The Security and Risk Management domain focuses on risk analysis and mitigation. This domain also details security governance, or the organizational structure required for a successful information security program. It also covers IT policies, procedures, roles and responsibilities, types of controls, risk management concepts including risk analysis, risk evaluation and risk remediation.
This domain covers the three pillars of information security, i.e. Confidentiality, Integrity and Availability, and the five elements of AAA services, i.e. Identification, Authentication, Auditing, Accounting and Non-Repudiation. It covers secure design and protection mechanisms such as layering, abstraction, data hiding and encryption. The principles of secure design include:
design acceptability; providing just enough security to make it cost effective; the weakest link; defense in depth; need to know; least privilege; separation of duties; job rotation; redundancy; avoiding security through obscurity; abstraction; and dual control.
This domain also covers threat modeling, whose goals are to reduce the number of security-related design and coding defects and to reduce the severity of any defects that remain. The approaches to identifying threats are asset-focused, attacker-focused and software-focused. It also covers the threat categorization scheme STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
Next it covers the difference between security governance and security management. Planning includes the difference between strategic, tactical and operational plans. Goals should be based on security objectives derived from the business security objectives. The domain explains the difference between due care objectives and due diligence objectives, and the difference between policies, standards, baselines, guidelines and procedures.
Next it covers important security and IT frameworks such as ISO/IEC 27000, COBIT (Control Objectives for Information and Related Technologies), COSO (Committee of Sponsoring Organizations), ITIL (Information Technology Infrastructure Library) and NIST (National Institute of Standards and Technology). The important security roles and responsibilities, such as Data Owner, Data Custodian, Senior Manager, CISO/CIO, Security Admin and Network Admin, are covered and explained.
This domain explains the fundamentals of risk management, including assets (both tangible and intangible), auditors, threats, asset value, threat agents, the difference between countermeasures and safeguards, total risk, residual risk and calculating the control gap. It deals with both qualitative and quantitative risk management. Qualitative risk analysis uses techniques such as the Delphi technique, brainstorming, surveys, questionnaires, one-on-one meetings and interviews.
Important terminology and calculations:
Total Risk: the risk before any control is applied.
Residual Risk: the risk left over after countermeasures/safeguards are applied.
Control Gap: Total Risk - Residual Risk
Risk: Threat * Vulnerability
Asset Value (AV): the value of an asset.
Exposure Factor (EF): the percentage of an asset's value lost when a risk is realized.
Single Loss Expectancy (SLE): the loss incurred when the risk is realized once.
Annual Rate of Occurrence (ARO): the expected number of times the risk is realized in a year.
Annual Loss Expectancy (ALE): the expected amount of loss per year.
Cost/Benefit Analysis (CBA): the calculation performed before implementing countermeasures that reduce the ARO.
SLE = AV * EF
ALE = SLE * ARO
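As an added worked example (not part of the original summary), the SLE and ALE formulas above are carried through a cost/benefit comparison of candidate safeguards: the value of a safeguard is the ALE before it, minus the ALE after it, minus its annual cost. The asset value, exposure factor, ARO and safeguard figures are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the exposure it leaves behind."""
    name: str
    annual_cost: float  # annual cost of the safeguard (ACS)
    new_ef: float       # exposure factor once the safeguard is in place
    new_aro: float      # annual rate of occurrence once it is in place

def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF: the loss from one realized incident."""
    return av * ef

def annual_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO: the expected loss per year."""
    return single_loss_expectancy(av, ef) * aro

def safeguard_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Cost/benefit of a safeguard: ALE(before) - ALE(after) - ACS.
    Positive: it saves more per year than it costs. Negative: it buys
    more security than the asset is worth, so it is not cost effective.
    """
    ale_before = annual_loss_expectancy(av, ef, aro)
    ale_after = annual_loss_expectancy(av, sg.new_ef, sg.new_aro)
    return ale_before - ale_after - sg.annual_cost

def rank_safeguards(av, ef, aro, candidates):
    """Return (name, value) pairs, most cost-effective first."""
    scored = [(sg.name, safeguard_value(av, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed scenario (hypothetical figures): a customer database worth
# $500,000; a ransomware incident expected every two years destroys 30% of it.
ASSET_VALUE, EXPOSURE_FACTOR, ARO = 500_000.0, 0.30, 0.5
CANDIDATES = [
    Safeguard("offline backups", annual_cost=10_000, new_ef=0.05, new_aro=0.5),
    Safeguard("endpoint hardening", annual_cost=30_000, new_ef=0.30, new_aro=0.1),
    Safeguard("full platform rebuild", annual_cost=80_000, new_ef=0.0, new_aro=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR):,.0f}")
    print(f"ALE = {annual_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR, ARO):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES):
        print(f"{name:22s} {value:>10,.0f}")  # negative = not worth buying
```

With these figures the SLE is 150,000 and the ALE 75,000 per year; the rebuild option removes all risk but costs more than the ALE it eliminates, which is the "just enough security" principle from the design list in numbers.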
Next it covers the different types of controls: deterrent, detective, preventive, corrective, recovery, directive and compensating. NIST 800-30, the most popular global risk management approach, is also covered.
The domain defines the ISC2 Code of Ethics and covers intellectual property law: patents, trademarks, copyright and trade secrets. It also explains the categories of law and concepts such as proximate causation, exigent circumstances, the prudent man rule, the Data Protection Act, privacy laws and Safe Harbor.
Next it covers various computer crime acts, such as the Computer Fraud and Abuse Act, the 1994 CFAA Amendments, the Computer Security Act of 1987, the Federal Sentencing Guidelines, the National Information Infrastructure Protection Act of 1996, the Paperwork Reduction Act of 1995, the Government Information Security Reform Act of 2000 and the Federal Information Security Management Act, along with U.S. privacy law, European Union privacy law, compliance, contracting and procurement.