Domain 1: Security and Risk Management
The first domain of CISSP exam is titled ‘Security and Risk management. Candidates are expected to be able to identify the following sub-objectives in this domain of the CISSP examination:
The concepts of confidentiality and integrity as well as availability.
Candidate should be familiar with the three fundamental principles of Information security: confidentiality, integrity, availability. Confidentiality is the ability to ensure that only the intended recipients have access to the information. Integrity is the ability to ensure that the information is not altered or altered in any way. Availability is the ability to make sure that the information is always available.
Security governance principles
Security governance is based on the principle that security programs must be approved by the management of an organisation. The business strategy, mission, goals, and security function must also be aligned.
Security is a shared responsibility within an organisation. Each person should be assigned a security responsibility to reduce the risk of security incidents.
Complying with laws and regulations applicable to your country and business environment in an increasingly connected world has become more difficult. The CISSP candidate must be familiar with the legal, contractual, industry standards, and regulatory requirements.
Legal and regulatory issues
Security breaches are all around the world. The security professional must be familiar with the legal and regulatory issues relating to information security. This is why the candidate must be familiar with the licensing and intellectual properties requirements, trans-border data flow, and privacy.
Documented security policy, guidelines, standards, and procedures
The test taker should be able to distinguish between security policy, standards and procedures and how to create and document them for their organization.
Security policy is a document that outlines the organization’s security. The organization’s security policy is implemented using standards. When certain standards are not met or exceptions are made, guidelines are created. These are the steps of security policies.
Business continuity requirements
Businesses are expected to recover with the essential functions they need after natural disasters such as earthquakes, floods, and terrorist attacks. Business continuity is the plan to be followed in the event of a disaster. These are the phases of a business continuity program:
Management and project initiation
Document and define the scope and plan of your project
Conduct a Business Impact Analysis (BIA)
Security policies for personnel
Employees in an organization might be the weakest link in security in more than one case. Because different employees in an organization are in direct contact with data it is important to recruit employees after a thorough job candidate screening, reference checks, background investigations, and other appropriate background checks.
Employee policies and agreements should be written and signed once a candidate is hired. To ensure that sensitive data does not get accessed outside of the organization, termination policies should be developed. Vendors, consultants, contractors, and other third parties should have appropriate controls in place to ensure that organizational data doesn’t move outside.
Risk management concepts
This sub-objective requires that the candidate understands the risk assessment process and risk management concepts. The risk assessment process includes preparing for assessment and conducting it, communicating the results, and maintaining the assessment.
The candidate should also be familiar with security and audit frameworks, methodologies, such as COSO and ITIL.