[Notes] CISSP Chapter 1: Security Governance Through Principles and Policies


The CIA Triad

Confidentiality

  • The secrecy of data, objects, or resources.
  • Encryption is a popular control for managing confidentiality.
  • Objects (passive elements) and subjects (active elements).

Confidentiality terms:

  • Sensitivity: The attribute that could cause harm if disclosed.
  • Discretion: A decision by an operator to influence or control the disclosure of data in order to minimize harm.
  • Criticality: The level to which data is mission-critical.
  • Concealment: Hiding data to prevent disclosure.
  • Privacy: Protection of personally identifiable or potentially harmful data.
  • Seclusion: Storing something in an out-of-the-way location.
  • Isolation: Keeping something separate from others.

Integrity

  • Ensuring the accuracy of data.
  • Preventing unauthorized modifications.
  • Cryptographic signing is a popular control for managing integrity.

Integrity terms:

  • Accuracy: Being correct and precise.
  • Truthfulness: Reflecting reality accurately.
  • Authenticity: Being genuine.
  • Validity: Being factually or logically sound.
  • Nonrepudiation: Preventing denial of activities.
  • Accountability: Responsibility for actions and results.
  • Responsibility: Being in charge of, or having control over, something or someone.
  • Completeness: Having all needed parts.
  • Comprehensiveness: Being complete in scope.

Availability

  • Timely and uninterrupted access to objects.
  • Denial of service attacks are attacks on availability.

Availability terms:

  • Usability: Being easy to use or understand.
  • Accessibility: Assuring that the widest range of subjects can interact with a resource regardless of their capabilities or limitations.
  • Timeliness: Being prompt or on time.

Other Security Concepts

  • AAA services: Authentication, Authorization, Accounting (Auditing).
  • Identification vs. Authentication.
  • Auditing vs. Monitoring.
  • Layering (Defense in Depth).
  • Abstraction: Grouping similar elements into classes or roles so that controls can be assigned collectively.
  • Data hiding vs. Security through obscurity.
  • Encryption: Hiding the meaning or intent of a communication from unintended recipients.

Evaluate and Apply Security Governance Principles

  • Security governance: Directing security efforts.
  • NIST 800-53 or 800-100 standards.
  • Governance’s role in security policies.
  • Business case: Demonstrating a business-specific need.
  • Top-down approach: Effective security management planning.
  • Types of plans: Strategic, Tactical, Operational.
  • Change control/management: Ensuring security during change.

Data Classification

  • Protecting data based on need for secrecy.
  • Declassification.
  • Government/military classification.
  • Commercial business/private sector classification.
  • Ownership: Formal assignment of responsibility.

Organizational Roles and Responsibilities

  • Senior manager, Security professional, Data owner, Data custodian, User, Auditor.
  • Key responsibilities of each role.

Security Control Frameworks

  • COBIT: Control Objectives for Information and Related Technology.
  • ISO/IEC 27002, ITIL, and other standards.

Due Care and Due Diligence

  • Due care: Using reasonable care to protect organization interests.
  • Due diligence: Practicing activities maintaining due care.

Developing Documents

  • Security Policies, Acceptable Use Policy, Standards, Baselines, Guidelines, and Security Procedures.
  • Importance of not creating monolithic documents.

Threat Modeling

  • Identifying, categorizing, and analyzing potential threats.
  • Proactive vs. reactive approaches.
  • Methods for identifying threats: Focused on assets, attackers, software.
  • STRIDE, PASTA, TRIKE, DREAD, VAST methodologies.
  • Reduction analysis: Decomposing applications.

Prioritization and Response

  • Defining threat means, target, and consequences.
  • Ranking threats by probability × damage potential.
  • High-priority items require immediate attention.
  • DREAD rating system.
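To make the ranking described above concrete, here is an added example (not from the CISSP book or this page) that scores constructed sample threats two ways: the DREAD rating system (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) and the simpler probability × damage potential rank, then sorts them so high-priority items surface first. The 1-10 scales, the High/Medium/Low thresholds, the STRIDE labels on each sample threat and the three sample threats themselves are all assumptions chosen for illustration.

```python
"""Worked threat ranking: DREAD rating and probability x damage potential.

Added example, not code from the CISSP book or this page. The rating scales,
priority thresholds and sample threats below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# DREAD factors: Damage potential, Reproducibility, Exploitability,
# Affected users, Discoverability. Each is rated 1-10 here (assumed scale).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def _check_rating(label: str, value: int) -> None:
    """Reject ratings outside the assumed 1-10 integer scale."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{label} must be an integer 1-10, got {value!r}")


@dataclass
class Threat:
    name: str
    stride: str               # STRIDE category the threat falls under
    probability: int          # 1-10 likelihood the threat is realized
    damage_potential: int     # 1-10 severity if it is realized
    dread: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        _check_rating("probability", self.probability)
        _check_rating("damage_potential", self.damage_potential)
        missing = set(DREAD_FACTORS) - set(self.dread)
        if missing:
            raise ValueError(f"{self.name}: missing DREAD factors {sorted(missing)}")
        for factor in DREAD_FACTORS:
            _check_rating(factor, self.dread[factor])


def dread_score(threat: Threat) -> float:
    """Average of the five DREAD factors, 1.0 to 10.0."""
    return sum(threat.dread[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def probability_damage_rank(threat: Threat) -> int:
    """Probability x damage potential, 1 to 100."""
    return threat.probability * threat.damage_potential


def priority_band(rank: int) -> str:
    """Map a probability x damage rank to a band (thresholds are assumed)."""
    if rank >= 60:
        return "High"
    if rank >= 30:
        return "Medium"
    return "Low"


def rank_threats(threats: List[Threat], method: str = "dread") -> List[Threat]:
    """Sort threats from highest to lowest score under the chosen method."""
    scorer = {"dread": dread_score,
              "probability_damage": probability_damage_rank}[method]
    return sorted(threats, key=scorer, reverse=True)


# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("Spoofed admin login via credential stuffing", "Spoofing", 8, 9,
           {"damage": 9, "reproducibility": 8, "exploitability": 7,
            "affected_users": 9, "discoverability": 8}),
    Threat("Tampering with audit log on backup host", "Tampering", 3, 7,
           {"damage": 7, "reproducibility": 4, "exploitability": 3,
            "affected_users": 5, "discoverability": 2}),
    Threat("Request flood against public API", "Denial of Service", 7, 6,
           {"damage": 6, "reproducibility": 9, "exploitability": 8,
            "affected_users": 8, "discoverability": 9}),
]


if __name__ == "__main__":
    print(f"{'Threat':<48}{'STRIDE':<20}{'DREAD':>6}{'PxD':>5}  Band")
    for t in rank_threats(SAMPLE_THREATS, "probability_damage"):
        rank = probability_damage_rank(t)
        print(f"{t.name:<48}{t.stride:<20}{dread_score(t):>6.1f}{rank:>5}  "
              f"{priority_band(rank)}")
```

Running the block prints the sample threats ordered by probability × damage potential, with the DREAD average alongside so the two methods can be compared; in practice the two orderings can disagree, which is exactly why the method and its thresholds should be agreed before the ranking exercise starts.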

Apply Risk-Based Management Concepts to the Supply Chain

  • Secure supply chain: Reliability, trustworthiness, and practices disclosure.
  • Vendors’ roles in secure supply chains.
