
April 23, 2024

The first CISSP domain focuses on the fundamentals of security and how to assess and manage risk. It makes sense since both of these concepts are an essential part of our personal and professional lives. Therefore, we have to analyze every risk associated with every action we take.

Moreover, growing technology adoption and digitalization require cybersecurity professionals to be aware of the topics discussed in CISSP Domain 1. The domain also focuses heavily on the critical factors of governance and compliance and on how security contributes to each by aligning with them.

Have a look at everything you need to know for the CISSP certification exam for domain 1 in this article.

1.1 Understand, adhere to, and promote professional ethics

Ethics

Ethics are a foundational element of a successful security program and should be adhered to throughout the organization. Proper ethical behavior is based upon one belief: abide by the rules and do nothing harmful to anyone else.

Within an organization, the best way to prescribe, promote, and instill consistent ethical behavior is through corporate rules or laws, more appropriately referred to as policies, to ensure that all employees employ the same set of ethics.

As a CISSP candidate, you are responsible for understanding and complying with the ISC2 Code of Professional Ethics, which applies to CISSP holders around the globe. In fact, the CISSP exam will most likely ask at least one question on this topic.

The Preamble and the Code of Professional Ethics Canons must be understood fully in the context of corporate and industry applications. The Canons should be memorized and adhered to in the order presented.

ISC2 Code of Ethics Preamble

  • The safety and welfare of society and the common good, the duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

The ISC2 Code of Ethics consists of the Canons outlined here:


ISC2 Code of Ethics Canons

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

Remember, if a scenario is presented in which there's a conflict in the Canons, they need to be applied in order.


1.2 Understand and apply security concepts

Focus of security

Security focuses on anything that represents value, better referred to as assets, and implements controls that ultimately increase the value of those assets.

Therefore, the focus of the security function is to:

  1. Allow and enable the organization to achieve its goals and objectives.
  2. Increase the organization's value.

Confidentiality, integrity, availability, authenticity, and nonrepudiation

The CIA triad is a foundational model that helps organizations design, structure, and implement security functions.


The elements of the CIA triad are as follows:

Confidentiality

Protects assets using important principles such as need-to-know and least privilege; prevents unauthorized disclosure.

Integrity

Protects and adds value to assets by making them more accurate, timely, current, and meaningful; prevents unauthorized or accidental changes to assets such as information.

Availability

Protects critical assets based on value to ensure organizational assets are available when required by stakeholders.

The traditional pillars of security have been extended to include authenticity and nonrepudiation:

Authenticity

Proves that assets are legitimate and bona fide, i.e., that they can be trusted and have been verified. Proves the source and origin of important, valuable assets. Also referred to as "proof of origin."

Nonrepudiation

Assures that someone cannot dispute the validity of something; the inability to refute accountability or responsibility. Also, the inability to deny having done something.


1.3 Evaluate and apply security governance principles

Alignment of the security function to business strategy, goals, mission, and objectives

The purpose of governance is to enhance organizational value, and corporate governance is based on the goals and objectives of the organization. 

Security needs to enable the organization's goals and objectives, not just enforce information processes or fix technical issues, and must be managed top down instead of bottom up.

Scoping and tailoring are the two techniques used to align security objectives with organizational goals and objectives:

  • Scoping looks at potential control elements and determines which ones are in scope—for example, security control elements that could adhere to applicable laws and regulations—and which ones are out of scope.
  • Tailoring looks specifically at applicable—in scope—security control elements and further refines or enhances them so they're most effective and aligned with the goals and objectives of an organization.

Accountability versus responsibility

Accountable and responsible are two terms that are sometimes mistakenly used interchangeably.

If someone is accountable for something, that accountability can never be delegated to anyone else. That person will always remain accountable. On the other hand, responsibility can be delegated, but the delegator will remain accountable.

Even if certain organizational functions are managed by a responsible third party, like a payroll provider or a Cloud Service Provider (CSP), accountability still resides with the owner of the assets being managed. A CSP will often have a contractual responsibility for protecting the data. Still, the data owner is always accountable for the data and, therefore, liable if there is a data breach.

Organizational roles and responsibilities

The following table outlines some of the key functions typically found in an organization and their accountabilities and responsibilities from a security perspective:

Owners / Controllers / Functional Leaders / Senior Management

Accountable for:

  • Ensuring that appropriate security controls, consistent with the organization's security policy, are implemented to protect the organization's assets
  • Determining appropriate sensitivity or classification levels
  • Determining access privileges 

Information Systems Security Professionals / IT Security Officer

Responsible for:

  • Design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines

Information Technology (IT) Officer

Responsible for:

  • Developing and implementing technology solutions
  • Reviewing and approving new IT alternatives
  • Working closely with IS and IT Security Professionals and Officers to evaluate security strategies
  • Working closely with the Business Continuity Management (BCM) team to ensure continuity of operations should a disruption occur

IT Function

Responsible for:

  • Implementing and adhering to security policies

Operator / Administrator

Responsible for:

  • Managing, troubleshooting, and applying hardware and software patches to systems as necessary
  • Managing user permissions per the owner's specifications
  • Administering and managing specific applications and services

Network Administrator

Responsible for:

  • Maintaining computer networks and resolving issues with them
  • Installing and configuring networking equipment and systems and resolving problems

Information Systems Auditors

Responsible for:

  • Providing management with independent assurance that the security objectives are appropriate
  • Determining whether the security policy, standards, baselines, procedures, and guidelines are appropriate and effective to comply with the organization's security objectives
  • Determining whether the objectives have been met

Users

Responsible for:


Responsibility for data corruption rests with the custodian. However, accountability for that corruption rests with the asset owner.

Due care versus due diligence

Simply put:

  • Due care is the responsible protection of assets
  • Due diligence is the ability to prove due care


1.4 Determine compliance and other requirements

Establishing the right security controls isn't just about the internal needs of an organization. Plenty of contractual, legal, industry, and regulatory requirements should inform how different assets are protected.

The legal, privacy, and audit/compliance functions must work together to ensure compliance, and once management understands compliance needs, they can work with security to implement controls.


1.5 Understand legal and regulatory issues that pertain to information security in a holistic context

Cybercrimes and data breaches

Every organization should be asking fundamental questions like:

  • How is/are our information/assets protected?
  • What are the issues pertaining to information security for our organization in a global context?
  • What does the current threat landscape look like?

This is important because cybercrime is highly profitable. This fact explains why most organizations won't admit to being victims or prosecute the perpetrators of cybercrime.


Not every attack can be prevented, but effective security strategies can reduce attacks by making them:

  • Not worthwhile
  • Too time-consuming
  • Too expensive

Bottom line: Don't be the low-hanging fruit that can be easily picked!

Licensing and intellectual property requirements

Intellectual property laws aim to encourage the creation of intellectual goods (inventions, literary and artistic works, designs, symbols, and names) and to protect the same.

The following table shows what trade secrets, patents, copyrights, and trademarks protect.

| Term | Protects | Disclosure Required | Term of Protection | Protects Against |
|---|---|---|---|---|
| Trade Secret | Business information | No | Potentially infinite | Misappropriation |
| Patent | Functional innovations, novel ideas, inventions | Yes | Set period | Making, using, or selling an invention |
| Copyright | Expression of an idea embodied in a fixed medium (books, movies, songs, etc.) | Yes | Set period of time | Copying or substantially similar work |
| Trademark | Color, sound, symbol, etc. used to distinguish one product/company from another | Yes | Potentially infinite | Creating confusion |

Import/export controls

Import and export controls are country-based rules and laws implemented to manage which products, technologies, and information can move in and out of those countries, usually meant to protect national security, individual privacy, economic well-being, and so on.

The Wassenaar Arrangement

The Wassenaar Arrangement was put in place to manage the risk that cryptography poses while still facilitating trade. It allows certain countries to exchange and use cryptography systems of any strength while also preventing the acquisition of these items by terrorists.

International Traffic in Arms Regulations (ITAR)

ITAR is a US regulation built to control the export of items such as missiles, rockets, bombs, or anything else listed on the United States Munitions List (USML).

Export Administration Regulations (EAR)

EAR predominantly focuses on commercial use-related items like computers, lasers, marine items, and more. However, it can also include items that may have been designed for commercial use but actually have military applications.

Transborder data flow

Transborder data flow laws restrict the transfer of data across country borders. When sharing data across borders, applicable laws must be considered.

These laws primarily relate to personal data. The idea is to protect the personal data of the citizens of a given country, state, province, or region. If an organization collects citizens' data, then it is accountable for the protection of that data.

Given these laws, organizations must consider the potential implications of the flow of data across physical borders. This can be very challenging for organizations to keep track of with the proliferation of service providers and global cloud services.

Privacy

Privacy is the state or condition of being free from being observed or disturbed by other people, and personal data is information on its own or in combination that uniquely identifies an individual.

It's essential that personal data is well protected to comply with current privacy laws and to protect the value of the information and of the organization itself. This can become complex for multinational organizations since there's a significant variation around the world in both the definition of personal data and the laws that determine how to protect it.

Personal data

Depending on the location in the world, personal data may be referred to in different ways, and what constitutes personal data can vary significantly.

Personal data can be referred to as:

  • PI: Personal Information
  • PII: Personally Identifiable Information
  • SPI: Sensitive Personal Information
  • PHI: Personal Health Information

It's also important to distinguish between direct and indirect identifiers. Direct identifiers are information that relates specifically to an individual, such as their name, address, biometric data, government ID, or other uniquely identifying numbers. Indirect identifiers are information that on its own cannot uniquely identify an individual but can be combined with other information to identify specific individuals.

Privacy requirements

Privacy policy requirements

The following table contains a summary of the key roles within the privacy realm:

Data owners

Owners need to have clearly defined accountabilities, including:

  • Defining classification
  • Approving access
  • Retention and destruction

Different types of owners:

  • Data owners
  • Process owners
  • System owners

Companies that collect personal data about customers are accountable for the protection of that data.

Data custodians

Need to have clearly defined responsibilities.
Protect data based on input from the owners.
Custodians also need tools, training, resources, etc.

And who provides all this? Typically, the owners.

Data processors

Need to have clearly defined responsibilities.
Processes personal data on behalf of the controller/owner.


Data subjects

Individuals to whom personal data relates.

One privacy law that you should understand in more depth is the GDPR, one of the most comprehensive privacy laws in the world. Many countries have modeled their privacy laws on the GDPR, are in the process of doing so, or plan to in the future.

OECD privacy guidelines

The Organization for Economic Cooperation and Development (OECD) is an international organization that is focused on international standards and policies and finding solutions to social, economic, and environmental challenges. One such challenge that they have been driving for decades is privacy.

OECD privacy guidelines are not mandatory for organizations to comply with, although they are considered a prudent course of action. These guidelines are:

  • Collection limitation principle
  • Data quality principle
  • Purpose specification principle
  • Use limitation principle
  • Security safeguards principle
  • Openness principle
  • Individual participation principle
  • Accountability principle

Privacy assessments

Privacy Impact Assessment (PIA) is a process undertaken on behalf of an organization to determine if personal data is being protected appropriately and to minimize risks to personal data where appropriate.

A PIA is performed with the goal to:

  1. Identify/evaluate risks relating to privacy breaches.
  2. Identify what controls should be applied to mitigate privacy risks.
  3. Support organizational compliance with privacy legislation.

These are the PIA steps:

  1. Identify the need for a DPIA (Data Protection Impact Assessment, the GDPR term for a PIA)
  2. Describe the data processing
  3. Assess necessity and proportionality
  4. Consult interested parties
  5. Identify and assess risks
  6. Identify measures to mitigate the risks
  7. Sign off and record outcomes
  8. Monitor and review

1.6 Understand requirements for investigation types

To understand the requirements for investigation types, read our domain 7 article (section 7.1.7), in which we explain everything you need to know in this regard.


1.7 Develop, document, and implement security policies, procedures, standards, baselines, and guidelines

Policies, procedures, standards, baselines, and guidelines

The compendium of functional policies will be defined, supported, and informed by many standards, procedures, baselines, and guidelines, as seen in the following model:


For the CISSP certification exam, you must be aware of the differences between policies, standards, procedures, baselines, and guidelines:

Policies

  • Documents that communicate management's goals and objectives
  • Provide authority to security activity
  • Define the elements, functions, and scope of the security team
  • Must be approved and communicated
  • Corporate law

Standards

Specific hardware and software solutions, mechanisms, and products

Examples:

  • Specific antivirus software, e.g., McAfee
  • Specific access control system, e.g., Forescout
  • Specific firewall system, e.g., Cisco ASA
  • A published guideline (e.g., ISO 27001) adopted by an organization as a standard

Procedures

Step-by-step descriptions of how to perform a task; mandatory actions

Examples:

  • User registration or new hire onboarding
  • Contracting for security purposes
  • Information system material destruction
  • Incident response

Baselines

Defined minimal implementation methods/levels for security mechanisms and products

Examples:

  • Configurations for intrusion detection systems
  • Configurations for access control system

Guidelines

Recommended or suggested actions

Examples:

  • Government recommendations
  • Security configuration recommendations
  • Organizational guidelines
  • Product/system evaluation criteria

(Note: Guidelines allow an organization to suggest that something be done without making it a hard requirement, so that not following them does not cause a negative audit finding.)

The committee, reporting to the Board of Directors and CEO, should develop an overarching security policy that is aligned with organizational goals and objectives, covers the entire organization, and clearly articulates the goals and objectives of the security function.

While policies don't need to be reviewed every year, standards, procedures, baselines, and guidelines may need to be updated frequently.



1.8 Identify, analyze, and prioritize business continuity (BC) requirements

Please check section 7.11 of our article on Domain 7 to know more about this topic.


1.9 Contribute to and enforce personnel security policies and procedures

Personnel security policies

Some of the best practices for protecting the business and its important assets are listed below.

Candidate screening and hiring

New personnel represent a risk to security; every organization needs personnel security policies that address and mitigate this risk with the right security controls.

Employment agreements and policies

As part of bringing a new employee into an organization—also referred to as onboarding—company security policies, acceptable use policies, and similar agreements should be reviewed and agreed upon prior to giving a new employee their badge and any system credentials.

Prior to an employee leaving, or in conjunction with it, user system access should be disabled, and the fact that the employee's employment is being terminated should be conveyed to all relevant parties within the organization.

Employee duress

An employee acting under duress may be forced to perform an action or set of actions that they wouldn't do under normal circumstances. One common practice to handle these stressful situations is to have keywords that denote that an employee is acting under duress.

Personnel security controls

Here is a list of important personnel security controls:

  • Job rotation. Job rotation is quite useful for protecting against fraud and also provides cross-training. It entails rotating staff (especially individuals in key positions) so that an individual can't commit fraud and cover it up.
  • Mandatory vacation. Mandatory vacation is another control used by organizations to detect fraud. Employees are required to go on vacation for a set period of time, during which another employee steps into the role and can determine whether any malicious or nefarious activity has taken place or is actively taking place.
  • Separation of duties. Separation of duties is used to prevent fraud by requiring more than one employee to perform critical tasks.
  • Need-to-know and least privilege. Least privilege ensures that only the minimum permissions needed to complete the work are granted to any employee. Need-to-know ensures that access to sensitive assets is restricted to those who require the information to complete their work.

Enforce personnel security controls

Enforcing personnel security controls commences with the hiring process, extends through the employment period, and ends only after the employee has left the organization.

Additionally, personnel-focused policies are often further supported by things like:

  • Nondisclosure agreements (NDA). Contracts through which the parties agree not to disclose information covered by the agreement.
  • Noncompete agreements (NCA)
  • Ethical guideline and requirement questionnaires and agreements
  • Vendor, consultant, and contractor agreements and controls

1.10 Understand and apply risk management concepts

Risk management

Risk management is the identification, assessment, and prioritization of risks and the economical application of resources to minimize, monitor, and control the probability and/or impact of these risks.



Here's an overview of the risk management process:

  • Value. Identify the assets of the organization and rank those assets from most to least valuable. This process is referred to as asset valuation, and the ranking of assets can be achieved via two methods or, most commonly, a combination of both: quantitative value analysis and qualitative value analysis.
  • Risk analysis. Determine the risks associated with each asset via the risk analysis process. The four key components are threat, vulnerability, impact, and probability/likelihood.
  • Treatment. There are four risk treatment methods: avoid, transfer, mitigate, and accept.

Asset valuation

Before risks can be identified and managed, valuable assets of the organization must first be identified.

Two different forms of analysis can be used to rank the assets of the organization from most to least valuable: qualitative and quantitative:

| Qualitative analysis | Quantitative analysis |
|---|---|
| Does not attempt to assign monetary value | Assigns objective monetary values |
| Relative ranking system, based on professional judgment | Fully quantitative process when all elements are quantified |
| Uses words like "Low," "Medium," "High," "1–5," "Probability," or "Likelihood" to express value | |
| Qualitative analysis is relatively simple and efficient | Purely quantitative analysis is difficult to achieve and time-consuming |

Risk analysis

After the asset valuation process, related threats and vulnerabilities must be identified for each asset, and owners must be deeply involved in the risk analysis process.

Threats and vulnerabilities

There are three main components to risk being present:

  • Asset: anything of value to the organization
  • Threat: any potential danger; anything that causes damage to an asset, like hackers, earthquakes, ransomware, social engineering, denial-of-service attacks, disgruntled employees, and many others.
  • Vulnerability: a weakness that exists; anything that allows a threat to take advantage of it to inflict damage on the organization. Examples include open ports with vulnerable services, lack of network segregation, and lack of patching and OS updates.

Risk management terms

The following list covers the core terms used in risk management and how they fit together.

Threat Agent

The entity that has the potential to cause damage to an asset (e.g., external attackers, internal attackers, disgruntled employees)

Threat

Any potential danger

Attack

Any harmful action that exploits a vulnerability

Vulnerability

A weakness in an asset that could be exploited by a threat

Risk

Significant exposure to a threat or vulnerability (a weakness that exists in an architecture, process, function, technology, or asset)

Asset

Anything that is valued by the organization

Exposure/Impact

Negative consequences to an asset if the risk is realized (e.g., loss of life, reputational damage, downtime, etc.)

Countermeasures and Safeguards

Controls implemented to reduce threat agents, threats, and vulnerabilities and reduce the negative impact of a risk being realized

Residual Risk

The risk that remains after countermeasures and safeguards (controls) are implemented

Annualized Loss Expectancy (ALE) calculation

Quantitative analysis as part of ranking risks requires calculating how much risk is expected to cost the organization annually—the Annualized Loss Expectancy (ALE). The ALE is calculated in two steps:

SLE = AV × EF
ALE = SLE × ARO

The acronyms pertain to:

  • Asset Value (AV)
  • Exposure Factor (EF)
  • Single Loss Expectancy (SLE)
  • Annualized Rate of Occurrence (ARO)
  • Annualized Loss Expectancy (ALE)
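As an added worked example (not from the original article; every asset value, exposure factor, rate and safeguard cost below is constructed), the following Python computes SLE and ALE with the formula above, ranks risks by ALE, and goes one step further than the text by scoring each candidate safeguard as ALE before minus ALE after minus its annual cost, which is how a cost-effective treatment (accept, mitigate, or escalate to transfer/avoid) is chosen.

```python
"""Quantitative risk analysis with the CISSP terms AV, EF, SLE, ARO and ALE.

Constructed example: figures are illustrative, not from any real assessment.
The safeguard value rule (ALE before - ALE after - annual cost of safeguard)
is the standard cost/benefit test for a "cost-effective" control.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    av: float    # Asset Value (AV), in currency units
    ef: float    # Exposure Factor (EF): fraction of AV lost per incident, 0..1
    aro: float   # Annualized Rate of Occurrence (ARO): incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # annualized cost of operating the control
    new_ef: float       # EF that remains once the control is in place
    new_aro: float      # ARO that remains once the control is in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: expected loss from a single occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from this threat."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(av, ef) * aro


def risk_ale(risk: Risk) -> float:
    return annualized_loss_expectancy(risk.av, risk.ef, risk.aro)


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost.

    Positive: the control saves more than it costs for this risk.
    Negative: on its own, the control is not cost-effective here.
    """
    before = risk_ale(risk)
    after = annualized_loss_expectancy(risk.av, sg.new_ef, sg.new_aro)
    return before - after - sg.annual_cost


def recommend_treatment(risk: Risk, candidates: list, acceptable_ale: float):
    """Choose a treatment: accept when ALE is already within tolerance,
    mitigate with the highest-value safeguard that pays for itself, or
    escalate to transfer/avoid when no candidate control is cost-effective.
    Returns (treatment, safeguard_name_or_None)."""
    if risk_ale(risk) <= acceptable_ale:
        return ("accept", None)
    cost_effective = [sg for sg in candidates if safeguard_value(risk, sg) > 0]
    if cost_effective:
        best = max(cost_effective, key=lambda sg: safeguard_value(risk, sg))
        return ("mitigate", best.name)
    return ("transfer/avoid", None)


def rank_by_ale(risks: list) -> list:
    """Rank risks from largest to smallest ALE (the quantitative ranking step)."""
    return sorted(risks, key=risk_ale, reverse=True)


# Constructed sample data (hypothetical assets, threats and safeguards).
FILESERVER_RANSOMWARE = Risk("file server", "ransomware", av=100_000, ef=0.25, aro=0.5)
LAPTOP_THEFT = Risk("sales laptop", "theft", av=2_000, ef=1.0, aro=0.2)
OFFICE_FIRE = Risk("head office", "fire", av=5_000_000, ef=0.6, aro=0.01)

OFFLINE_BACKUPS = Safeguard("offline backups", annual_cost=3_000, new_ef=0.05, new_aro=0.5)
EDR_AGENT = Safeguard("EDR agent", annual_cost=9_000, new_ef=0.25, new_aro=0.1)
SPRINKLERS = Safeguard("sprinkler system", annual_cost=40_000, new_ef=0.2, new_aro=0.01)
ACCEPTABLE_ALE = 500.0  # hypothetical risk appetite per risk, per year

if __name__ == "__main__":
    for r in rank_by_ale([FILESERVER_RANSOMWARE, LAPTOP_THEFT, OFFICE_FIRE]):
        sle = single_loss_expectancy(r.av, r.ef)
        print(f"{r.asset:12} {r.threat:10} SLE={sle:>12,.0f} ALE={risk_ale(r):>10,.0f}")
    print(recommend_treatment(FILESERVER_RANSOMWARE, [OFFLINE_BACKUPS, EDR_AGENT], ACCEPTABLE_ALE))
    print(recommend_treatment(LAPTOP_THEFT, [], ACCEPTABLE_ALE))
    print(recommend_treatment(OFFICE_FIRE, [SPRINKLERS], ACCEPTABLE_ALE))
```

With these numbers the ransomware risk is mitigated with offline backups (both safeguards pay for themselves, backups by more), the laptop risk is accepted, and the fire risk is escalated because sprinklers cost more per year than they save.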

Risk response/treatment

After the risk analysis process, security should implement the most cost-effective treatments. The right approach depends on the value of the asset and the type of risk identified in the previous steps.

Although risk can never be entirely eliminated, it can be managed via the following approaches:

  • Avoid. Choosing to stop doing whatever exposes the asset to risk. Not performing the activity at all avoids the risk, but you can miss significant opportunities (the opportunity cost).
  • Transfer. Transferring risk means sharing some of the risk with another party, usually an insurance company.
  • Mitigate. Mitigating risk means implementing controls that reduce the risk to an acceptable level.
  • Accept. Accepting risk simply means taking no action, or no further action, where the risk to a particular asset is concerned.

Types of controls

Seven major types of controls can be put in place, as shown in the following table:

Directive

Directive controls direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Deterrent

Deterrent controls discourage violation of security policies

Preventive

Preventive controls can prevent undesired actions or events

Detective

Detective controls are designed to identify if a risk has occurred. Importantly, detective controls operate after an event has already happened

Corrective

Corrective controls are used to minimize the negative impact of a risk occurring—minimize the damage. They are used to alleviate the effects of an event that has resulted in a loss and to respond to incidents to minimize risk.

Recovery

Restore systems and operations to normal after an event

Compensating

Compensate for a missing or weak control (e.g., supervision)

A concept that is pervasively used in security is complete control. Complete control is a combination of preventive, detective, and corrective controls at a minimum.

In addition, in defense-in-depth (layered security), complete control should be implemented at each layer.

Categories of controls

A way to categorize the security controls is as safeguards or as countermeasures.

Safeguards are proactive controls; they are put in place before the risk has occurred to deter or prevent it from manifesting.

Countermeasures are reactive controls. They are put in place after risk has occurred and aim to allow us to detect and respond to it accordingly.

Controls can be further classified into three main categories:

  • Administrative
  • Logical/Technical
  • Physical

Functional and assurance

A good security control should always include two aspects: the functional aspect and the assurance aspect.

| Functional | Assurance |
|---|---|
| The control performs the function it was designed to address/does what it is meant to do—for example, a firewall filtering traffic between different subnets. | The control can be proven to be functioning properly on an ongoing basis, usually through testing, assessments, logging, monitoring, etc. |


Selecting controls

Selected controls must support organizational goals and objectives and be cost-effective.

Security is usually a balancing act between achieving the maximum level of security at the least cost while, at the same time, allowing proper functionality.

Security controls make systems more difficult to use, slower, more complicated, and so on.

Measuring control effectiveness and reporting

Once a control, or set of controls, has been decided upon and implemented, it is important to understand how well they're working. One of the best ways to do this is by using metrics.

To identify the metrics that matter, determine which metrics will be useful to implement and monitor, and identify the target audience for them.


Continuous improvement

Risk management is a continuous, arduous, and time-consuming process that needs to be continually updated.

The Deming Cycle, sometimes also referred to as Plan Do Check Act (PDCA), shown in the next figure, outlines the cyclical nature of many processes in security, including risk management.

Image of continuous improvement on cissp domain 1 - Destination Certification

Plan

Determine which controls to implement based on the risks identified

Do

Implement the controls

Check

Monitoring and assurance; are the controls operating effectively?

Act

Based upon findings during the "Check" step, take additional actions as necessary (react), which leads back to planning

Apply supply chain risk management concepts

Risk management methodologies should be applied to all vendors, suppliers, and service providers, and the assessment should include items such as:

  • Governance review
  • Site security review
  • Formal security audit
  • Penetration testing
  • Adherence to the security baseline
  • Evaluation of hardware and software
  • Adherence to security policies
  • Development of an assessment plan
  • Identification of assessment requirements and which party will perform it
  • Preparation of assessment and reporting templates

Risk management frameworks

Risk management frameworks provide comprehensive guidance for structuring and conducting risk management. Four widely used risk management frameworks are shown in the following table:

NIST SP 800-37 (RMF)

This guide describes the risk management framework (RMF) and provides guidelines for applying the RMF to information systems and organizations.

ISO 31000

ISO 31000 is a family of standards relating to risk management.

COSO

COSO provides a definition of essential enterprise risk management components, reviews ERM principles and concepts, and provides direction and guidance for enterprise risk management.

ISACA Risk IT Framework

ISACA's Risk IT Framework contains guidelines and practices for risk optimization, security, and business value. The latest version places greater emphasis on cybersecurity and aligns with the latest version of COBIT.


1.11 Understand and apply threat modeling concepts and methodologies

Threat modeling is used to systematically identify, enumerate, and prioritize threats related to an asset.

Image of threat modeling graph on cissp domain 1 - Destination Certification
Image of threat modeling on cissp domain 1 - Destination Certification

Three major threat modeling methodologies you need to know about for the exam are STRIDE, PASTA, and DREAD.

STRIDE

STRIDE is a threat-focused classification scheme that is simpler and less strategic than PASTA: it enumerates the kinds of threats that can apply to each part of a system. The acronym stands for:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial-of-service
  • Elevation of privilege

PASTA

Process for Attack Simulation and Threat Analysis (PASTA), unlike STRIDE, is an attacker-focused, risk-centric methodology. It is much more detailed than STRIDE and performs threat analysis from a strategic, business-impact perspective.

The stages in PASTA are as follows:

  • Define objectives
  • Define technical scope
  • Application decomposition
  • Threat analysis
  • Vulnerability and weakness analysis
  • Attack modeling
  • Risk and impact analysis

DREAD

DREAD is a rating model used to measure and rank the severity of threats rather than to find them. It is often used in combination with STRIDE: STRIDE identifies the threats, and DREAD is then used to rank their severity. The acronym stands for:

  • Damage
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability

Social engineering

Social engineering can be defined as using deception or intimidation to get people to provide sensitive information that they shouldn't in order to facilitate fraudulent activities.

It is a prevalent means of attack against organizations and their employees because it is very effective: people are often the weakest link in a company's security. Common social engineering tactics include intimidation, deception, and building rapport with the target.

Social engineering attacks can be mitigated through awareness, training, and education.


1.12 Apply supply chain risk management (SCRM) concepts

SLR, SLA, and service level reports

Security must be considered for all acquisitions and be part of the procurement process. Even if the acquisition is of a well-known brand, product, or service, risks exist and must be evaluated as part of the acquisition (procurement) process. This evaluation should occur as early as possible and include security requirements that reduce the identified risks.

Service level requirements (SLR)

With the acquisition of a service, additional organizational requirements must be considered, which is done through an SLR document. Specifically, an SLR outlines:

  • Detailed service descriptions
  • Detailed service level targets
  • Mutual responsibilities

Security requirements must be clearly communicated (e.g., SLAs) to suppliers/vendors/service providers.

Service Level Agreement (SLA)

After a service is acquired, an SLA must be put in place between the customer and the service provider.

SLAs often include expectations and stipulations related to:

  • Service levels
  • Governance
  • Security
  • Compliance with law and regulations

Service level reports

Service level reports are issued by a vendor or service provider to a client and provide insight into how well the provider has delivered the services as defined in the SLA during the reporting period.

It might contain any of the following components:

  • Achievement of metrics defined in the SLA
  • Identification of issues
  • Reporting channels
  • Management
  • Third-party SOC reports
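The first item in that list, achievement of SLA metrics, is the part of a service level report a customer should be able to recompute from the provider's raw incident data rather than take on trust. The following is an added example, not from the original article, that does so for an availability target: it merges overlapping outage records, excludes time inside announced maintenance windows, clips everything to the reporting period, and compares the result with the SLA. The 99.9% target, the rule that only "outage" incidents count and maintenance windows are excluded, and the incident records themselves are constructed assumptions.

```python
"""Availability achievement against an SLA target, from raw incident records.

Added example, not from the original article. The target, the counting
rules and the incident records are constructed for illustration.
"""
from datetime import datetime, timedelta

PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)        # exclusive; March has 31 days
SLA_TARGET_PCT = 99.9                    # assumed availability target

# Constructed incident records: (start, end, category).
# Only "outage" counts against availability; "degraded" is reported separately.
INCIDENTS = [
    (datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 10, 45), "outage"),
    (datetime(2024, 3, 5, 10, 30), datetime(2024, 3, 5, 11, 0), "outage"),   # overlaps the first
    (datetime(2024, 3, 10, 1, 30), datetime(2024, 3, 10, 3, 0), "outage"),   # runs into maintenance
    (datetime(2024, 3, 20, 14, 0), datetime(2024, 3, 20, 16, 0), "degraded"),
    (datetime(2024, 2, 28, 23, 0), datetime(2024, 2, 29, 1, 0), "outage"),   # previous period
]
# Announced maintenance windows, excluded from downtime under the assumed SLA.
MAINTENANCE = [(datetime(2024, 3, 10, 2, 0), datetime(2024, 3, 10, 4, 0))]


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) intervals; output is sorted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def subtract_intervals(intervals, exclusions):
    """Remove every part of `intervals` that falls inside any of `exclusions`."""
    result = []
    for start, end in intervals:
        pieces = [(start, end)]
        for xs, xe in exclusions:
            remaining = []
            for ps, pe in pieces:
                if xe <= ps or xs >= pe:          # no overlap with this exclusion
                    remaining.append((ps, pe))
                    continue
                if ps < xs:                       # part before the exclusion
                    remaining.append((ps, xs))
                if xe < pe:                       # part after the exclusion
                    remaining.append((xe, pe))
            pieces = remaining
        result.extend(pieces)
    return result


def clip_to_period(intervals, start, end):
    """Keep only the portion of each interval inside [start, end)."""
    clipped = []
    for s, e in intervals:
        s, e = max(s, start), min(e, end)
        if s < e:
            clipped.append((s, e))
    return clipped


def availability_report(incidents, maintenance, start, end, target_pct):
    """Compute counted downtime and availability for the period; return a dict."""
    outages = [(s, e) for s, e, cat in incidents if cat == "outage"]
    counted = clip_to_period(
        subtract_intervals(merge_intervals(outages), merge_intervals(maintenance)),
        start, end)
    downtime = sum((e - s for s, e in counted), timedelta())
    period = end - start
    availability = 100.0 * (1 - downtime / period)
    return {
        "downtime_minutes": downtime.total_seconds() / 60,
        "allowed_downtime_minutes": period.total_seconds() / 60 * (1 - target_pct / 100),
        "availability_pct": availability,
        "target_pct": target_pct,
        "met": availability >= target_pct,
        "counted_outages": counted,
    }


if __name__ == "__main__":
    report = availability_report(INCIDENTS, MAINTENANCE, PERIOD_START, PERIOD_END, SLA_TARGET_PCT)
    print(f"Downtime: {report['downtime_minutes']:.0f} min "
          f"(allowed {report['allowed_downtime_minutes']:.1f} min)")
    print(f"Availability: {report['availability_pct']:.3f}% "
          f"target {report['target_pct']}% -> {'MET' if report['met'] else 'BREACHED'}")
```

Two details decide whether the number in the provider's report is honest: overlapping incidents must not be double-counted, and any exclusion the SLA allows (maintenance windows here) must be applied exactly as the contract defines it. Both rules should appear in the SLA itself, so that customer and provider compute the same figure from the same records.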

1.13 Establish and maintain security awareness, education, and training programs

Everyone is responsible for security; however, they must know what to do. Awareness within an organization is fostered to create cultural sensitivity to a given topic or issue.

In addition, education helps people understand fundamental concepts and therefore develop decision-making skills and abilities.

Methods and techniques to provide awareness and training

Common methods to provide awareness and training are:

  • Live in-person sessions
  • Live online sessions
  • Pre-recorded sessions
  • Requirements/rewards
  • Regular communications/campaigns

The topics selected should directly align with the organization's goals and objectives. At the same time, training and education programs and materials should also evolve and be updated accordingly to be most effective.

Program effectiveness evaluation

Program participants should be surveyed from time to time. Some key metrics to consider are:

  • Total number of people completing the awareness program
  • Number of people providing feedback in comparison to total attendees
  • Number of people reporting suspicious activities after training completion
  • Tracking of how well staff members performed
  • Number of attempts each person needed to complete the course

Destination Certification: The next step to pass the CISSP exam

The CISSP exam can seem daunting, but it all comes down to having the right information and an adequate learning process.

On Destination Certification, we offer an intelligent learning system backed by our expertise in the field that makes it much more straightforward. We continually assess your strengths and weaknesses to guide you to what you really need to learn to pass the exam.

Enroll now in our CISSP MasterClass and start your journey towards becoming a cybersecurity professional.