CISSP 2015 Update – Security and Risk Management

February 6, 2015 by Kurt Ellzey

The CISSP 2015 Update brings new viewpoints on the key domains covered in this certification. The CISSP is already one of the broadest of all certs in that the amount of information it covers in different fields is staggering. However, breaking this down into its component domains or fields can help to chop at it bit by bit. With the new updates, each domain is a bit more streamlined – a bit easier to manage in the overall picture – and becomes easier to understand.

We will be diving into each domain over the course of the coming weeks, to see what you need to know if you have just started studying for the CISSP. Right off the bat we can say that with very few exceptions the old domains are gone. That’s not to say the information isn’t there anymore, it’s just that the perspectives on that information have shifted. The CISSP certification has always been a managerial-level certification – understanding is required for a lot of topics across a wide range of requirements. With the new update, it zeroes in on that concept: making it easier to look at things from particular scenarios with a bird’s eye view.

With that in mind, let’s take a look at our first domain: Security and Risk Management: Security, Risk, Compliance, Law, Regulations, Business Continuity.

Boy, that’s a mouthful.

As is usual for the CISSP, there is an awful lot of information to cover – and although a full study guide is beyond the scope of this article, it is easier to see where they are going with this domain. Five domains contribute to Security and Risk Management, all dealing with different aspects of risk and bringing them together into a single high level point.

Security Architecture and Design

Risk is a fundamental concept for security – you can throw money at something to make it go away, but only so far until the costs outweigh the potential benefits. Knowing that breaking point is a critical requirement for organizations, and making an informed decision is vital. To that end, knowing what the company values most regarding its information makes it easier to draw conclusions on where to focus resources such as staff and funding. While all information needs to be kept safe to a certain degree, knowing what information needs to be kept under lock and key versus what can be put behind a friends-only filter on Facebook is a huge distinction.

Legal Regulations, Investigations and Compliance

In the Global Reality that is the information age, knowing the specifics that you have to deal with if you choose to do business in a particular country can drastically change what level of funding is available for projects. Not only that, it can completely alter where and what information is stored, depending on laws and regulations that need to be followed in order to stay on the law’s good side. Despite the fact that some of these items can be fudged on paper (quite a lot of them actually), it is very important to have strong ethical requirements to keep users and admins honest. Without these guiding principles, it can be very easy to end up not only on the wrong side of the law, but behind bars as well, with very heavy fines. Is there risk involved in doing business in countries with strong information retention requirements? Absolutely. Is it worth it to the organization to take on those responsibilities? That’s a much bigger question.

Information Security Governance and Risk Management

Risk is not a static entity. It is fluid, ever changing and evolving. That being said, at the organizational level, risk needs to be quantified in order to plan for it. Natural Disasters, Information Accidents, Annoyed Former Employees – the list of potential risks can seem to go on forever sometimes. Yet a proper assessment can give values to these risks – how LIKELY is it that there is going to be an earthquake in the city in the next 20 years? How LIKELY is it that there is going to be a very annoyed and motivated ex-user that wants to make their employer pay? Being able to gauge these risks and put in place not only major insurance policies, but also passive protections can make a huge difference. For example, would the company benefit from getting a dedicated security department? Or would it be more cost effective to hire an outside contractor to be site security? Would that open more potential problems than it would solve?
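The quantification this section calls for is usually done in the CISSP material with single loss expectancy (SLE = asset value × exposure factor) and annualized loss expectancy (ALE = SLE × annual rate of occurrence); a safeguard is worth adopting when the ALE it removes exceeds what it costs each year. The Python script below is an added example, not part of the original article. Every asset value, exposure factor, rate of occurrence and safeguard cost in it is a constructed sample figure, and the three safeguard options are hypothetical, chosen to echo the dedicated-department-versus-contractor question above.

```python
"""Quantitative risk assessment worked example (added illustration, constructed figures).

Standard formulas used:
    SLE = AV * EF          single loss expectancy
    ALE = SLE * ARO        annualized loss expectancy
    safeguard value = ALE_before - ALE_after - annual cost of the safeguard
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of what is at stake, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year (1/20 = once in 20 years)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # Per risk name, the new "ef" and/or "aro" that applies once the safeguard is in place.
    reductions: dict = field(default_factory=dict)

    def apply(self, risk: Risk) -> Risk:
        """Return the risk as it would look with this safeguard in place (unchanged if not covered)."""
        override = self.reductions.get(risk.name, {})
        return replace(risk,
                       exposure_factor=override.get("ef", risk.exposure_factor),
                       aro=override.get("aro", risk.aro))


def total_ale(risks) -> float:
    return sum(r.ale() for r in risks)


def safeguard_value(safeguard: Safeguard, risks) -> float:
    """Net annual benefit: loss avoided minus what the safeguard costs per year."""
    before = total_ale(risks)
    after = total_ale(safeguard.apply(r) for r in risks)
    return before - after - safeguard.annual_cost


def rank_safeguards(safeguards, risks):
    """Safeguards ordered from most to least cost-effective as (name, net value) pairs."""
    scored = [(s.name, safeguard_value(s, risks)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample risk register (not real data); the names mirror the article's examples.
RISKS = [
    Risk("Earthquake damages data centre", asset_value=5_000_000, exposure_factor=0.4, aro=0.05),
    Risk("Ex-employee steals customer data", asset_value=800_000, exposure_factor=0.5, aro=0.5),
    Risk("Tailgating into secured area", asset_value=200_000, exposure_factor=0.25, aro=2.0),
]

# Constructed sample safeguard options; the reductions are assumed effects, not measured ones.
SAFEGUARDS = [
    Safeguard("In-house security department", annual_cost=180_000, reductions={
        "Ex-employee steals customer data": {"aro": 0.1},
        "Tailgating into secured area": {"aro": 0.2},
    }),
    Safeguard("Contract guard service", annual_cost=90_000, reductions={
        "Ex-employee steals customer data": {"aro": 0.4},
        "Tailgating into secured area": {"aro": 0.5},
    }),
    # Backups do not change how often an earthquake happens, only how much is lost (EF).
    Safeguard("Off-site backup tapes", annual_cost=20_000, reductions={
        "Earthquake damages data centre": {"ef": 0.1},
    }),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:<36} SLE {r.sle():>12,.0f}  ALE {r.ale():>10,.0f}")
    print(f"{'Total ALE without safeguards':<36} {total_ale(RISKS):>27,.0f}")
    for name, value in rank_safeguards(SAFEGUARDS, RISKS):
        print(f"{name:<36} net annual value {value:>10,.0f}")
```

With these sample figures the in-house department wins despite costing the most, because it removes more expected loss than it costs; a safeguard whose net value comes out negative is one the organization is paying more to avoid than the risk is expected to cost.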

Business Continuity

Just like we mentioned in the previous section, major events can happen. But that does not mean that everybody just runs around screaming after the fact. Known risks can be planned for ahead of time, and plans mean contingencies and reserved resources. Does the organization require a fully-staffed backup facility at all times? Or do they just need a set of backup tapes off-site? Is there a proper chain-of-command? Are there plans in place for situations where the weather is catastrophically bad? The risks around Business Continuity can involve big numbers, but they must be addressed for the good of all involved.

Access Control

Allowing access to a facility, whether in the physical or information realms, is a risky business. You need to know that only authorized users are walking your halls and accessing your data, and not just handing it over to your competitors. Being able to plan accordingly for potential threats to your people and your resources is not only a requirement for the good of the organization, but also for the health of your employees. The organization needs to be a safe place, or else no work would ever be done. Once these factors are accounted for, the employees must be able to be held accountable for breaches in these situations. Did somebody just open a door for someone who forgot their access token? Did another person just log in for somebody else because they forgot their password? These events can cause dire consequences if not handled properly, which is why proper training for users is vital. There is an old saying that “No battle plan survives first contact with the enemy.” The other side of that coin is “No security plan survives without user assistance.” Without people understanding exactly why they have to jump through hoops to access the building’s vending machine outside the secured area, they have no reason to respect those policies or requirements.

Risk Management is a vital component of security, but one that may often be overlooked. Do you have to have a guard? Well sure, that’s just what organizations do. Why? How many guards do you need? Where are the weak points in monitoring? How difficult would it be for someone to gain access unnoticed? How much would it be worth to the underpaid cleaning staff to take the night off and lend somebody their access codes? What’s the going rate for security cards and cloning gear right now on eBay? How much trouble would the organization be in if the local authorities came in to investigate a breach in security? These are all things that need to be taken into consideration when trying to manage risk, along with a hundred more concerns.



Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled “Security 3.0” which is currently available on Amazon and other retailers.
