# Domain 1: Security and Risk Management

**Weight: 16% of exam**

This domain encompasses the fundamental security concepts, governance principles, risk management practices, and legal/regulatory frameworks that form the foundation of information security management. As the highest-weighted domain, it requires a deep understanding of security principles and their practical application in organizational contexts.

## 1.1 - Understand, adhere to, and promote professional ethics

### ISC2 Code of Professional Ethics

The foundation of the CISSP profession, these four canons guide all professional activities:

1. **Protect society, the common good, necessary public trust and confidence, and the infrastructure**
   - Highest priority: society comes before employer or self
   - Maintaining public trust in information systems
   - Protecting critical infrastructure
2. **Act honorably, honestly, justly, responsibly, and legally**
   - Personal integrity in all professional activities
   - Compliance with applicable laws and regulations
   - Ethical decision-making processes
3. **Provide diligent and competent service to principals**
   - Maintaining professional competence through education
   - Providing accurate and honest advice
   - Avoiding conflicts of interest
4. **Advance and protect the profession**
   - Mentoring others in the profession
   - Contributing to the body of knowledge
   - Maintaining professional standards

**Memory Aid**: **S**ociety, **H**onor, **D**iligence, **A**dvance the profession

### Organizational Code of Ethics

- **Organization-specific guidelines**: Tailored to company culture and industry
- **Professional conduct standards**: Expected behaviors and accountability measures
- **Conflict of interest policies**: Guidelines for identifying and managing conflicts
- **Whistleblower protections**: Safe reporting mechanisms for ethical violations

## 1.2 - Understand and apply security concepts

### Five Pillars of Information Security

The cornerstone of information security, these principles must be maintained throughout all security activities:

1. **Confidentiality**
   - **Definition**: Preventing unauthorized disclosure of information
   - **Controls**: Encryption, access controls, data classification, steganography
   - **Violations**: Human error, admin mistakes, policy oversights, misconfiguration
   - **Concepts**: Sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, isolation
   - **Key Point**: Use network traffic padding to prevent traffic analysis attacks
2. **Integrity**
   - **Definition**: Preventing unauthorized modification and maintaining data accuracy
   - **Controls**: Hash verification, digital signatures, input validation, change management, interface restrictions
   - **Threats**: Unauthorized changes, mistakes by authorized users, malicious modifications
   - **Conditions**: Accuracy, truthfulness, validity, accountability, responsibility, completeness, comprehensiveness
   - **Key Point**: Integrity includes maintaining the internal consistency of data objects
3. **Availability**
   - **Definition**: Ensuring authorized access to resources when needed
   - **Controls**: Redundancy, backups, fault tolerance, DoS prevention, monitoring
   - **Threats**: System failures, attacks, natural disasters, human error
   - **Conditions**: Usability, accessibility, timeliness
   - **Metrics**: Uptime percentages (99.9%, 99.99%, 99.999%)
4. **Authenticity**
   - **Definition**: Data is genuine and originates from its claimed source
   - **Implementation**: Digital certificates, cryptographic signatures, chain of custody
   - **Relationship**: Closely tied to integrity and non-repudiation
   - **Verification**: Strong confidence in the data source and its unchanged state
5. **Non-repudiation**
   - **Definition**: Ensures subjects cannot deny their actions or involvement
   - **Requirements**: Strong identification, authentication, authorization, auditing, accounting
   - **Technical Controls**: Digital signatures, timestamps, cryptographic proofs
   - **Legal Aspect**: Provides evidence for legal proceedings

**Memory Aid**: **C**onfidentiality, **I**ntegrity, **A**vailability = **CIA**, plus **A**uthenticity and **N**on-repudiation

### AAA Services (Foundation of Access Control)

- **Identification**: Subject claims an identity (username, account number)
- **Authentication**: Proving the claimed identity (password, biometric, certificate)
- **Authorization**: Determining what the authenticated subject may access
- **Auditing**: Recording activities and events for later review and accountability
- **Accounting**: Reviewing audit logs to ensure compliance, investigate violations, and hold users accountable

**Extended Model**: Some frameworks list **Identification** as a separate first step (I-AAA).

### Protection Mechanisms

- **Defense in Depth**: Multiple layered controls
- **Abstraction**: Grouping similar elements for collective security controls
- **Data Hiding**: Logical compartmentalization to prevent access
- **Encryption**: Hiding the meaning of communications

## 1.3 - Evaluate and apply security governance principles

### Security Governance Overview

- Collection of practices for supporting, evaluating, defining, and directing security efforts
- Should be performed by the board of directors or a governance committee
- Aligns security policies, solutions, and management practices
- Closely related to corporate and IT governance

### Top-Down vs Bottom-Up Approach

- **Top-Down (Preferred)**:
  - Senior management initiates and defines policies
  - Middle management creates standards and guidelines
  - Operations implements configurations
  - End users comply with policies
- **Bottom-Up (Avoid)**:
  - IT staff makes security decisions without senior management input

### Organizational Processes

#### Acquisitions and Divestitures

- **Risks in Acquisitions**:
  - Unknown state of the new company's IT environment
  - Due diligence is critical
  - Integration challenges with different security standards
- **Evaluation Methods**:
  - On-site assessment
  - Third-party audit
  - Review of existing documentation
- **Divestiture Considerations**:
  - How to split IT infrastructure
  - What to do with identities and credentials
  - Data ownership and transfer

#### Governance Committees

- Vendor governance
- Project governance
- Architecture governance
- Composed of executives, managers, and appointed individuals
- Review architecture, projects, and incidents
- Provide approvals for new strategies

### Organizational Roles and Responsibilities

#### Senior Manager

- Responsibility for organizational security
- Maximize profits and shareholder value
- Ultimate accountability for security decisions

#### Security Professional

- Day-to-day security management
- Policy implementation
- Risk assessment and mitigation

#### Asset Owner

- Responsible for asset classification
- Determines access requirements
- Accountable for asset protection

#### Custodian

- Day-to-day protection of assets
- Implements controls as directed by the owner
- Maintains and operates security controls

#### User

- Follows security policies and procedures
- Reports security incidents
- Responsible for protecting assigned resources

#### Auditor

- Reviews and verifies policy implementation
- Independent assessment of security controls
- Reports compliance status

### Security Control Frameworks

#### ISO 27000 Series

- International security standard
- Basis for implementing organizational security
- Systematic approach to managing information security risks
- ISO 27001: ISMS requirements
- ISO 27701: Privacy extension for GDPR compliance

#### NIST Framework

- Risk Management Framework (RMF)
- Cybersecurity Framework
- Special Publications (800 series)

#### COBIT (Control Objectives for Information and Related Technologies)

- Framework created by ISACA
- Focuses on aligning enterprise IT with business strategies
- Comprehensive framework for managing risks
- Commonly used as an audit/compliance framework

#### SABSA (Sherwood Applied Business Security Architecture)

- Business-driven, risk and opportunity focused
- Series of integrated frameworks, models, methods, and processes
- Can be used independently or as a holistic enterprise solution

#### PCI DSS

- Protects credit and debit card information
- Building and maintaining network security
- Maintaining information security policies
- Regular compliance audits required

#### FedRAMP

- Government-wide program for cloud services
- Standardizes security assessment, authorization, and monitoring
- Benefits: reduced costs, improved visibility, accelerated adoption

#### CIS Critical Security Controls

- Prioritized set of actions to defend against threats
- Practical steps to reduce the attack surface
- Focuses on secure configurations, admin privileges, and log monitoring

#### ITIL (Information Technology Infrastructure Library)

- Practices for IT Service Management
- Aligns IT services with business needs
- Includes security governance elements

#### COSO (Committee of Sponsoring Organizations)

- Framework to reduce financial fraud
- Enhances internal controls

### Due Care vs Due Diligence

#### Due Diligence

- Establishing a plan, policy, or process to protect organizational interests
- Knowing what should be done and planning for it
- Understanding security governance principles and organizational risks
- Actions taken by a vendor to demonstrate due care
- Developing a formalized security structure

#### Due Care

- Practicing the individual activities that maintain the due diligence effort
- Legal responsibility to implement organizational controls
- Following policy and making reasonable choices
- Continued application of the security structure
- Doing the right action at the right time

## 1.4 - Understand legal, regulatory, and compliance issues

### Cybercrimes and Data Breaches

#### Computer Fraud and Abuse Act (CFAA) - 1986

- Protects government and interstate commerce computers
- Prohibits:
  - Accessing a computer without authorization
  - Exceeding authorized access
  - Threatening computer damage or extortion

#### National Information Infrastructure Protection Act - 1996

- Amendment to the CFAA
- Covers international commerce systems
- Protects additional national infrastructure
- Treats damage to national infrastructure as a felony

### Licensing and Intellectual Property

#### Types of Intellectual Property

1. **Trademarks**
   - Words, slogans, and logos identifying a company or its products
   - Identify a company and its products or services
2. **Patents**
   - Protection for new inventions
   - Temporary monopoly for specific items
   - Must be novel and unique
   - Types: Utility patents, Software patents (controversial)
3. **Copyright**
   - Protects original works of authorship
   - Books, articles, poems, songs
4. **Trade Secrets**
   - Operating secrets critical to the business
   - Significant damage if disclosed to competitors
   - Protected by trade secret laws
5. **Licensing**
   - Contract between software producer and consumer
   - Limits use or distribution of software

### Import/Export Controls

#### ITAR (International Traffic in Arms Regulations)

- US regulation for military and defense systems
- Controls the manufacture, export, and import of munitions

#### EAR (Export Administration Regulations)

- Focuses on commercial-use items
- Computers, lasers, marine items
- Items with potential military applications

#### Wassenaar Arrangement

- Multinational agreement
- Voluntary export control regime

### Transborder Data Flow

- Organizations must adhere to the laws of the country of origin
- Consider the applicable laws where data is stored
- Different countries have different privacy requirements

### Privacy Regulations

#### GDPR (General Data Protection Regulation)

- European Union regulation
- Strict privacy and data protection requirements
- Significant penalties for non-compliance

#### California SB 1386

- Requires immediate disclosure of PII breaches
- Model for other state breach notification laws

#### PIPEDA (Personal Information Protection and Electronic Documents Act)

- Canadian law governing the use of personal information

### Additional Regulatory Requirements

#### Gramm-Leach-Bliley Act

- Applies to insurance and financial organizations
- Requires breach notification to regulators, law enforcement, and customers

#### CALEA (Communications Assistance for Law Enforcement Act)

- Requires communication carriers to enable wiretaps when court ordered

#### USA PATRIOT Act (2001)

- Tightened US national security post-9/11
- Expanded surveillance abilities of law enforcement

### Types of Law

#### Criminal Law

- Protects society against acts that violate basic principles
- Violations prosecuted by federal and state governments

#### Administrative Law

- Used by government agencies for day-to-day business

### Compliance Requirements

- PCI DSS, Sarbanes-Oxley, GLBA, HIPAA, FISMA, ECPA, DMCA
- Organizations are subject to various laws and regulations
- Contractual obligations may also apply

## 1.5 - Understand requirements for investigation types

### Administrative Investigation

- Internal investigations of operational issues
- Policy violations
- Often tied to HR scenarios
- Technical troubleshooting
- Lowest formality and documentation standards
- Focus on finding the root cause

### Criminal Investigation

- A crime has been committed
- Working with law enforcement
- Goal is to convict the perpetrator
- Gathering evidence for court
- High standards for evidence handling
- Chain of custody is critical

### Civil Investigation

- Private party disputes
- Preponderance of evidence standard
- Financial damages typically sought

### Regulatory Investigation

- Government agency enforcement
- Industry-specific regulations
- Administrative penalties possible

### Industry Standards Investigation

- Professional organization requirements
- Peer review processes
- Professional sanctions possible

## 1.6 - Develop, document, and implement security policy, standards, procedures, and guidelines

### Policy Hierarchy

1. **Policies**: High-level statements of management intent
2. **Standards**: Mandatory requirements supporting policies
3. **Baselines**: Minimum security requirements
4. **Guidelines**: Recommended practices
5. **Procedures**: Step-by-step instructions

### Security Planning Types

#### Strategic Plan

- Long-term plan (5 years)
- Establishes security purpose
- Aligns security with organizational goals
- Updated annually

#### Tactical Plan

- Mid-term plan (1 year)
- Provides detailed implementation
- Prescribes specific tasks

#### Operational Plan

- Short-term plan
- Resource allocations
- Budgetary requirements
- Staffing assignments
- Standard Operating Procedures

## 1.7 - Identify, analyze, assess, prioritize, and implement Business Continuity requirements

### Business Continuity Planning (BCP) and Business Impact Analysis (BIA)

#### Process Steps

1. **Project scope and planning**
   - Organizational review
   - BCP team selection
   - Resource requirements
   - External dependencies
2. **Business impact analysis**
   - Identify assets and asset value
   - Critical business functions
   - Priorities identification
   - Risk identification
   - Assess likelihood (quantitative vs qualitative)
   - Assess impact (ALE calculations)
   - Resource prioritization
3. **Continuity strategy development**
   - Determine which risks to address
   - How to address the identified risks
4. **Provisions and processes**
   - Specific procedures for risk mitigation
5. **Plan approval and implementation**
   - Plan approval process
   - Implementation procedures
   - Communication, training, education
   - Documentation requirements

### BCP Documentation Requirements

- BCP goals and objectives
- Statement of importance
- Statement of priorities
- Organizational responsibility statements
- Urgency and timing requirements
- Risk assessment recap
- Risk acceptance/mitigation decisions
- Vital records program
- Emergency response guidelines
- Maintenance procedures
- Testing and exercises

### External Dependencies

- Third-party service providers
- Supply chain dependencies
- Utility services
- Communication services
- Transportation systems

## 1.8 - Contribute to and enforce personnel security policies and procedures

### Candidate Screening and Hiring

- Background checks
- Reference verification
- Education verification
- Criminal history checks
- Credit checks (where appropriate)
- Social media screening

### Employment Agreements

- Confidentiality agreements
- Non-disclosure agreements
- Acceptable use policies
- Code of conduct
- Security responsibilities

### Onboarding Process

- Security orientation
- Policy acknowledgment
- Access provisioning
- Training requirements
- Badge/credential issuance

### Transfers

- Access review and modification
- New role responsibilities
- Additional training if needed
- Privilege adjustments

### Termination Process

- Immediate access revocation
- Asset return procedures
- Exit interviews
- Final security briefing
- Account deactivation

### Vendor, Consultant, and Contractor Controls

- Third-party agreements
- Security requirements
- Access limitations
- Monitoring requirements
- Regular assessments

## 1.9 - Understand and apply risk management concepts

### Risk Management Process

1. **Risk identification**
   - Identify assets and asset value
   - Identify threats
   - Identify vulnerabilities
2. **Risk analysis**
   - Assess likelihood
   - Assess impact
   - Calculate risk levels
3. **Risk evaluation**
   - Compare against risk tolerance
   - Prioritize risks
4. **Risk treatment**
   - Accept, avoid, mitigate, or transfer
   - Select appropriate controls
5. **Monitor and review**
   - Continuous monitoring
   - Periodic reassessment

### Risk Assessment Types

#### Quantitative Risk Assessment

- Uses monetary values
- Objective calculations
- Metrics: SLE, ARO, ALE
- Provides financial justification
- Time-consuming and data-intensive

#### Qualitative Risk Assessment

- Descriptive terms (Low, Medium, High)
- Based on expert judgment
- Risk matrices
- Quick and cost-effective
- Can be subjective

### Risk Response Strategies

1. **Accept**: Acknowledge the risk and take no action
2. **Avoid**: Eliminate the risk by not engaging in the risky activity
3. **Mitigate**: Reduce likelihood or impact through controls
4. **Transfer**: Share the risk with a third party (insurance, outsourcing)

### Types of Controls

#### By Function

- **Preventive**: Stop incidents before they occur
- **Detective**: Identify incidents as they happen
- **Corrective**: Fix problems after they occur
- **Deterrent**: Discourage attacks
- **Recovery**: Restore systems after incidents
- **Compensating**: Alternative controls when primary controls fail

#### By Implementation

- **Administrative**: Policies, procedures, training
- **Technical**: Firewalls, encryption, access controls
- **Physical**: Guards, locks, cameras

### Control Assessments

- Security control testing
- Privacy control assessment
- Gap analysis
- Compliance verification
- Effectiveness measurement

### Continuous Monitoring

- Real-time security monitoring
- Regular vulnerability scans
- Performance metrics tracking
- Incident trend analysis
- Risk posture updates

### Reporting

#### Internal Reporting

- Executive dashboards
- Risk registers
- Incident reports
- Compliance status

#### External Reporting

- Regulatory submissions
- Third-party assessments
- Customer reports
- Industry benchmarking

### Risk Frameworks

- Already covered in section 1.3 (ISO, NIST, COBIT, SABSA, PCI)

## 1.10 - Understand and apply threat modeling concepts and methodologies

### Threat Modeling Process

1. **Identify assets/components**
2. **Identify threats**
3. **Identify vulnerabilities**
4. **Analyze risks**
5. **Determine mitigations**
6. **Prioritize actions**

### STRIDE Methodology

- **Spoofing**: Impersonating users or systems
- **Tampering**: Modifying data or code
- **Repudiation**: Denying actions
- **Information Disclosure**: Exposing information
- **Denial of Service**: Disrupting availability
- **Elevation of Privilege**: Gaining unauthorized access

### PASTA (Process for Attack Simulation and Threat Analysis)

1. **Define objectives**
2. **Define technical scope**
3. **Application decomposition**
4. **Threat analysis**
5. **Vulnerability analysis**
6. **Attack modeling**
7. **Risk and impact analysis**

### When to Perform Threat Modeling

- Early in the SDLC
- When introducing new changes
- When implementing new technologies
- When new regulatory compliance requirements arise
- Post-incident analysis

## 1.11 - Apply Supply Chain Risk Management (SCRM) concepts

### Supply Chain Risks

- **Product tampering**: Malicious modification during manufacturing
- **Counterfeits**: Fake components with unknown security properties
- **Implants**: Hardware or software backdoors
- **Substandard components**: Poor quality affecting security
- **Third-party dependencies**: Risks from vendors and suppliers

### Risk Mitigation Strategies

#### Third-party Assessment

- Vendor security assessments
- On-site evaluations
- Security questionnaires
- Compliance verification

#### Minimum Security Requirements

- Contractual security standards
- Technical specifications
- Compliance mandates
- Regular auditing

#### Service Level Requirements

- Availability guarantees
- Performance standards
- Security incident response times
- Breach notification requirements

#### Technical Controls

- **Silicon Root of Trust**: Hardware-based security foundation
- **Physically Unclonable Function (PUF)**: Unique hardware identifiers
- **Software Bill of Materials (SBOM)**: Inventory of software components

#### Monitoring and Oversight

- Continuous supplier monitoring
- Regular assessments
- Performance metrics
- Incident tracking

## 1.12 - Establish and maintain a security awareness, education, and training program

### Program Development Steps

1. **Evaluate current security posture**
   - Understand organizational security limits
   - Identify training needs
   - Assess current awareness levels
2. **Define program objectives**
   - Align with business goals
   - Address identified gaps
   - Set measurable targets
3. **Develop content and methods**
4. **Implement training programs**
5. **Evaluate effectiveness**

### Methods and Techniques

#### Social Engineering Awareness

- Phishing simulation exercises
- Pretexting scenarios
- Tailgating awareness
- Vishing (voice phishing) training

#### Training Methods

- **Security Champions**: Peer advocates in each department
- **Gamification**: Points, badges, competitions
- **Interactive workshops**: Hands-on exercises
- **E-learning modules**: Self-paced online training
- **Simulations**: Real-world scenario practice

### Content Areas

#### Emerging Technologies

- **Cryptocurrency**: Security implications and risks
- **Artificial Intelligence**: AI security concerns and opportunities
- **Blockchain**: Distributed ledger security considerations
- **IoT devices**: Internet of Things security challenges
- **Cloud computing**: Shared responsibility models

#### Traditional Security Topics

- Password security
- Email security
- Physical security
- Data handling
- Incident reporting

### Periodic Content Reviews

- Regular curriculum updates
- Emerging threat landscape
- New technology adoption
- Regulatory changes
- Lessons-learned integration

### Program Effectiveness Evaluation

#### Metrics

- Training completion rates
- Phishing simulation click rates
- Security incident reduction
- Knowledge retention testing
- Behavioral change indicators

#### Assessment Methods

- Pre/post training assessments
- Simulated attacks
- Surveys and feedback
- Incident analysis
- Performance indicators

#### Continuous Improvement

- Regular program review
- Stakeholder feedback
- Industry benchmarking
- Best practice adoption
- Resource optimization

---

## Key Memorization Items

### Risk Management Process

1. Identify assets and threats
2. Assess likelihood and impact
3. Calculate risk levels
4. Select risk treatment
5. Monitor and review

### AAA Services

- Identification → Authentication → Authorization → Auditing → Accounting

### CIA Triad Plus

- Confidentiality, Integrity, Availability, Authenticity, Non-repudiation

### Investigation Types

- Administrative (lowest formality)
- Civil (preponderance of evidence)
- Criminal (beyond reasonable doubt)
- Regulatory (agency enforcement)

### BCP Process

1. Project scope and planning
2. Business impact analysis
3. Continuity strategy development
4. Provisions and processes
5. Plan approval and implementation
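The quantitative metrics named in 1.9 (SLE, ARO, ALE) and the ALE-based impact step of the BIA in 1.7 are shown worked through here, together with the safeguard cost/benefit comparison that drives the accept/mitigate/transfer/avoid decision. This is an added example, not part of the original notes; the asset values, exposure factors and safeguard costs are constructed sample figures.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair, valued in money (quantitative assessment)."""
    asset_value: float       # AV: monetary value of the asset
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0.0..1.0)
    aro: float               # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual EF/ARO it leaves behind."""
    name: str
    annual_cost: float   # ACS: annualized cost of the safeguard
    new_ef: float        # EF after the control is in place
    new_aro: float       # ARO after the control is in place


def safeguard_value(risk: RiskScenario, sg: Safeguard) -> float:
    """Cost/benefit of a control: (ALE before - ALE after) - ACS.
    Positive means the control saves more per year than it costs."""
    residual = RiskScenario(risk.asset_value, sg.new_ef, sg.new_aro)
    return risk.ale() - residual.ale() - sg.annual_cost


def recommend(risk: RiskScenario, options: list[Safeguard],
              risk_appetite: float) -> tuple[str, Optional[str]]:
    """Map the numbers onto the four risk response strategies.
    Accept if the ALE is already within appetite; otherwise mitigate with the
    control of highest positive value; if no control pays for itself, the
    remaining options are to transfer (insurance/outsourcing) or avoid."""
    if risk.ale() <= risk_appetite:
        return ("accept", None)
    worthwhile = [(safeguard_value(risk, sg), sg) for sg in options
                  if safeguard_value(risk, sg) > 0]
    if not worthwhile:
        return ("transfer or avoid", None)
    best = max(worthwhile, key=lambda pair: pair[0])[1]
    return ("mitigate", best.name)


# Constructed scenario: a customer database worth $500,000; a breach is
# expected to destroy 40% of its value and to happen once every two years.
SCENARIO = RiskScenario(asset_value=500_000, exposure_factor=0.40, aro=0.5)

# Constructed candidate controls (all figures are illustrative).
SAFEGUARDS = [
    Safeguard("Encrypted offsite backups", annual_cost=20_000, new_ef=0.10, new_aro=0.5),
    Safeguard("WAF plus monitoring", annual_cost=60_000, new_ef=0.40, new_aro=0.1),
    Safeguard("Full DLP suite", annual_cost=150_000, new_ef=0.05, new_aro=0.2),
]

if __name__ == "__main__":
    print(f"SLE = {SCENARIO.sle():,.0f}  ALE = {SCENARIO.ale():,.0f}")
    for sg in SAFEGUARDS:
        print(f"{sg.name:28s} value = {safeguard_value(SCENARIO, sg):>+10,.0f}")
    print("decision:", recommend(SCENARIO, SAFEGUARDS, risk_appetite=10_000))
```

Note that the DLP suite leaves the smallest residual ALE yet has a negative value, which is the point of the calculation: the cheapest adequate control, not the strongest one, is the one the numbers justify.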