Domain 1: Security and Risk Management – Weightage 15% 2018
Security and Risk Management focuses on risk analysis and mitigation. This domain also covers security governance, which is the organizational structure that is required to ensure a successful information security program. It also covers IT policies and procedures, roles and responsibilities as well as types of controls and risk management concepts, including risk analysis, risk evaluation, and risk remediation.
This domain covers the three pillars of Information Security, namely Confidentiality, Integrity and Availability. It also covers the five elements of AAA services, i.e. Identification, Authentication, Auditing, Accounting and Non-Repudiation. It includes Secure Design and protection mechanisms such as layering, abstraction, data hiding and encryption. Secure Design principles include:
A design should be easy for users to accept, offer enough security while remaining affordable, and apply the principle of least privilege.
This domain also includes Threat Modelling, which aims to reduce security-related design and coding errors and to reduce the severity of any remaining problems. There are three main approaches to identifying threats: focused on assets, focused on attackers, and focused on software. It also covers a threat classification scheme called STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
It also covers the difference between Security Governance and Security Management. Planning includes the distinction between Strategic, Tactical and Operational plans, and security goals should be guided by the business objectives. The domain explains the difference between Due Care and Due Diligence, and the differences between policies, standards and baselines.
It also covers important Security and IT frameworks such as ISO/IEC 27000, COBIT (Control Objectives for Information and Related Technologies), COSO (Committee of Sponsoring Organizations), ITIL (Information Technology Infrastructure Library) and NIST (National Institute of Standards and Technology), as well as security roles such as Senior Manager, CISO/CIO, Security Administrator and Network Administrator.
This domain explains the basics of Risk Management, including Assets (both tangible and intangible), Auditors, Threats and Asset Value, Threat Agents, the difference between Safeguards and Countermeasures, total risk, residual risk, and calculating control gaps. It covers both Quantitative and Qualitative risk management. Qualitative risk analysis employs techniques such as Brainstorming, Surveys, Questionnaires, One-on-One Meetings and Interviews.
Important Terminologies & Calculations
Total Risk: Risk before any control is applied.
Residual Risk: Leftover risk after countermeasures/safeguards are applied.
Control Gap: Total Risk - Residual Risk
Risk: Threat * Vulnerability
Asset Value (AV): The value of an asset.
Exposure Factor (EF): Percentage of an asset's value lost when a risk is realized.
Single Loss Expectancy (SLE): Actual loss incurred if the risk is realized once.
Annual Rate of Occurrence (ARO): Expected frequency of the risk over a year.
Annualized Loss Expectancy (ALE): Expected amount of loss per year.
Cost/Benefit Analysis (CBA): The calculation performed before implementing countermeasures that reduce the ARO.
SLE = AV * EF
ALE = SLE * ARO
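The following is an added worked example (not part of the original notes) that applies the SLE, ALE and control-gap formulas above to a constructed scenario, and adds the usual cost/benefit test of comparing the ALE reduction against the safeguard's annual cost. The asset values, exposure factors and control cost are constructed sample figures.

```python
"""Quantitative risk analysis: SLE = AV * EF, ALE = SLE * ARO,
control gap = total risk - residual risk, and a cost/benefit test
(ALE reduction minus annual safeguard cost). Figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # AV: value of the asset
    exposure_factor: float   # EF: fraction of AV lost per incident (0.0 - 1.0)
    aro: float               # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one realized incident."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_gap(total_risk_ale: float, residual_risk_ale: float) -> float:
    """Risk removed by a safeguard: total risk minus residual risk."""
    return total_risk_ale - residual_risk_ale


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE reduction minus its annual cost.
    Positive means the control is worth more than it costs; negative means
    it costs more than the risk it removes."""
    return control_gap(before.ale(), after.ale()) - annual_cost


if __name__ == "__main__":
    # Constructed scenario: a 200,000 database server, ransomware destroys 50%
    # of its value per incident, expected twice a year. Offline backups cut
    # the EF to 10% and the ARO to 0.5 per year, at 30,000 per year.
    before = Scenario(asset_value=200_000, exposure_factor=0.5, aro=2.0)
    after = Scenario(asset_value=200_000, exposure_factor=0.1, aro=0.5)
    print(f"SLE before: {before.sle():,.0f}  ALE before: {before.ale():,.0f}")
    print(f"ALE after: {after.ale():,.0f}  control gap: "
          f"{control_gap(before.ale(), after.ale()):,.0f}")
    print(f"Safeguard value: {safeguard_value(before, after, 30_000):,.0f}")
```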
It then covers the different types of controls, including Corrective, Recovery and Directive controls. It also covers the most widely used Risk Management approach, NIST 800-30.
It defines the ISC2 Code of Ethics and covers Intellectual Property law, including Patents, Trademarks, Copyright and Trade Secrets. It also explains laws and the categories of law, as well as concepts around Proximate