CISSP Domain #1 Cheat Sheet: Security and Risk Management
 
The main objective of this domain is to test the candidate's understanding of risk assessment, risk analysis, data classification and security awareness. You may find some of the points to be vague or incorrect, but for CISSP they hold good. Following are the main concepts with regard to this domain:
 
• Understanding of the CIA and DAD triads: Under the triad of confidentiality, integrity and availability, be ready to face some questions about the violation of these principles.
 
    • Confidentiality: An important point to note about confidentiality is that it is usually granted with the principle of least privilege.
    • Integrity: Information should not be modified by unauthorized means.
    • Availability: This principle states that the services/systems should be up and running to fulfill business needs.
 
In contrast to CIA, there is another triad, DAD, which is its opposite. Again, it is very basic, but you can get one question out of it. The list below shows the contrast between CIA and DAD:

    Confidentiality   <->   Disclosure
    Integrity         <->   Alteration
    Availability      <->   Destruction
 
• We all say that security is everyone's responsibility, which is true, but within an organization the accountability for ensuring the protection of all business information falls under the Information Security Officer. It is the duty of the ISO to ensure that all the security policies and guidelines have been defined to meet information security needs.
 
• Concept of Due Care and Due Diligence: In simple words, due care is the action taken by personnel in a particular situation to protect a corporate asset. Due diligence is like an advanced version of due care, i.e., ensuring that all the actions specified by the organization to protect corporate assets are properly applied.
 
• Wassenaar Agreement: An important point to remember about the Wassenaar Agreement is that it defines an international agreement on cryptography among its signatories.
 
• Organization for Economic Cooperation and Development (OECD) Guidelines: An important point to note about these guidelines is that they fall under the privacy part and provide the guidelines for protecting the privacy of individual information being collected, such as the collection limitation principle, the data safeguard principle, etc.

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
• The most important aspect of a successful business continuity program is NOT
    • A well-defined project scope
    • Available resources
    • Timeline
  but "Senior Management Support."
 
• The main goal of a Business Impact Analysis (BIA) is to determine the impact that an unwanted event will have on the organization. A BIA exercise defines the criticality of business functions, the maximum tolerable downtime (MTD), and the resources available to overcome a disruptive event.
 
• Another important point to note about the BIA is that the most overlooked step in a BIA exercise is the last step, which is documenting the results of the BIA and presenting recommendations.
 
• Concept of RTO, RPO, and MTD: The recovery time objective (RTO) relates to core business applications and is the maximum downtime within which those must be restored. On the other hand, the recovery point objective (RPO) is the point in time to which data is restored for further processing. MTD is the point after which the business function is no longer sustainable.
 
• Concept of Job Rotation and Separation of Duties: Job rotation is done to reduce the risk that individuals may have prolonged exposure to assets/information. This is done to reduce the risk of collusion between individuals. Separation of duties is done to prevent an individual from executing all the steps of a process. The best choice for an organization is to combine both job rotation and separation of duties.
 
• Qualitative Risk Assessment & Quantitative Risk Assessment: Qualitative risk analysis will give results that are not measurable. Risk is usually seen as the product of likelihood and impact. On the other hand, quantitative risk assessment will give results that are measurable. It has a well-defined formula, and there will surely be a question on this in the exam:

    • Single Loss Expectancy (SLE) = Asset Value * Exposure Factor
    • Annualized Loss Expectancy (ALE) = SLE * Annualized Rate of Occurrence (ARO)
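The two formulas above, worked through in Python as an added example (not part of the original cheat sheet): it computes SLE and ALE for a few constructed scenarios, ranks them by ALE, and goes one step beyond the page with the standard safeguard cost/benefit calculation (ALE before minus ALE after minus annual control cost). The asset names, figures and the disk-encryption control are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair with the three inputs the page's formulas need."""
    asset: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected number of incidents per year

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value * Exposure Factor (first formula on the page)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO (second formula on the page)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro

def scenario_ale(s: RiskScenario) -> float:
    """ALE for a whole scenario, chaining the two formulas."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    return annualized_loss_expectancy(sle, s.aro)

def rank_by_ale(scenarios: list[RiskScenario]) -> list[tuple[str, float]]:
    """Highest ALE first: the order in which mitigation budget should be spent."""
    rows = [(s.asset, scenario_ale(s)) for s in scenarios]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost of the control.
    Positive means the control prevents more loss than it costs. This is the
    standard extension of the two formulas; the page itself stops at ALE."""
    return ale_before - ale_after - annual_cost

# Constructed sample scenarios (hypothetical assets and figures, not from the page).
SCENARIOS = [
    RiskScenario("file server", 200_000, 0.25, 0.5),       # SLE 50,000  ALE 25,000
    RiskScenario("customer web app", 500_000, 0.10, 2.0),  # SLE 50,000  ALE 100,000
    RiskScenario("laptop fleet", 80_000, 0.50, 4.0),       # SLE 40,000  ALE 160,000
]
# Hypothetical control: disk encryption cuts laptop EF from 0.50 to 0.05 at 20,000/yr.
LAPTOPS_ENCRYPTED = RiskScenario("laptop fleet", 80_000, 0.05, 4.0)
```

With these figures the laptop fleet ranks first despite having the lowest asset value, and the encryption control returns a value of 124,000 per year, so it pays for itself.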
• Risk Assignment: Risk avoidance, risk transfer, risk mitigation, risk acceptance. The important point to note about risk transfer is that not all of the risk can be transferred.
• Access Controls: This is a very important topic from this domain, as some controls will be given and the question will be to identify the type of controls they are. Below are the main categories of access control.
 
    • Directive Controls: These controls provide guidance on accepted behavior.
    • Deterrent Controls: These controls mostly discourage unwanted activities.
    • Preventive Controls: These controls prevent a user from performing an action.
 
    Understand the difference between deterrent and preventive controls: preventive controls are not optional like deterrent controls.
 
    • Compensating Controls: These controls come to the rescue when the existing control capabilities are not good enough.
    • Detective Controls: These controls give notification of an incident. They fall in the post-incident category.
    • Corrective Controls: These controls fill the gaps within existing controls that led to an incident.
    • Recovery Controls: These controls reinstate the normal state after an incident.
 
• All these access controls can also be categorized as administrative, physical, or logical controls.
 
• Penetration Testing Types: It is important to know the following testing types (especially their names):

    • Internal Testing: This is done within an organization with full knowledge of the whole architecture, deployed controls, etc.
    • Blind Testing: This presents more of an attacker scenario, but the internal team is aware of it and can defend against it.
    • Double Blind Testing: This presents a complete attacker scenario; the internal team is NOT aware of it and so cannot prepare to defend against it.
 
• Continuous Improvement cycle: Plan > Do > Check > Act (PDCA). This is also known as the Deming cycle or Shewhart cycle.
 
• Differences between the following attacks:
    • Social Engineering Attack
    • Pretexting Attack
    • Phishing Attack
    • Baiting Attack
    • Tailgating Attack
 
• Understand the risks implied by an acquisition.
 
• Difference between SLA and Assurance: An SLA defines the acceptable level of performance, and the penalties, agreed between provider and customer. However, an SLA does not guarantee compliance. Assurance gives the opportunity to check the profile of the provider by conducting inspections, reviews, etc.
 
This brings us to the end of Module 1. Please note that this is not a comprehensive list of all the topics. However, it presents the topics with a high probability of appearing in the exam.