
Chapter 2: Domain 1: Security and Risk Management

Abstract

Security and Risk Management, the topic of this chapter and Domain 1 of the CISSP®, presents numerous critically important terms and concepts that permeate several domains. This chapter introduces the CIA triad of Confidentiality, Integrity, and Availability, which is touched upon in virtually every domain and chapter. In addition to CIA, concepts such as the Principle of Least Privilege and Need to Know are presented. Key terms, concepts, and formulas related to risk management are presented within this chapter. Risk, threat, and vulnerability are basic terms that must be understood to succeed in this domain. Understanding how to perform calculations using Annualized Loss Expectancy (ALE), Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Exposure Factor (EF) is highlighted as part of quantitative risk analysis. Important concepts related to information security governance, such as privacy, due care, due diligence, certification, and accreditation, are also a focus of this chapter.

Keywords

Confidentiality; Integrity; Availability; Subject; Object; Annualized Loss Expectancy; Threat; Vulnerability; Risk; Safeguard

EXAM OBJECTIVES IN THIS CHAPTER:

  • Cornerstone Information Security Concepts
  • Legal and Regulatory Issues
  • Ethics
  • Information Security Governance
  • Access Control Defensive Categories and Types
  • Risk Analysis
  • Security and Third Parties
  • Types of Attackers

Unique Terms and Definitions

  • Confidentiality—seeks to prevent the unauthorized disclosure of information: it keeps data secret
  • Integrity—seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. Integrity also seeks to ensure data that is written in an authorized manner is complete and accurate
  • Availability—ensures that information is available when needed
  • Subject—an active entity on an information system
  • Object—a passive entity on an information system, such as a data file
  • Annualized Loss Expectancy—the cost of loss due to a risk over a year
  • Threat—a potentially negative occurrence
  • Vulnerability—a weakness in a system
  • Risk—a matched threat and vulnerability
  • Safeguard—a measure taken to reduce risk
  • Total Cost of Ownership—the total cost of a safeguard over its lifetime, including purchase, deployment, and ongoing operation and maintenance
  • Return on Investment—money saved by deploying a safeguard, measured against its Total Cost of Ownership
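The quantitative risk formulas named in the abstract (SLE = AV × EF, ALE = SLE × ARO) and the TCO/ROI comparison from the definitions above are worked through below in a small, self-contained Python example. This code is added for illustration and is not part of the original chapter; the formulas are the standard CISSP quantitative risk analysis formulas, the asset values, exposure factors, and occurrence rates are constructed for the example, and the decision rule "deploy a safeguard only when the annual ALE reduction exceeds its annual TCO" is an assumption stated here, not text from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One matched threat/vulnerability pair against a single asset.

    asset_value      AV:  dollar value of the asset
    exposure_factor  EF:  fraction of AV lost in one occurrence (0.0 to 1.0)
    aro              ARO: expected number of occurrences per year
    """
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        # Single Loss Expectancy: SLE = AV x EF (standard CISSP formula)
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0:
            raise ValueError("asset value cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy: ALE = SLE x ARO (standard CISSP formula)
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    # Convert "once every N years" into an annual rate, e.g. once per 4 years -> 0.25
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def annual_savings(before: Risk, after: Risk) -> float:
    # Reduction in expected annual loss produced by a safeguard
    return before.ale() - after.ale()


def safeguard_roi(before: Risk, after: Risk, annual_tco: float) -> float:
    # Assumed decision rule: ROI = ALE reduction minus the safeguard's annual TCO.
    # A positive result means the safeguard saves more than it costs each year.
    return annual_savings(before, after) - annual_tco


def worth_deploying(before: Risk, after: Risk, annual_tco: float) -> bool:
    return safeguard_roi(before, after, annual_tco) > 0


# Constructed scenario (not from the chapter): a $1,000,000 data center
# exposed to flooding. A flood destroys 25% of its value (EF = 0.25) and
# is expected once every four years (ARO = 0.25).
FLOOD_BEFORE = Risk(asset_value=1_000_000, exposure_factor=0.25,
                    aro=aro_from_interval(4))

# A flood barrier (safeguard) cuts the loss per event to 5% of asset value
# but does not change how often floods happen.
FLOOD_AFTER = Risk(asset_value=1_000_000, exposure_factor=0.05,
                   aro=aro_from_interval(4))

# Two candidate quotes for the barrier, expressed as annual total cost of
# ownership (purchase amortised plus maintenance). Constructed figures.
CHEAP_BARRIER_TCO = 30_000.0
EXPENSIVE_BARRIER_TCO = 60_000.0


def summary() -> dict:
    """Return the worked numbers so they can be inspected or tested."""
    return {
        "sle_before": FLOOD_BEFORE.sle(),
        "ale_before": FLOOD_BEFORE.ale(),
        "ale_after": FLOOD_AFTER.ale(),
        "savings": annual_savings(FLOOD_BEFORE, FLOOD_AFTER),
        "roi_cheap": safeguard_roi(FLOOD_BEFORE, FLOOD_AFTER, CHEAP_BARRIER_TCO),
        "roi_expensive": safeguard_roi(FLOOD_BEFORE, FLOOD_AFTER, EXPENSIVE_BARRIER_TCO),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>14}: ${value:,.2f}")
    print("deploy cheap barrier?    ",
          worth_deploying(FLOOD_BEFORE, FLOOD_AFTER, CHEAP_BARRIER_TCO))
    print("deploy expensive barrier?",
          worth_deploying(FLOOD_BEFORE, FLOOD_AFTER, EXPENSIVE_BARRIER_TCO))
```

With these constructed inputs the SLE before the safeguard is $250,000 and the ALE is $62,500 per year; the barrier brings the ALE down to $12,500, a saving of $50,000 per year. The $30,000-per-year barrier therefore has a positive ROI and is worth deploying, while the $60,000-per-year option costs more each year than the loss it prevents. The point a practitioner should take from this is that a safeguard is justified by its ALE reduction relative to its TCO, not by the size of the SLE alone.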