Chapter 1_summary

The document outlines key security principles in information assurance, focusing on the CIA triad: confidentiality, integrity, and availability. It discusses risk management processes, types of security controls (physical, technical, and administrative), and the governance framework that includes regulations, standards, policies, and procedures. Additionally, it emphasizes the ISC2 Code of Ethics, which mandates ethical behavior in cybersecurity practices.

Chapter 1

Domain Summary
In this domain, we covered security principles, starting with concepts of information
assurance. We highlighted the CIA triad as the primary components of information
assurance. The “C” stands for confidentiality; we must protect the data that needs
protection and prevent access to unauthorized individuals. The “I” represents
integrity; we must ensure the data has not been altered in an unauthorized manner.
The “A” symbolizes availability; we must make sure data is accessible to authorized
users when and where it is needed, and in the form and format that is required. We
also discussed the importance of privacy, authentication, non-repudiation, and
authorization.
You explored the safeguards and countermeasures prescribed for an information
system to protect the confidentiality, integrity and availability of the system and its
information. By applying risk management, we were able to assess and prioritize
the risks (asset vulnerabilities that can be exploited by threats) to an organization. An
organization can decide whether to accept the risk (ignoring the risks and continuing
risky activities), avoid the risk (ceasing the risky activity to remove the likelihood
that an event will occur), mitigate the risk (taking action to prevent or reduce the
impact of an event), or transfer the risk (passing risk to a third party).
You then learned about three types of security controls: physical, technical and
administrative. They act as safeguards or countermeasures prescribed for an
information system to protect the confidentiality, integrity and availability of the
system and its information. The implementation of security controls should reduce
risk, hopefully to an acceptable level. Physical controls address process-based
security needs using physical hardware devices, such as a badge reader,
architectural features of buildings and facilities, and specific security actions taken
by people. Technical controls (also called logical controls) are security controls that computer systems and networks directly implement. Administrative controls (also known as managerial controls) are directives, guidelines or advisories aimed at the people within the organization.

You were then introduced to organizational security roles and governance, the policies and procedures that shape organizational management and drive decision-making. As discussed, we typically derive procedures from policies, policies from standards, and standards from regulations. Regulations are commonly issued in the form of laws, usually from government (not to be confused with governance), and typically carry financial penalties for noncompliance. Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations. Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations. Procedures are the detailed steps to complete a task that support departmental or organizational policies.

Finally, we covered the ISC2 Code of Ethics, which members of the organization commit to fully support. Bottom line, we must act legally and ethically in the field of cybersecurity.

Module 1: Understand the Security Concepts of Information Assurance

• Confidentiality: Protect the data that needs protection and prevent access to unauthorized individuals.
• Integrity: Ensure the data has not been altered in an unauthorized manner.
• Availability: Ensure data is accessible to authorized users when and where it is needed, and in the form and format that is required.

Module 2: Understand the Risk Management Process

In the Context of Cybersecurity, Typical Threat Actors Include the Following:
• Insiders (either deliberately, by simple human error, or by gross incompetence)
• Outside individuals or informal groups (either planned or opportunistic, discovering vulnerability)
• Formal entities that are nonpolitical (such as business competitors and cybercriminals)
• Formal entities that are political (such as terrorists, nation-states, and hacktivists)
• Intelligence or information gatherers (could be any of the above)
• Technology (such as free-running bots and artificial intelligence, which could be part of any of the above)


Risk Identification:
• Identify risk to communicate it clearly.
• Employees at all levels of the organization are responsible for identifying risk.
• Identify risk to protect against it.

Risk Assessment:
• The process of identifying, estimating and prioritizing risks to an organization’s:
  ◦ Operations (including its mission, functions, image and reputation)
  ◦ Assets
  ◦ Individuals
  ◦ Other organizations
  ◦ Even the nation
• Should result in aligning (or associating) each identified risk resulting from the operation of an information system with the goals, objectives, assets or processes

Risk Treatment:
• Accept the Risk: Risk acceptance is taking no action to reduce the likelihood of a risk occurring.
• Avoid the Risk: Risk avoidance is the decision to attempt to eliminate the risk entirely.
• Reduce (mitigate) the Risk: Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact.
• Transfer or Share the Risk: Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment.

Module 3: Understand Security Controls

Security Controls:
• Physical controls: physical hardware devices, such as a badge reader, architectural features of buildings and facilities that address process-based security needs.
• Technical controls (also called logical controls): security controls that computer systems and networks directly implement.
• Administrative controls (also known as managerial controls): directives, guidelines or advisories aimed at the people within the organization.

Module 4: Understand Governance Elements

Governance Elements:
• Procedures: the detailed steps to complete a task that support departmental or organizational policies.
• Policies: put in place by organizational governance, such as executive management, to provide guidance to all activities to ensure that the organization supports industry standards and regulations.
• Standards: often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.
• Regulations: commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for non-compliance.

Module 5: Understand ISC2 Code of Ethics

ISC2 Code of Ethics Preamble:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
• Therefore, strict adherence to this Code is a condition of certification.

The ISC2 member is expected to do the following:
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly and legally.
• Provide diligent and competent service to principals.
