Today let’s take a look at the CISSP domain that deals with Information Security Governance and Risk Management. When we speak about IS governance we’re talking about how management views security, how the security organization is structured, who the Information Security Officer (ISO) reports to, and some basic guiding principles for security. First and foremost, information security is not just about IT. The fundamental principles of security revolve around the CIA triad. No, that’s not the Central Intelligence Agency, but rather confidentiality, integrity, and availability. Availability means the data is available when needed (think about a Denial of Service attack that stops access to your data); Integrity means the data is accurate and has not been modified (think about your checking account balance; you wouldn’t want someone changing that); and finally, Confidentiality means your data is known to, and accessible by, only the people who should know or have access to it (think PII, or personally identifiable information).

There has been a lot of talk lately about DAD (Disclosure-Alteration-Destruction) vs. CIA (Confidentiality-Integrity-Availability), so for your information, here is how the two map onto each other:

When we talk about Confidentiality, we mean the data hasn’t been Disclosed.

When we talk about Integrity, we mean the data hasn’t been Altered.

And when we talk about Availability, we mean the data is there and hasn’t been Destroyed.

In information risk management there are several concepts that you need to review and understand. First let’s look at Q vs. Q, or quantitative vs. qualitative risk assessment. If you can determine a specific amount or quantity, then it is a quantitative analysis (e.g. the system will be down for 24 hours); it is an objective risk assessment. On the other hand, if you can’t quantify the variables and the decisions are subjective, then the risk assessment is qualitative. There are a number of risk management frameworks, including

And you should follow the links above and become familiar with these.

In risk analysis, there are a number of concepts that you will need to understand. First, what is the value of your information and assets (Asset Valuation, or AV)? Second, what are the threats against those assets? Third, what are the vulnerabilities associated with those assets? Finally, what is the impact or probability that the threat/vulnerability will have on the organization?

So now here are some formulas that you need to know:

1) Single Loss Expectancy (SLE) is the cost of a single loss and can be calculated by multiplying Asset Value (AV) by Exposure Factor (EF), which is the impact the loss of this asset will have on the organization. SLE = AV * EF

2) Annual Rate of Occurrence (ARO) is how many times per year you expect to lose the asset.

3) Annualized Loss Expectancy (ALE) is an expression of your annual anticipated loss due to risk and can be calculated by multiplying SLE by ARO. ALE = SLE * ARO

4) And finally, Risk = Asset Value * Threat * Vulnerability * Impact
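To make the formulas concrete, here is an added Python example (not part of the original article) that computes SLE and ALE for a small constructed asset register and, for contrast with the Q vs. Q discussion above, a simple qualitative likelihood-by-impact rating. The asset values, exposure factors, rates and score bands are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """One asset in a quantitative risk register (sample values are constructed)."""
    name: str
    av: float   # Asset Value (AV) in dollars
    ef: float   # Exposure Factor (EF): fraction of AV lost in one incident, 0.0-1.0
    aro: float  # Annual Rate of Occurrence (ARO): expected incidents per year

def sle(asset: Asset) -> float:
    """Single Loss Expectancy: SLE = AV * EF."""
    if not 0.0 <= asset.ef <= 1.0:
        raise ValueError(f"{asset.name}: EF must be a fraction between 0 and 1")
    return asset.av * asset.ef

def ale(asset: Asset) -> float:
    """Annualized Loss Expectancy: ALE = SLE * ARO.
    ARO may be below 1: an event expected once every 20 years has ARO = 0.05."""
    if asset.aro < 0:
        raise ValueError(f"{asset.name}: ARO cannot be negative")
    return sle(asset) * asset.aro

def rank_by_ale(assets):
    """Return (name, ALE) pairs, largest annual expected loss first."""
    return sorted(((a.name, ale(a)) for a in assets), key=lambda p: p[1], reverse=True)

# Qualitative alternative for when AV, EF and ARO cannot be measured:
# ordinal likelihood and impact scores instead of dollar figures.
SCALE = {"Low": 1, "Medium": 2, "High": 3}

def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine ordinal scores into a risk rating (the score bands are an assumption)."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

# Constructed sample register: a web server outage, lost laptops and a rare flood.
REGISTER = [
    Asset("customer web server", av=100_000, ef=0.25, aro=0.5),
    Asset("field laptop", av=2_000, ef=1.0, aro=4),
    Asset("data centre (flood)", av=500_000, ef=0.6, aro=0.05),
]

if __name__ == "__main__":
    for name, loss in rank_by_ale(REGISTER):
        print(f"{name:22s} ALE = ${loss:,.0f}")
```

Note that the rare flood, with the lowest ARO, still carries the largest ALE, which is exactly the comparison the annualized figure is meant to enable.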

Policies, Standards, Procedures and Guidelines

Policies, standards and procedures are required, i.e. you must do these. Guidelines are suggestions; they are optional.

You should be familiar with the different roles and responsibilities in information security, including: System Owner, Data Owner, Data Custodian, Security Administrator and System Administrator.

And while we’re talking about roles and responsibilities, don’t forget that all of these roles require security awareness training. All must have the basics, and then each role will have specific training for its individual position.

Want to learn more? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise-wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: this is NOT a Common Body of Knowledge review; it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

Fill out the short form below for pricing information and details regarding our various training options (self-paced, online mentored & instructor led) for the CISSP.