Chapter 1.  Day 1 – Security and Risk Management - Security, Compliance, and Policies

Information security and risk management are analogous to each other. The security and risk management domain forms the baseline for all information security concepts and practices. This is the first domain in CISSP CBK. Concepts on the key areas explained in this domain are across the next seven domains of CISSP, and will serve as the conceptual foundation for more complicated topics. Hence, a strong foundational knowledge in this domain will help the students in understanding the concepts in the rest of the domains.

A candidate appearing for the CISSP exam is expected to have foundational concepts and knowledge in the following key areas of the security and risk management domain:

• Asset protection
• Confidentiality, Integrity, and Availability (CIA)
• Security governance principles
• Compliance
• Legal and regulatory issues that pertain to information security in the global context
• Professional ethics
• Personnel security policies
• Risk management principles
• Threat modeling
• Business continuity planning
• Security risk considerations in acquisition strategy and practice
• Security education training and awareness

This chapter gives an overview of Security, Compliance, and Policies using a high-level illustration. This is followed with an overview of asset and asset protection. Furthermore, the concepts of Confidentiality, Integrity, and Availability (CIA) are explained with suitable examples. Security governance principles, compliance frameworks, and legal and regulatory issues that can impact on compliance are covered from a global perspective. Management practices that relate to security policies, standards, procedures and guidelines, as well as personnel security policies, are covered toward the end.