Information security and risk management are analogous to each other. The security and risk management domain forms the baseline for all information security concepts and practices. This is the first domain in CISSP CBK. Concepts on the key areas explained in this domain are across the next seven domains of CISSP, and will serve as the conceptual foundation for more complicated topics. Hence, a strong foundational knowledge in this domain will help the students in understanding the concepts in the rest of the domains.
A candidate appearing for the CISSP exam is expected to have foundational concepts and knowledge in the following key areas of the security and risk management domain:
This chapter gives an overview of Security, Compliance, and Policies using a high-level illustration. This is followed with an overview of asset and asset protection. Furthermore, the concepts of Confidentiality, Integrity, and Availability (CIA) are explained with suitable examples. Security governance principles, compliance frameworks, and legal and regulatory issues that can impact on compliance are covered from a global perspective. Management practices that relate to security policies, standards, procedures and guidelines, as well as personnel security policies, are covered toward the end.
Asset protection forms the baseline for security. Unintended disclosure and unauthorized modification or destruction of an asset can affect security.
Observe the following illustration:
Assets can be tangible, that is, perceptible by touch. An example of a tangible asset could be a desktop computer or a laptop. Assets can be intangible, that is, not have physical presence. An example of an intangible asset could be a corporate image or an intellectual property, such as patents.
Assets are used by the organization for business processes. Every asset, whether tangible or intangible, has a certain intrinsic value to the business. The value can be monetary, or of importance, or both. For example, a simple firewall that costs less than $10000 may be protecting important business applications worth millions of dollars.
If an asset is compromised, for example, stolen or modified, and the data or a secret information is disclosed, it will have an impact that could lead to monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.
An asset can be hardware, software, data, process, product, or infrastructure that is of value to an organization, and hence, needs protection. The level of protection is based on the value of the asset to the business.
To assess protection requirements, assets are grouped based on the type of assets, such as tangible or intangible, physical or virtual, and computing or noncomputing. For example, a computer can be a physical asset as well as a computing asset, such as hardware.
Assets are generally grouped as follows:
Note that, in certain accounting practices, software can also be classified under Property, Plant and Equipment (PPE). However, in the information security domain, software is classified as an intangible asset. Besides, software or information may be stored in hardware or physical assets, such as on hard disk or DVD.
In the information security domain, asset protection involves security management practices that are subjected to business and compliance requirements. Such practices for asset protection are called security controls.
Types of security controls include:
This is not a comprehensive list of security controls. This book provides hundreds of such requirements and controls in subsequent chapters. However, a requirement or a control is not determined ad-hoc. Instead, asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment. Similarly, controls are identified through risk mitigation strategies. Risk assessment and risk mitigation strategies are covered in the next chapter.
Hence, asset protection requirements are based on risk. In order to understand risk, to perform risk assessment and select controls for asset protection, the concepts of CIA have to be understood first.