CISSP Study Notes

Domain 1: Security and Risk Management

CIA Triad

Confidentiality

Prevent unauthorized disclosure of information. Encryption, access controls, data classification

Integrity

Prevent unauthorized modification. Hashing, digital signatures, change management

Availability

Ensure authorized access when needed. Redundancy, backups, fault tolerance

Security Governance Principles

Alignment with business objectives and strategy
Due care: Doing what a reasonable person would do
Due diligence: Ongoing monitoring and improvement
Security policies, standards, procedures, guidelines
Roles: CISO, Security Architect, Administrator, Analyst

Risk Management Concepts

Term	Definition	Example
Threat	Potential cause of unwanted incident	Hacker, natural disaster
Vulnerability	Weakness that can be exploited	Unpatched software
Risk	Likelihood x Impact	Data breach probability
Asset	Something of value to protect	Customer data, systems
Control	Safeguard to reduce risk	Firewall, encryption

Risk Response Options

Risk Mitigation

Implement controls to reduce risk to acceptable level

Risk Transfer

Shift risk to third party (insurance, outsourcing)

Risk Avoidance

Eliminate the activity that creates the risk

Risk Acceptance

Accept residual risk when cost exceeds benefit

Legal and Regulatory Compliance

GDPR: EU data protection regulation, privacy rights
HIPAA: US healthcare information protection
SOX: Financial reporting and internal controls
PCI DSS: Payment card industry security standards
Criminal law vs Civil law vs Administrative law

Domain 1 represents 15 percent of the CISSP exam. Focus on understanding governance frameworks, risk concepts, and legal/regulatory requirements.