CISSP Domain 1 Study notes and Resources

Security Governance


(insert photo)               


Parkerian Hexad

(insert photo)







Possession or Control


Confidentiality Terms

Sensitivity – The level of damage or harm that could occur if the asset is revealed or disclosed.

Discretion – The ability of a person to control the level of access to, or disclosure of, an asset.

Criticality – The level of importance of an asset to the mission or objective.

Concealment – The act of hiding or preventing disclosure of an asset.

Secrecy – The practice of preventing or limiting information disclosure.

Privacy – The protection of confidential or personal information.

Seclusion – The act of storing something in a location that is out of the way and thus not easily observed or found.

Isolation – The act of keeping something separate from other things that are similar in nature.


Integrity Terms

Accuracy – The degree to which the data is correct and precise.

Truthfulness – The quality of a source of information being factual and realistic.

Validity – The quality of an asset being genuine.

Accountability – The condition of a person or entity being held responsible for their actions.

Responsibility – The obligation of a person or entity to take ownership.

Completeness – The quality of an asset that has all its necessary parts or components.

Comprehensiveness – The quality of an asset being complete in scope and fully inclusive of all relevant elements.


Availability Terms

Usability – The quality of an asset being able to be learned, understood, utilized, or controlled by a subject.

Accessibility – The quality of an asset being usable by a subject under a wide range of circumstances, regardless of the subject's capabilities or limitations.

Timeliness – The quality of an asset (for example, information) being prompt and available within a reasonable time frame, with low latency.


Auditing and Accounting

  • Auditing – internal process of providing a manual or systematic, measurable technical assessment of a system or application
  • Accounting – logging of access to and use of information resources
  • Accountability – tracing actions back to their source
  • Non-Repudiation – the assurance that an action taken cannot be denied
  • Identification – claiming an identity, e.g. a username
  • Authentication – proving that identity, e.g. a password, fingerprint, or PIN
  • Authorization – what you are allowed to do or access once you have been authenticated


Security Terms – P4 and P5

Asset – Anything of Value

Threat – An event or action that could potentially cause damage to an asset or an interruption of service.

Threat Actor – A person, group, or other entity that could potentially damage, attack, or compromise a system resource.

  • ||| Finish this section |||


IT Governance


Security Control Frameworks


ISO/IEC 27000 Series

  • Security program development standard on developing and maintaining an Information Security Management System (ISMS)
  • 27000:2018 – Overview of ISMSs and vocabulary
  • 27001:2013 – ISMS Requirements
  • 27002:2013 – Code of Practice for IS controls
  • 27003:2017 – Guidance on the requirements for an ISMS
  • 27004:2016 – ISMS monitoring, measurement, analysis, and evaluation guidelines


Zachman Framework

  • Six Communication Questions
    • What
    • Where
    • When
    • Why
    • Who
    • How
  • Perspectives
    • Executive
    • Business Management
    • Architect
    • Engineer
    • Technician
    • Enterprise


TOGAF – The Open Group Architecture Framework

  • Technology
  • Applications
  • Data
  • Business


DoDAF – Department of Defense Architecture Framework

  • AV – All Viewpoint
  • CV – Capability Viewpoint
  • DIV – Data and Information Viewpoint
  • OV – Operational Viewpoint
  • PV – Project Viewpoint
  • SvcV – Services Viewpoint
  • StdV – Standards Viewpoint
  • SV – Systems Viewpoint



  • StV – Strategic Viewpoint
  • OV – Operational Viewpoint
  • SOV – Service-Oriented Viewpoint
  • SV – Systems Viewpoint
  • AcV – Acquisition Viewpoint
  • TV – Technical Viewpoint
  • AV – All Viewpoint



SABSA – Sherwood Applied Business Security Architecture

(insert photo)


COBIT – Control Objectives for Information and Related Technology

  • Five Principles
    • Meeting stakeholder needs
    • Covering the enterprise end-to-end
    • Applying a single integrated framework
    • Enabling a holistic approach
    • Separating governance from management
  • Seven Enablers
    • Principles, policies, and frameworks
    • Processes
    • Organizational structures
    • Culture, ethics, and behavior
    • Information
    • Services, infrastructure, and applications
    • People, skills, and competencies





NIST – National Institute of Standards and Technology – 800 Special Publication Series


HITRUST CSF (Common Security Framework)

  • 14 control categories
    • 0.0: Information Security Management Program
    • 1.0: Access Control
    • 2.0: Human Resources Security
    • 3.0: Risk Management
    • 4.0: Security Policy
    • 5.0: Organization of Information Security
    • 6.0: Compliance
    • 7.0: Asset Management
    • 8.0: Physical and Environmental Security
    • 9.0: Communications and Operations Management
    • 10.0: Information Systems Acquisition, Development, and Maintenance
    • 11.0: Information Security Incident Management
    • 12.0: Business Continuity Management
    • 13.0: Privacy Practices



Center for Internet Security – CIS – Critical Security Controls

  1. Inventory and control of hardware assets
  2. Inventory and control of software assets
  3. Continuous vulnerability management
  4. Controlled use of administrative privileges
  5. Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
  6. Maintenance, monitoring, and analysis of audit logs
  7. Email and web browser protections
  8. Malware defenses
  9. Limitation and control of network ports, protocols, and services
  10. Data recovery capabilities
  11. Secure configurations for network devices, such as firewalls, routers, and switches
  12. Boundary defense
  13. Data protection
  14. Controlled access based on the need to know
  15. Wireless access control
  16. Account monitoring and control
  17. Implement a security awareness training program
  18. Application software security
  19. Incident response and management
  20. Penetration tests and red team exercises



COSO – Committee of Sponsoring Organizations of the Treadway Commission Framework

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and communication
  • Monitoring Activities


OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation

(insert photo)


ITIL – Information Technology Infrastructure Library

  • These certifications are GREAT add-ons for CISSP
  • Currently at v4


Six Sigma

(insert photo) and example


CMMI – Capability Maturity Model Integration


CRAMM – CCTA Risk Analysis and Management Method

  • Qualitative risk analysis management tool
  • Three steps
    • Identify and value assets
    • Identify threats and vulnerabilities and calculate risks
    • Identify and prioritize countermeasures



Due Care vs Due Diligence

[write definitions]


Major Legal Systems

  • Civil Code Law
    • Napoleonic
  • Common Law
    • Criminal Law
    • Civil Tort Law
    • Administrative Law
  • Customary Law
  • Religious
  • Mixed


US Information Privacy Law – page 19  

  • ECPA
  • GLBA
    • USA Freedom Act
  • SOX
  • FCRA


Licensing and Intellectual Property




Trade Secrets

Two issues

  • Piracy / licensing
  • DRM – Digital Rights Management



CCCA – Comprehensive Crime Control Act of 1984


CFAA – Computer Fraud and Abuse Act – 1986

Raised the threshold of damage from $1,000 to $5,000. Covers:

  • Any computer used exclusively by the US government
  • Any computer used exclusively by a financial institution
  • Any computer …, when the offense impedes the ability of the government or institution to use that system
  • Any combination of computers used to commit an offense when they are not all located in the same state
  • Amended in 1986, 1994 (Computer Abuse Amendments), 1996, 2001, 2002, 2008


Federal Sentencing Guidelines

  • Formalized the Prudent Man Rule
  • Minimize punishment by demonstrating due diligence
  • Three burdens of proof for negligence
    • Legally recognized obligation
    • Failed to comply with recognized standards
    • Causal relationship between the negligent act and damages


NIIPA – National Information Infrastructure Protection Act of 1996

Set of amendments to the CFAA



FISMA – Federal Information Security Management Act – 2002

Replaced and repealed:

  • Computer Security Act of 1987 (CSA)
  • GISRA – General Information Security Reform Act of 2000


FISMA – Federal Information Systems Modernization Act – 2014


Cybersecurity Enhancement Act – 2014

  • NIST SP 800-53
  • NIST SP 800-171
  • NIST CSF

National Cybersecurity Protection Act – 2014


Risk Terminology

  • Asset
  • Asset Valuation
  • Threats
    • Threat Agent – usually people – intentional
    • Threat Event – Accidental (but could be intentional)
  • Vulnerability
  • Exposure
  • Risk
    • Risk = threat * vulnerability
  • Safeguard
  • Attack
  • Breach


Quantitative Risk Analysis


AV – Asset Value

EF – Exposure Factor

SLE – Single Loss Expectancy

ARO – Annualized Rate of Occurrence

ALE – Annualized Loss Expectancy


Single Loss Expectancy

SLE = AV × EF

SLE = $20,000 × 25%

SLE = 20,000 × 0.25 = 5,000

SLE = $5,000


Annualized Loss Expectancy

ALE = SLE × ARO

ALE = 5,000 × 0.5 = 2,500

ALE = $2,500


Value of the Safeguard

(ALE before safeguard) – (ALE after safeguard) – (Annual cost of the safeguard) = Value of safeguard

(ALE1 – ALE2) – ACS = Cost/benefit value

(2,500 – 500) – 1,000 = 1,000
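The SLE, ALE and safeguard-value arithmetic above, turned into a small Python calculator. This is an added example for these notes, not code from any CISSP source: it encodes the three formulas, checks that EF is given as a fraction (a common mistake is passing 25 instead of 0.25), and ranks several candidate safeguards by their cost/benefit value, which is what the formula is actually used for. The safeguard names, annual costs and post-control EF/ARO figures are constructed; the first candidate reproduces the $20,000 / 25% / 0.5 worked example above and comes out at $1,000.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit ranking."""
from dataclasses import dataclass
from typing import List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.

    EF is the fraction of the asset's value lost in one incident, so it must
    lie between 0 and 1 (25% is passed as 0.25, not 25).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE1 - ALE2) - ACS: a positive result means the safeguard pays for itself."""
    return round((ale_before - ale_after) - annual_cost, 2)


@dataclass
class Safeguard:
    """A candidate control: its annual cost and the EF/ARO that remain once it is in place."""
    name: str
    annual_cost: float
    exposure_factor_after: float   # EF with the safeguard deployed
    aro_after: float               # ARO with the safeguard deployed


def evaluate_safeguards(asset_value: float, exposure_factor: float, aro: float,
                        candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Rank candidate safeguards by cost/benefit value, best first.

    Each candidate's post-control ALE is recomputed from the EF and ARO it
    leaves behind, then compared with the uncontrolled ALE and its own cost.
    """
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ranked = []
    for sg in candidates:
        sle_after = single_loss_expectancy(asset_value, sg.exposure_factor_after)
        ale_after = annualized_loss_expectancy(sle_after, sg.aro_after)
        ranked.append((sg.name, safeguard_value(ale_before, ale_after, sg.annual_cost)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample input (hypothetical figures). The uncontrolled scenario is the
# one from the notes: AV = $20,000, EF = 25%, ARO = 0.5 -> SLE = $5,000, ALE = $2,500.
ASSET_VALUE = 20000
EXPOSURE_FACTOR = 0.25
ARO = 0.5
CANDIDATES = [
    # Cuts ARO to 0.1 -> ALE $500; costs $1,000/yr -> value (2,500 - 500) - 1,000 = $1,000
    Safeguard("backup-and-restore", annual_cost=1000, exposure_factor_after=0.25, aro_after=0.1),
    # Cuts EF to 5%, ARO unchanged -> ALE $500; costs $2,500/yr -> value -$500 (not worth it)
    Safeguard("hardware-redundancy", annual_cost=2500, exposure_factor_after=0.05, aro_after=0.5),
    # Halves ARO to 0.25 -> ALE $1,250; costs $500/yr -> value $750
    Safeguard("patch-management", annual_cost=500, exposure_factor_after=0.25, aro_after=0.25),
]

if __name__ == "__main__":
    for name, value in evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES):
        verdict = "worth it" if value > 0 else "not worth it"
        print(f"{name:20s} value = ${value:>9,.2f}  ({verdict})")
```

Note that two candidates reach the same post-control ALE of $500 but land on opposite sides of zero: the formula rewards the cheaper way of getting the same residual loss, which is the point of running it over several options rather than one.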


Residual Risk = Inherent Risk – Countermeasures

Residual Risk = Total Risk x Controls gap

Residual risk = total risk – security controls


A Great Resource for Risk Analysis by Thor –