Summary of the first domain of the CISSP official study guide, based on the book ‘Destination CISSP: A concise guide’.
Remco van der Schoot
DOMAIN ONE
EXPLAINED; CISSP
A summary of the information needed in order to achieve certification in CISSP
Domain one explained; CISSP | Remco van der Schoot
TABLE OF CONTENTS
Introduction ............................................................................................................................................................ 4
Domain one: Security and Risk Management ....................................................................................................... 5
1. Understand, adhere to, and promote professional ethics .................................................................................. 5
2. Understand and apply security concepts ............................................................................................................ 5
2.1. Focus of security........................................................................................................................................... 5
2.2. CIA-triad ....................................................................................................................................................... 5
2.2.1. Confidentiality (need to know) ............................................................................................................. 6
2.2.2. Integrity (Correctness) .......................................................................................................................... 6
2.2.3. Availability (access) ............................................................................................................................... 6
2.3. Other security concepts ............................................................................................................................... 6
2.3.1. Triple A .................................................................................................................................................. 6
2.3.2. DAD ....................................................................................................................................................... 7
3. Evaluate and apply security governance principles ............................................................................................ 7
3.1. Planning levels .............................................................................................................................................. 8
3.1.1. Strategic plans (+/- 5 years) .................................................................................................................. 8
3.1.2. Tactical plan (1 year) ............................................................................................................................. 8
3.1.3. Operational plans (short time / < 1 year) .............................................................................................. 8
3.2. Accountability versus Responsibility ............................................................................................................ 8
3.3. Organizational roles and responsibilities ..................................................................................................... 8
3.3.1. Senior management -> Making decisions ............................................................................................. 8
3.3.2. Security Professionals -> Executing decisions ....................................................................................... 9
3.3.3. Data owners -> Managing data ............................................................................................................. 9
3.3.4. End-users -> use data ............................................................................................................................ 9
3.3.5. Auditor -> verify security (policy) .......................................................................................................... 9
3.3.6. Overview ............................................................................................................................................... 9
3.4. Due Care versus Due Diligence .................................................................................................................. 10
4. Determine compliance and other requirements .............................................................................................. 10
5. Understanding Legal and regulatory issues that pertain to information security in a holistic context ............ 11
5.1. Licensing and intellectual property requirements ..................................................................................... 11
5.2. Import/export controls .............................................................................................................................. 11
5.3. Transborder data flow ................................................................................................................................ 11
5.4. Privacy ........................................................................................................................................................ 11
5.5. Privacy requirements ................................................................................................................................. 12
5.6. Privacy assessments ................................................................................................................................... 13
6. Understanding requirements for investigation types ....................................................................................... 15
7. Develop, document, and implement security policies, procedures, standards, baselines, and guidelines ...... 16
Page 2 | 32
7.1. Document hierarchy ................................................................................................................................... 16
7.2. Policies, standards, procedures, baselines, and guidelines ....................................................................... 16
8. Identify, analyze, and prioritize business continuity (BC) requirements .......................................................... 17
8.1. BCM, BCP, and DRP .................................................................................................................................... 17
8.2. RPO, RTO, WRT, and MTD .......................................................................................................................... 18
8.3. Business Impact Analysis (BIA) ................................................................................................................... 19
8.4. Disaster Response Process ......................................................................................................................... 19
8.5. Restoration order ....................................................................................................................................... 19
9. Contribute to and enforce personnel security policies and procedures ........................................................... 20
9.1. Personnel security controls ........................................................................................................................ 20
9.2. Enforce personnel security controls........................................................................................................... 20
10. Understand and apply risk management concepts ......................................................................................... 21
10.1. Risks Management ................................................................................................................................... 21
10.2. Asset valuation ......................................................................................................................................... 22
10.3. Risk analysis.......................................................................................................................................... 22
10.3. Types of controls ...................................................................................................................................... 23
10.4. Categories of controls .............................................................................................................................. 23
10.5. Functional and assurance ......................................................................................................................... 23
10.6. Selecting controls ..................................................................................................................................... 24
10.7. Apply supply chain risk management concepts........................................................................................ 24
10.8. Risk management framework .................................................................................................................. 25
10.8.1. COBIT ................................................................................................................................................. 25
10.8.2. Other standards and guidelines ........................................................................................................ 25
11. Understand and apply threat modeling concepts and methodologies ........................................................... 26
11.1. Threat modeling methodologies .............................................................................................................. 26
11.1.1. STRIDE ............................................................................................................................................... 26
11.1.2. PASTA ................................................................................................................................................ 27
11.1.3. DREAD ............................................................................................................................................... 30
11.2. Social engineering .................................................................................................................................... 30
12. Apply supply chain risk management (SCRM) concepts ................................................................................. 31
12.1. SLR, SLA, and service level reports ........................................................................................................... 31
13. Establish and maintain a security awareness, education and training programs ............................................. 32
13.1. Awareness, training, and education ......................................................................................................... 32
INTRODUCTION
The exam consists of 100-150 multiple-choice questions, and a score of 70% is needed to pass. You have three hours to complete the exam.
Percentage on the exam (weight of each domain):
- Security and Risk Management: 15%
- Asset Security: 10%
- Security Architecture and Engineering: 13%
- Communications and Network Security: 13%
- Identity and Access Management: 14%
- Security Assessment and Testing: 12%
- Security Operations: 13%
- Software Development Security: 10%