CISSP Module 01-Security and Risk Management

Security and Risk Management

Interested in becoming a CISSP? Your path should begin as soon as you enter the computer world. Every professional you meet in this area would recommend at least taking a look at the certification process. Let’s take a look at the requirements for a CISSP certification first!

To complete and achieve the CISSP certification, alongside your CISSP course you will need 5 years of full-time experience in two or more of the ISC2 domains, to pass the exam with a score of 700, and to subscribe to the ISC2 Code of Ethics. But don’t let this discourage you, because finishing the CISSP tutorial course would be the best thing you can do for your business.


Let’s start with the Module 01 CISSP tutorial!


What is our starting point? We need to address how we’re going to satisfy the CIA triad. Confidentiality, integrity, and availability are the musts! We will also address the other security areas, but we’re starting with this. Confidentiality? We want to keep secrets – secret.


So, we come to the point of encrypting data. Here we learn to stay safe by knowing cryptography and masking. In a cyber attack we can also see steganography, which is basically a message hidden in another message. What we are going to do here is mask our passwords and sensitive fields. Passwords at rest should never be stored in clear text. Using approved algorithms will protect PII against disclosure. It’s important to remember that sensitive information should not be stored in log files.
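As an added illustration of the two points above (example code, not from the course or its author): a password stored with an approved salted, iterated hash (PBKDF2, NIST SP 800-132) instead of clear text, and a redactor that masks sensitive fields before an event is written to a log. The field names, the sample event and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a password as 'pbkdf2_sha256$iterations$salt_hex$hash_hex', never in clear text."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: fail closed
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Assumption: field names treated as sensitive in this example's log events.
SENSITIVE_FIELDS = {"password", "ssn", "credit_card", "api_key"}


def redact_event(event: dict) -> dict:
    """Mask sensitive fields before logging; keep the last 4 characters of
    non-password identifiers so support staff can still correlate records."""
    redacted = {}
    for key, value in event.items():
        if key.lower() not in SENSITIVE_FIELDS:
            redacted[key] = value
        elif key.lower() == "password" or not isinstance(value, str):
            redacted[key] = "[REDACTED]"
        else:
            redacted[key] = "*" * max(len(value) - 4, 0) + value[-4:]
    return redacted


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    # constructed sample event, as it might reach a logger
    print(redact_event({"user": "alice", "password": "hunter2", "ssn": "123-45-6789"}))
```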

Tenets of Secure Design

What are the tenets of secure architecture and design? Do you know how much security is enough? You can hear from people that no amount of security is ever enough. But let us debunk that myth! The answer is risk analysis.

Risk intro

That’s the answer to how much security you really need. You need to find a proper balance between the cost and the value. The whole idea of the best protection is not to rely on a single mechanism for your safety. You need security that comes in layers. That is defense in depth. Your design should also be kept simple. Do you really wanna lock 2 doors or 30?

When it comes to open architecture software, people think that being open makes it more secure. That is really not true; running OpenSSL, for example, is no guarantee of security just because its source is open.

Risk Assessment, Analysis and Mitigation

Now we come to risk management. How much security is needed? As we said – just enough. But what does that mean? It means we know about the risks, we can recognize the threat, and we know what to do about it. We are well educated, right? You will be, after the course. All we are doing is looking at the needs of the business and implementing as much security as we think there should be. You will get to know the types of risk, how to choose the right risk response option, and the risk management models. That is all you need. You will learn the difference between a threat, a vulnerability and an exploit. What are the risks that may concern you? They’re not the same for everyone.

What if the cyber attack was successful? You should know how to implement your fallback plan, or plan B. If you’re a serious business company, you should never let this happen to you. You need a plan B!

Governance vs Management

Let us explain what risk management really is and what it consists of. Risk management is made up of several elements: risk assessment, analysis, mitigation, and monitoring. The first is about identifying assets, vulnerabilities, and threats. The second establishes the value of the potential risk. The third is responding to a risk, and the last, monitoring, basically goes on forever!

Framework and Senior Management’s Role

What is worth protecting? Let’s take a look at the assessments. The methodologies that should be used are OCTAVE, FRAP and NIST 800-30. OCTAVE identifies assets and their criticality, and identifies the vulnerabilities, reducing risk. FRAP is an analysis used to determine whether or not to proceed with a quantitative analysis. NIST 800-30 is a risk management guide for Information Technology Systems.

Policies Procedures Standards and Guidelines

Let’s take a look at the difference between governance and management. What does governance do? It ensures that stakeholder needs and conditions are evaluated to determine the objectives, while management plans, builds and runs activities in alignment with the direction set by the governance body. It’s all about achieving the enterprise objectives.

Knowledge Transfer

How do you secure governance? There are some security blueprints. Those are OCTAVE, ITIL, BS 7799, ISO 17799 and more. It’s not good to forget about COBIT and COSO, either. They both focus on security governance. ITIL has 5 service management publications: service strategy, service design, service transition, service operation, and continual service improvement.

Types of Laws and Specific Laws

A program policy, also known as an organizational security policy, is a company-wide security policy. Its purpose is to support the strategic goals of the organization. It is highly recommended that it be integrated into all business functions.

We all know that laws differ from country to country, but let’s take a look at the laws we’re interested in here. It’s a good idea to read the ISC2 Code of Ethics to get better acquainted with them. There is criminal law, as we know, civil law, regulatory law and intellectual property law. Let us get to know intellectual property law better. It covers piracy, counterfeiting, cybersquatting, copyright infringement and typosquatting. In this module you will learn how to protect yourself against these and, most of all, how to recognize them first.


As we mentioned earlier, the plan B for recovery is a must. BCP stands for business continuity and disaster recovery planning. And what about the BIA? What does BIA stand for? It is the business impact analysis. You will learn how to identify and prioritize all business processes based on criticality. The BIA establishes key metrics for use in determining appropriate countermeasures and recovery strategy.

BCP Phases, Roles, and Responsibilities

Business Continuity Planning has 4 phases: initial response, relocation, recovery, and restoration. The first is the organization’s response to a business interruption. The procedures used in the initial response are initial notifications, BCT activation, Business Unit personnel activation, the initial BCT briefing, etc. The relocation phase involves mobilization of resources and relocation of equipment and personnel to Alternate Facilities or Redundant Sites. In this phase, recovery can be fully implemented to sustain the minimum service levels defined for each critical process. The recovery phase takes place after personnel and equipment have been relocated to an alternate site, or after primary facilities have been restored or permanent alternate facilities have been secured. The Business Continuity Restoration phase covers the period when personnel return to restored facilities, or to permanent alternate facilities. It’s when normal business operations are resumed.

The roles and responsibilities within the BCP are what achieve its business continuity objectives: determining who will be responsible for the organization, what will be done, what resources are required, how the results will be evaluated after everything is completed, and more. It’s important to be sure that the persons responsible for particular tasks are well educated in that field. They need to know what actions to take when needed.

BCP Sub plans and Remaining Phases

BCP plans are organized into sub plans. Those are linked together, each for a different stage. The sub plans are:

-Emergency or Contingency Plan; used as a last option. When everything else fails, it defines the necessities and immediate actions.

-CMP or Crisis Management Plan; defines the roles and responsibilities of the teams involved in activating the contingency actions.

-DRP or Disaster Recovery Plan; plans the actions after the crisis is over.

-OCP or Operational Continuity Plan; restores the functioning of the primary assets that support the operations of a company.


Let’s finish with the remaining phases. There are four of them. The first is planning: looking closely at the state of readiness of your systems, staff, and facilities for the event. Checking the backup systems, declaring who should be in charge when the disaster happens, making appropriate plans for different events and so on.

Execution: providing the experienced project management capability that allows the organization to quickly implement the newly created plan or to fill the gaps identified in the existing plans.

Simulation: testing the disaster recovery plan. Sand table exercises, simulated outages, full DR failover execution…

Then we come to documentation, the last phase. Nothing could be completed without this part. Continuous updates are needed.

Now we come to your exam! It’s called the Business Continuity & Disaster Recovery Planning Skill Certification Test. The skill level is advanced, it has 40 questions and lasts 60 minutes. We wish you luck!

I hope I gave you a great introduction and got you interested in this great CISSP course! We will come back to see what we need to learn in Module 02!
