CISSP Domain-1 Security Governance and Risk Management

Pratima Sharma, CISSP | CCSP

Security Governance and Risk Management

Cybersecurity is a structured approach to mitigating cybersecurity risks. This blog will help you understand risk management from a CISSP exam perspective.

Learning Target

CISSP Objective: 1.10 Understand and apply risk management concepts.

Risk Management Terms

Asset: An asset is any data, personnel, device, facility, system, or other component of an organization's systems that is valuable and enables the organization to achieve its business purpose.


Asset Valuation: The factors that feed into an asset's value include the cost of developing or acquiring it, its value to the business, its value to adversaries, its competitive value (what others are ready to pay for it), its maintenance cost, the impact if the asset is not available (financial and reputational/brand), its cost of replacement, and any legal/regulatory liabilities.

Why do we need to calculate the asset Value?

Perform Cost/Benefit Analysis | Effective Control Selection | Purchase of insurance | Understand the loss | Comply with legal requirements.


Vulnerability: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Vulnerability severity is based on: ease of discovery, ease of exploitation, awareness (publicly known or obvious), and intrusion detection (how likely the exploit is to be noticed).

Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat needs an actor and a vector.

Threat Source: A malicious person with harmful intent, or an unintended or unavoidable situation (such as a natural disaster, technical failure, or human error), that may trigger a vulnerability.

Threat Actor:

An independent agent with the capability to do harm. Types of threat actors:

Cybercriminals – Hacker groups (motivated by greed), script kiddies

Nation-State Actors – Selective | Advanced | Can compromise organizations to meet their ultimate goals

Hacktivists: Motivated by some ideology | Seek for high visibility | Aim to embarrass government entities or undermine public trust in them.

Internal Actors: People within the organization (High opportunity) | Two types - negligent and malicious

Nature: Covid, Flood, Political situation

Threat vector

A threat vector is the path or means by which a malicious attack gets past the defenses and affects the organization.

Impact: Risk impact is an estimate of the potential losses associated with an identified risk. Technical impact: loss of CIA, loss of accountability. Business impact: financial, reputational (brand), non-compliance, people.

Risk : Risk is defined as the potential for loss or damage when a threat exploits a vulnerability

Risk Calculation: Risk = Impact x Likelihood

Exposure Factor – the percentage of damage to an asset if the risk is realized once

Inherent Risk

Risk before implementing the security controls (or without risk treatment)

Residual Risk

Risk remaining after controls are implemented (after risk treatment)

Risk Methodology:

Qualitative – Risk is rated on an assumed scale (e.g., 1-5) and the outcome of the risk analysis is represented as Critical, High, Medium or Low.

Quantitative – The risk calculation is based on currency values, and the output of the calculation is also expressed in quantitative (currency) terms.

Common types of risk for an enterprise?

  • Physical damage: Fire, water, vandalism, power loss, and natural disasters
  • Human interaction: Accidental or intentional action or inaction that can disrupt productivity
  • Equipment malfunction: Failure of systems and peripheral devices
  • Inside and outside attacks: Hacking, cracking, and attacking
  • Misuse of data: Sharing trade secrets, fraud, espionage, and theft
  • Loss of data: Intentional or unintentional loss of information to unauthorized parties
  • Application errors: Computation errors, input errors, and software defects

Risk Management Policy

The Information Security Risk Management (ISRM) policy should align with the organization’s enterprise risk management policy. Most companies have an Enterprise Risk Management (ERM) policy to manage the overall risk of the organization (including risk from information systems).


An Information Security Risk Management policy should include:

• The level of risk the organization will accept and what is considered an acceptable level of risk

• Formal processes of risk identification

• The connection between the ISRM policy and the organization’s strategic planning processes

• Responsibilities that fall under ISRM and the roles to fulfill them

• The mapping of risk to internal controls

• The approach toward changing staff behaviors and resource allocation in response to risk analysis

• The mapping of risks to performance targets and budgets

• Key metrics and performance indicators to monitor the effectiveness of controls

Risk can be managed at various levels (strategic, tactical and operational). The diagram below, taken from NIST SP 800-39, illustrates the concept.

Risk Management Process

Risk Management is a structured approach to Identify, Analyze, Respond and Monitor risk in an organization.

Each step is interrelated and must be performed in sequence to achieve the desired outcome. In CISSP Exam, you may be asked about the sequence or activities pertaining to each step in a logical order. This section is highly testable.

Let’s understand these steps:

Step 1: Risk Assessment or Identification

Before starting the risk assessment, the first step is to identify its purpose. E.g., the purpose may be to meet compliance requirements or to routinely identify internal gaps.

The scope of a risk assessment may include infrastructure, applications, network, and third parties. If the risk assessment is performed on a particular business process, all elements (infrastructure, network, etc.) pertaining to that process are in scope.

How to start the process: As a risk analyst you can’t be an expert in all areas. The way to take up this task is to communicate and collaborate with the stakeholders (project managers, subject matter experts, etc.) to understand the risks pertaining to their processes. This communication and collaboration can take the form of internal surveys, interviews or workshops | questionnaires | the Delphi technique. The Delphi method is an anonymous survey in which no names are revealed during the process; this helps stakeholders provide open feedback and inputs.

Popular Risk Assessment Frameworks?

Irrespective of whether you are going with a qualitative or a quantitative risk assessment, you can take guidance from well-established frameworks (guidelines).

There are many well-established methodologies available to assess risk. Examples include:

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

  • Organization-wide risk assessment
  • Prepared by Carnegie Mellon University’s Software Engineering Institute (SEI)
  • Self-directed team approach – focuses on operational SMEs to evaluate and participate in risk decisions
  • The risk assessment team performs workshops to educate
  • The scope is wide (assess all systems, applications, and business processes)

NIST SP 800- 30

NIST SP 800-30 describes a risk assessment approach focused on IT security risk, which includes the following steps:

Prepare for the Assessment

Conduct the assessment (identify threat sources and events – risk scenarios | identify vulnerabilities | assess likelihood | evaluate impact rating | evaluate risk)

Facilitated Risk Analysis Process (FRAP)

FRAP is best suited if you have a limited budget. It is a much more focused assessment of individual systems/processes to save cost. The steps involve:

Pre-screening to limit the assessment to the systems where it is really required, reducing cost and effort.

One system or process or application at a time

Evaluate Risk based on SME experience and not risk calculation

Failure Mode and Effect Analysis (FMEA)

Understand how a security flaw in a system can have a negative impact.

Method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process (E.g., Identify SPOF)

What we do:

1. Failure Mode (how a system can fail)

2. Evaluate impact

Review block diagram of a system/control | what if one block fails | prepare a matrix on failure and effect | Document controls | Peer and management review

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

OCTAVE is a risk-based strategic assessment and planning method. OCTAVE focuses on assessing organizational risks only and does not address technological risks. OCTAVE has three phases:

  • Building asset-based threat profiles (organizational evaluation)
  • Identifying infrastructure vulnerabilities (information infrastructure evaluation)
  • Developing and planning a security strategy (evaluation of risks to the company's critical assets and decision-making)

Step 2: Risk Analysis (Calculation, prioritization and Recommendations)

Risk analysis takes the risk scenario, validates its applicability, and examines existing controls for effectiveness, cost-effectiveness, timeliness, relevance, and responsiveness.

Risk = Likelihood X Impact

Likelihood: possibility that a risk may occur

Impact: Loss to the organization in terms of Finance, Reputation or regulatory fines, or the morale of the employees

Risk Analysis Methodologies

Qualitative Risk Analysis:

In qualitative risk analysis, the two factors (likelihood and impact) are not measured in terms of currency; instead, each is rated on a scale of 1-5, where 5 is the highest level of likelihood or impact.


Quantitative Risk Analysis:

In this approach, the outcome of the risk analysis is derived in terms of currency (dollar value), hence the inputs are also taken in quantitative terms (currency):

  • Asset Value: cost of purchase including maintenance, or cost of replacement of the asset, plus the cost of the financial/reputational/competitive loss if the asset is not available
  • Exposure Factor: represented as a percentage; indicates the loss/damage to the asset if the risk is realized once
  • Single Loss Expectancy (SLE): impact/loss due to one single loss event

Annual Rate of Occurrence (ARO): How many times a risk has occurred in a year, or is expected to occur in a year. I.e., if a flood hits once in 5 years, ARO = 1/5; if a flood hits twice in a year, ARO = 2.

Annual Loss Expectancy (ALE): Total loss in financial terms in a year due to a particular risk. Remember the risk Formula: Risk = Impact * Likelihood; Implementing the same here:

  • ALE = SLE X ARO
    • ALE = Total Risk
    • SLE= Impact (single occurrence)
    • ARO (Likelihood) = number of times the risk is repeated in a year. E.g., if 10 laptops are stolen in a year from the IT dept, the ARO becomes 10; but if a laptop is stolen once in 10 years, the ARO becomes 1/10.

But how to evaluate the SLE?

  • SLE = Asset Value X Exposure Factor
  • E.g., Asset value = 10,000 USD
  • Exposure factor = 20%
  • SLE = 10,000 X 20% = 2,000 USD
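The SLE, ARO and ALE formulas above, carried through in code as an added worked example (this is not code from the original post). It reuses the post's figures (asset value 10,000 USD, exposure factor 20%, a flood once in 5 years, ten laptops a year) and adds a constructed ransomware scenario; the scenario names and the laptop and ransomware values are assumptions for illustration. Ranking scenarios by ALE is the step a risk analyst takes to show leadership which expected annual loss is largest.

```python
"""Quantitative risk analysis helpers: SLE, ARO and ALE (added example)."""
from __future__ import annotations

from dataclasses import dataclass


def exposure_factor(percent: float) -> float:
    """Convert an exposure factor given in percent (0-100) into a fraction.

    EF is the share of the asset's value lost when the risk is realized once.
    """
    if not 0.0 <= percent <= 100.0:
        raise ValueError("exposure factor must be between 0 and 100 percent")
    return percent / 100.0


def single_loss_expectancy(asset_value: float, ef_percent: float) -> float:
    """SLE = Asset Value x Exposure Factor: the loss from one loss event."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor(ef_percent)


def annual_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO = occurrences / years.

    'Once in 5 years' gives 1/5 = 0.2; 'twice in a year' gives 2/1 = 2.0.
    """
    if years <= 0:
        raise ValueError("observation period must be positive")
    if occurrences < 0:
        raise ValueError("occurrences cannot be negative")
    return occurrences / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from this risk.

    This is the quantitative form of Risk = Impact x Likelihood, with the SLE
    playing the role of impact and the ARO the role of likelihood.
    """
    return sle * aro


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario against one asset (values are constructed samples)."""
    name: str
    asset_value: float   # AV in currency units
    ef_percent: float    # EF as a percentage
    occurrences: float   # observed or expected occurrences ...
    years: float         # ... over this many years

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.ef_percent)

    def aro(self) -> float:
        return annual_rate_of_occurrence(self.occurrences, self.years)

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle(), self.aro())


def rank_by_ale(scenarios: list[RiskScenario]) -> list[tuple[str, float]]:
    """Order scenarios by ALE, highest first, so the largest expected annual
    loss appears at the top of the report."""
    return sorted(((s.name, s.ale()) for s in scenarios),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample scenarios. The first reuses the post's figures
# (AV 10,000 USD, EF 20%, once in 5 years); the others are assumptions.
SAMPLE_SCENARIOS = [
    RiskScenario("Server room flood", asset_value=10_000, ef_percent=20,
                 occurrences=1, years=5),
    RiskScenario("Laptop theft (IT dept)", asset_value=1_500, ef_percent=100,
                 occurrences=10, years=1),
    RiskScenario("Ransomware on file server", asset_value=250_000, ef_percent=40,
                 occurrences=1, years=10),
]

if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{name:28s} ALE = {ale:,.2f} USD")
```

Note that a cheap asset with a high ARO (the laptops) can carry a larger ALE than an expensive asset that is rarely hit, which is exactly why the ARO is estimated from observed frequency rather than guessed.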

Step 2 (continued): Risk Reporting

In a qualitative risk analysis, the likelihood and impact ratings, once derived, are multiplied to evaluate the risk. To make the result easy for leadership to understand, the values are then mapped onto a heat map (shown below).

This helps leadership to prioritize investment and efforts for risks that are exceeding the risk appetite levels (those in dark orange and red).
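The qualitative rating and heat-map placement described above, as an added example that is not the post's own code or image. Likelihood and impact are rated 1-5 (5 highest) as in the post and multiplied; the band cut-offs that map the product onto Low/Medium/High/Critical cells, the default "Medium" risk appetite, and the sample risk register are assumptions for illustration.

```python
"""Qualitative risk rating, heat-map placement and prioritization (added example)."""
from __future__ import annotations

SCALE = range(1, 6)  # 1 (lowest) .. 5 (highest), as in the post

# Assumed band cut-offs for a 5x5 matrix; the post's heat map image is not
# reproduced here, so these thresholds are an assumption, not the post's own.
BANDS = (
    ("Critical", 15),  # score >= 15: red
    ("High", 10),      # score >= 10: dark orange
    ("Medium", 5),     # score >= 5:  yellow
    ("Low", 1),        # score >= 1:  green
)
BAND_ORDER = [name for name, _ in BANDS]  # most severe first


def risk_score(likelihood: int, impact: int) -> int:
    """Qualitative Risk = Likelihood x Impact on the 1-5 scales."""
    for value, label in ((likelihood, "likelihood"), (impact, "impact")):
        if value not in SCALE:
            raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a product score (1-25) onto a named band."""
    for name, threshold in BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score out of range: {score}")


def heat_map() -> list[list[str]]:
    """grid[likelihood-1][impact-1] -> band name, for rendering the matrix."""
    return [[risk_band(risk_score(lk, im)) for im in SCALE] for lk in SCALE]


def exceeds_appetite(score: int, appetite: str = "Medium") -> bool:
    """True when the score lands in a band more severe than the appetite band.

    With the default appetite of "Medium", the High and Critical cells (the
    dark orange and red ones the post refers to) need leadership attention.
    """
    return BAND_ORDER.index(risk_band(score)) < BAND_ORDER.index(appetite)


def prioritize(register: list[tuple[str, int, int]],
               appetite: str = "Medium") -> list[tuple[str, int, str]]:
    """Return (name, score, band) for risks beyond appetite, highest score first."""
    rated = [(name, risk_score(lk, im)) for name, lk, im in register]
    over = [(name, s, risk_band(s)) for name, s in rated if exceeds_appetite(s, appetite)]
    return sorted(over, key=lambda row: row[1], reverse=True)


# Constructed sample register: (risk name, likelihood, impact).
SAMPLE_REGISTER = [
    ("Unpatched internet-facing web server", 4, 5),
    ("Lost unencrypted USB stick", 3, 3),
    ("Printer firmware outdated", 2, 1),
    ("Privileged account without MFA", 3, 5),
]

if __name__ == "__main__":
    for lk, row in zip(SCALE, heat_map()):
        print(f"L={lk}: " + " | ".join(f"{band:8s}" for band in row))
    for name, score, band in prioritize(SAMPLE_REGISTER):
        print(f"{score:2d} {band:8s} {name}")
```

Because the bands are a lookup on the product, the same code serves any 5x5 matrix once an organization substitutes its own thresholds and appetite; the ordering of `BANDS` from most to least severe is what makes the appetite comparison work.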

Step 3: Risk Response

There are four ways in which a risk can be responded to. This is important from an exam perspective.

Risk Avoidance: Leadership tries to avoid the risk by recommending alternate means to achieve the business goal or stop the activity altogether if the risk is very high and the outcome is low.

Risk Transfer: Leadership decides to transfer the risk to other parties. Please note that a complete transfer of risk is never possible, hence this is really a risk-sharing method. E.g., purchasing cyber breach insurance, or outsourcing operations to a third party under a contract with appropriate liability clauses.

Risk Mitigation: Leadership decides to mitigate the risk. This may happen through a set plan of action and may also require approval of funds to start a new project. In most organizations, a management action plan with milestones is approved by management, with funds and resources allocated and a central team monitoring progress on remediation.

Risk Acceptance: The least preferred method. However, if the risk is within the organization's risk appetite, leadership may decide to accept it. Since risk is dynamic in nature, an accepted risk must be monitored periodically to ensure it remains within the acceptance level.

Step 4: Risk Monitoring

Risk monitoring is the ongoing process of adding new risks, re-evaluating existing ones, removing those that no longer apply, and continuously assessing the effectiveness of our controls in mitigating all risks to tolerable levels. Risk has to be monitored on a continuous or periodic basis to evaluate whether it is under control. A risk which is within the acceptable level today can fall outside the risk appetite due to a change in the environment.


Continuously monitor the effectiveness of our controls against the risks for which we designed them. This can be achieved by periodically evaluating the balanced security scorecard | service level agreements (SLA) | return on investment (ROI).


Effectiveness monitoring: a good indicator is the number of incidents being reported. However, the effectiveness of controls may change over time.

Control Selection and Implementation

A control is an arrangement that can prevent a risk, or reduce the risk or its impact to the organization. A control may also be referred to as a countermeasure or safeguard.

Safeguard – proactive control to prevent the risk from happening.

Countermeasure – reactive control to reduce the impact, remediate the root cause, or recover from the risk.

Based on the nature of the control, it can be categorized under one of the following categories:

  • Administrative controls: Also called management controls; these are management-oriented controls. E.g., policies, warnings, acceptable use policy (AUP), privacy policy, awareness training
  • Physical controls: Controls which assist in the physical security of assets. E.g., fire prevention controls, locks, doors, guards, CCTV, etc.
  • Technical or logical controls: Technical security controls such as access control, encryption, antimalware, firewalls, etc.

Based on the function (working) of the control, they can be categorized as follows:

Deterrent: A control intended to discourage an attacker.

Preventive: keeps an incident from occurring.

Detective: Identifies the occurrence of an event and possibly the actor

Corrective: Fixes things after the incident

Recovery: A control which returns the environment back to normal operations.

Compensating: A control that provides an alternative means when another control isn’t/can’t be used.

Please note that a control can fall into multiple categories above. E.g., an antivirus can be a preventive, detective and corrective control. It is just a concept.

Control Selection

Control selection is important and depends on multiple criteria. A selected control should have the following characteristics:

  • Cost-benefit analysis (explained below)
  • Other criteria
    • Overriding functionality: ability to manually bypass the control
    • Default to least privilege: should support a minimum level of default privileges
    • Flexibility and security: should be flexible in terms of configuration and features, and should be secure (prevent tampering, etc.)
    • Easily upgradable: vendor support and ability to receive updates
    • Auditing functionality: should be able to log events for tracing back any bypass or breach of the control

Always perform a cost-benefit analysis before recommending/selecting a control.

Cost-Benefit Analysis

Cost Calculation: The cost here should be the Total Cost of Ownership (TCO), which may include the cost of the control itself (e.g., purchasing a firewall), design/planning cost, implementation cost, modification or upgrade cost, testing, repair, operating or replacement cost, subscription cost, and even the man-hours spent on monitoring and responding to alerts.

Benefit Calculation: The benefit is how much the risk has been reduced after implementing the control, i.e., the difference between the risk before the control and the residual risk.

If the Cost of the Control is more than the Benefit – it’s a bad Decision!

If the Cost of the Control is less than the Benefit – it’s a good Decision!

Which means:

Total risk reduction (per year) − TCO of the control (per year) should be a positive (+) value for a good decision.
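The cost-benefit rule above, carried through as an added worked example (not the post's own code). The benefit is the ALE before the control minus the residual ALE after it, the cost is the annualised TCO built from the components the post lists, and the decision is good only when the difference is positive. The cost breakdown, the ransomware scenario and all the figures are constructed assumptions; the comparison of two candidate controls is added to show why a control that removes the same risk can still be a bad decision.

```python
"""Cost-benefit check for a candidate security control (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCost:
    """TCO inputs for one control; one-time costs are spread over its life."""
    purchase: float = 0.0                   # e.g. buying the firewall appliance
    design_and_planning: float = 0.0
    implementation_and_testing: float = 0.0
    useful_life_years: float = 1.0          # years over which one-time costs are spread
    annual_operation: float = 0.0           # repair, upgrades, operating cost per year
    annual_subscription: float = 0.0        # licence / support subscription per year
    monitoring_hours_per_year: float = 0.0  # analyst hours spent on alerts
    hourly_rate: float = 0.0                # cost of one analyst hour


def annual_tco(cost: ControlCost) -> float:
    """Annualised total cost of ownership of the control."""
    if cost.useful_life_years <= 0:
        raise ValueError("useful life must be positive")
    one_time = cost.purchase + cost.design_and_planning + cost.implementation_and_testing
    recurring = (cost.annual_operation + cost.annual_subscription
                 + cost.monitoring_hours_per_year * cost.hourly_rate)
    return one_time / cost.useful_life_years + recurring


def annual_risk_reduction(ale_before: float, ale_after: float) -> float:
    """Benefit: ALE without the control minus the residual ALE with it."""
    if ale_after > ale_before:
        raise ValueError("a control should not increase the ALE")
    return ale_before - ale_after


def control_value(ale_before: float, ale_after: float, cost: ControlCost) -> float:
    """Risk reduction per year minus TCO per year (positive = good decision)."""
    return annual_risk_reduction(ale_before, ale_after) - annual_tco(cost)


def is_good_decision(ale_before: float, ale_after: float, cost: ControlCost) -> bool:
    """The post's rule: the control is worth it only when its value is positive."""
    return control_value(ale_before, ale_after, cost) > 0


# Constructed scenario: ransomware on a file server with an ALE of 50,000 USD
# per year today and an expected residual ALE of 10,000 USD per year after
# deploying endpoint detection plus offline backups.
SAMPLE_ALE_BEFORE = 50_000.0
SAMPLE_ALE_AFTER = 10_000.0
SAMPLE_CONTROL = ControlCost(
    purchase=20_000, design_and_planning=2_000, implementation_and_testing=3_000,
    useful_life_years=5, annual_operation=3_000, annual_subscription=2_000,
    monitoring_hours_per_year=100, hourly_rate=50,
)
# A far more expensive alternative that achieves the same risk reduction.
SAMPLE_GOLD_PLATED = ControlCost(purchase=150_000, useful_life_years=3,
                                 annual_subscription=10_000)

if __name__ == "__main__":
    options = (("EDR + offline backups", SAMPLE_CONTROL),
               ("gold-plated option", SAMPLE_GOLD_PLATED))
    for label, cost in options:
        value = control_value(SAMPLE_ALE_BEFORE, SAMPLE_ALE_AFTER, cost)
        verdict = "good" if value > 0 else "bad"
        print(f"{label}: TCO {annual_tco(cost):,.0f}/yr, "
              f"value {value:,.0f}/yr -> {verdict} decision")
```

Spreading the one-time costs over the useful life is what makes the TCO comparable with the ALE, since both are then expressed per year; forgetting that step is the most common way a cost-benefit calculation goes wrong.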

Control Effectiveness: Control assessments determine whether the controls are effective against their control objective. A control objective is a documented statement of what is expected of a control, with defined metrics for measuring its effectiveness.

Verification answers the question “did we implement the control right?” while validation answers the question “did we implement the right control?”

Congratulations! you have done a great job in completing your daily target. It’s time to Reward yourself! Hope you are enjoying your CISSP Journey 😊. For any feedback, please write to us: manoj@cybernous.com