This post covers the CISSP domain that deals with Information Security Governance and Risk Management. Under IS Governance we look at how management views security, how the security organization is structured, who the ISO (Information Security Officer) reports to, and some basic guiding principles for security. First and foremost, information security is not just about IT. If you wish to acquire all the knowledge about this domain, you can do so by joining the prep courses offered by SPOTO.
The fundamental principles of security revolve around the CIA triad. No, it doesn’t mean the Central Intelligence Agency; it means confidentiality, integrity, and availability.
Availability means the data is available when needed: think of a Denial of Service attack, which stops access to your data. Integrity means the data is accurate and has not been modified: think of your checking account balance, which you would not want someone changing. Finally, Confidentiality: think of PII (personally identifiable information); your data is confidential, and only the people who are authorized to know or access your private information can do so.
There has been a lot of talk lately about Disclosure-Alteration-Destruction (DAD) versus Confidentiality-Integrity-Availability (CIA), so for your information: when we talk about Confidentiality, we mean the data has not been Disclosed; when we talk about Integrity, we mean the data has not been Altered; and when we talk about Availability, we mean the data is there and has not been Destroyed. In information risk management there are several concepts that you need to review and understand.
First, let us look at quantitative versus qualitative risk assessment. If you can determine a specific amount or quantity, as in "the system will be down for 24 hours", the analysis is quantitative and the assessment is objective. If, on the other hand, the variables cannot be quantified and the decisions are subjective, the risk assessment is considered qualitative.
There are a number of risk management frameworks, which include:
- Factor Analysis of Information Risk, known as FAIR
- Operationally Critical Threat, Asset and Vulnerability Evaluation, known as OCTAVE
- The National Institute of Standards and Technology (NIST) Risk Management Framework, known as RMF
- TARA, the Threat Agent Risk Assessment, a more recent creation
In risk analysis, there are a number of concepts that you need to understand.
Here are the formulas you need to know:
1) SLE (Single Loss Expectancy) is the cost of a single loss. It is calculated by multiplying AV (Asset Value) by EF (Exposure Factor), where EF is the fraction of the asset's value that would be lost in one incident, i.e. the impact the loss of this asset would have on the organization. SLE = AV * EF
2) ARO (Annual Rate of Occurrence) is the expected number of times per year that the loss occurs.
3) ALE (Annualized Loss Expectancy) expresses your anticipated annual loss due to the risk. It is calculated by multiplying SLE by ARO. ALE = SLE * ARO
4) And finally, Risk = Asset Value * Threat * Vulnerability * Impact.
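To make the quantitative formulas concrete, here is an added example (not code from the original post or from SPOTO) that computes SLE and ALE for a few constructed assets, ranks them by ALE, and then goes one step beyond the text: it applies the standard safeguard cost/benefit check (ALE before the control, minus ALE after it, minus the control's annual cost), which is how ALE is normally used to decide whether a countermeasure is worth funding. All asset names, values, exposure factors and occurrence rates below are constructed sample data, not figures from the post.

```python
"""Quantitative risk assessment helpers: SLE, ALE and safeguard value.

Added worked example; all numbers are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float       # AV: replacement/business value, in currency units
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    aro: float               # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is a fraction, so values outside 0..1 are a data error."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be between 0 and 1, got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be fractional (0.1 means once every ten years)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def asset_ale(asset: Asset) -> float:
    """Convenience wrapper: ALE for one Asset record."""
    sle = single_loss_expectancy(asset.asset_value, asset.exposure_factor)
    return annualized_loss_expectancy(sle, asset.aro)


def rank_by_ale(assets: list[Asset]) -> list[tuple[str, float]]:
    """Highest expected annual loss first; this is the usual prioritisation order."""
    return sorted(((a.name, asset_ale(a)) for a in assets), key=lambda t: t[1], reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Standard cost/benefit figure for a control (assumption: not a formula from the post).

    Positive means the control saves more expected loss than it costs per year.
    """
    return ale_before - ale_after - annual_safeguard_cost


# Constructed sample inventory (not real figures).
SAMPLE_ASSETS = [
    Asset("customer-db", asset_value=500_000, exposure_factor=0.40, aro=0.1),
    Asset("web-frontend", asset_value=100_000, exposure_factor=0.75, aro=2.0),
    Asset("laptop-fleet", asset_value=50_000, exposure_factor=0.20, aro=5.0),
]


def web_frontend_waf_decision() -> float:
    """Hypothetical control: a WAF cutting web-frontend ARO from 2.0 to 0.5 at 20,000/year."""
    before = asset_ale(SAMPLE_ASSETS[1])                       # 75,000 * 2.0 = 150,000
    sle = single_loss_expectancy(100_000, 0.75)                # SLE unchanged by the control
    after = annualized_loss_expectancy(sle, 0.5)               # 75,000 * 0.5 = 37,500
    return safeguard_value(before, after, annual_safeguard_cost=20_000)


if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_ASSETS):
        print(f"{name:14s} ALE = {ale:,.0f}")
    print(f"WAF on web-frontend: net annual value = {web_frontend_waf_decision():,.0f}")
```

Running the block ranks `web-frontend` first (ALE 150,000) even though `customer-db` has the largest asset value, because a low ARO pulls the database's expected annual loss down to 20,000; that is exactly the difference between "what is worth the most" and "what is expected to cost us the most this year" that the SLE/ALE formulas capture.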
These are some of the details candidates need to know about the Information Security Governance and Risk Management domain of the CISSP exam. There is a lot more to learn, and if you wish to learn it, you can do so through the courses offered by SPOTO.