Introduction
Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. We work in various roles: firewall engineers, penetration testers, auditors, management, etc. The common thread is risk: it is part of our job description.
The Security and Risk Management domain focuses on risk analysis and mitigation. This domain also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful versus those that fail in this realm is usually not tied to dollars or size of staff: it is tied to the right people in the right roles. Knowledgeable and experienced information security staff with supportive and vested leadership is the key to success.
Speaking of leadership, learning to speak the language of your leadership is another key to personal success in this industry. The ability to effectively communicate information security concepts with C-level executives is a rare and needed skill. This domain will also help you to speak their language by discussing risk in terms such as Total Cost of Ownership (TCO) and Return on Investment (ROI).
Cornerstone Information Security Concepts
Before we can explain access control, we must define cornerstone information security concepts. These concepts provide the foundation upon which the 8 domains of the Common Body of Knowledge are built.
Note
Cornerstone information security concepts will be repeated throughout this book. This repetition is by design: we introduce the concepts at the beginning of the first domain, and then reinforce them throughout the later domains, while focusing on issues specific to that domain. If you do not understand these cornerstone concepts, you will not pass the exam.
Confidentiality, Integrity, and Availability
Confidentiality, Integrity, and Availability are referred to as the “CIA triad,” the cornerstone concept of information security. The triad, shown in Fig. 2.1, forms the three-legged stool upon which information security is built. The order of the letters may vary (some prefer “AIC,” perhaps to avoid association with a certain intelligence agency), but the order is not important: understanding each concept is critical. This book will use the “CIA” acronym.