with each.
  8. Discern between the concepts and meaning of “due care” and “due diligence.”
  9. Describe common practices used for asset valuation and the challenges/benefits associated with each.
  10. Distinguish between threats and vulnerabilities.
  11. Identify common practices of risk assessment and analysis.
  12. Know the four common methods of security risk management.
  13. Know how to choose from the four common methods of risk management.
  14. Recognize common practices for selecting security controls.
  15. List the various types, classes, and categories of security controls.
  16. Describe the importance of monitoring and measuring the security program and controls and why this is performed on a continuous basis.
  17. Recognize common risk frameworks.
  18. Apply risk-based management concepts to the supply chain and the use of third parties for risk assessment and monitoring.
  19. Recognize standard threat modeling concepts.
  20. Apply threat modeling methodologies.
  21. Recognize common threats and risks.
  22. Recognize the purpose of the service level agreement, how it augments the contract, and which items should be contained in each.
  23. Determine and document minimum security requirements.
  24. Recognize the various forms of compliance requirements (laws/regulations, standards, and contracts).
  25. Understand the concept of regulatory compliance, especially in the context of modern privacy requirements, and identify typical regulations encountered in practice.
  26. Recognize the role of digital rights management (DRM) solutions in protecting intellectual property.
  27. Recognize modern international legal restrictions on import/ export of data and IT tools.
  28. Identify common privacy terms used in current personal data protection laws worldwide.
  29. Describe the hierarchy of written governance (policies, standards, guidelines, and processes).
  30. Identify the various means to support personnel security goals, including common policies and procedures.
  31. Explain how modern legal frameworks affect international data flow and how the information security industry is responsible for many compliance requirements.
  32. Describe the importance of security training, education, and awareness and how to differentiate between those elements.
  33. Describe the necessity of business continuity and disaster recovery (BCDR) functions, and recognize basic foundational concepts.
  34. Explain the ethical standards that a professional security practitioner is expected to uphold, as well as the standards of behavior and performance expected of (ISC)2 members.

Security and Risk Management