CISSP Domain - Information Security Governance and Risk Management

February 3, 2011 by Kenneth Magee

Note: The information in this article is out of date. Check out our CISSP hub for the most up-to-date information.

Today let’s take a look at the CISSP domain that deals with Information Security Governance and Risk Management. When we speak about IS governance we’re talking about how management views security, how the security organization is structured, who the Information Security Officer (ISO) reports to, and some basic guiding principles for security. First and foremost, information security is not just about IT. The fundamental principles of security revolve around the CIA triad. No, that’s not the Central Intelligence Agency, but rather confidentiality, integrity, and availability. Availability in the sense that the data is available when needed (think about a Denial of Service attack that stops access to your data); Integrity in the sense that the data is accurate and has not been modified without authorization (think about your checking account balance; you wouldn’t want someone changing that); and finally Confidentiality (think PII, personally identifiable information): your data is confidential, and only the people who should know or have access to your private information actually know it and have access to it.

There has been a lot of talk lately about DAD (Disclosure-Alteration-Destruction) vs. CIA (Confidentiality-Integrity-Availability), so for your information: DAD is simply the failure of each leg of the triad, which makes it a handy way to name what you are defending against.

When we talk about Confidentiality, we mean the data hasn’t been Disclosed.

When we talk about Integrity, we mean the data hasn’t been Altered.

And when we talk about Availability, we mean the data is there and hasn’t been Destroyed.

In information risk management there are several concepts that you need to review and understand. First let’s look at Q vs. Q, or quantitative vs. qualitative risk assessment. If you can assign a specific amount or quantity to the variables (e.g. the system will be down for 24 hours, or a single incident will cost $50,000), then it is a quantitative analysis; it is an objective risk assessment. If, on the other hand, you can’t quantify the variables and instead rate them on a scale such as low/medium/high, the decisions are subjective and the risk assessment is qualitative. In practice most organizations end up with a hybrid: quantitative numbers where they can get them, qualitative ratings everywhere else. There are a number of risk management frameworks, and you should become familiar with them.

In risk analysis, there are a number of concepts that you will need to understand. First, what is the value of your information and assets? (Asset Valuation, or AV.) Second, what are the threats against those assets? Third, what are the vulnerabilities associated with those assets? Finally, two separate questions that are easy to run together: what is the likelihood that a given threat will exploit a given vulnerability, and what is the impact on the organization if it does?

So now here are some formulas that you need to know:

1)      Single Loss Expectancy (SLE) is the cost of a single loss and is calculated by multiplying Asset Value (AV) by Exposure Factor (EF), the percentage of the asset’s value that would be lost in a single incident.  SLE = AV * EF

2)     Annual Rate of Occurrence (ARO) is the number of times per year you expect to lose the asset. It does not have to be a whole number: an event you expect once every ten years has an ARO of 0.1.

3)     Annualized Loss Expectancy (ALE) is an expression of your annual anticipated loss due to a risk and is calculated by multiplying SLE by ARO.  ALE = SLE * ARO. ALE is the number you use to prioritize risks against each other and to decide whether a countermeasure is worth its annual cost.

4)     And finally, the conceptual formula: Risk = Asset Value * Threat * Vulnerability * Impact. Unlike ALE, this is not something you plug dollar figures into. It expresses that risk only exists when a threat, a vulnerability that threat can exploit, and an asset worth something all come together, and that driving any one factor to zero (patching the vulnerability, for example) removes the risk.
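To make the SLE/ALE arithmetic concrete, here is an added worked example (my own code, written for this rewrite, not code from the original article). It computes SLE and ALE for a few constructed risks, ranks them by ALE, and then goes one step beyond the article by applying the standard cost/benefit test for a safeguard: ALE before the control, minus ALE after the control, minus the control’s annual cost. The asset values, exposure factors and AROs are made up for illustration; the `Risk` class and `safeguard_value` function are mine, not CISSP terminology.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset, in the article's terms."""
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in ONE incident, 0.0 .. 1.0
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self) -> None:
        # EF is a percentage of the asset value, so anything outside 0..1 is a
        # data-entry error; a negative AV or ARO makes no sense either.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def safeguard_value(risk: Risk, new_ef: float, new_aro: float, annual_cost: float) -> float:
    """Net annual value of a countermeasure (standard cost/benefit test, not in the article):
    (ALE before) - (ALE after) - (annual cost of the safeguard).
    Positive means the control pays for itself; negative means you are spending more
    on the control than the risk costs you each year."""
    after = replace(risk, exposure_factor=new_ef, aro=new_aro)  # re-validated by __post_init__
    return risk.ale() - after.ale() - annual_cost


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Biggest annual loss first: the order in which to spend control budget."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample risks (illustrative numbers only, not real data).
RISKS = [
    # A DoS takes the public web server down about twice a year; each outage
    # costs a quarter of the asset's value in lost business.
    Risk("web server outage (DoS)", asset_value=200_000, exposure_factor=0.25, aro=2.0),
    # A customer PII database: a disclosure once every four years wipes out half
    # its value in notification costs, fines and lost customers.
    Risk("customer PII disclosure", asset_value=1_000_000, exposure_factor=0.5, aro=0.25),
    # Laptops are lost outright (EF = 1.0) roughly four times a year.
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
]


if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:26s} SLE = ${r.sle():>12,.2f}  ALE = ${r.ale():>12,.2f}")
    # Is a $30,000/year DDoS scrubbing service worth it if it cuts outages to one
    # every two years (ARO 2.0 -> 0.5) without changing the per-incident loss?
    dos = RISKS[0]
    net = safeguard_value(dos, dos.exposure_factor, new_aro=0.5, annual_cost=30_000)
    print(f"DDoS scrubbing net annual value: ${net:,.2f}")
```

Running it shows why ALE, not SLE, drives priorities: the PII disclosure has by far the largest single loss but, because it is rare, its ALE ($125,000) is only a little above the DoS outages ($100,000), and the $30,000 scrubbing service still comes out $45,000 ahead per year. Swap in a control whose annual cost exceeds the ALE it removes and the function goes negative, which is the signal to accept or transfer the risk instead.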

Policies, Standards, Procedures and Guidelines

Policies, standards and procedures are mandatory, i.e. you must follow them: a policy is management’s high-level statement of what is required, a standard specifies the mandatory technologies, configurations or parameters that implement it, and a procedure is the step-by-step instruction for doing so. Guidelines are recommendations; they are optional.

You should be familiar with the different roles and responsibilities in information security, including: System Owner, Data Owner, Data Custodian, Security Administrator and System Administrator.

And while we’re talking about roles and responsibilities, don’t forget that all of these roles require security awareness training.  All must have the basics and then each role will have specific training for their individual position.


Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.