Series: CISSP Study Sheet
Entry: Information Security and Risk Management

The CISSP Study Sheet Series identifies the most important details of each individual domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, for example with my top 3 favorite CISSP study resources. The intent of each study sheet is to act as a last minute cram of the most significant principles, theories, formulas, and terms for its domain. I recommend reading the CISSP study sheets just before the test, and then doing a “brain dump” of notes for the first 15 minutes onto the paper issued with the CISSP exam. Hopefully, you will have remembered enough to have created an authorized cheat sheet. Let’s begin with the Information Security and Risk Management Domain.

Information Security and Risk Management Study Sheet

Confidentiality – the security objective of preventing unauthorized or improper disclosure of sensitive information.
Availability – the requirement that systems and data be accessible to authorized users when the business needs them.
Integrity – the assurance that data and systems are not improperly modified, and that systems function as intended.

Known as the CIA or AIC Triad, Confidentiality, Availability, and Integrity have to work in concert to keep data not only protected and accurate, but accessible to authorized users.

Policy – a high level, mandatory statement from management of the role security plays in the organization and what is expected of everyone in it.
Procedure – a mandated, step-by-step series of actions to accomplish a task, such as installing software.
Standard – a mandatory rule specifying how a policy is to be met, usually by requiring a common hardware or software solution to a security risk, such as a firewall at every network perimeter.
Baseline – a consistent minimum level of security that every implementation across the organization must meet, such as a set of password rules.
Guideline – a recommendation or best practice that is not mandatory until adopted as a standard, such as the Common Criteria.

The Organization’s Security Policy is an abstract statement from management that the IT staff implement through the other documents. For example, following a procedure to install a standard solution, in accordance with a guideline and configured to meet the baseline, is an instance of adhering to policy.

Safeguards – uniform, proactive controls put in place before an incident, incorporating the idea of least privilege.
Vulnerability – a flaw or weakness in a procedure, implementation, or control that, if exploited, could result in a security breach.
Threat – a potential danger, accidental or intentional, to an information system.
Exposure – an instance of being open to loss from a threat, i.e. an opportunity for a threat to cause damage.
Risk – the probability of a threat agent exploiting a vulnerability, combined with the loss that would result.
Risk Transference – passing the risk on to a third party, such as by buying insurance.
Countermeasure – a reactive control applied after an incident.

Safeguards are installed to protect against threats. If a safeguard itself has a vulnerability, an exposure to the threat surfaces, and the resulting risk either has to be countered or transferred.

Strategic Planning – a long term plan (years) focusing on high level goals, such as the overarching security plan.
Tactical Planning – a mid term plan (about a year) focusing on the functional plans that carry out the strategic plan.
Operational Planning – a short term, day-to-day “fire fighting” plan, usually at the keyboard level.

The Planning Horizon is the compilation of strategic, operational, and tactical planning.

Job Rotation – moving employees between positions so that collusion and policy violations are exposed.
Mandatory Vacations – forced leave during which someone else performs the job, so that fraud can be detected.
Separation of Duties – splitting a critical task between two or more people (split knowledge and dual control) so that no single person can complete it alone; this helps prevent errors and fraud.
Need to Know – only those persons who require the information to do their job should have access to it.
Least Privilege – granting users and processes only the permissions needed to accomplish their job, and no more.
Roles and Responsibilities – defined so that everyone knows what each individual is accountable for.
Due Care – acting as a reasonable, prudent person would, which reduces the probability of being found negligent or liable.

Data Owners – accountable for the data: classifying it, deciding who may access it, and setting the requirements for its business continuity and disaster recovery.
Data Custodian – implements and enforces the data owner’s decisions, such as an email server admin who maintains backups and access settings.
Auditor – provides independent assurance that the security controls are implemented correctly and are operating.
Application Owners – responsible for user permissions and security controls on data specific to a particular application.

Information Risk Management – identifying risks and implementing the right mechanisms to reduce them to, and keep them at, an acceptable level.
ISO 17799 & 27001 – ISO 17799 (since renumbered ISO 27002) is a code of practice listing controls and best practices for a comprehensive security program; ISO 27001 specifies the requirements for an information security management system (ISMS) against which an organization can be certified.
Asset Identification – cataloguing the assets to be protected, both tangible, such as the facility, and intangible, such as data.
Assurance – a level of confidence that a particular security level is being upheld.
CobiT – four domains that ensure IT maps to business needs: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.

Governance – the set of management directives that ensure strategic direction, achievement of objectives, management of risk, and appropriate use of enterprise resources.
Organization for Economic Co-operation and Development (OECD) – an international group assisting governments with economic, social, and governance challenges worldwide.

Project Sizing – documenting the scope of the risk analysis before it begins.
Failure Modes and Effect Analysis (FMEA) – a method that lists each way a component or process can fail and the effect of each failure; it originated in manufacturing quality control.
Fault Tree Analysis (FTA) – a top-down analytical approach that traces an undesired system failure back to its possible causes, used to assess safety in complex environments.
Quantitative Risk Analysis – risk expressed in monetary terms.
Qualitative Risk Analysis – risk expressed as a subjective rating on a scale, such as 1-5 or high, medium, and low.
Delphi Technique – a group decision technique in which each participant gives an anonymous opinion, repeated until the group converges.
Single Loss Expectancy (SLE) – the monetary loss expected from a single occurrence of a threat event, calculated as Asset Value X Exposure Factor (the percentage of the asset’s value that the event destroys); it covers the value of the data, the cost to replace it, and the opportunities missed.

Risk Analysis is performed to balance the economic impact of a risk against the cost of the safeguards that would reduce it.

Risk Analysis Formulas

Total Risk = Threats X Vulnerability X Asset Value
Residual Risk = Total Risk X Controls Gap = (Threats X Vulnerability X Asset Value) X Controls Gap
Single Loss Expectancy (SLE) = Asset Value X Exposure Factor
Annual Loss Expectancy (ALE) = Single Loss Expectancy X Annualized Rate of Occurrence (ARO, the frequency per year)
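The following is an added worked example of the quantitative formulas above; it is not part of the original study sheet. It uses the standard CISSP terms Exposure Factor (EF) and Annualized Rate of Occurrence (ARO), plus the standard cost/benefit test for a safeguard (value = ALE before the safeguard, minus ALE after it, minus its annual cost). The asset, the threat figures and the two candidate safeguards are all constructed for illustration.

```python
"""Quantitative risk analysis worked through with the study sheet's formulas.

Added illustration, not part of the original study sheet. All figures are
constructed: a customer database worth $500,000, a ransomware threat that is
expected to destroy 40% of that value per incident (Exposure Factor 0.40) and
to occur about once every four years (Annualized Rate of Occurrence 0.25).
"""

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF is the fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the study sheet's 'frequency per year'."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """Residual Risk = Total Risk x Controls Gap, where the controls gap is the
    fraction of the risk that the chosen safeguards leave unaddressed."""
    if not 0.0 <= controls_gap <= 1.0:
        raise ValueError("controls gap must be a fraction between 0 and 1")
    return total_risk * controls_gap


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the EF/ARO expected once it is in place (constructed)."""
    name: str
    annual_cost: float
    exposure_factor_after: float
    aro_after: float


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Standard CISSP cost/benefit test: value = ALE(before) - ALE(after) - annual cost.
    A negative result means the control costs more per year than the risk it removes."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguards(asset_value, exposure_factor, aro, safeguards):
    """Return (name, ALE after, value) for each candidate, best value first."""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    results = []
    for s in safeguards:
        ale_after = annual_loss_expectancy(
            single_loss_expectancy(asset_value, s.exposure_factor_after), s.aro_after)
        results.append((s.name, ale_after,
                        safeguard_value(ale_before, ale_after, s.annual_cost)))
    return sorted(results, key=lambda r: r[2], reverse=True)


# Constructed scenario; none of these are real figures.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.40
ARO = 0.25
CANDIDATES = [
    # Offline backups: cheap, and cut the value lost per incident (EF) but not how often it happens.
    Safeguard("offline backups", annual_cost=12_000, exposure_factor_after=0.10, aro_after=0.25),
    # Managed detection service: cuts how often an incident succeeds (ARO) but costs far more.
    Safeguard("managed EDR service", annual_cost=60_000, exposure_factor_after=0.40, aro_after=0.05),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annual_loss_expectancy(sle, ARO)
    print(f"SLE = ${sle:,.0f}   ALE = ${ale:,.0f}")
    for name, ale_after, value in evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:20s} ALE after = ${ale_after:>9,.0f}   value = ${value:>9,.0f}   ({verdict})")
```

With these constructed figures the SLE is $200,000 and the ALE $50,000 a year. Offline backups bring the ALE down to $12,500 for $12,000 a year, a net value of $25,500, so they are justified; the EDR service brings the ALE down further, to $10,000, but at $60,000 a year its value is negative, so on this analysis alone it is not. The $12,500 left after the backups is the residual risk, which on the sheet's formula is the $50,000 total risk times a controls gap of 0.25.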

More CISSP Study Sheets and other CISSP resources.