By the end of this course you will be able to
- Use the core vocabulary (CIA, IAAAA, risk triad, due care/diligence) without confusion.
- Apply the (ISC)² Code of Ethics and resolve a dilemma through the canon order.
- Distinguish governance, management and operations, and the documentation hierarchy.
- Classify an obligation (law, regulation, contract, standard) and choose the right investigation type.
- Run qualitative and quantitative risk analysis (SLE, ALE, ARO) and choose a treatment.
- Conduct threat modeling, manage supplier risk (SCRM) and frame a BIA (MTD, RTO, RPO).
Prerequisites : No formal prerequisite. General IT background helps. This domain is the conceptual bedrock for the other seven.
Suggested path
Suggested path: 4 sessions of about 3 to 4 hours, spread over 2 to 3 weeks. Redo the checkpoints before moving to the next session, then the full quiz (150+ Q) as a final review.
-
Session 1 - Foundations
MODULE 1 · MODULE 2
Vocabulary, CIA, IAAAA, risk triad, ethics and the 4 canons.
-
Session 2 - Governance & law
MODULE 3 · MODULE 4
Roles, frameworks, documentation hierarchy, compliance, law, IP, privacy, investigations.
-
Session 3 - Risk & threats
MODULE 5 · MODULE 6
Qualitative/quantitative analysis, treatment, threat modeling, supply chain.
-
Session 4 - Continuity & review
MODULE 7
BIA, RTO/RPO, personnel security, awareness, then glossary + summary + full quiz.
Fundamental security concepts
Prerequisites : None. Starting point of the domain.
Before any discussion of policies, frameworks, or technical controls, the CISSP candidate must master a shared vocabulary. This module lays the building blocks underpinning all of Domain 1: the CIA triad and its extensions (authenticity, nonrepudiation), the IAAAA access lifecycle, the risk triangle (asset, threat, vulnerability), and structuring principles such as defense in depth.
These notions look simple, but the exam tests them through fine distinctions: confidentiality vs integrity, due care vs due diligence, identification vs authentication. Confusing these terms costs points even for seasoned practitioners. The goal here is not to memorize isolated definitions, but to understand how they fit together.
By the end of the module, you will be able to link a security objective (e.g., prevent unauthorized modification) to the right attribute (integrity), the right control type (technical), and the right governance reasoning (due care).
1.1 The CIA triad, authenticity and nonrepudiation
The CIA triad is the foundational mental model of information security. Confidentiality ensures information is disclosed only to authorized parties with a need to know: a customer-data leak violates confidentiality. Integrity ensures information stays complete and accurate, free from unauthorized modification: if an attacker alters an amount in a banking database, integrity is affected, even though the data remains readable by all. Availability ensures information is accessible when and where it is needed: ransomware that encrypts files attacks availability.
ISC2 expanded this model to five pillars by adding authenticity and nonrepudiation. Authenticity ensures information is genuine: it comes from a trusted, verifiable source, and its originator had the authority to act (whaling attacks specifically exploit a lack of authenticity). Nonrepudiation prevents an actor from later denying an action they performed: a digital signature on a medical order or a trading contract guarantees the originator cannot say "it wasn't me."
Classic trap: confidentiality concerns disclosure (who can read), integrity concerns modification (who can write). A single incident may touch several attributes, but the exam expects you to identify the primary attribute at stake.
- Confidentiality = disclosure; Integrity = modification; Availability = access
- Authenticity and nonrepudiation extend CIA to the ISC2 five pillars
- Nonrepudiation relies on authentication, accountability, and digital signatures
- An incident may touch several attributes; identify the primary one
1.2 The IAAAA lifecycle and its distinction from AAA
Every access to a resource follows a logical sequence summarized by the acronym IAAAA: Identification, Authentication, Authorization, Accountability, Auditing. Identification is the claim of an identity: the user states "I am alice" (a username, a card identifier). Authentication proves that claim: alice provides a password, a token, or a biometric. Until authentication succeeds, no identity is validated.
Authorization then determines what the authenticated identity is allowed to do: which objects it can read, write, or execute, following the principle of least privilege. Accountability ties each action to the responsible identity: it is the ability to attribute an action to an individual, an essential condition for nonrepudiation. Auditing reviews logs after the fact to verify, detect anomalies, and provide evidence.
The access-control AAA model (triple-A) groups Authentication, Authorization, and Accounting (often equated with accountability). IAAAA is thus a more complete view that explicitly adds Identification upstream and Auditing downstream. Exam trap: do not confuse Identification (claiming who you are) with Authentication (proving it); and remember that accountability depends on a unique, reliable identification, otherwise an action cannot be attributed.
- Strict order: Identification -> Authentication -> Authorization -> Accountability -> Auditing
- Identification claims the identity, Authentication proves it
- AAA = Authentication, Authorization, Accounting; IAAAA adds Identification and Auditing
- Without unique identification, there is no accountability or nonrepudiation
1.3 The risk triad: asset, vulnerability, threat, and risk
Risk does not exist in a vacuum: it arises from the meeting of three elements called the risk triad. An asset is a valuable resource to protect (data, system, personnel, reputation); its value or criticality dictates the safeguards you deploy. A vulnerability is an exploitable weakness (an unpatched system, a datacenter without backup power, a non-earthquake-resistant building). A threat is a potentially harmful event (earthquake, outage, malware, malicious employee).
Two intermediate actors sharpen the picture. The threat agent (or threat actor) is the entity that triggers the threat: a cybercriminal, a natural disaster, an insider. The exploit is the concrete means by which a vulnerability is used to realize the threat. Risk is the probability that a threat exploits a vulnerability against an asset, multiplied by the resulting impact.
The conceptual formula Risk = Threat × Vulnerability × Asset captures the essence: if any factor equals zero, risk is zero. A Linux system has no vulnerability to Conficker, so it carries no risk from that worm, even though the threat exists elsewhere. Exam trap: a threat with no matching vulnerability creates no risk, and a worthless asset deserves no safeguard. Clearly distinguish threat (the event) from threat agent (who carries it) and vulnerability (the weakness).
- Risk = Threat × Vulnerability × Asset: a null factor cancels the risk
- Threat (event) is not threat agent (actor) nor vulnerability (weakness)
- Asset value dictates the level of safeguard
- An exploit is the concrete means of activating a vulnerability
1.4 Defense in depth and the three control types
Defense in depth rests on a simple principle: no single control is infallible, so you stack several independent protection layers. If an attacker breaches one layer, the next stops them or at least slows them and makes them detectable. This is also called layered security. An example: a firewall (technical), complemented by an access policy (administrative) and a badge at the datacenter entrance (physical).
CISSP classifies controls into three broad categories by their nature. Administrative (or managerial) controls are policies, procedures, training, employment contracts, separation of duties: they shape human behavior. Technical (or logical) controls are implemented in systems: encryption, firewalls, ACLs, authentication, logging. Physical controls protect the material environment: fences, lighting, locks, guards, fire-suppression systems.
These categories by nature combine with control functions (preventive, detective, corrective, etc.), covered in a later module. Exam trap: a surveillance camera is a physical control by nature but detective by function; encryption is technical and preventive. The exam often tests your ability to classify a single control along two different axes. Defense in depth precisely requires mixing the three natures so as not to depend on a single barrier.
- Defense in depth = several independent layers, no single barrier
- Three natures: administrative, technical/logical, physical
- Nature (what) is distinct from function (preventive, detective...)
- A single control is classified on both the nature axis AND the function axis
1.5 Due care vs due diligence and negligence
Due care and due diligence are two governance and legal-liability concepts that are often confused. The most useful mnemonic: due diligence is knowing what is right, due care is doing the right thing. In other words, due diligence means investigating, assessing, planning, and understanding risks; due care means acting prudently and continuously to address them.
Concretely, conducting a risk analysis, auditing a vendor, or studying regulatory obligations is due diligence. Applying patches, enforcing the security policy, training employees, and continuous monitoring is due care. Due diligence precedes and feeds due care: you cannot act properly on risks you have not first identified.
The link to negligence is central for the exam. An organization that shows neither due care nor due diligence exposes itself to negligence lawsuits: it did not act as a prudent person would have under the same circumstances. The prudent man rule (or prudent person rule) is the comparison standard. Exam trap: if the question is about investigating, assessing, or understanding, think due diligence; if it is about acting, maintaining, or enforcing over time, think due care. Together they protect executives from accusations of negligence.
- Due diligence = knowing what is right; due care = doing the right thing
- Due diligence precedes and feeds due care
- The absence of both constitutes negligence (prudent person rule)
- Question keywords: investigate/assess -> diligence; act/maintain -> care
1.6 Privacy and safety: the attributes beyond the five pillars
The ISC2 manual objectives (1.2) list seven attributes to explain: confidentiality, integrity, availability, authenticity, nonrepudiation, but also privacy and safety. The last two are often forgotten even though they are testable. Privacy is not a synonym for confidentiality: confidentiality protects information against unauthorized disclosure, whereas privacy protects an individual's right (the data subject) to control the collection and use of data about them. You can keep data confidential while still violating privacy, for example by processing it for an unconsented purpose. Privacy relies on frameworks such as the eight OECD principles (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, accountability) and the GDPR, which governs any data about a person in the EU/EEA.
Safety concerns preventing or controlling unwanted or unauthorized harm to persons or property: it belongs to the physical world. Safety of information relates to ensuring that the use of information does not endanger people. The manual's example: leaking a list of employees with their home addresses while they are all at the annual corporate retreat compromises the safety of those employees and their families, beyond a mere confidentiality breach.
Exam trap: do not confuse privacy (the individual's right over their data) with confidentiality (non-disclosure), nor safety (protection of persons/property, physical world) with security (protection of the asset). PII (personally identifiable information) is the data whose protection underpins the data subject's right to privacy.
- Manual 1.2 lists seven attributes: CIA + authenticity + nonrepudiation + privacy + safety
- Privacy (individual's right) is not confidentiality (non-disclosure)
- Safety protects persons and property in the physical world
- Privacy relies on the 8 OECD principles, the GDPR, and protecting the data subject's PII
1.7 The value of information and the status of security models
The ISC2 manual opens section 1.2 with a structuring idea often overlooked: information has value because it is used to make decisions, which lead to actions, which produce results. Information security is the science and practice of ensuring information is correct, complete, and available to support those decisions, that it is produced in reliable and repeatable ways, and that what must stay secret stays secret. Insecure information can lead to actions causing property damage, injury, or even death. This framing justifies why an information asset is protected: it is not the data in itself that matters, but the decision-making use it enables.
A second nuance is essential for the exam: the CIA triad and the five pillars are not the source of security requirements; they are memory-joggers meant to keep these concerns at the forefront of designers' and analysts' thinking. You therefore do not derive a list of controls directly from the triad; you use it as a questioning grid.
Exam trap: if a question implies the CIA model is itself a regulatory requirement or a controls standard, that is wrong. The model is a conceptual framework; requirements come from risks, laws, and business obligations. The triad's popularity stems from its simplicity, and extended models (five pillars, Parkerian) address better-funded, more motivated threats.
- Information has value through its decision-making use, not in itself
- Security ensures information is correct, complete, available, and reliable
- The triad and five pillars are memory-joggers, not the source of requirements
- Requirements come from risks, laws, and business obligations
Case studies
The risk null factor
Context : A small business hosts a payroll application on a Linux server. A new worm exclusively targets a flaw in an obsolete Windows service. Management, panicked by the news, requests an emergency budget of EUR 50,000 to deploy a worm-specific patch on all servers, including the Linux payroll server.
Question : Given the formula Risk = Threat × Vulnerability × Asset, is the spending justified for the Linux server?
Show analysis and answer
The threat (the worm) does exist and the payroll server is a high-value asset. But the Linux server has no vulnerability to this Windows flaw: the Vulnerability factor equals zero for that asset.
In the formula Risk = Threat × Vulnerability × Asset, a null factor cancels the product: the residual risk of this worm on the Linux server is zero. Spending to protect it against this specific threat is a waste of safeguard, contrary to a rational use of resources.
The correct governance answer: due diligence (having characterized the asset and identified the absence of vulnerability) prevents misdirected due care. The budget should target genuinely vulnerable assets, not all assets indiscriminately.
Takeaway : Without a matching vulnerability, a threat creates no risk, regardless of asset value.
Confidentiality or integrity?
Context : An accounting clerk, without authorization, alters a vendor's IBAN in the payment system to substitute their own account. The file remains readable by all authorized users and the system stays available. The fraud is discovered after two transfers.
Question : Which CIA attribute was primarily violated, and what mechanism would have allowed attributing the action to the clerk?
Show analysis and answer
The information was not disclosed to an unauthorized third party: confidentiality is not the central attribute. The data remained accessible: availability is intact. It is integrity that was violated, because data was modified without authorization, making it incorrect.
The common trap is to answer confidentiality whenever an employee "accesses" sensitive data. Here, the wrongful act is an unauthorized write, not a read: integrity.
To attribute the action, you need accountability, which relies on unique identification, strong authentication, and auditing of logs. Without logs linking the modification to the clerk's identity, nonrepudiation is impossible and the organization cannot prove who acted.
Takeaway : Unauthorized modification = integrity; attribution requires accountability (identification + authentication + auditing).
Confidential but not private
Context : A platform stores its users' health data in an encrypted database, with access strictly limited to authorized clinicians: no leak, no disclosure. The company then decides to reuse that same data, internally and without informing users, to train a marketing scoring model.
Question : Is confidentiality violated? Which attribute is actually at stake?
Show analysis and answer
Confidentiality is not violated: the data stays encrypted, not disclosed to unauthorized third parties. The attribute actually breached is privacy. The data subject did not consent to this purpose, which contravenes the OECD principles of purpose specification and use limitation, and the GDPR.
The classic trap is to equate privacy with confidentiality. Here the data is indeed kept secret, but the individual's right to control the use of their personal data is violated.
Governance answer: a processing purpose must be specified and consented to; reusing PII for another objective requires a new legal basis. Technical security (encryption) is never enough to guarantee privacy.
Takeaway : Data can stay confidential while still violating privacy: privacy concerns purpose and consent, not just disclosure.
CIA vs DAD
Each objective of the CIA triad has a mirror threat summarized by the acronym DAD: Disclosure (against Confidentiality), Alteration (against Integrity), Destruction or Denial (against Availability). The exam may frame a question from the attack side: a data leak = Disclosure, hence a breach of Confidentiality. Do not answer "DAD is another security model": it is the negative of CIA, the list of consequences to avoid.
Due care vs due diligence
The most common mistake is to swap the two. Remember: due diligence = knowing what is right (investigating, assessing, analyzing risks, auditing a vendor); due care = doing the right thing (applying patches, enforcing the policy, monitoring). If the question is about investigation, research, or prior assessment, it is due diligence. If it is about prudent, continuous action, it is due care. The absence of both = negligence, judged by the prudent person rule.
Privacy vs confidentiality vs safety
Three neighboring notions, three distinct angles. Confidentiality = prevent unauthorized disclosure (who can read). Privacy = the data subject's right to control the collection and use of their personal data (purpose, consent, PII, OECD, GDPR). Safety = prevent harm to persons or property, in the physical world. Data can be confidential yet processed in violation of privacy; and a data leak (confidentiality breach) can threaten safety (e.g., disclosed employee addresses). On the exam, privacy and safety are full attributes listed in the 1.2 objectives, not mere synonyms for confidentiality.
Checkpoint — Knowledge check
-
An attacker quietly alters amounts in a financial database without preventing anyone from accessing it. Which security attribute is primarily compromised?
- A Integrity
- B Confidentiality
- C Availability
- D Authentication
Answer & rationale
Answer : A — Integrity
Unauthorized modification of data targets integrity. Confidentiality would involve disclosure (unauthorized read), absent here. Availability is intact since access remains possible. Authentication is not a triad attribute but an access-control phase.
-
In the IAAAA lifecycle, which phase consists solely of claiming an identity, without yet proving it?
- A Identification
- B Authentication
- C Authorization
- D Accountability
Answer & rationale
Answer : A — Identification
Identification is the mere claim ("I am alice"). Authentication proves that claim via a factor (password, biometric). Authorization grants rights once the identity is proven. Accountability attributes an action afterward. The order and the Identification/Authentication distinction are recurring traps.
-
A real threat targets a flaw in software that is installed on none of the company's systems. According to Risk = Threat × Vulnerability × Asset, what is the risk to those systems?
- A Null, because the matching vulnerability is absent
- B High, because the threat exists
- C Medium, because the assets have value
- D Impossible to determine without an ALE
Answer & rationale
Answer : A — Null, because the matching vulnerability is absent
If vulnerability equals zero, the product Threat × Vulnerability × Asset equals zero: no risk, even with a real threat and valuable assets. This is the example of a Linux system immune to a Windows worm. The other answers ignore the effect of a null factor.
-
A CISO conducts a thorough risk analysis and audits vendors before selecting an encryption solution. Which governance concept does this prior investigation illustrate?
- A Due diligence
- B Due care
- C Least privilege
- D Separation of duties
Answer & rationale
Answer : A — Due diligence
Investigating, assessing, and auditing before acting is due diligence (knowing what is right). Due care would be the prudent action that follows, such as deploying then maintaining the encryption. Least privilege and separation of duties are access principles, off-topic here. Swapping due care and due diligence is the intended trap.
-
The ISC2 section 1.2 objectives require explaining several attributes beyond the CIA triad. Which of these sets is complete according to the manual?
- A Authenticity, nonrepudiation, privacy, safety
- B Authenticity, nonrepudiation only
- C Accountability, auditing, privacy
- D Least privilege, defense in depth, safety
Answer & rationale
Answer : A — Authenticity, nonrepudiation, privacy, safety
Manual 1.2 lists seven attributes: confidentiality, integrity, availability, plus authenticity, nonrepudiation, privacy, and safety. Many stop at authenticity and nonrepudiation and forget privacy and safety, though they are explicitly in the objectives. Accountability and auditing belong to the access lifecycle, not to information attributes; least privilege and defense in depth are principles.
-
A company keeps customer data encrypted and undisclosed but reuses it for a purpose the customers did not consent to. Which attribute is primarily violated?
- A Privacy
- B Confidentiality
- C Availability
- D Authenticity
Answer & rationale
Answer : A — Privacy
Since the data stays encrypted and undisclosed, confidentiality is preserved. It is privacy that is violated: the data subject did not consent to this purpose (purpose specification, use limitation among the OECD principles, GDPR). The trap is equating privacy with confidentiality.
-
According to the ISC2 manual, what is the status of the CIA triad and the five pillars?
- A Conceptual memory-joggers, not the source of security requirements
- B The direct and exhaustive source of controls to implement
- C A regulatory requirement imposed by the GDPR
- D A certification standard equivalent to ISO 27001
Answer & rationale
Answer : A — Conceptual memory-joggers, not the source of security requirements
The manual states these models are not the source of security requirements, but mere memory-joggers keeping these concerns front of mind. Requirements come from risks, laws, and business obligations. You do not derive a list of controls or a standard directly from them.
Key takeaways
- The CIA triad (Confidentiality, Integrity, Availability) plus authenticity and nonrepudiation forms the ISC2 five pillars.
- The access lifecycle follows the IAAAA order; Identification claims, Authentication proves; AAA covers only its core.
- Risk = Threat × Vulnerability × Asset: a null factor cancels the risk.
- Distinguish threat (event), threat agent (actor), and vulnerability (weakness).
- Defense in depth stacks administrative, technical, and physical controls; nature and function are two distinct axes.
- Due diligence = knowing what is right; due care = doing the right thing; their absence = negligence.
- The 1.2 objectives list seven attributes: CIA + authenticity + nonrepudiation + privacy + safety; do not forget the last two.
- Privacy (the data subject's right over their data: purpose, consent, PII, OECD, GDPR) is not confidentiality (non-disclosure).
- Safety protects persons and property in the physical world; a data leak can threaten safety.
- Information has value through the decisions it enables; the triad and five pillars are memory-joggers, not the source of requirements.
Professional Ethics
Prerequisites : None. Can be studied alongside module 1.
Ethics is the foundation of the trust placed in the security professional. The CISSP must understand, adhere to, and promote professional ethics (Key Area A): this is the very first objective of Domain 1, and strict adherence to the (ISC)² Code of Ethics is a condition of certification, not a mere recommendation.
This module covers three pillars. First the (ISC)² Code of Ethics, its preamble and its 4 canons in their prescriptive order (which acts as a tie-breaker in case of conflict). Then RFC 1087 "Ethics and the Internet" from the Internet Architecture Board (IAB), compared with other codes (IEEE, ACM, ISACA). Finally, putting it into practice: reporting violations, managing conflicts of interest, and understanding the consequences of a breach, including revocation of the certification by the ISC2 ethics committee.
2.1 The (ISC)² Code of Ethics: preamble and 4 canons
The (ISC)² Code of Ethics opens with a preamble setting the guiding principle: the safety and welfare of society, the common good, the duty to our principals, and the duty to each other require that we adhere - and be seen to adhere - to the highest ethical standards. The preamble concludes that strict adherence to the Code is a condition of certification.
Next come the 4 canons, in this exact order: (1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; (2) Act honorably, honestly, justly, responsibly, and legally; (3) Provide diligent and competent service to principals; (4) Advance and protect the profession.
The order is PRESCRIPTIVE: it acts as a tie-breaker. When two canons conflict, the higher-ranked canon prevails over the lower-ranked one. Thus protecting society (canon 1) outweighs the duty to one's employer (canon 3); and acting legally (canon 2) prevails over the commercial interest of the profession (canon 4). It is this hierarchical reasoning - not mere recitation - that the exam tests.
Classic trap: scrambling the order, for example placing "advance and protect the profession" before "protect society." The welfare of society is ALWAYS first; the profession comes last.
- 4 canons, fixed order: society -> honor/legality -> principals -> profession.
- The order is prescriptive: the higher canon prevails in a conflict.
- Strict adherence to the Code is a condition of certification.
2.2 RFC 1087 (IAB) and other professional codes
RFC 1087 "Ethics and the Internet" is published by the Internet Architecture Board (IAB). It does not describe positive canons like ISC2; instead it explicitly declares UNETHICAL six categories of activity: (1) seeking unauthorized access to Internet resources; (2) destroying the integrity of information; (3) disrupting normal Internet use; (4) wasting resources (people, capacity, etc.) through such actions; (5) compromising the privacy of users; (6) practicing negligence in the conduct of Internet experiments.
The logic of RFC 1087 maps onto the CIA triad: unauthorized access and privacy compromise touch confidentiality, destroying integrity touches integrity, and disruption and waste touch availability. This is a handy exam angle for memorizing the list.
Other organizations maintain their own codes: IEEE and ACM (computing and software engineering), ISACA (IS audit and governance). They share the spirit - integrity, competence, primacy of the public interest - but differ in scope and authority. Key point: only the (ISC)² Code of Ethics conditions the CISSP certification. RFC 1087 and the IEEE/ACM/ISACA codes are complementary references, not the disciplinary basis of ISC2.
Classic trap: attributing the list of unethical activities to the (ISC)² Code of Ethics. That list comes from RFC 1087 / the IAB, not to be confused with the 4 canons.
- RFC 1087 = IAB; states 6 UNETHICAL activities (not canons).
- The 6 items map onto the CIA triad.
- Only the (ISC)² Code conditions certification; IEEE/ACM/ISACA are complementary.
2.3 Promoting ethics in practice: reporting and consequences
Promoting ethics (the verb "promote" in Key Area A) goes beyond personal adherence: the professional must also report violations and defuse conflicts of interest. A conflict of interest arises when a personal interest - family ties, financial gain, animosity - may compromise objectivity. The expected response is disclosure and recusal, not concealment.
Reporting follows a formal process. At ISC2, a complaint triggers a procedure: a finding of facts, an opportunity for the accused member to offer a rebuttal, then review by the ISC2 Ethics Committee. The committee lets the member review the findings and recommendations before submitting them to the ISC2 board, which rules.
The ultimate consequence of a breach is revocation of the certification: it is the ISC2 board, on the recommendation of the ethics committee, that decides whether to revoke membership. Beyond that, unethical conduct destroys the organization's trust, which can no longer accept the professional's security advice.
Classic trap: believing the manager or employer "revokes" the CISSP. Revocation of the certification belongs to ISC2 (ethics committee + board), not the employer. The employer may terminate employment; only ISC2 withdraws the certification.
- Promoting ethics = reporting violations and disclosing conflicts of interest.
- ISC2 process: complaint -> facts -> rebuttal -> ethics committee -> board.
- Only ISC2 (committee + board) revokes the certification, never the employer.
2.4 The organizational code of ethics and the Enron / SOX illustration
Beyond the (ISC)² Code of Ethics, you must distinguish the organizational code of ethics: a policy document approved and supported by the organization's senior management. Where the (ISC)² Code binds the certified individual, the organizational code binds all personnel and sets the acceptable modes of behavior. It is often merged with the overall personnel policies and may state the organization's mission and core values.
An organizational code concretely defines what is forbidden: discriminatory and unproductive behavior (racial, religious, or sexual harassment), unfair trade practices such as nepotism, bribery, and awarding contracts in exchange for favors. Some codes are also designed to ensure compliance with legislation the organization is subject to (compliance-driven).
Application point: ethics, like everything else, must be embedded in policies and procedures, and the ethics committee must continually review and monitor them. The security professional sets the example: their conduct becomes the reference practice (tone at the top).
History illustrates the stakes. In the late 1990s / early 2000s, a series of accounting scandals - WorldCom, Adelphia, Enron - led to bankruptcies. Enron's auditing firm, Arthur Andersen, provided both audit AND business consulting: an inherent conflict of interest (the roles are adversarial). Andersen then ordered the destruction of documents during a regulatory investigation. In response, the U.S. Congress created the Sarbanes-Oxley Act (SOX) - requiring greater transparency in the financial reporting of publicly traded companies - and amended the Federal Rules of Evidence: a data owner can no longer destroy information once notice of a legal action or investigation is received.
Classic trap: confusing the organizational code of ethics (internal, approved by management, enforced by the employer) with the (ISC)² Code (which conditions certification, enforced by ISC2). And: Andersen showed that having a data-destruction policy does not make destruction ethical during an investigation - which is exactly what SOX corrected.
- Organizational code of ethics = internal policy approved by senior management; distinct from the (ISC)² Code.
- It forbids harassment, nepotism, bribery, unfair practices, and may be compliance-driven.
- Enron + Arthur Andersen (audit/consulting conflict, document destruction) led to SOX + amended Federal Rules of Evidence.
Case studies
The flaw discovered at a client
Context : On an audit engagement, you discover a critical vulnerability exposing the medical data of thousands of patients. Your client (principal) asks you not to document it in the report to avoid a regulatory disclosure and reputational impact.
Question : Should you obey the client and omit the flaw from the report?
Show analysis and answer
The duty of diligent service to the principal (canon 3) here conflicts with protecting society and the common good (canon 1), because third-party patients are at risk.
The prescriptive order decides: canon 1 prevails over canon 3. You cannot conceal a flaw that threatens society to serve a client's interest. Acting honestly (canon 2) also forbids a falsified report. The correct conduct is to document the vulnerability and remind the client of its obligations.
Takeaway : Society (canon 1) > principal (canon 3): public safety is not sacrificed to a client's comfort.
Unauthorized monitoring of a colleague
Context : A network administrator reports that an employee browses the Internet during work hours, breaching internal policy. You find that the administrator had the technical rights to monitor but was given no explicit authorization to do so, and that a personal conflict existed between them.
Question : Is the administrator's report ethically acceptable?
Show analysis and answer
The employee's activity is not illegal but breaches policy. Crucially, the administrator acted without authorization and under an undisclosed conflict of interest, undermining the honesty and justice expected (canon 2) and bordering on compromising the user's privacy (spirit of RFC 1087).
The arbitration: holding the technical rights is not the same as ethical authorization. The report is tainted by both its means and its motive. The policy breach should be handled through proper HR channels, but the administrator's conduct - unmandated monitoring and a concealed conflict - must also be examined.
Takeaway : Having the technical capability is not having authorization; an undisclosed conflict of interest taints a report.
Enron, Arthur Andersen, and the birth of SOX
Context : Arthur Andersen provides Enron with both audit and business consulting services. When a regulatory investigation into Enron opens, Andersen executives order the destruction of thousands of documents and volumes of electronic data tied to the engagement, citing an internal end-of-engagement data-destruction policy.
Question : What makes this conduct unethical, and what legislative response followed?
Show analysis and answer
Two ethical problems compound. First, combining audit and business consulting for the same client is an inherent conflict of interest: consulting seeks to maximize the client's profit, while auditing must ensure compliance and faithful reporting - adversarial roles.
Second, destroying documents during an investigation, even under an internal policy, violates honesty and justice (canon 2) and betrays public trust (canon 1). That no law forbade it at the time does not erase the ethical breach: legality and ethics are not the same.
The response: Congress created the Sarbanes-Oxley Act (SOX), requiring transparency in publicly traded companies' financial reporting, and amended the Federal Rules of Evidence to bar any data owner from destroying information once notified of a legal action or investigation. Exam lesson: a destruction policy does not legitimize destruction in the face of an investigation, and a conflict of interest must be structurally avoided, not merely 'compartmentalized' by assertion.
Takeaway : Audit + consulting for the same client = inherent conflict of interest; destroying data under investigation is unethical - SOX and the amended Federal Rules of Evidence are the legal response.
The order of the canons is not decorative
The 4 canons are ranked in decreasing priority and the exam tests this order as a tie-breaking rule. "Protect society" is ALWAYS first; "advance and protect the profession" is ALWAYS last. Faced with a dilemma, identify the conflicting canons and apply the higher-ranked one. Memorizing the list without grasping the hierarchy will fail scenario questions.
Don't confuse the codes: ISC2 vs RFC 1087 vs IEEE/ACM/ISACA
The (ISC)² Code of Ethics = 4 positive canons, a condition of the CISSP certification. RFC 1087 = a list of 6 UNETHICAL activities published by the IAB. IEEE, ACM, and ISACA have their own codes, complementary but with no authority over the CISSP. Common trap: attributing the list of unethical activities to the ISC2 canons, or thinking only ISC2 has a code. Only ISC2 conditions YOUR certification; the other codes are not its disciplinary basis.
Checkpoint — Checkpoint - Professional Ethics
-
In the (ISC)² Code of Ethics, which canon prevails when it conflicts with the duty to one's employer?
- A Protect society, the common good, and the infrastructure
- B Provide diligent service to principals
- C Advance and protect the profession
- D All canons carry equal weight
Answer & rationale
Answer : A — Protect society, the common good, and the infrastructure
The canons are prescriptive: canon 1 (protect society) prevails over canon 3 (service to principals). Option D is wrong: the order is hierarchical.
-
Which document lists unauthorized access, destroying integrity, and compromising privacy as unethical activities?
- A The (ISC)² Code of Ethics
- B RFC 1087 from the Internet Architecture Board
- C The ISACA code of ethics
- D The CBK preamble
Answer & rationale
Answer : B — RFC 1087 from the Internet Architecture Board
The list of 6 unethical activities comes from IAB RFC 1087 "Ethics and the Internet," not the ISC2 canons.
-
Who ultimately decides to revoke a member's certification for an ethics breach?
- A The member's employer
- B The Internet Architecture Board
- C The ISC2 board, on the recommendation of the ethics committee
- D The external auditor
Answer & rationale
Answer : C — The ISC2 board, on the recommendation of the ethics committee
Revocation belongs to ISC2: the ethics committee investigates and recommends, the board rules. The employer may terminate employment but does not revoke the certification.
-
What is the correct order of the 4 canons of the (ISC)² Code of Ethics?
- A Profession; principals; honor; society
- B Society; honor/legality; principals; profession
- C Honor; society; profession; principals
- D Principals; society; profession; honor
Answer & rationale
Answer : B — Society; honor/legality; principals; profession
Prescriptive order: protect society -> act honorably and legally -> serve principals -> advance the profession. Society first, profession last.
-
What distinguishes an organizational code of ethics from the (ISC)² Code of Ethics?
- A It is an internal policy approved by senior management, applying to all personnel and enforced by the employer
- B It lists the 6 unethical activities of RFC 1087
- C It conditions the CISSP certification just like the 4 canons
- D It is published and revoked by the Internet Architecture Board
Answer & rationale
Answer : A — It is an internal policy approved by senior management, applying to all personnel and enforced by the employer
The organizational code is a policy document approved by management, applying to all personnel and enforced by the employer. Only the (ISC)² Code conditions certification (B and D describe RFC 1087/the IAB).
-
The Enron / Arthur Andersen case directly led to which U.S. legislative response?
- A RFC 1087
- B The Sarbanes-Oxley Act (SOX) and the amendment of the Federal Rules of Evidence
- C The (ISC)² Code of Ethics
- D The ISACA code of ethics
Answer & rationale
Answer : B — The Sarbanes-Oxley Act (SOX) and the amendment of the Federal Rules of Evidence
In response to the Enron scandal and Arthur Andersen's document destruction, Congress created SOX (reporting transparency) and amended the Federal Rules of Evidence (no destroying data under investigation).
Key takeaways
- The (ISC)² Code of Ethics has a preamble + 4 canons; strict adherence is a condition of certification.
- Prescriptive order: society > honor/legality > principals > profession; the higher canon prevails in a conflict.
- RFC 1087 (IAB) declares 6 unethical activities; don't confuse it with the ISC2 canons or with IEEE/ACM/ISACA.
- Promoting ethics = reporting violations and disclosing conflicts of interest.
- Only ISC2 (ethics committee + board) can revoke the certification, never the employer.
- Distinguish the organizational code of ethics (management's internal policy, applying to all personnel) from the (ISC)² Code (which conditions certification).
- An internal code forbids harassment, nepotism, bribery, and unfair trade practices, and may target legal compliance.
- Enron + Arthur Andersen (audit/consulting overlap, document destruction) led to SOX and the amended Federal Rules of Evidence: legality at the time is not ethics.
Security Governance & Documentation
Prerequisites : Modules 1 and 2 (core concepts, ethics).
Security exists only to serve the business: the information systems security department has no reason to exist without the organization it protects. This module ties security to the company's goals, mission and objectives and clarifies who decides what.
We first distinguish Governance (the WHAT, owned by the board, accountable) from Management (the HOW, responsible) and Operations (the DOING). We then map the roles - from Senior Manager to Custodian - then the control frameworks (ISO 27001/27002, COBIT, NIST SP 800-53, ITIL, CIS Controls), the risk-bearing organizational processes (M&A, divestitures), and finally the documentation hierarchy Policy > Standard/Baseline > Procedure > Guideline.
Exam goal: know who is accountable vs responsible, which document is mandatory vs optional, and which framework answers which need.
3.1 Aligning security with the business
Security governance is the meta-process that links the organization's efficiencies to its goals and objectives: it governs how policies are written, how people are trained and how actions are performed. Founding rule: the business can exist without the security department, but the security department has no reason to exist without the business. Security must therefore enhance and support business goals, never needlessly hinder them.
Three levels not to confuse. Governance = the WHAT: the board / directors / top management set direction, risk appetite and policies; they are accountable. Management = the HOW: managers translate this into programs, allocate resources and remain responsible for execution. Operations = the DOING: teams apply controls day to day. The risk appetite (the level of risk the organization accepts) is set by top management, not by operations.
Example: a board sets "zero tolerance for patient data leakage" (governance); the CISO designs an encryption and DLP program (management); the SOC team monitors alerts (operations). Exam trap: a risk acceptance decision made by a technical administrator is invalid - accepting residual risk is a senior management responsibility, not an operator's.
- Security serves the business, never the reverse
- Governance = WHAT/accountable, Management = HOW/responsible, Operations = DOING
- Risk appetite is set at the highest level
3.2 Roles and responsibilities
The Senior Manager (CEO, board) is ultimately accountable for security: they sign the policies and carry the risk before shareholders and the law. The Information Security Officer / CISO is functionally responsible: they design, run and maintain the security program. Key exam distinction: accountable (the single one, at the top, answerable for the outcome) vs responsible (the one who executes, delegable).
Data roles. The Data Owner (often a business executive) classifies the data and defines its sensitivity; they decide who may access it. The Custodian (Data Custodian / steward, often IT) preserves CIA day to day: backups, technical rights, encryption - they apply the owner's decisions, they do not make them. The User / Operator applies the rules and signs the AUP (Acceptable Use Policy). The Auditor independently assesses and measures the gap between policy and reality.
Regulatory vocabulary (GDPR). The Data Controller determines the purposes and means of processing (decides WHY and HOW); the Data Processor processes on the controller's behalf (executes, on instruction). Trap: do not confuse Owner (internal, classifies) with Controller (legal notion, accountable for processing); nor Custodian (internal, technical) with Processor (third party, legal).
- Senior Manager = ultimately accountable; ISO/CISO = responsible
- Owner classifies, Custodian preserves CIA
- Controller decides processing, Processor executes it for them
3.3 Control frameworks
ISO 27001 states the requirements of an ISMS (Information Security Management System): it is the certifiable standard - an organization is audited and certified for its conformance. ISO 27002 is the catalog of best-practice controls (the detailed "how" of measures); it is NOT certifiable. Classic trap: you certify against ISO 27001, never ISO 27002.
COBIT (ISACA) is an IT governance and management framework, widely used by auditors; it links IT objectives to business objectives. NIST SP 800-53 is an exhaustive catalog of security and privacy controls (for US federal systems): you start from a baseline (Low/Moderate/High per FIPS 199/200), then apply scoping (drop irrelevant controls) and tailoring (adapt the rest to context). ITIL is the set of IT service management best practices (service delivery), mapped to ISO 20000. The CIS Controls (18 of them) are a prioritized, concrete list of defensive controls, free and action-oriented.
Example: to earn an internationally recognized certification, target ISO 27001; to build a US federal program, rely on NIST 800-53; to align IT and governance for auditors, COBIT. Trap: NIST 800-53 is not "certifiable" like ISO 27001 - it is a catalog, not a certification scheme.
- ISO 27001 = certifiable (ISMS); ISO 27002 = best practices, not certifiable
- NIST 800-53 = catalog, with scoping & tailoring from a baseline
- COBIT = IT governance/audit; ITIL = IT services; CIS = 18 controls
3.4 Organizational processes impacting security
Some business decisions deeply alter the security posture. In an acquisition, the buyer inherits the target's legacy systems, policies, procedures and data - often poorly secured - and may suddenly fall under new legislation and regulations. A merger requires aligning the security governance of the resulting entity. A divestiture or spinoff forces an assessment of what must leave, what stays, and how to separate accesses and data without breaking confidentiality.
The major M&A risk: the acquiring organization inherits the target's vulnerabilities. Real case cited by the CBK: Marriott acquired Starwood in 2016; a Starwood reservation system had already been compromised since 2014 - the breach was discovered only after the acquisition, exposing hundreds of millions of customers. Hence the importance of security due diligence BEFORE signing.
Governance of these processes: a governance committee (often mandatory for non-profits) frames decisions; digital transformation and reorganization also introduce risks (orphan accounts, unmigrated data). Exam trap: due diligence must precede integration; integrating first then "auditing later" amounts to importing the target's compromises into your own network.
- An acquisition inherits the target's vulnerabilities (Marriott/Starwood case)
- Security due diligence BEFORE signing, not after
- Divestitures: cleanly separate accesses and data
3.5 Documentation hierarchy
Security documentation is structured in tiers. The Policy is the highest-level document: it expresses intent and direction, is issued and signed by senior management, and stays stable and general (the "why"). It is mandatory.
Beneath the policy: the Standard imposes precise, uniform choices (technologies, configurations) - it is mandatory. The Baseline defines the minimum security level to reach (a configuration floor) - mandatory. The Procedure describes the detailed step-by-step execution of a task - mandatory within its scope. The Guideline, however, is a recommendation: flexible and optional, it advises without compelling (the "if you wish").
Exam memo: Policy > Standard / Baseline > Procedure are mandatory; only the Guideline is optional. Recurring trap: "A standard is a suggestion" is FALSE (it is mandatory); "a guideline is mandatory" is FALSE (it is optional). Another trap: the policy does not contain technical details - those go down into standards and procedures so the policy stays stable over time.
- Policy > Standard/Baseline > Procedure > Guideline
- Only the Guideline is optional; the rest is mandatory
- The policy stays general; details go down into standards and procedures
3.6 Due care, due diligence and business alignment
Aligning security with the business means fitting plans and resources to goals and objectives: spending time, material or money on nonessential activities signals poor alignment. The manual stresses that the security practitioner must first understand how the organization functions and its objectives, and only then determine how security fits in to enhance those functions. The BIA (business impact analysis, covered in 1.8) is the recognized form that captures this alignment of goals, resources and risks. Misaligned governance produces policies that needlessly inhibit productivity, impose undue costs and hinder strategic intent.
Two legal and ethical duties shape this effort. Due care = taking all reasonable and prudent actions to plan and carry out a task or responsibility, across its whole life cycle (from conception to disposal). It is putting in place the systems that control or prevent threat events. Due diligence = taking all reasonable and prudent actions to monitor, control, manage and, as needed, redirect the plans and actions you are responsible for; it is staying aware of the environment and new risks. Manual phrasing: "constant vigilance" expresses due diligence; you pay attention to the alarms the systems (due care) generate. Management dictum: "you cannot manage what you do not measure."
Two legal notions refine these duties. Prudent actions = what people of comparable training, experience and authority would do in the same circumstances. Reasonable actions = decisions with a clear, logical and defensible justification after the fact (acting on a hunch is not reasonable). Central exam trap: publishing a policy is NOT sufficient due diligence; to meet the legal duty, the organization must also have a documented and active monitoring and enforcement capability ensuring it adheres to its own policy. Due diligence also includes the security review of vendors/suppliers before using them, and personnel background checks.
- Due care = putting controls in place; due diligence = continuous monitoring and redirecting
- Publishing a policy is NOT enough: documented and active monitoring + enforcement are required
- Prudent man / reasonable actions: legal test of what is defensible after the fact
- Aligning security with the business = fitting plans/resources to goals; the BIA captures alignment
3.7 Extended frameworks: RMF, FedRAMP, SABSA and categories
Beyond the ISO 27001/27002-COBIT-NIST 800-53-ITIL-CIS core, the manual details several frameworks worth knowing. ISO 27000 family: 27001 (ISMS requirements, certifiable), 27002 (control catalog, advisory), 27003 (implementation guidance), 27005 (risk management). 27001's first action: read 27002 and justify the inclusion/exclusion of each control - this exercise produces the Statement of Applicability (SoA).
The NIST/FIPS ecosystem cascades. A FIPS is a requirement, a SP (Special Publication) is a guideline that helps meet it. FIPS 199 categorizes the system (Low/Moderate/High per C-I-A); NIST SP 800-60 explains how to perform that categorization; FIPS 200 mandates minimum controls per category; NIST SP 800-53 provides the control catalog satisfying FIPS 200. The NIST RMF (SP 800-37) transforms the old Certification & Accreditation into a six-step process (Categorize, Select, Implement, Assess, Authorize, Monitor); it is mandatory only for US federal but is widely adopted in the private sector and offers NO private certification. FedRAMP applies this logic to the cloud: the JAB (Joint Authorization Board) grants reusable provisional authorizations, and 3PAOs (Third-Party Assessment Organizations) independently verify a CSP's controls.
SABSA (Sherwood Applied Business Security Architecture) is a business-driven, risk- and opportunity-focused security architecture methodology that traceably supports business objectives (advantages: value-assured, prioritized, scalable, agile, open source, auditable). Finally, the manual distinguishes CATEGORIES of frameworks: privacy (PMF, ex-GAPP from AICPA, incorporates GDPR/TSC); risk/ERM (ISO 31000, ISO 27005, COSO ERM, ISACA Risk IT, NIST SP 800-37); cybersecurity (ISO 270XX, HITRUST CSF for HIPAA, CSA STAR for the cloud with its 3 tiers and the CAIQ); and Security Control Frameworks (SCF) that provide minimum implementation practices (PCI DSS, SWIFT CSCF, NIST, COBIT, CIS). Cross-cutting tool: gap analysis compares controls in place to what an SCF requires. Trap: NIST RMF/800-53 and SABSA do not deliver private certification like ISO 27001.
The NIST Cybersecurity Framework (CSF) organizes security around five functions: Identify, Protect, Detect, Respond, Recover. Widely adopted, it serves as a common language to steer and communicate the security posture at executive level.
- FIPS = requirement, SP = guideline: 199 categorizes -> 200 mandates -> 800-53 provides the catalog
- NIST RMF (800-37) = 6 steps Categorize/Select/Implement/Assess/Authorize/Monitor
- FedRAMP = cloud RMF with JAB and 3PAO; SABSA = business-driven traceable architecture
- Categories: privacy (PMF), risk/ERM (ISO 31000, COSO, Risk IT), cyber (HITRUST, CSA STAR), SCF (PCI DSS)
- Gap analysis = gap between controls in place and what an SCF requires
Case studies
Integrating an acquired target's controls
Context : Your group acquires a healthcare SME. Management wants to connect the target's network to yours immediately to speed up synergies. The target has no ISMS and no up-to-date asset inventory, and its admin accounts are shared.
Question : What is the first security action to take, and why is immediate integration risky?
Show analysis and answer
Connect first, secure later means importing into your network all of the target's vulnerabilities and possible compromises - exactly the Marriott/Starwood scenario, where a pre-existing breach traveled with the acquisition.
The right sequence: run security due diligence BEFORE any interconnection - asset inventory, data classification (healthcare = sensitive data, inherited HIPAA/GDPR regulations), access review, compromise hunt. Then align security governance and apply your standards and baselines before opening the network. Isolating (segmenting) the target during the assessment is the default prudent measure.
Takeaway : Due diligence and isolation BEFORE interconnection: you don't inherit the breaches of a target you haven't audited.
Which control framework for which need
Context : Three requirements arrive at once: (1) management wants an internationally recognized certification to reassure clients; (2) the audit committee demands verifiable IT/governance alignment; (3) a subsidiary must respond to a US federal tender.
Question : Which framework do you map to each need?
Show analysis and answer
Need 1 (international certification) -> ISO 27001: the only certifiable option, via an audited ISMS. ISO 27002 does not fit because it is not certifiable, it is a catalog of best practices.
Need 2 (IT/governance alignment for auditors) -> COBIT: built by ISACA to link IT and business objectives, it is the auditors' reference.
Need 3 (US federal program) -> NIST SP 800-53: control catalog imposed on federal systems, with baseline selection then scoping & tailoring. Note, 800-53 is not a certification scheme like ISO 27001 - it is a control framework to implement.
Takeaway : One framework per need: ISO 27001 to certify, COBIT to govern/audit, NIST 800-53 for US federal.
Is a published policy enough?
Context : After a data-leak incident, a regulator reviews your organization. You present an AUP and an encryption policy, signed by senior management and circulated to everyone. No control logs, no sanctions, no internal audit exist to verify their actual application.
Question : Can the regulator find a failure of due diligence despite the policies existing?
Show analysis and answer
Yes. The ISC2 manual is explicit: publishing a policy is an INSUFFICIENT form of due diligence. A signed document at best satisfies part of due care (putting a control intent in place), but the legal duty of due diligence requires a documented and active monitoring and enforcement capability proving the organization actually adheres to its own policy.
Here, the absence of logs, audits and sanctions shows no feedback loop measures the real state or corrects deviations - the very opposite of "constant vigilance." Applying the prudent man: a comparable organization would have put monitoring and enforcement in place. The right posture combines due care (the controls: encryption, AUP) AND due diligence (continuous monitoring, alarm review, audits, sanctions) across the whole life cycle.
Takeaway : A signed policy does not cover due diligence: without active, documented monitoring and enforcement, the legal duty is unmet.
Standard vs Guideline: mandatory or optional
Common error: thinking a Standard is a "recommendation." FALSE. A Standard is MANDATORY, just like Baseline and Procedure. Only the Guideline is optional and flexible. If the stem calls a measure "recommended but not enforced," it is a Guideline; if it is "enforced and uniform," it is a Standard.
Accountable vs Responsible
Responsibility (execution) can be delegated, accountability (answering for outcomes) never. The Senior Manager remains ultimately accountable even if the CISO is responsible for execution. Trap: a question "who is ultimately responsible for security?" expects senior management / CEO, not the CISO or the administrator. And a risk acceptance by an operator is invalid.
ISO 27001 vs ISO 27002
You certify against ISO 27001 (the ISMS requirements), NEVER against ISO 27002 (the catalog of best-practice controls). Exam trap: "our organization is ISO 27002 certified" is an incorrect phrasing. 27001 = what to require and certify; 27002 = how to implement the controls.
Due care vs due diligence
Due care = PUTTING IN PLACE the controls that prevent threat events ("doing the right thing"). Due diligence = continuously MONITORING, reading alarms, reviewing, redirecting ("constant vigilance"). Trap: "publishing a policy" is at best the start of due care - it is NOT due diligence, which requires active monitoring and enforcement. Another manual cue: reviewing a vendor's security before using it, or running background checks, are acts of due diligence.
FIPS vs SP, and certification
A FIPS is a REQUIREMENT (mandatory for US federal); a SP (Special Publication) is a GUIDELINE helping to meet it. Chain: FIPS 199 categorizes -> FIPS 200 mandates minimum controls -> NIST SP 800-53 provides the catalog -> NIST SP 800-37 (RMF) orchestrates. Trap: neither NIST RMF, nor 800-53, nor SABSA offers private certification like ISO 27001 - they are references/methodologies, not certification schemes.
Checkpoint — Checkpoint - Module 3
-
Who is ultimately accountable for information security in the organization?
- A The system administrator
- B The Senior Manager / top management
- C The Data Custodian
- D The internal Auditor
Answer & rationale
Answer : B — The Senior Manager / top management
Accountability is not delegated: it sits with senior management, who signs policies and carries the risk. The CISO is responsible for execution, not ultimately accountable.
-
Which of these standards is certifiable?
- A ISO 27002
- B NIST SP 800-53
- C ISO 27001
- D ITIL
Answer & rationale
Answer : C — ISO 27001
ISO 27001 states ISMS requirements and allows an audited certification. ISO 27002 is a non-certifiable best-practice catalog; NIST 800-53 is a catalog; ITIL is service best practices.
-
In the documentation hierarchy, which document is OPTIONAL?
- A Standard
- B Baseline
- C Procedure
- D Guideline
Answer & rationale
Answer : D — Guideline
Only the Guideline is a flexible, optional recommendation. Standard, Baseline and Procedure are mandatory.
-
Who classifies data and decides who can access it?
- A The Data Custodian
- B The Data Owner
- C The Operator
- D The Data Processor
Answer & rationale
Answer : B — The Data Owner
The Data Owner classifies data and defines access. The Custodian preserves CIA day to day but applies the owner's decisions; the Processor processes on the controller's instruction.
-
During an acquisition, what is the priority security measure?
- A Immediately connect the networks for synergies
- B Run security due diligence before interconnection
- C Delete all of the target's documentation
- D Wait for the next annual audit
Answer & rationale
Answer : B — Run security due diligence before interconnection
The acquirer inherits the target's vulnerabilities (Marriott/Starwood case). Due diligence and isolation must precede any interconnection to avoid importing compromises.
-
Your organization has published and circulated a security policy signed by management, but neither checks nor enforces compliance. Per the ISC2 manual, this constitutes:
- A Sufficient due diligence
- B INSUFFICIENT due diligence (monitoring and enforcement are missing)
- C A separation-of-duties violation
- D Valid evidence of risk acceptance
Answer & rationale
Answer : B — INSUFFICIENT due diligence (monitoring and enforcement are missing)
The manual is explicit: publishing a policy is an insufficient form of due diligence. The legal duty additionally requires a documented and active monitoring and enforcement capability.
-
In the NIST/FIPS ecosystem, which document PROVIDES the control catalog satisfying FIPS 200's minimum requirements?
- A FIPS 199
- B NIST SP 800-60
- C NIST SP 800-53
- D NIST SP 800-37 (RMF)
Answer & rationale
Answer : C — NIST SP 800-53
FIPS 199 categorizes, SP 800-60 explains categorization, FIPS 200 mandates minimum controls, and NIST SP 800-53 provides the control catalog. SP 800-37 is the RMF orchestrating it all.
-
An organization wants a business-driven, risk- and opportunity-focused security architecture, traceable to business objectives. Which framework fits?
- A SABSA
- B PCI DSS
- C CSA STAR
- D FedRAMP
Answer & rationale
Answer : A — SABSA
SABSA (Sherwood Applied Business Security Architecture) is precisely a business-driven, traceable architecture methodology. PCI DSS protects card data, CSA STAR targets the cloud, FedRAMP authorizes CSPs for US federal.
Key takeaways
- Security exists to serve the business: Governance (WHAT/accountable), Management (HOW/responsible), Operations (DOING).
- Risk appetite and risk acceptance belong to senior management, never to operations.
- Accountable (single, at the top) cannot be delegated; responsible (execution) can.
- ISO 27001 is certifiable (ISMS), ISO 27002 is not; NIST 800-53 is a catalog (scoping & tailoring); COBIT governs IT.
- M&A and divestitures: security due diligence BEFORE integration, you inherit the target's risks.
- Documentation hierarchy: Policy > Standard/Baseline > Procedure (mandatory) > Guideline (optional).
- Due care = putting controls in place; due diligence = continuously monitoring, reading alarms and redirecting ("constant vigilance").
- Publishing a policy is NEVER enough as due diligence: documented and active monitoring and enforcement are required.
- NIST/FIPS chain: 199 categorizes -> 200 mandates -> 800-53 catalog -> 800-37 RMF (6 steps); FedRAMP applies RMF to the cloud (JAB, 3PAO).
- Aligning security with the business = fitting plans and resources to goals; the BIA captures this alignment.
Compliance, Law, and Investigations
Prerequisites : Module 3 (governance, documentation hierarchy).
Module 4 covers the legal and regulatory dimension of the security profession. A CISSP is not a lawyer, but must be able to translate legal obligations into control requirements, distinguish a law from a contractual standard, and orchestrate an investigation without destroying the evidentiary value of collected items.
We explore three complementary axes. First, compliance: how to determine what binds the organization (laws, regulations, contracts, standards) and the landscape of major regimes (SOX, PCI-DSS, SOC, HIPAA, GDPR, FISMA). Then, the legal framework: legal systems, categories of law and associated burden of proof, cybercrime, intellectual property, import/export, and privacy. Finally, investigations: investigation types, forensic standards, and chain of custody.
The exam's guiding thread is nuance. The trap question does not ask 'what is GDPR' but 'who is accountable' or 'which burden of proof applies'. Work the distinctions, not just the definitions.
4.1 Determining Compliance - Laws, Regulations, Contracts, Standards
The first skill is classifying an obligation. A law is enacted by a legislature and binds everyone. A regulation is issued by an agency under the authority of a law and also carries the force of law. A contract is a commitment between parties (e.g., adhering to PCI-DSS to process cards). A standard is a technical or best-practice framework, binding only when imposed by a law or contract.
Landscape of major regimes. SOX (Sarbanes-Oxley): a US law targeting the integrity of financial reporting for publicly traded companies, after the accounting scandals. PCI-DSS: a private standard from the PCI Security Standards Council imposed by contract on anyone who stores, processes, or transmits cardholder data. SOC 1/2/3 (AICPA, under SSAE 18): attestation reports - SOC 1 on internal control over financial reporting (ICFR), SOC 2 on the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy), SOC 3 a public, lighter version of SOC 2.
HIPAA: a US law protecting health data (PHI). GDPR: an EU regulation, expanded individual rights, breach notification within 72 hours, fines up to 4 percent of annual worldwide turnover. FISMA: a law imposing a security program on US federal agencies and their contractors, aligned with the NIST RMF.
Exam trap: do not confuse the nature of the instruments. PCI-DSS is not a law - its force comes from the contract with the payment networks. A SOC report is not an absolute security certification but an auditor's attestation on controls at a point in time or over a period.
- Law and regulation carry the force of law; a standard binds only via law or contract
- PCI-DSS = standard imposed by contract, not a law
- SOC 1 = financial reporting; SOC 2/3 = Trust Services Criteria
- GDPR: 72 h notification, fine up to 4 percent of annual worldwide turnover
- FISMA applies to US federal agencies and their contractors
4.2 Legal Systems and Categories of Law
Legal systems differ by country. Common law (Anglo-Saxon) relies on case law and precedent. Civil law (continental) rests on comprehensive written codes. Customary law derives from customs and traditions, and religious law draws its rules from a sacred text. Many countries are hybrids.
Within common law, three categories matter for the exam. Criminal law protects society: the State prosecutes, the burden of proof is 'beyond a reasonable doubt', and the penalty can be imprisonment. Civil law (in the tort sense) resolves disputes between private parties: the standard is 'preponderance of the evidence', and the penalty is financial (damages). Administrative/regulatory law is issued by agencies: it carries the force of law, and its burden of proof is generally low.
Example: an employee embezzles funds. The State may prosecute criminally (prison); the company may also sue civilly to recover the money (damages). Both actions coexist with different proof standards.
Exam trap: the highest burden of proof is criminal (beyond a reasonable doubt). Civil and regulatory only require preponderance of evidence, which is lower. Do not just memorize the names, but the order of severity.
- Common law = precedent; civil law = written codes
- Criminal: State prosecutes, beyond a reasonable doubt, prison possible
- Civil: dispute between parties, preponderance of evidence, damages
- Regulatory: agency, force of law, low burden of proof
- One conduct can trigger criminal AND civil actions simultaneously
4.3 Cybercrime and Data Breaches
Cybercrime refers to any offense where the computer acts as a tool of the offense (e.g., fraud, phishing) or as a target of the offense (e.g., intrusion, denial of service). This tool/target distinction shapes the legal characterization and the type of investigation.
We must distinguish breach from data disclosure. A breach is the loss of control, confidentiality, or integrity of a system or data. A data disclosure is the actual revelation of data to an unauthorized party. Not every breach leads to a disclosure, but a disclosure almost always reflects a breach. Notification laws (GDPR, US state laws) often require alerting regulators and affected individuals within a deadline.
Landmark laws. In the US, the Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access, or access exceeding authorization, to a protected system. Many countries have equivalent statutes; the challenge is extraterritoriality, since an attack often crosses several jurisdictions.
Exam trap: a breach is not synonymous with data disclosure. The scenario may describe a compromised system with no proven exfiltration; the right answer speaks of breach (loss of control), not disclosure. Also be careful not to confuse the notification obligation (legal trigger) with mere technical detection.
- Cybercrime: computer as tool OR as target
- Breach (loss of control) does not always imply disclosure
- A disclosure almost always reflects an underlying breach
- CFAA = key US statute on unauthorized access
- Notification laws impose an alert deadline
4.4 Intellectual Property, Import/Export, and Transborder
Four intellectual property regimes must be mastered. A trademark protects a distinctive sign (name, logo, slogan) identifying the origin of a product; renewable indefinitely as long as it is used. A patent protects a new, useful, and non-obvious invention; typical 20-year term in exchange for public disclosure. A copyright protects the expression of a work (code, text, image), not the idea; generally the life of the author plus 70 years. A trade secret protects confidential information with economic value (formula, algorithm); unlimited duration as long as the secret is maintained, but no protection if it leaks.
Infringement is unauthorized use: using a protected mark, making a patented product, copying a work, or misappropriating a secret. DRM (Digital Rights Management) adds technical controls to enforce licenses (e.g., a lock preventing copying).
Import/export controls restrict the movement of sensitive goods. The Wassenaar Arrangement coordinates control of dual-use goods (civilian/military), including certain encryption technologies. Transborder data flow refers to the transfer of data across borders; it is governed by regimes such as GDPR, which restrict transfers to countries without adequate protection.
Exam trap: to protect a secret algorithm, a trade secret can outperform a patent. A patent requires public disclosure and expires after 20 years; a trade secret stays protected indefinitely as long as it is not revealed. The choice depends on the reverse-engineering risk and the duration of the advantage sought.
- Trademark = distinctive sign, renewable indefinitely
- Patent = ~20 years, requires public disclosure
- Copyright = expression (not idea), life + 70 years
- Trade secret = unlimited but no protection after a leak
- Wassenaar = dual-use goods and export control of crypto
4.5 Privacy and OECD Principles
Privacy concerns the protection of PII (Personally Identifiable Information), any data that can identify a person. The organization that collects PII assumes obligations: minimize collection, secure, inform, and enable individuals to exercise their rights.
The eight OECD principles (1980, revised) form the most-cited international foundation. 1) Collection Limitation: collect lawfully and fairly, ideally with consent. 2) Data Quality: relevant, accurate, up-to-date data. 3) Purpose Specification: purpose stated before collection. 4) Use Limitation: do not use beyond the stated purpose without consent or legal basis. 5) Security Safeguards: protect with reasonable measures. 6) Openness: transparency about practices. 7) Individual Participation: the person can access, challenge, and correct their data. 8) Accountability: the data controller answers for compliance with all these principles.
Key point: the data controller remains accountable, even when it outsources processing to a data processor. Outsourcing an activity does not outsource legal responsibility.
Exam trap: the question often contrasts data controller and data processor. The processor acts on behalf of the controller, but ultimate accountability - and thus the penalty - targets the controller. Do not pick the processor as responsible for compliance with the OECD principles or GDPR.
- PII = any data identifying a person
- The 8 OECD principles range from Collection Limitation to Accountability
- Purpose Specification + Use Limitation bind use to the stated purpose
- The data controller remains accountable, not the processor
- Outsourcing processing does not outsource responsibility
4.6 Investigation Types, Forensics, and Chain of Custody
Four investigation types differ by their actors, burden of proof, and purpose. The administrative investigation is internal to the organization, aims to inform a management decision (HR, internal compliance), and has a low burden of proof. The criminal investigation is conducted with law enforcement, seeks a criminal conviction, and requires the highest burden of proof (beyond a reasonable doubt). The civil investigation supports a dispute between private parties and rests on preponderance of evidence. The regulatory investigation is conducted by a regulator to verify compliance with a regulation, with a generally low burden of proof.
The choice of type drives collection rigor. An investigation that may become criminal must, from the outset, follow the strictest forensic standards, because rigor cannot be reconstructed afterward. Reference standards: ISO/IEC 27037 (identification, collection, acquisition, preservation of digital evidence), ISO/IEC 27043 (investigation process principles), and NIST SP 800-86 (integrating forensics into incident response).
Evidence admissibility depends on its relevance, reliability, and lawful acquisition. The chain of custody documents who handled each item, when, where, and why, from collection to court. A broken chain of custody can make evidence inadmissible, even if it is technically valid.
Exam trap: after an incident, if a criminal investigation begins, immediately treat the scene to the highest standards. The classic trap suggests 'start internally then see' - but sloppy collection destroys evidentiary value. When criminal proceedings are plausible, align with their requirements.
- 4 types: administrative, criminal, civil, regulatory
- Criminal = highest burden of proof, law enforcement
- If criminal is plausible, apply the strictest forensic standards
- ISO 27037/27043 and NIST SP 800-86 frame forensics
- A broken chain of custody makes evidence inadmissible
4.7 Software Licensing and Import/Export Controls (ITAR, EAR, Wassenaar)
Software is a form of intellectual property: the buyer acquires not a copy but a right to use, framed by a license. The CISSP must recognize four main models. A contractual (negotiated) license is a signed written agreement between the parties, with tailored clauses (scope, duration, number of seats); it is the legally strongest form. A shrink-wrap license takes its name from the plastic packaging: acceptance of the terms is deemed given upon opening the package, with no signature. A click-through (also click-wrap) license asks the user to click 'I agree' before installing or using the software; consent is the act of clicking. Finally, the EULA (End-User License Agreement), notably for cloud services, defines use limitations: who may use it, how, for how long, and whether derivative work is allowed and protected.
The exam point is that a EULA charges for the right to use, not ownership of the copy. Clearly defining use limitations (who, how, how long) is essential; in some EU countries, the license agreement must be registered with a national intellectual property office. DRM adds technical controls (locks, geolocation, 'phone home') to enforce the license, which raises fair use debates.
Import/export controls restrict the movement of sensitive technologies, especially cryptography. Beyond the Wassenaar Arrangement (already covered: 42 countries, dual-use goods and encryption), two US regimes are essential. ITAR (International Traffic in Arms Regulations), administered by the Department of State, governs strictly military articles and services listed on the US Munitions List. EAR (Export Administration Regulations), administered by the Department of Commerce (BIS), covers commercial and dual-use goods, including much encryption, via the Commerce Control List. The Militarily Critical Technologies List (MCTL) further details technologies requiring specific export permission.
Exam trap: do not reduce import/export to Wassenaar alone. Distinguish ITAR (pure military, Department of State) from EAR (commercial and dual-use, Department of Commerce). Countries such as Russia, China, and North Korea additionally impose strong restrictions on citizens' use of cryptography, which can make merely bringing an encrypting device while traveling illegal.
- Licenses: contractual (signed), shrink-wrap (on opening), click-through (on click), EULA (cloud)
- A EULA charges for the right to use, never ownership of the copy
- ITAR = pure military, Department of State, US Munitions List
- EAR = commercial and dual-use, Department of Commerce (BIS), Commerce Control List
- Wassenaar and MCTL complete the framework; encryption is the central issue
- Some countries ban citizens from using crypto (Russia, China, North Korea)
4.8 Privacy Law Landscape (US and International)
US privacy is described as sectoral: there is no single federal law, but a patchwork of sector-specific statutes, supplemented by state laws and overseen for general commerce by the FTC (Federal Trade Commission). Three federal statutes recur on the exam. HIPAA protects health data (PHI). GLBA (Gramm-Leach-Bliley Act) protects the financial data of financial-institution customers. COPPA (Children's Online Privacy Protection Act) protects the online data of children under 13. At the state level, the CCPA (California Consumer Privacy Act, 2018) is the strongest US protection, yet was not ruled adequate under GDPR; CalOPPA already required publishing a privacy policy.
Two statutes govern surveillance. ECPA (Electronic Communications Privacy Act) protects electronic communications against interception. The Fourth Amendment protects against unreasonable searches and seizures, but only against the government: it does not constrain what a private organization does with its own data, and that organization may voluntarily hand information to the State on simple request. The USA PATRIOT Act (2001) extended search-and-seizure powers, authorizing national security letters served without a judge or subpoena, and often bars disclosing to the data subject that such a letter was received.
Internationally, transfers out of the EU depend on GDPR adequacy decisions (Japan, New Zealand, Argentina, Canada are approved; the US is not). Successive US arrangements - Safe Harbor then Privacy Shield - were struck down by the CJEU (Schrems II, 2020) for failing to offer sufficient protection against US surveillance. What remains are Standard Contractual Clauses (SCCs, smaller companies) and Binding Corporate Rules (BCRs, large groups, approved by a supervisory authority), both weakened by Schrems II. The EU Digital Markets Act targets 'gatekeepers' (Amazon, Apple, Meta, Microsoft) with fines up to 10 percent of worldwide turnover (20 percent for repeat infringement).
Many countries have GDPR-like laws: Brazil (LGPD), Argentina, Chile (privacy declared a constitutional right), Colombia, Australia (Notifiable Data Breaches: breach to be reported within 30 days above AU 3M turnover), South Africa (POPIA). Data localization requires storing certain data within national territory: Russia requires that any data about a Russian citizen physically reside on servers in Russia, forcing local data centers. APEC's Cross-Border Privacy Rules (CBPR) and the right to be forgotten (right to erasure, GDPR) round out this shifting landscape.
Exam trap: do not confuse the sectoral US regimes (HIPAA = health, GLBA = finance, COPPA = children) and never claim the US has a general federal law equivalent to GDPR. Know that Safe Harbor and Privacy Shield were struck down (Schrems), that the US has no adequacy decision, and that the data controller remains accountable for international transfers.
In Canada, the baseline law is PIPEDA (2000). In the EU, privacy of electronic communications also falls under the ePrivacy Directive (2002/58/EC), which predates and complements GDPR.
- US privacy is sectoral: HIPAA (health), GLBA (finance), COPPA (children), no general federal law
- CCPA = strongest US state protection, but not GDPR-adequate
- Safe Harbor then Privacy Shield struck down by CJEU (Schrems II); US has no adequacy decision
- Out-of-EU transfers via adequacy decision, SCCs, or BCRs
- Fourth Amendment targets government, not private parties; PATRIOT Act = national security letters without a judge
- Data localization (Russia), POPIA, LGPD, GDPR-like laws: the controller remains accountable
Case studies
Choosing the investigation type after an incident
Context : A company detects that an administrator copied a customer database to an external drive before resigning. Indicators suggest a possible resale to a competitor, which could constitute a crime. The CIO suggests 'looking into it internally first, informally, so as not to alarm anyone'.
Question : Which investigation type should be prioritized, and with what collection precautions?
Show analysis and answer
The scenario presents a potentially criminal act (data theft, possible violation of the CFAA and trade secrets). Even if the organization first launches an administrative investigation to inform its decision, it must anticipate a shift to criminal.
The prudent rule is to immediately apply the highest forensic standards (ISO/IEC 27037, NIST SP 800-86): image the drive, document every handling, and establish a chain of custody from the first seizure. Informal 'let's see' collection would destroy evidentiary value if the matter becomes criminal.
The trap is believing you can 'formalize later'. Rigor lost at the start cannot be recovered. The correct stance is: treat the scene as criminal by default when criminal proceedings are plausible, while still conducting the management analysis.
Takeaway : When criminal proceedings are plausible, collect from the start to the strictest forensic standards and maintain a chain of custody.
Which IP regime to protect an algorithm
Context : A startup has developed a scoring algorithm that is its competitive advantage. Leadership hesitates: file a patent for official protection, or keep the algorithm as a trade secret. The algorithm is hard to reverse-engineer from the final product.
Question : Which intellectual property regime should be recommended, and why?
Show analysis and answer
A patent offers strong protection but requires full public disclosure of the invention and expires after about 20 years. After that, the algorithm falls into the public domain and any competitor can exploit it.
A trade secret protects information indefinitely as long as it stays confidential and reasonable measures are taken to keep it secret (NDA, compartmentalization, access control). Since the algorithm is hard to reverse-engineer, the risk of leakage through the product is low, making the trade secret especially suitable.
The recommendation is the trade secret: no disclosure, potentially perpetual protection, and preserved competitive advantage. A patent would be preferable if the reverse-engineering or independent reinvention risk were high, since it would then provide an enforceable exclusive right despite disclosure.
Takeaway : Trade secret when reverse-engineering is unlikely; patent when reinvention risk justifies an enforceable exclusivity despite disclosure.
Transferring HR data from the EU to the United States
Context : A multinational group wants to centralize all HR data from its subsidiaries, several of them in the EU, on a single data center in the United States to cut costs. The DPO recalls that the US has no adequacy decision and that Privacy Shield was struck down.
Question : Is the transfer possible, and under what legal conditions?
Show analysis and answer
GDPR forbids transfer to a country without adequate protection, except via an authorized mechanism. Since the US has no adequacy decision, and Safe Harbor then Privacy Shield were struck down by the CJEU (Schrems II) due to US surveillance, the group cannot rely on those arrangements.
The remaining routes are Standard Contractual Clauses (SCCs) for modest-sized entities and Binding Corporate Rules (BCRs), approved by a supervisory authority, for a large intra-organization group. Schrems II nonetheless weakened SCCs: the exporter must verify case by case that the destination country's law does not prevent compliance, and provide supplementary measures (encryption, pseudonymization), with processing suspendable at any stage.
The right answer is therefore neither 'impossible' nor 'unrestricted', but: transfer possible via BCRs (suited to a group) coupled with technical safeguards, after an impact assessment. Above all, the data controller remains accountable for GDPR compliance despite US localization and any outsourcing of processing.
Takeaway : Without an adequacy decision, an EU-to-US transfer relies on SCCs or BCRs with supplementary safeguards (post-Schrems II); the controller remains accountable.
International transfers amid heterogeneous privacy laws
Context : A multinational processes data of EU, Canadian, Brazilian and California residents. Each jurisdiction has its own law (GDPR, PIPEDA, LGPD, CCPA) and some, like the EU, restrict transfers to countries without adequate protection.
Question : How can the company stay compliant when the laws diverge and cross-border transfers are restricted?
Show analysis and answer
First map the data by jurisdiction and identify the law applicable to each flow. For non-EU transfers, rely on recognized mechanisms: Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR) or an adequacy decision - Privacy Shield having been invalidated (Schrems II).
Apply the highest common denominator where possible (often GDPR), while honoring local specifics (right to be forgotten in the EU, sale opt-out under CCPA, etc.). The data controller stays accountable even when processing is outsourced.
Data localization may require keeping certain data in the country of origin (e.g., Russia). When laws conflict, document the analysis and arbitrate with legal counsel.
Takeaway : Map by jurisdiction, transfer via SCC/BCR/adequacy, aim for the highest standard; the controller stays accountable.
Criminal vs civil: do not swap the burden of proof
The most demanding burden of proof is criminal: beyond a reasonable doubt. Civil and regulatory only require preponderance of evidence, which is easier to meet. The classic error is assigning the high standard to civil. Memorize the order: criminal (highest) > civil and regulatory (preponderance).
Patent vs trade secret and SOC 1 vs SOC 2
Two frequent confusions. On IP: a patent requires public disclosure and expires (~20 years), whereas a trade secret is unlimited but collapses once it leaks. On attestation: SOC 1 covers internal control over financial reporting (ICFR), while SOC 2 covers the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy). Do not pick SOC 1 to assess a cloud provider's security.
ITAR vs EAR and Wassenaar: do not conflate them
The trap is believing all export goes through the Wassenaar Arrangement alone. Distinguish: ITAR (International Traffic in Arms Regulations) = strictly military articles (US Munitions List), administered by the Department of State; EAR (Export Administration Regulations) = commercial and dual-use goods, including much encryption (Commerce Control List), administered by the Department of Commerce/BIS; Wassenaar = a multilateral arrangement coordinating dual-use goods and crypto. A commercial encryption product typically falls under EAR, not ITAR.
No mandatory order among investigation types
Classic error: believing an administrative investigation must always come first, or that a criminal investigation automatically suspends the others. In reality, a single act can trigger several investigations (administrative, civil, regulatory, criminal, industry standard) that proceed serially AND in parallel, each body investigating freely unless restricted by a judicial order. Note also the often-forgotten fifth type: Industry Standards.
Checkpoint — Checkpoint - Module 4
-
Why is PCI-DSS not considered a law?
- A It is a private standard whose force comes from contractual obligations
- B It is a regulation issued by a federal agency
- C It is a law but only in the United States
- D It is a non-binding OECD recommendation
Answer & rationale
Answer : A — It is a private standard whose force comes from contractual obligations
PCI-DSS is a standard from the PCI Security Standards Council; it binds entities handling card data by contract, not by legislation.
-
Which burden of proof applies to a criminal investigation?
- A Preponderance of evidence
- B Beyond a reasonable doubt
- C Clear and convincing evidence only
- D None, a confession is enough
Answer & rationale
Answer : B — Beyond a reasonable doubt
Criminal requires the highest standard, beyond a reasonable doubt; civil and regulatory only require preponderance of evidence.
-
To protect a secret algorithm hard to reverse-engineer over the long term, which regime is preferable?
- A Patent, for the public disclosure
- B Copyright, which covers ideas
- C Trade secret, unlimited protection while it stays confidential
- D Trademark, to identify the product
Answer & rationale
Answer : C — Trade secret, unlimited protection while it stays confidential
A trade secret avoids the disclosure required by a patent and stays protected indefinitely if confidentiality is maintained; copyright does not protect ideas.
-
Under GDPR, who remains accountable for compliance when processing is outsourced?
- A The data processor
- B The data controller
- C The regulatory authority
- D The data subject
Answer & rationale
Answer : B — The data controller
The data controller decides the purposes and remains accountable; outsourcing processing to a processor does not outsource legal responsibility.
-
What is the role of chain of custody in an investigation?
- A Encrypt evidence to keep it confidential
- B Document who handled each piece of evidence, when and why, to preserve admissibility
- C Determine the applicable burden of proof
- D Notify the breach to the regulator within 72 hours
Answer & rationale
Answer : B — Document who handled each piece of evidence, when and why, to preserve admissibility
Chain of custody traces evidence handling from collection to court; a broken chain can make evidence inadmissible even if it is technically valid.
-
A license where the user accepts the terms by clicking 'I agree' before installing the software is called:
- A Shrink-wrap
- B Click-through (click-wrap)
- C Negotiated contractual
- D Binding Corporate Rule
Answer & rationale
Answer : B — Click-through (click-wrap)
Click-through (or click-wrap) derives consent from the click itself. Shrink-wrap relies on opening the package; contractual is signed.
-
Which US regime governs the export of commercial and dual-use goods, including much encryption?
- A ITAR (Department of State)
- B EAR (Department of Commerce / BIS)
- C HIPAA
- D Wassenaar Arrangement only
Answer & rationale
Answer : B — EAR (Department of Commerce / BIS)
EAR, administered by the Department of Commerce (BIS), covers commercial and dual-use; ITAR targets strictly military articles (US Munitions List).
-
Why can a transfer of PII from the EU to the US not rely on Privacy Shield?
- A Because the US obtained an adequacy decision
- B Because the CJEU struck it down (Schrems II) for insufficient protection
- C Because GDPR forbids all international transfers
- D Because CCPA automatically replaces it
Answer & rationale
Answer : B — Because the CJEU struck it down (Schrems II) for insufficient protection
The CJEU struck down Safe Harbor then Privacy Shield (Schrems II) due to US surveillance; what remains are SCCs and BCRs with supplementary safeguards.
-
For digital evidence to be admissible, it must in particular be:
- A Encrypted, anonymized, and timestamped
- B Relevant, reliable/competent, and material
- C Approved by the sectoral regulator
- D Derived from a prior administrative investigation
Answer & rationale
Answer : B — Relevant, reliable/competent, and material
Admissibility rests on the evidence being relevant, reliable/competent, and material, lawfully collected with an intact chain of custody.
Key takeaways
- An obligation is classified as law, regulation, contract, or standard; PCI-DSS is a contractual standard
- SOC 1 = financial reporting, SOC 2/3 = Trust Services Criteria; GDPR = 72 h and up to 4 percent of turnover
- Criminal = beyond a reasonable doubt (highest); civil and regulatory = preponderance of evidence
- Patent (~20 years, disclosure) vs trade secret (unlimited, but void if leaked); copyright protects expression, not idea
- The data controller remains accountable for the 8 OECD principles, even when outsourcing
- When criminal proceedings are plausible, apply ISO 27037/NIST SP 800-86 and keep a chain of custody from collection
- Licenses: contractual (signed), shrink-wrap (opening), click-through (click), EULA (cloud) - you pay for use, not the copy
- US export: ITAR (military, State) vs EAR (commercial/dual-use, Commerce); Wassenaar and MCTL complete it
- US privacy is sectoral: HIPAA (health), GLBA (finance), COPPA (children), CCPA (strongest state), no general federal law
- Safe Harbor and Privacy Shield struck down (Schrems II); out-of-EU transfers via adequacy decision, SCCs, or BCRs
- Fourth Amendment and PATRIOT Act/ECPA: private parties may hand over data, national security letters need no judge
- Investigations: 5 types (including Industry Standards), serial AND parallel with no mandatory order; admissibility = relevant, reliable, material + eDiscovery (EDRM)
Risk Management
Prerequisites : Module 1 (risk triad) and module 3 (governance, risk appetite).
Risk management is the heart of Domain 1 and the highest-yield zone on the exam. Everything starts from a simple equation: a risk exists only when a threat exploits a vulnerability against an asset that has value. Remove any one of the three and the risk drops to zero. This module takes you from terminology (asset value, exposure factor, inherent vs residual risk) to the structured NIST SP 800-30 process, then to the two families of analysis - qualitative (Probability x Impact matrix) and quantitative (SLE/ALE/ARO) - before covering treatment (Avoid, Transfer, Mitigate, Accept) and the control taxonomy.
The recurring exam trap: confusing close but distinct concepts. SLE is not ALE; risk transfer does not eliminate risk; a control type (administrative/technical/physical) is not a control category (preventive/detective...). And above all, it is the risk owner (senior management), never the security analyst, who signs off on accepting a risk. Keep these distinctions in mind throughout the module - they are worth direct points.
5.1 Risk fundamentals and terminology
Risk rests on a triad: asset, threat, vulnerability. An asset is anything of value to the organization (data, systems, people, reputation), and its value (asset value, AV) dictates the reasonable level of protection. A threat is a potentially harmful event - natural (earthquake, flood), technical (power outage, malware) or human (disgruntled employee). A vulnerability is a weakness that lets a threat cause harm (datacenter with no UPS, unpatched OS). Remember the exclusion principle: a Linux system has no vulnerability to the Conficker worm, hence no associated risk - no vulnerability, no risk.
The conceptual formula for inherent risk is: Threat x Vulnerability x Asset value. This is the raw risk, BEFORE any control. No control fully eliminates risk: a control gap always remains (the portion the control does not cover). Residual risk is therefore: (Threat x Vulnerability x Asset value) x control gap, that is, what remains AFTER controls are applied. Classic trap: do not confuse residual risk with risk acceptance. Residual risk is a quantity; acceptance is a decision (the organization chooses to do nothing more).
The exposure factor (EF) is the fraction of an asset's value destroyed by a single occurrence of a risk event: an asset totally destroyed has an EF of 1.0, a triply redundant system that loses one node has an EF of about 1/3. On the tolerance side, distinguish risk appetite (the level of risk the organization is willing to pursue to meet its objectives) from risk tolerance (the acceptable variance around that level for a given risk). Acceptable risk is the minimum risk the organization is willing to carry. All these identified, assessed and treated risks are recorded in the risk register, the central log that tracks each risk, its owner, its treatment and its status.
- No vulnerability OR no threat OR no asset value => no risk.
- Inherent risk = before controls; residual risk = after controls; the control gap explains the difference.
- Residual risk (quantity) is not risk acceptance (decision).
- Risk appetite (level pursued) differs from risk tolerance (variance accepted).
5.2 The NIST SP 800-30 risk analysis process
NIST SP 800-30, Risk Management Guide for Information Technology Systems, describes a risk analysis process structured in six steps. Following it ensures the analysis is repeatable and defensible before management.
Step 1 - System Characterization: bound the scope of the effort and describe the systems analyzed (data, interfaces, boundaries). Step 2 - Threat Identification: enumerate the relevant threat sources. Step 3 - Vulnerability Identification: enumerate the exploitable weaknesses. These two steps feed the formula Risk = Threat x Vulnerability x Asset.
Step 4, in three parts: 4a Control Analysis (analyze the controls/safeguards already in place or planned to reduce risk), then 4b Likelihood Determination and Impact Analysis (cross probability with impact to surface the critical risks: high probability x high impact). Step 5 - Countermeasure Recommendations: recommend controls based on cost criteria (purchase, design, implementation, environment modifications, compatibility with other countermeasures, repair/replace, operating support, effect on productivity). Step 6 - Document results: report the findings to senior management and sponsors. Trap: the analyst recommends (step 5), but the treatment decision and the final documentation belong to management (step 6) - the analyst does not decide alone.
- 6 steps: Characterization -> Threat ID -> Vulnerability ID -> Control/Likelihood/Impact -> Countermeasure -> Document.
- The Risk = Threat x Vulnerability x Asset formula structures steps 2-3.
- The analyst recommends; management decides and signs off the final documentation.
5.3 Qualitative analysis and the Probability x Impact matrix
Qualitative analysis is scenario-based: for each major threat to an asset, the team builds a What if? scenario and assesses the exposure and the loss potential if the threat were realized. It assigns no dollar amounts; it produces a relative ranking from subjective scales. That is its strength (fast, low data, easy to communicate) and its weakness (subjectivity).
The central tool is the Probability x Impact matrix. A typical probability scale runs Frequent (A) -> Probable (B) -> Occasional (C) -> Remote (D) -> Improbable (E). A typical impact scale runs Negligible (1) -> Marginal (2) -> Important/Critical (3-4) -> Catastrophic (5). The crossing rates each scenario as Low / Medium / High / Very High risk. Example: a Frequent x Catastrophic scenario lands in Very High risk and demands immediate action; an Improbable x Negligible scenario lands in Low risk and can often be accepted.
Major exam trap: never add or average qualitative ratings. A 1-10 scale misleads the user into thinking a risk rated 8 is four times as severe as one rated 2, which is false - these are ordinals, not arithmetic magnitudes. To do arithmetic (compare an expected loss to a control cost), you must switch to quantitative.
- Qualitative = scenarios + relative scales, subjective, no dollars.
- P x I matrix: Frequent..Improbable x Negligible..Catastrophic -> Low..Very High.
- Never add or average qualitative ratings (they are ordinals).
5.4 Quantitative analysis: SLE, ALE, ARO
Quantitative analysis assigns real monetary values, which lets you do arithmetic and directly compare an expected loss to a safeguard cost - the language management understands. Three key quantities chain together.
The single loss expectancy (SLE) is the expected loss from ONE occurrence: SLE = AV x EF, where AV is the asset value and EF the exposure factor (fraction <1 destroyed by the event). The annual rate of occurrence (ARO) is the number of times per year the event is expected. The annual loss expectancy (ALE) is the expected loss over one year: ALE = SLE x ARO.
Worked example. A vehicle is worth AV = $5,000. In a collision, expected damage is EF = 20% (0.2). This kind of collision occurs once every 4 years, so ARO = 0.25. Compute: SLE = 5,000 x 0.2 = $1,000; ALE = SLE x ARO = 1,000 x 0.25 = $250. Decision: the rule is to compare the ALE to the annual cost of the safeguard. If insurance costs $200/year (< the $250 ALE), transferring is rational; if it costs $400/year (> ALE), paying the safeguard would spend more than the expected loss - better to accept or find cheaper. Golden rule: never spend more to treat a risk than the cost of the risk itself. Trap: EF is a fraction, ARO can be < 1 (rarer than annual), and ARO is NOT the SLE.
- Chain: AV x EF = SLE; SLE x ARO = ALE.
- Decide: if annual safeguard cost < ALE => treat; otherwise accept.
- Never spend more on a control than the value of the risk it treats.
5.5 Risk treatment: Avoid, Transfer, Mitigate, Accept
Once a risk is prioritized, the organization picks a treatment among four options (mnemonic MART: Mitigate, Avoid, Reduce/Transfer, Transfer). Risk avoidance: cease the exposed activity (close a store in a high-crime area, relocate a plant out of a hurricane zone). Used when the potential impact is too high to be offset by the rewards. Risk mitigation (reduce, renamed Modify by ISO 27005): take remediation measures or deploy controls (technical, physical, administrative) to reduce likelihood or impact. Whatever you do, residual risk always remains.
Risk transference (renamed Sharing by ISO 27005): pay a third party to absorb the financial impact - typically insurance, whose premium depends on likelihood/impact, controls in place and claims history. Crucial point: transfer shifts the financial impact, it does NOT eliminate the risk. The organization remains operationally exposed and keeps its legal and reputational liability; the insurer pays a fraction, not the whole, and often requires evidence of a reasonable security program. Risk acceptance: run the activity with no further action, because the impact or likelihood is negligible, or the benefit outweighs the risk. Note: acceptance means the organization does nothing more - not to be confused with residual risk.
Decision and sign-off: prioritizing and choosing the treatment are business decisions owned by senior management (the risk owner). The security professional advises, but it is the risk owner who formally signs off on accepting a risk. Recurring trap: if a question asks who accepts the risk, the answer is the business/senior management, never the analyst or the CISO alone.
- Four options: Avoid, Transfer/Share, Mitigate/Reduce, Accept.
- Risk transfer shifts the financial impact but does not eliminate the risk (legal liability retained).
- The risk owner / senior management signs off on acceptance, not the analyst.
5.6 Control types and categories on the incident timeline
Two orthogonal axes classify controls. First the control TYPE - how it is implemented: administrative (policies, separation of duties, job rotation), technical/logical (firewalls, IDS, ACLs, biometrics), physical (fence, lighting, fire suppression). Then the control CATEGORY - what function it serves, split into seven categories placed on an incident timeline.
Before the incident (planning and defense): Directive (guides expected behavior - policy, Authorized personnel only signs), Deterrent (discourages the attacker - electric fence, warning banner), Preventive (stops the event - change control, password login, 8-ft fence), Compensating (alternative control when the intended one does not meet the requirement - layered defense in depth). During/after detection: Detective (signals an event happened - motion detector, antivirus, supervision). After the incident: Corrective (corrects - an IDS dynamically altering a router ACL, reboot, fire extinguisher), Recovery (restores to normal - backup restoration, redundant server).
Central exam trap: NEVER confuse type and category. A firewall is technical type and preventive category; a policy is administrative type and directive category; a fire extinguisher is physical type and corrective category. A single cell therefore always combines a type AND a category. Another trap: Compensating is not a temporal category but a substitute control, chosen when the primary control cannot be implemented.
- Type (how) and category (what function) are two independent axes to combine.
- Seven categories on the timeline: Directive, Deterrent, Preventive, Detective, Corrective, Recovery, Compensating.
- Compensating = alternative control, not a temporal position.
5.7 Continuous monitoring, SCA, KPIs and frameworks
Selecting and implementing controls is not enough: they must be monitored over time. The Security Control Assessment (SCA) is the periodic evaluation of control effectiveness and uses three complementary methods: Examine (review documents, configurations, policies), Interview (question staff) and Test (exercise the control under real conditions). The Examine / Interview / Test triad is the one to remember.
Monitoring relies on key performance indicators (KPIs) that quantify control performance over time and feed reporting to leadership, regulators and stakeholders. The goal is continuous improvement: continually verifying that the organization is improving its risk management and the return on investment (ROI) of its controls. The Risk Maturity Model (RMM) assesses the strength of the security program and lays out a continuous-improvement plan based on the maturity level reached.
On frameworks, several risk frameworks structure the approach: ISO 31000:2018 (general, enterprise-wide risk management), ISO 27005:2018 (information-security-specific risk management, aligned with ISO 27001), and on the NIST side, the NIST RMF (Risk Management Framework, described by SP 800-37) which leans on SP 800-30 for risk analysis. ISO Guide 73:2009 provides the common vocabulary. Trap: ISO 31000 is generic (enterprise), while ISO 27005 is dedicated to information security; do not confuse them, and do not confuse SP 800-30 (risk analysis guide) with SP 800-37 (the full RMF process).
- SCA = Examine / Interview / Test.
- KPIs + RMM drive continuous improvement and control ROI.
- ISO 31000 (general) != ISO 27005 (info security); SP 800-30 (analysis) != SP 800-37 (RMF).
5.8 Choosing qualitative/quantitative, FAIR, safeguard cost-benefit and frameworks
Knowing how to compute an ALE does not tell you WHEN to choose quantitative over qualitative. The ISC2 manual decides by context. Qualitative suits Newness (activity, market or organization too new to have a measurable track record), Uniqueness (products or ways of working so singular that no industry comparison exists), lack of time/money/talent to take the measurements, and the absence of a reliable measuring method. Quantitative suits cases where the business processes tied to the risk are well understood, where measurement techniques of sufficient precision and reliability exist, and where experience yields a sample large enough to be statistically significant. Trap: that last requirement (significant sample) is also the argument against over-using quantitative - without enough data the result is not significant; quantitative advocates reply that even two or three measurements good to one significant digit say more than anecdotal qualitative estimates.
The quantitative alternative the manual highlights is the FAIR method (Factor Analysis of Information Risk): it makes most assessment tasks start out quantitative and stay that way, in a numerically straightforward and managerially simple manner. FAIR is integrated into the NIST CSF and HITRUST, and compatible with ISO 31000, COBIT and COSO. It is the antidote to qualitative's logic flaw (you cannot average five Highs, three Mediums and one Low into a portfolio rating).
The term risk exposure has three distinct meanings. The exposure window measures over time the probability of occurrence of a risk event (you are not exposed to the car-accident risk while asleep at home; a firm backing political causes sees its threat probability climb near an election) - useful to risk-based access control systems. The exposure factor (EF) is the fraction (<1) of an asset's value reduced by a single occurrence (already seen: 1.0 = total destruction). The exposure estimate describes that a risk is categorically much lower or higher than another for a given organization (a company with no ties to a country has low exposure to that country's risks).
On control selection, the NIST RMF (Select step) offers two approaches. Baseline control selection starts from control baselines (predefined control sets for a group or community) then tailors by removal (top-down) - this provides consistency at broad scale. Organization-generated control selection starts from no predefined set: the organization picks controls through its own process (bottom-up), fitting for a highly specialized system (weapon, medical device, smart meter). Both then derive requirements via a life-cycle systems engineering process (ISO 15288, NIST SP 800-160 Vol 1).
Selection is decided by cost-benefit analysis. Key manual distinction: a safeguard reduces impact/likelihood BEFORE the risk is realized, a countermeasure reduces them AFTER. You compare the cost of acquiring, deploying and maintaining the control against its ability to reduce impact/likelihood AND against the cost of the risk if realized. Every control has a negative impact (monetary cost or loss of user capability/convenience): weigh this operational impact against the benefit. Broadened golden rule: in most cases, do not spend far more mitigating, transferring or avoiding a risk than the worst possible impact - even an acceptance decision is made in light of this trade-off. Practically, a safeguard's one-year value is: ALE before safeguard - ALE after safeguard - annual safeguard cost; a positive result justifies the control.
Finally, deploying overlapping controls of several types AND categories is defense in depth (layered defense), for two reasons: to avoid a single failure (e.g. a power cut neutralizing all technical controls, or a new vulnerability in the sole control) fully exposing you; and to force the attacker to prepare multiple means of attack, reducing their number. All of it must be reported: reporting serves two purposes on two timelines - in near real time it keeps managers informed of posture and issues alerts/alarms during an incident; periodically it provides accountability to management, and sometimes to regulators or even law enforcement, with the organization's approval. Beyond the risk frameworks already seen (ISO 31000, ISO 27005, NIST SP 800-30/800-37), the manual also cites NIST SP 800-39, COBIT, SABSA and PCI; ISO Guide 73 supplies the vocabulary and COSO/COBIT frame governance.
- Qualitative if Newness/Uniqueness/lack of data or method; quantitative if processes understood, measurements reliable, sample significant.
- FAIR = quantitative alternative integrated into NIST CSF/HITRUST, compatible with ISO 31000/COBIT/COSO.
- Risk exposure has 3 meanings: exposure window (probability over time), exposure factor (fraction <1), exposure estimate (categorical comparison).
- Safeguard = before realization; countermeasure = after. Safeguard value = ALE before - ALE after - annual cost.
- NIST RMF Select: baseline (top-down) vs organization-generated (bottom-up).
- Frameworks: ISO 31000, ISO 27005, SP 800-30/37/39, COBIT, SABSA, PCI, COSO, ISO Guide 73, FAIR.
Case studies
Should we buy screen insurance?
Context : You own a smartphone worth AV = $200. You break the screen about once every nine months, with damage estimated at 30% of the phone price. An insurer offers screen coverage at $4.99/month.
Question : Compute SLE, ARO and ALE, then decide: mitigation (a 2nd phone at $200), transfer (insurance) or other?
Show analysis and answer
EF = 30% = 0.30, so SLE = AV x EF = 200 x 0.30 = $60 per incident. One break every 9 months gives ARO = 1 / 0.75 = 1.33 per year. So ALE = SLE x ARO = 60 x 1.33 = $80/year.
Compare the options against the $80 ALE. Mitigation via a second phone: about $200, far above the $80 ALE - not cost-effective, ruled out. Transfer via insurance: 4.99 x 12 = $59.88/year, below the $80 ALE - rational, we spend less than the expected loss. Avoidance (no phone) would remove the risk but destroy the intended use - not relevant here.
Takeaway : Transfer (insurance at $59.88) is the rational choice because its annual cost is below the ALE ($80). Rule: treat only if the control cost < ALE.
Accept, Mitigate or Transfer for an e-commerce portal?
Context : An SMB runs an e-commerce portal. Three risks emerge from the analysis: (1) service outage from recurring power failures, ALE = $50,000; (2) credit card fraud in a breach, high potential impact but low probability; (3) a cosmetic display bug with no measurable impact, near-zero ALE.
Question : Which treatment (Accept, Mitigate, Transfer) for each, and who approves the acceptance decision?
Show analysis and answer
Risk 1 (power failure, ALE $50,000): if a UPS + generator costs well under $50,000/year, mitigate (technical/physical preventive control) because the control is cheaper than the expected loss. Risk 2 (post-breach fraud, high impact / low probability): the classic transfer profile - cyber insurance absorbs the financial impact, but note it does not eliminate the risk (legal and reputational liability retained, and the insurer requires a reasonable security program). You can combine transfer + mitigation (tokenization, PCI DSS compliance). Risk 3 (cosmetic bug, ALE ~ 0): acceptance - treatment would cost more than the loss; the organization does nothing more.
In every case of acceptance or transfer with significant residual risk, the risk owner / senior management formally signs off, not the security analyst or the CISO alone.
Takeaway : The right treatment depends on the cost/impact/probability profile: mitigate when control < ALE, transfer high-impact low-probability (with no illusion of elimination), accept a negligible risk. Sign-off always belongs to the risk owner.
Does the safeguard return more than it costs?
Context : A billing server is worth AV = $120,000. A ransomware attack would destroy EF = 60% of it and occurs on average twice a year (ARO = 2). A vendor offers an EDR + immutable-backup solution at $25,000/year, which would cut frequency to once every two years (ARO = 0.5) without changing the exposure factor.
Question : Compute the ALE before and after the safeguard, then the safeguard's annual value. Should it be bought?
Show analysis and answer
SLE = AV x EF = 120,000 x 0.60 = $72,000 per incident (unchanged; the EDR does not reduce EF but frequency).
ALE before = SLE x ARO = 72,000 x 2 = $144,000/year. ALE after = SLE x ARO = 72,000 x 0.5 = $36,000/year.
Safeguard value = ALE before - ALE after - annual cost = 144,000 - 36,000 - 25,000 = $83,000/year. The result is strongly positive: the safeguard saves $108,000 of expected losses for a $25,000 cost, a net benefit of $83,000/year. This is rational mitigation. One must still weigh the operational impact (an EDR can burden endpoints or generate false positives) against this benefit, and recall that the EDR is a safeguard (it acts BEFORE realization to reduce likelihood), not a mere post-incident countermeasure.
Takeaway : Safeguard value = ALE before - ALE after - annual cost. Positive (+$83,000 here) => mitigation justified. Always subtract the control cost AND consider the operational impact.
Arbitrating a security investment under budget constraints
Context : An e-merchant suffers on average 3 payment-fraud incidents per year; each costs about EUR 40,000 (losses + chargebacks). An anti-fraud system (scoring engine + 3-D Secure) costs EUR 60,000/yr and would cut frequency to 0.5 incident/yr. Cautious management hesitates between deploying, transferring the risk to insurance, or accepting it.
Question : Compute the ALE before and after, the safeguard value, and recommend a justified risk treatment.
Show analysis and answer
ALE before = SLE × ARO = EUR 40,000 × 3 = EUR 120,000/yr. ALE after = EUR 40,000 × 0.5 = EUR 20,000/yr. ALE reduction = EUR 100,000/yr.
Safeguard value = (ALE before - ALE after) - annual cost = (120,000 - 20,000) - 60,000 = +EUR 40,000/yr. The safeguard is cost-effective: mitigate (reduce).
Transferring to insurance shifts the financial impact but not legal liability or reputational harm, and is likely costlier than the ALE reduction achieved. Accepting leaves a risk (EUR 120,000/yr) well above reasonable appetite. Acceptance of the residual risk (EUR 20,000/yr) must be signed by the risk owner, not by operations.
Takeaway : When (ALE before - ALE after) > annual cost, mitigation pays off; the residual risk is formally accepted by the risk owner.
- SLE = AV × EF; ALE = SLE × ARO; reason in currency/year.
- Safeguard value = (ALE before - ALE after) - annual cost; positive = worthwhile.
- Insurance transfers the financial impact, not liability or reputation.
- Residual risk is accepted by the risk owner, never by operations.
SLE, ALE and ARO are not interchangeable
SLE = loss from ONE occurrence (AV x EF); ARO = annual frequency (a number, sometimes < 1); ALE = yearly loss (SLE x ARO). The exam mixes these terms to trap you: if the question gives a per-incident amount, that is the SLE; if it mentions a number of events per year, that is the ARO; the annual amount to compare with a control cost is the ALE. Never forget to multiply SLE by ARO.
Risk transfer does not eliminate risk
Buying insurance (transfer/share) shifts the FINANCIAL IMPACT to a third party, but the operational risk remains and legal and reputational liability stays with the organization. The insurer pays only a fraction and often requires evidence of a reasonable security program. If a question frames transfer as removing the risk, it is wrong: only avoidance removes the risk by ceasing the exposed activity.
Control type vs control category, and who accepts the risk
Type says HOW the control is implemented (administrative, technical/logical, physical); category says WHAT FUNCTION it serves (directive, deterrent, preventive, detective, corrective, recovery, compensating). A firewall = technical + preventive; a policy = administrative + directive. The exam often asks for one while hoping you give the other. Corollary: the decision to accept a residual risk is a business decision signed off by the risk owner / senior management, never by the security analyst or the CISO acting alone.
Safeguard vs countermeasure: before or after realization
The ISC2 manual distinguishes the two by TIMELINE: a safeguard reduces impact or likelihood BEFORE the risk is realized (broadly preventive), a countermeasure reduces them AFTER realization. A firewall or EDR that prevents the incident is a safeguard; an incident response team or a backup restore acting once the attack has occurred is a countermeasure. If a question contrasts the two, the timing (before/after) is what decides, not the control's technical type.
Quantitative is not always superior: the sample question
Quantitative is only legitimate if processes are well understood, precise and reliable measurements exist, and a statistically significant sample is available. The trap is believing you must always quantify: under Newness or Uniqueness, with no history or measuring method, qualitative (or FAIR with few data points) is more honest. Conversely, do not conclude that a small number of measurements forbids any quantification - two or three measurements good to one significant digit can be more informative than anecdotal qualitative estimates.
Checkpoint — Checkpoint - Risk Management
-
An asset is worth $80,000. A fire would destroy 25% of it and occurs on average once every 5 years. What is the ALE?
- A $20,000
- B $4,000
- C $100,000
- D $16,000
Answer & rationale
Answer : B — $4,000
SLE = AV x EF = 80,000 x 0.25 = $20,000. ARO = 1/5 = 0.2. ALE = SLE x ARO = 20,000 x 0.2 = $4,000. The $20,000 trap is the SLE, not the ALE.
-
A company buys cyber insurance against ransomware. Which risk treatment, and what remains with the organization?
- A Avoidance; no risk left
- B Transfer/Share; operational risk and legal liability remain
- C Mitigation; residual risk drops to zero
- D Acceptance; the organization does nothing
Answer & rationale
Answer : B — Transfer/Share; operational risk and legal liability remain
Insurance is transfer (share): it shifts the financial impact but does not eliminate the risk. Legal and reputational liability and operational risk remain with the organization.
-
In NIST SP 800-30, at which step are countermeasures recommended?
- A Step 1 - System Characterization
- B Step 3 - Vulnerability Identification
- C Step 5 - Countermeasure Recommendations
- D Step 6 - Document results
Answer & rationale
Answer : C — Step 5 - Countermeasure Recommendations
Step 5 recommends controls based on cost criteria, after the step 4 Control/Likelihood/Impact analysis. Step 6 only documents and reports to management.
-
How is a fire extinguisher classified along the two type/category axes?
- A Administrative type, directive category
- B Physical type, corrective category
- C Technical type, preventive category
- D Physical type, deterrent category
Answer & rationale
Answer : B — Physical type, corrective category
A fire extinguisher is a physical device (physical type) that acts after the fire starts to correct the situation (corrective category). Type and category are two distinct axes to combine.
-
What are the three methods of a Security Control Assessment (SCA)?
- A Plan, Do, Check
- B Examine, Interview, Test
- C Identify, Protect, Detect
- D Mitigate, Avoid, Accept
Answer & rationale
Answer : B — Examine, Interview, Test
The SCA periodically evaluates control effectiveness via Examine (document/config review), Interview (staff interviews) and Test (real exercise). The other lists belong to PDCA, the NIST CSF or risk treatment.
-
An asset is worth $120,000, EF = 60%, ARO = 2/year. A safeguard at $25,000/year cuts ARO to 0.5. What is the safeguard's annual value?
- A $108,000
- B $83,000
- C $36,000
- D $144,000
Answer & rationale
Answer : B — $83,000
SLE = 120,000 x 0.60 = $72,000. ALE before = 72,000 x 2 = $144,000; ALE after = 72,000 x 0.5 = $36,000. Value = 144,000 - 36,000 - 25,000 = $83,000. The $108,000 trap forgets to subtract the annual safeguard cost; $36,000 is the residual ALE.
-
An organization launches a brand-new product with no loss history and no reliable measuring method. Which risk assessment approach fits best?
- A Quantitative, because it is always more rigorous
- B Qualitative, due to Newness and the lack of measurable data
- C No assessment until six-nines precision is available
- D Automatic transfer of the risk to an insurer
Answer & rationale
Answer : B — Qualitative, due to Newness and the lack of measurable data
The manual places Newness (and Uniqueness) among the situations where qualitative fits: with no history or reliable measuring method, quantitative would not be statistically significant. Quantitative is not always superior, and demanding six nines to quantify is the strawman argument quantitative advocates reject.
-
Per the ISC2 manual, what distinguishes a safeguard from a countermeasure?
- A A safeguard is technical, a countermeasure is physical
- B A safeguard reduces impact/likelihood BEFORE the risk is realized, a countermeasure AFTER
- C A safeguard is free, a countermeasure is paid
- D A safeguard is signed by the analyst, a countermeasure by the risk owner
Answer & rationale
Answer : B — A safeguard reduces impact/likelihood BEFORE the risk is realized, a countermeasure AFTER
The manual distinguishes them by timeline: safeguard before realization (reduces likelihood/impact upstream), countermeasure after. The technical type (technical/physical) and the cost are not the distinguishing criterion.
-
Can a single control (e.g., a surveillance camera) belong to both a control type and a control category?
- A Yes: physical type (nature) AND detective category (function)
- B No: a control has a single attribute
- C Yes, but only for technical controls
- D No: type and category are synonyms
Answer & rationale
Answer : A — Yes: physical type (nature) AND detective category (function)
Every control is classified on TWO axes: its type/nature (administrative, technical, physical) and its category/function (preventive, detective, corrective, deterrent, compensating, directive, recovery). A camera is physical (nature) and detective (function).
Key takeaways
- No vulnerability, threat or asset value => no risk; inherent risk x control gap = residual risk.
- NIST SP 800-30 structures analysis in 6 steps, from System Characterization to Document results.
- Qualitative = subjective scenarios on a P x I matrix, no arithmetic; quantitative = SLE/ALE/ARO to decide.
- Quantitative chain: AV x EF = SLE; SLE x ARO = ALE; treat only if control cost < ALE.
- Four treatments (Avoid, Transfer, Mitigate, Accept); transfer does not eliminate risk; the risk owner signs off acceptance.
- Type (administrative/technical/physical) and category (7 functions on the timeline) are two distinct axes to combine.
- Pick the approach: qualitative under Newness/Uniqueness/lack of data; quantitative (including FAIR) when processes are understood, measurements reliable and the sample significant.
- Risk exposure has 3 meanings: exposure window (probability over time), exposure factor (fraction <1), exposure estimate (categorical comparison).
- A safeguard acts before realization, a countermeasure after; safeguard value = ALE before - ALE after - annual cost, weighed against operational impact.
- NIST RMF Select: baseline (top-down) for consistency, organization-generated (bottom-up) for specialized systems; defense in depth layers types and categories.
- Risk frameworks in scope: ISO 31000, ISO 27005, NIST SP 800-30/37/39, COBIT, SABSA, PCI, COSO, ISO Guide 73 and FAIR.
Threat Modeling & Supply Chain Risk Management (SCRM)
Prerequisites : Module 5 (risk management).
This module covers two Domain 1 Key Areas that candidates often underestimate yet appear frequently on the exam: threat modeling (Key Area K) and Supply Chain Risk Management or SCRM (Key Area L).
Threat modeling means examining a system, application, or organization from the attacker's point of view to identify the vulnerabilities they would seek to exploit, then mapping suitable countermeasures to them. It is a form of testing: it reveals a problem, it does not fix it. SCRM extends risk management discipline to suppliers, contractors, and service providers. Incidents such as Target (2013), XCodeGhost (2015), and SolarWinds/Sunburst (2020) show that an attacker often compromises an organization through a weaker third party rather than attacking it head-on.
You will learn to distinguish attacker-centric, asset-centric, and software-centric approaches, walk through the threat modeling process, compare STRIDE, DREAD, and PASTA, then assess a third party using due diligence, minimum security requirements, SLR, and SLA.
6.1 Threat modeling concepts
Threat modeling is a technique for examining an environment, system, or application from an attacker's point of view to determine the vulnerabilities they are likely to exploit, then identifying suitable countermeasures. The attack surface is the total range of areas where an attacker can potentially trigger a compromise: the larger it is, the higher the risk. Reducing the attack surface (disabling services, closing ports, removing accounts) is a first-order defensive strategy.
Threat modeling requires a nontechnical abstraction of the target before diving into detail. This is done with a data flow diagram (also called a dataflow diagram or workflow diagram): a conceptual view of how data and processes move through the target from start to finish. This abstraction lets the team pinpoint where (in time, space, and process) an attacker could act.
Three approaches structure the analysis. The attacker-centric approach starts from the actors who could cause harm (e.g., AML analysis, threat profiling) and works out their goals and capabilities. The asset-centric approach starts from the valuable assets to protect (e.g., PHI, PII) and works back toward the threats targeting them. The software-centric (or system-centric) approach represents the system as a set of interconnected processes via architecture diagrams, which analysts evaluate component by component; it is the most useful for most information system environments.
Exam trap: threat modeling is a form of testing; it identifies that a problem exists but does not fix it. Remediation is a later, separate step.
- Threat modeling adopts the attacker's point of view to reveal exploitable vulnerabilities.
- The attack surface must be reduced; it is the sum of exposed entry points.
- Three approaches: attacker-centric (actors), asset-centric (assets), software/system-centric (processes).
- The data flow diagram provides the nontechnical abstraction prior to analysis.
- Threat modeling identifies the problem but does not fix it.
6.2 The threat modeling process
Threat modeling follows an ordered process. First step, assessment scope: identify the critical assets to protect. This step is closely tied to BIA (Business Impact Analysis) priorities; what is critical for business continuity is also critical to protect. You do not model everything indiscriminately: the scope frames the effort.
Second step, identify the threat agents and possible attacks: who or what wants to attack? Consider both insiders and outsiders, and both malicious and accidental threats. Third step, understand existing countermeasures: an audit of what is already in place and how effective it really is. Without this baseline, you risk proposing redundant controls or overestimating protection.
Fourth step, identify exploitable vulnerabilities, prioritizing those affecting the critical path defined by the BIA. Fifth step, prioritize the identified risks: threat modeling operates on priorities, because you cannot protect everything. Any residual risk left as-is must be justified and formally accepted. Sixth step, identify countermeasures to reduce risk: complete the defensive posture by deploying controls against the prioritized vulnerabilities (IDS/IPS, firewalls, access control, biometrics, etc.).
Exam trap: scope and prioritization rely on the BIA. A question asking where to start in threat modeling usually expects identifying/prioritizing critical assets, not immediately deploying countermeasures.
- Scope identifies critical assets and aligns with BIA priorities.
- Identify threat agents and attacks (insiders/outsiders, malicious/accidental).
- Audit existing countermeasures before adding more.
- Prioritize risks: you cannot protect everything; residual risk must be justified.
- Then deploy countermeasures against the prioritized vulnerabilities.
6.3 Methodologies: STRIDE, DREAD, PASTA
STRIDE is a threat classification system from the Microsoft Security Development Lifecycle (SDLC), used to inform developers about threats during development. Its six categories: Spoofing identity, Tampering with data (unauthorized data modification), Repudiation (the attacker can deny or conceal their participation), Information disclosure (accidental or malicious data exposure), Denial of service (an attack on availability, the A in the CIA triad), and Elevation of privilege (the attacker gains a level of control to disable or destroy the target). STRIDE categorizes: it tells you what type of threat it is.
DREAD is a scoring model: Damage, Reproducibility, Exploitability, Affected users, Discoverability. You rate each dimension to obtain a relative score that helps prioritize threats. STRIDE and DREAD are complementary: one classifies, the other quantifies.
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-step, risk-centric methodology that aligns business objectives with technical threat analysis and simulates attacks to assess real risk. It runs from defining objectives to risk and impact analysis.
Also worth knowing (at least by name): OCTAVE (organization-wide view of IT systems risk, variants OCTAVE and OCTAVE-S), TRIKE, VAST, CORAS, LINDDUN (privacy-oriented), and NIST SP 800-154 (data-centric threat modeling guide). ATASM (Architecture, Threats, Attack Surfaces, Mitigations) is another cited approach.
Exam trap: do not confuse STRIDE (threat categorization) with DREAD (scoring/prioritization). PASTA stands out for being risk-centric with its 7 steps.
- STRIDE categorizes 6 threat types: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege.
- DREAD scores 5 dimensions to prioritize; it does not categorize.
- PASTA is risk-centric with 7 steps aligning business and threats.
- Other models to recognize: OCTAVE, TRIKE, VAST, LINDDUN, NIST 800-154.
- STRIDE classifies, DREAD quantifies: do not confuse the two roles.
6.4 Supply Chain Risk Management (SCRM)
No organization operates alone: it depends on suppliers, vendors, contractors, and customers. SCRM applies to this chain the same risk management methodologies the organization applies to its internal operations. Historically, supply chain risks targeted tangible assets (fires, natural disasters), but information and communication technologies are just as vulnerable, accidentally and maliciously, especially for critical systems.
Risks fall into three families. Hardware: purchased equipment (servers, workstations, cameras, legacy factory systems) that can be counterfeited or tampered with; a Silicon Root of Trust and a Software Bill of Materials (SBOM) help verify integrity. Software: off-the-shelf software with bugs or poorly designed functions that are exploitable; a flaw unknown to the vendor and exploited by an attacker is a zero-day. Services / Cloud: attacking a small supplier shared by large companies is often easier than attacking those large companies directly.
Acquisition best practices impose cybersecurity requirements as a condition of contract award, and favor buying from OEMs (Original Equipment Manufacturers), their trusted sources, and authorized resellers, to avoid counterfeit equipment. Beware of 4th parties: your own suppliers' subcontractors extend the chain and the risk beyond your direct visibility.
Classic examples: Target (2013, access via an HVAC third party to payment terminals), XCodeGhost (2015, counterfeited XCode compiler), and above all SolarWinds/Sunburst (2020): a legitimate network monitoring tool, infected at the source, distributed the Sunburst malware to thousands of organizations - a textbook software supply chain attack.
Exam trap: compromising a single service provider to reach all of its customers (SolarWinds) is the core SCRM argument. The weakest third party often defines the real security level.
- SCRM applies risk management to the whole chain: suppliers, vendors, contractors, customers.
- Three risk families: hardware (counterfeit/tampering), software (bugs, zero-day), services/cloud.
- Buying from OEMs and their authorized resellers reduces the risk of counterfeit hardware.
- 4th parties (your suppliers' subcontractors) extend risk beyond your visibility.
- SolarWinds/Sunburst: compromising a single provider reaches thousands of customers.
6.5 Third-party assessment and due diligence
Before any binding supply chain agreement, the security professional must conduct due diligence on the third party. It combines three activities: the on-site assessment (visiting and inspecting the supplier's premises), the document exchange (exchanging documentation: policies, certifications, audit reports), and the process/policy review (reviewing processes and policies to verify the supplier follows an acceptable security control framework). The security professional must be involved in all three to understand the transaction's risks. External assurances complete the assessment: ISO audits, CSA STAR for cloud, or AICPA attestations (SOC).
Minimum security requirements are defined during the project's requirements gathering phase. A best practice is to write a Statement of Requirements covering: a concise requirement specification for management, a statement of key objectives, a description of the operating environment, background and references, and major design constraints.
Two documents structure the relationship. The SLR (Service Level Requirements) describes the expected service from the client's viewpoint: it is the upstream expression of need. The SLA (Service Level Agreement) is the signed agreement between the third party and the client, documenting the IT service provided, the service level targets (measurable goals), and the respective responsibilities of supplier and customer. In short: the SLR expresses what you want, the SLA contractually commits to what will be delivered and measured.
Contractual clauses reinforce governance: right to audit to verify the supplier's compliance, breach/incident notification obligations, subcontracting requirements (governing 4th parties), and jurisdiction clauses when the third party operates under a different regulation.
Exam trap: due diligence happens BEFORE the contract is signed; the right to audit and the SLA govern the execution phase. And never confuse SLR (need, client-side) with SLA (signed, bilateral, measurable agreement).
- Due diligence combines on-site assessment, document exchange, and process/policy review.
- Minimum security requirements are set as early as requirements gathering (Statement of Requirements).
- SLR = client-stated need; SLA = signed, measurable, bilateral agreement.
- Key clauses: right to audit, incident notification, 4th-party governance, jurisdiction.
- Due diligence precedes the contract; the SLA and right to audit govern execution.
6.6 Reduction analysis (decomposition) and prioritization
Once the data flow diagram is drawn, the decisive step of software-centric threat modeling is reduction analysis, also called decomposition. To decompose means breaking the system into its constituent elements to make visible the exact places where an attacker can act. Five elements must be identified systematically.
First, trust boundaries: any boundary where the level of trust or privilege changes (between the Internet and the DMZ, between the DMZ and the internal network, between the application and the database). Threats concentrate at these boundaries, because data crosses from one trust zone into another there. Next, data flow paths: the route data follows through the system, from one point to another. Then input points (or entry points): any place where external data enters the system (forms, APIs, uploads, parameters); these are the doors through which the attacker injects. Then privileged operations: actions requiring elevated rights (changing a config, creating an admin account, accessing a key) that are prime targets for elevation of privilege. Finally, the description of the security stance / approach: the application's security posture and assumptions (policies, dependencies, controls presumed in place), which must be made explicit so they are not taken for granted.
Decomposition feeds prioritization directly, because threat modeling works by priorities: you cannot address everything. Two simple, frequently tested methods. First, Probability x Damage Potential, which combines the likelihood that a threat materializes with the magnitude of damage if it does, yielding a risk ranking. Second, a qualitative High / Medium / Low ranking, faster when quantified data is lacking. DREAD is a finer scoring variant of this same logic.
Two methodologies round out the landscape beyond STRIDE/DREAD/PASTA. VAST (Visual, Agile, and Simple Threat modeling) is designed to scale across agile organizations: it distinguishes application threat models (developer-oriented, via process flow diagrams) from operational threat models (infrastructure- and architect-oriented), and integrates into DevOps pipelines. Trike is a risk-management- and audit-oriented methodology built on a requirements model that assigns an acceptable risk level to each asset and generates threat models from that model.
Exam trap: remember that threat modeling, decomposition included, is a form of testing. It reveals where the weak trust boundaries, exposed input points, and risky privileged operations are, but it fixes nothing: remediation is a later, separate step.
- Decomposition identifies trust boundaries, data flow paths, input points, privileged operations, and security stance.
- Threats concentrate at trust boundaries, where data changes trust zones.
- Input points are injection doors; privileged operations are elevation-of-privilege targets.
- Prioritize via Probability x Damage Potential or a High/Medium/Low ranking.
- VAST scales in agile/DevOps (app vs operational models); Trike is risk-management/audit-oriented.
- Decomposition is still testing: it locates weaknesses but does not fix them.
Case studies
Applying STRIDE to a customer portal
Context : A bank deploys a web portal where customers view accounts and initiate transfers. The security team draws a data flow diagram (browser -> API -> database) and applies STRIDE component by component.
Question : Which STRIDE categories map to: (1) an attacker replaying another customer's session token, (2) a customer denying they ordered a transfer, (3) API flooding that blocks access?
Show analysis and answer
(1) Replaying another customer's token to impersonate them is Spoofing identity: the attacker poses as an entity they are not. Countermeasure: session-bound tokens, short expiry, strong re-authentication.
(2) A customer denying they ordered a transfer is Repudiation: they conceal their participation in a transaction. Countermeasure: signed logs, timestamping, and ideally non-repudiation via signatures and traceable MFA.
(3) Flooding the API to block access is Denial of service, an attack on availability (the A in the CIA triad). Countermeasure: rate limiting, WAF, scaling, and anti-DDoS filtering.
Note that one scenario can touch several categories: the software-centric approach, following the data flow diagram, ensures no component is overlooked.
Takeaway : STRIDE categorizes each threat by type and points directly to the right family of countermeasures; following the data flow diagram avoids blind spots.
Assessing a critical cloud supplier
Context : A healthcare company wants to outsource storage of patient records (PHI) to a SaaS provider. The service is critical and subject to strong regulatory requirements. The security professional is engaged before signing.
Question : What structured approach should be conducted before contracting, and how should the relationship then be framed?
Show analysis and answer
Before the contract, run three-part due diligence: on-site assessment of the provider's datacenter, document exchange (policies, certifications, reports), and process/policy review to verify an acceptable control framework. For cloud, require a CSA STAR evaluation and/or an AICPA SOC 2 attestation as external assurance; also check jurisdiction (where PHI resides).
Define minimum security requirements as early as requirements gathering: encryption at-rest and in-transit, access management, breach notification. Express the need in an SLR (availability, RTO/RPO, support), then formalize it in a signed SLA with measurable service level targets and shared responsibilities.
Write into the contract: right to audit, incident notification obligation, and 4th-party governance (the provider's subcontractors). This asset-centric approach (PHI being the asset) ensures the weakest third party does not become the link that degrades the real security level.
Takeaway : Due diligence (on-site + documents + process) before the contract, then SLR/SLA, right to audit, and 4th-party governance: the relationship is secured end-to-end around the PHI asset.
The Waxbill project: threat modeling, export controls, and SCRM of a drone
Context : An Albuquerque manufacturer is the lead contractor for a long-range environmental surveillance drone (UAV) named Waxbill. The commissioning client is a disaster-recovery committee, but the manufacturer also intends to sell the device to other governmental clients worldwide. The drone carries an imaging system able to identify individuals, a satellite uplink, and strongly encrypted transmission using proprietary technology. You take on several security roles in turn: the board's interlocutor for legal budgeting, owner of design confidentiality, and point of contact for an internal auditor.
Question : How do you tie together privacy, cross-border transfers, dual-use export controls, SCRM, and CIA to secure the Waxbill project from design to delivery?
Show analysis and answer
Privacy. Imaging that identifies individuals triggers personal-data protection regimes. The safest strategy is to adopt the strictest standard as a guiding principle (a GDPR-style adequate level of protection): if the device meets that bar, it broadly covers less strict jurisdictions. For foreign clients, local compliance then falls to each buyer, but the maker retains manufacturer responsibility (privacy by design, minimization, encryption).
Cross-border transfers. Transmitting data around the globe raises the question of which jurisdiction is crossed. Here one architectural point shifts the analysis: the satellite uplink goes from drone to satellite and back, without directly crossing terrestrial national borders, which mitigates part of the cross-border exposure. Where data is ultimately stored and processed must still be documented.
Export controls / dual-use. The surveillance system and above all strong encryption are dual-use goods: civilian but divertible to military/surveillance ends. Encryption typically falls under the Wassenaar Arrangement. If the buyer is a signatory country, strong encryption poses no problem. Otherwise, two options: ship a weaker algorithm, or provide no encryption and shift responsibility to the buyer. Key point: the buyer must not be able to change this setting without violating the terms of service.
SCRM. Waxbill aggregates hardware and software components from many suppliers (sensors, satellite modules, firmware). Each component introduces hardware risk (counterfeit/tampering - hence the value of OEMs, authorized resellers, Silicon Root of Trust, and SBOM), software risk (bugs, zero-day), and service risk (4th parties beyond visibility). The lead contractor must apply the same risk-management rigor to its supply chain as to its internal operations.
Threat modeling and CIA across the lifecycle. Facing the internal auditor, you demonstrate mastery of the triad: Confidentiality of proprietary designs (strict access control, need-to-know, encryption at-rest and in-transit), Integrity of software and hardware (version control, rigorous validation before integration, integrity checks against unauthorized modification), Availability of critical systems (redundancy, failover, contingency/BCDR plans). A data flow diagram of the drone, followed by reduction analysis (drone/satellite/ground trust boundaries, sensor input points, firmware-update privileged operations), lets you identify and then prioritize threats - knowing this threat modeling identifies problems without fixing them, with remediation coming afterward.
Takeaway : A single product (a drone) concentrates all of Domain 1: privacy (adequacy/GDPR), cross-border (satellite uplink), dual-use export controls (Wassenaar for encryption), multi-supplier SCRM, and threat modeling + CIA across the lifecycle. The winning answer adopts the strictest standard, locks encryption behind the terms of service, and applies internal-operations rigor to the supply chain.
Defining Service Level Requirements by sector
Context : A bank is reviewing its service contracts and wants to draw on other sectors to frame its Service Level Requirements (SLR) before negotiating SLAs. Between businesses, the client defines the SLRs; for an individual (e.g., a mobile plan), the provider sets the terms, take it or leave it.
Question : Which SLRs would be relevant for: an airline, a hotel, an investment group, and a cloud provider?
Show analysis and answer
Airline/hotel: availability of the booked-and-paid seat or room, meals matching dietary needs flagged in time, and above all passenger safety/security (written into the Contract of Carriage).
Investment group: assurance that purchased securities come from real entities, and compliance with regulators (e.g., SEC) - usually written into the client SLA.
Cloud provider: location and availability of data and services, BCDR solution in normal AND crisis mode, datacenter physical security, staff reliability and internal audit controls.
For all: privacy protections compliant with applicable regulations and protection of sensitive data (if encryption: the right algorithm, key generation, storage and distribution). Key distinction: the SLR states the need (client side), the SLA commits to and measures it.
Takeaway : The SLR states the client's need upstream; each sector has its own SLRs, but privacy, availability and data protection recur everywhere.
STRIDE categorizes, DREAD scores
A classic trap: believing STRIDE and DREAD do the same thing. STRIDE is a classification system (6 categories: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege) answering "what type of threat is this?". DREAD is a scoring model (Damage, Reproducibility, Exploitability, Affected users, Discoverability) answering "which threat should be addressed first?". One classifies, the other quantifies to prioritize. PASTA, again different, is a 7-step risk-centric methodology. If the question asks to categorize a threat, think STRIDE; if it asks to prioritize or score, think DREAD.
SLR vs SLA and the timing of due diligence
Two frequent confusions. First SLR vs SLA: the SLR (Service Level Requirements) is the expression of need from the client's viewpoint, upstream; the SLA (Service Level Agreement) is the signed, bilateral agreement with measurable service level targets and defined responsibilities. The SLR precedes and feeds the SLA. Second, timing: due diligence (on-site, document exchange, process/policy review) happens BEFORE the contract is signed, to decide whether to engage. The right to audit and continuous monitoring govern the execution phase, AFTER. If a question places due diligence after signing, that is a distractor.
An SLA without a numeric metric is unenforceable
Classic trap: an SLA written in vague terms. A clause like "excellent uptime for the duration of the service" is useless, because attorneys can debate the meaning of "excellent" indefinitely. Every SLA element must carry a discrete, objective, numeric metric (e.g., "any interruption exceeding 5 seconds per period constitutes a failure"). The SLA's strength is its role as a payment discriminator: a failed element triggers a credit or free periods, incentivizing the provider to deliver. Another tested nuance: SLAs suit recurring, continual requirements (a weekly report), not singular or infrequent events; a disaster recovery / BCDR objective belongs in the contract rather than in the SLA itself.
Checkpoint — Checkpoint - Module 6
-
In the threat modeling process, what does defining the assessment scope primarily align with?
- A BIA priorities (critical assets)
- B The annual security budget
- C The number of external threat agents
- D The list of firewalls already deployed
Answer & rationale
Answer : A — BIA priorities (critical assets)
Scope identifies the critical assets to protect and aligns closely with BIA priorities: you cannot protect everything, so you target what matters for continuity.
-
An attacker gains a level of control allowing them to disable the entire system. Which STRIDE category is this?
- A Elevation of privilege
- B Repudiation
- C Information disclosure
- D Spoofing identity
Answer & rationale
Answer : A — Elevation of privilege
Elevation of privilege is when the attacker not only accesses the target but gains a level of control to disable or destroy it.
-
Which statement correctly distinguishes DREAD from STRIDE?
- A DREAD assigns a score to prioritize; STRIDE categorizes threat types
- B DREAD categorizes threats; STRIDE assigns them a score
- C Both are 7-step risk-centric methodologies
- D DREAD is an ISO standard and STRIDE a NIST standard
Answer & rationale
Answer : A — DREAD assigns a score to prioritize; STRIDE categorizes threat types
STRIDE classifies threats into 6 categories; DREAD scores 5 dimensions (Damage, Reproducibility, Exploitability, Affected users, Discoverability) to prioritize. The 7-step risk-centric methodology is PASTA.
-
Which activity must be performed BEFORE signing a contract with a critical cloud supplier?
- A Due diligence (on-site, document exchange, process/policy review)
- B Exercising the annual right to audit
- C Measuring the SLA's service level targets
- D Termination for non-compliance
Answer & rationale
Answer : A — Due diligence (on-site, document exchange, process/policy review)
Due diligence precedes any binding supply chain agreement: it combines on-site assessment, document exchange, and process/policy review. The right to audit and service level targets belong to execution, after signing.
-
During reduction analysis of an application, where do threats primarily concentrate?
- A At trust boundaries, where the level of trust or privilege changes
- B In compiled source code, never exposed
- C Only in user documentation
- D On administrators' workstations only
Answer & rationale
Answer : A — At trust boundaries, where the level of trust or privilege changes
Decomposition identifies trust boundaries, data flow paths, input points, privileged operations, and security stance. Trust boundaries are where data crosses from one trust zone into another: that is where threats concentrate.
-
For the Waxbill drone sold to a country not party to a control agreement, which framework governs the export of strong encryption, considered a dual-use good?
- A The Wassenaar Arrangement
- B The AICPA SOC 2 standard
- C The ISO 27001 standard
- D The CSA STAR framework
Answer & rationale
Answer : A — The Wassenaar Arrangement
Encryption is a dual-use good whose export is governed by the Wassenaar Arrangement. If the buyer is a signatory, strong encryption is permitted; otherwise, a weaker algorithm or none must be shipped, and the buyer must not be able to change this without violating the terms of service.
Key takeaways
- Threat modeling adopts the attacker's viewpoint and reduces the attack surface, via attacker-centric, asset-centric, or software/system-centric approaches; it identifies the problem without fixing it.
- The process is anchored in the BIA: scope -> threat agents -> existing countermeasures -> exploitable vulnerabilities -> prioritization -> new countermeasures.
- STRIDE categorizes (6 types), DREAD scores (5 dimensions), PASTA is risk-centric with 7 steps; also know OCTAVE, TRIKE, VAST, LINDDUN, NIST 800-154.
- SCRM covers hardware, software, and cloud; buy from OEMs and authorized resellers, watch 4th parties; SolarWinds illustrates the single-supplier attack.
- Assess a third party through pre-contract due diligence (on-site, documents, process), set minimum security requirements, and never confuse SLR (client need) with SLA (signed, measurable agreement).
- Reduction analysis (decomposition) breaks the system into trust boundaries, data flow paths, input points, privileged operations, and security stance to locate threats, then prioritizes via Probability x Damage or High/Medium/Low.
- Beyond STRIDE/DREAD/PASTA, know VAST (scalable, agile/DevOps, app vs operational models) and Trike (risk management/audit, per-asset requirements model).
- An SLA only has value if every element carries an objective numeric metric; it acts as a payment discriminator (credits/penalties) and suits recurring requirements, not rare events (BCDR -> contract).
- Third-party assessment combines governance review, site security survey, formal security audit, and penetration testing, backed by external assurances (ISO, CSA STAR, AICPA SOC) and formal periodic reviews / annual lightweight assessments.
- The Waxbill case shows a drone aggregates all of Domain 1: privacy (adequacy/GDPR), cross-border (satellite uplink), dual-use export controls (Wassenaar), multi-supplier SCRM, and threat modeling + CIA across the lifecycle.
Continuity, Personnel Security and Awareness
Prerequisites : Module 1 (concepts) and module 5 (risk) for the BIA.
An organization's resilience does not rest on technology alone: it stands on three human and organizational pillars that Domain 1 treats together. First, business continuity (Business Continuity / Disaster Recovery, BCDR), which all starts from the Business Impact Analysis (BIA): without knowing the critical path and the value of assets, no credible recovery can be planned. Next, personnel security, because people are both the weakest link and the best defense: the insider threat is addressed before hiring (candidate screening) and throughout the joiner-mover-leaver lifecycle.
Finally, the awareness program, which turns written rules into actual behavior. This module stresses the distinctions the exam loves to trap: MTD vs RTO vs RPO, friendly vs unfriendly termination, and above all Awareness vs Training vs Education. Each time, retain the exact definition, a concrete example, then the associated pitfall. The cross-cutting logic remains due care (doing what a prudent professional would do) and due diligence (verifying that it works, notably through metrics).
7.1 Business Continuity and the BIA
Business continuity (BC) covers the actions, processes and tools that let the organization keep its critical operations running during a contingency; disaster recovery (DR) covers restoration back to normal operations. Together they are called BCDR. Everything starts with the Business Impact Analysis (BIA), the effort that determines the value of each asset, the likely threats and the potential for those threats to materialize. The BIA reveals the critical path: the set of activities without which the organization cannot survive. Example: an insurer whose systems go down can keep issuing policies manually - a costly but viable workaround.
The BIA is above all a management process. It requires senior leadership support, because leaders set the tolerable level of risk (risk appetite / risk tolerance) and weigh the costs. The risks to assess go beyond the technical: financial impact (revenue loss), reputational (loss of customer trust), and regulatory (HIPAA mandates a data backup plan and an emergency operations mode; noncompliance means penalties). Several methods feed the BIA: surveys of asset owners (close to the ground but biased), financial audit (thorough but value varies over time), customer feedback, industry benchmarks.
The BIA then prioritizes Critical Business Functions. A classic grid distinguishes: Critical (a halt immediately threatens survival - e.g. a payment engine), Essential (needed short term but tolerates a brief interruption), Supporting (assists critical functions without being vital - e.g. internal reporting), Nonessential (can be suspended for a long time - e.g. internal audit, hiring). Exam pitfall: the BIA is not a recovery plan; it provides the data (critical path, values, dependencies) that feed the BCP/DRP. Confusing BIA with BCP is a classic mistake.
- The BIA is a management process requiring senior leadership support.
- It reveals the critical path and asset value before any BCDR planning.
- Risks to assess: Financial, Reputational, Regulatory.
- Prioritization: Critical > Essential > Supporting > Nonessential.
- The BIA is not the BCP: it provides the plan's input data.
7.2 The Three Key BIA Outputs: MTD, RTO, RPO
The BIA produces three control parameters that senior management hands to the BCDR designers. The Maximum Tolerable Downtime (MTD), also called Maximum Allowable Downtime (MAD) or Maximum Allowable Outage (MAO), is the maximum duration a business process can be disrupted without causing significant or unacceptable harm to the mission. It is a ceiling: beyond it, the organization suffers serious damage. Example: for a trading platform the MTD may be a few hours; for a brochure website, several days.
The Recovery Time Objective (RTO) is the target duration to restore availability of the critical path after an interruption. Fundamental constraint: RTO <= MTD. Setting the RTO equal to or greater than the MTD defeats its purpose, since the harm threshold would be crossed. Note: "recovery" here is not the return to normal operations, but the return to temporary functional availability of the critical path. The shorter the RTO, the costlier the BCDR solution: it is a cost/speed trade-off.
The Recovery Point Objective (RPO) measures how much data the organization can lose without unacceptable harm. It is expressed in units of time (minutes, hours, days), generally the gap between the last good backup and the moment of the incident - not in gigabytes. For a bank the RPO tends toward zero (no transaction lost); other sectors tolerate more. On the timeline: RPO looks backward (data lost before the incident), RTO looks forward (time to recover after). Also note the Work Recovery Time (WRT), the period for catching up accumulated transactions. Exam pitfall: RTO = time, RPO = data (expressed in time). Confusing the two is the most frequent mistake.
- MTD = ceiling of tolerable downtime; synonyms MAD / MAO.
- RTO = target recovery time; constraint RTO <= MTD.
- RPO = tolerable data loss, measured in time, looks backward.
- The shorter the RTO, the higher the solution cost.
- RTO and RPO are two distinct axes on the recovery timeline.
7.3 Personnel Security: the Lifecycle
People are double-edged: a source of error and malice, but also the first line of defense. The insider threat is addressed as early as possible, before access to data. Candidate screening precedes hiring: a precise job description (reference to assess performance and ground any later termination), verification of references, employment history, background check (criminal record, degrees, certifications) and, for highly sensitive roles, a financial profile (reveals exploitable instability). Once hired, access follows least privilege and ideally an RBAC model where rights derive from the described role.
At hiring, employment agreements are signed: employee handbook (policies and standards, receipt acknowledged), employment contract (terms, pay, performance), Nondisclosure Agreement (NDA, non-disclosure during and after employment), Acceptable Use Policy (AUP, approved use of assets) and Code of Conduct. These documents are signed no later than onboarding, ideally before a representative, each party keeping a copy. Onboarding includes review of the contract and job description, initial security training, and secure issuance of access (ID/password, badges, tokens).
Termination must be equally codified. We distinguish friendly (amicable departure, e.g. resignation, retirement) - an exit interview can be held to learn the reasons and remind of NDA obligations - and unfriendly (dismissal, conflictual departure) which demands stronger, faster controls. In all cases: immediately lock IT accounts to prevent last-minute changes, recover equipment and access control items (badge, keys, tokens), review NDA terms, and escort the person off premises if the role is not remote. Exam pitfall: for an administrator dismissed without notice (unfriendly), access revocation must precede or accompany the announcement, never follow it; a forewarned admin can sabotage or exfiltrate.
- The insider threat is addressed pre-hire via candidate screening.
- NDA, AUP, Code of Conduct and contract are signed at onboarding.
- Friendly = amicable departure with exit interview; unfriendly = immediate revocation.
- Always: lock accounts, recover equipment/badges/tokens, escort out.
- For an unfriendly admin, revoke access before or during the announcement.
7.4 Internal Third-Party Controls: Vendor, Consultant, Contractor
Internal third parties - vendor, consultant, contractor, subcontractors, visitors - gain physical or logical access without falling under the same HR controls as employees. They are an often-underestimated insider-threat vector. The guiding principle remains least privilege: access is limited to the strict minimum, for the strictly required duration, and revoked as soon as the engagement ends. Before any access, a reliable identity verification is performed and, depending on sensitivity, a background check, which may be required of the third party or of their employer.
Contractually, the third party signs a specific NDA (often distinct from the employees' one, sometimes a mutual NDA / two-way NDA when sensitive information flows both ways) and accepts an AUP covering the assets they access. The contract must codify security obligations, ownership of deliverables and the conditions for ending access. For subcontractors accessing systems, the organization can impose explicit people-facing instructions and monitoring and surveillance activities.
Typical operational controls: physical escort for visitors and workers in sensitive zones, activity monitoring (supervised screen sharing, session recording, logging), and access restricted to the relevant systems only. Any surveillance must strictly comply with applicable laws, which vary widely across jurisdictions. Exam pitfall: a consultant is not an employee; do not apply the same onboarding controls by default, but a dedicated regime (specific NDA, escort, reinforced monitoring, temporary access) - and remember to revoke access at the end of the engagement, otherwise you leave exploitable orphan accounts.
- Internal third parties are a full-fledged insider-threat vector.
- Least privilege: minimal, temporary access, revoked at engagement end.
- Identity verification, background check, specific NDA (sometimes mutual).
- Controls: escort, monitoring (screen sharing, recording), restricted access.
- Monitoring must comply with local surveillance laws.
7.5 Awareness Program: Awareness, Training, Education
A human-security program is a matter of due care (providing effective training) and due diligence (verifying it works). The exam distinguishes three types of learning activity. Awareness ("the why", for everyone) attracts and engages attention by acquainting people with an issue; it shapes beliefs and behaviors (signage, screensavers, newsletters, reminders). Training (role-related skills) builds proficiency in a precise set of tasks: recognizing phishing and applying the right response. Education (deep understanding) explains causes and concepts for a targeted audience, often tied to certifications. Mnemonic: Awareness changes what you notice, Training what you can do, Education what you understand.
The program particularly targets social engineering (phishing, vishing, smishing). Methods: Computer-Based Training (CBT, self-paced, standardized, but click-through risk - effective coupled with fake phishing tests), live training (counters click-through, builds rapport), regular communications, reward mechanisms (rewarding good behavior rather than punishing), gamification (greater engagement and retention, e.g. OWASP Cornucopia) and Security Champions (volunteers from each business area spreading good reflexes). Content must be reviewed periodically (laws, policy, new attacks, new tools).
Due diligence requires measuring effectiveness through metrics tied to objectives. Examples: phishing-simulation click rate (expected to fall over time), module completion rate, signed attestation (proof of acknowledgement), number of incident reports, assessment results. Exam pitfall: do not confuse the three levels. A mandatory CBT module on "how to recognize phishing" is Training, not Education; a poster reminding to lock your screen is Awareness. The typical question gives an example and asks you to name the level - the right answer depends on the verb: to make aware (Awareness), to make capable (Training), to make deeply understand (Education).
- Awareness = why (everyone); Training = skills (role); Education = understand (deep).
- The program mainly addresses social engineering (phishing, vishing, smishing).
- Methods: CBT, live, reward, gamification, Security Champions.
- Due care = provide training; due diligence = measure its effectiveness.
- Metrics: phishing click rate, completion, signed attestation.
7.6 HR Anti-Fraud Controls: SoD, Least Privilege, Job Rotation, Mandatory Vacation, Dual Control
Beyond the joiner-mover-leaver lifecycle, personnel security rests on a family of administrative controls that reduce insider threat and fraud. They split into preventive (they stop abuse from happening) and detective (they reveal it afterward). The manual in fact opens the topic with the two-person integrity control, showing these mechanisms sit at the heart of Domain 1.
Preventive controls. Separation of duties (SoD) breaks a sensitive transaction into several steps assigned to different people, so no single individual can carry it out end to end (e.g. whoever creates a vendor cannot approve its payment). Least privilege grants the minimum rights needed for the role, ideally via RBAC. Need-to-know goes further: even when cleared, one accesses only the information strictly required for the task at hand (least privilege governs system permissions, need-to-know governs knowledge). Dual control / two-person control (sometimes two-person integrity or the two-person rule) requires two people to act together for a critical operation (e.g. two keys for a vault, dual approval of a wire transfer). Note: SoD spreads different steps across people; dual control requires two people for the same step.
Detective and hybrid controls. Job rotation moves people between functions; it makes sustained fraud harder (a collusion becomes unstable) and surfaces wrongdoing when a successor finds the anomalies, while reducing single points of knowledge. Mandatory vacation forces an employee to be away for a continuous period during which another person fills the role: a fraud that needs daily presence to be maintained (account falsification, lapping) eventually surfaces. Job rotation and mandatory vacation are mainly detective (and deterrent), whereas SoD, least privilege, need-to-know and dual control are preventive. Exam pitfall: do not confuse the three. SoD = split a task across several people (preventive); job rotation = move people between roles over time (detective); mandatory vacation = remove the person so another uncovers the fraud (detective). If the question asks "which control reveals a fraud an employee hides by staying at their post", the answer is mandatory vacation.
- Preventive: SoD, least privilege, need-to-know, dual control.
- Detective/deterrent: job rotation, mandatory vacation.
- SoD spreads different steps; dual control requires two people for the same step.
- Least privilege = system permissions; need-to-know = access to knowledge.
- Mandatory vacation unmasks a fraud that needs the fraudster's daily presence.
7.7 BCMS and Continuity Standards: ISO 22301, NIST SP 800-34, BC vs DR
An organization that wants to formalize its continuity can build its Business Continuity Plan (BCP) from scratch or rely on recognized standards, either as a reference or by fully adopting them. Knowing these frameworks and the notion of a Business Continuity Management System (BCMS) - the management system that runs continuity as an ongoing process, not a frozen document - is expected at the exam.
Standards to remember. NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems) provides instructions and recommendations for federal-system contingency planning. The ISO 22300 series defines the requirements and guidelines of a BCMS: ISO 22300 (vocabulary, the glossary), ISO 22301 (requirements, the certifiable standard setting BCMS requirements), ISO 22313 (guidance, help in implementing 22301) and ISO/TS 22315 (guidelines for business impact analysis, the BIA). Mnemonic: 22301 = what to do (requirements, certifiable); 22313 = how to do it (guidance). The organization may also have to meet continuity requirements of legal, regulatory or contractual origin (e.g. HIPAA mandates a data backup plan and an emergency operations mode; some financial venues mandate a BCP).
BC vs DR: the distinction the exam tests. These are two separate elements. Business Continuity (BC) is the organization's ability to keep its core functions running and to keep delivering products and services during a major disruption - the business and organizational side. Disaster Recovery (DR) is how that continuity is technically achieved and restored: the technologies, infrastructure and tools required; DR is part of the BCP. Plainly: BC = stay operational on the business side; DR = restore the systems and return to normal. Both start from a policy and rely on the BIA, which sets the scope and extent of the plans. Finally, once the critical path is identified, all external dependencies (supply chain, providers, cloud) are captured and a stakeholder map is built feeding a communications plan; for a cloud-based operation the plan must cover failure modes of losing a local data center, a region, or even the global SaaS provider (the hardest to recover from). Exam pitfall: do not reduce BC to DR. If the question contrasts "keep functioning" (BC) with "restore the systems" (DR), or asks which standard is certifiable (ISO 22301), keep the distinction sharp.
- The BCP can be built or rely on standards (build vs adopt).
- ISO 22300 series: 22300 vocab, 22301 requirements (certifiable), 22313 guidance, 22315 BIA.
- NIST SP 800-34 = federal contingency planning.
- BC = stay operational (business); DR = restore systems (technical), included in the BCP.
- Capture external dependencies and a stakeholder map; plan cloud failure modes (data center, region, global SaaS).
Case studies
Setting RTO and RPO for a Payment System
Context : A fintech runs a payment engine the BIA classified as Critical. Senior management judges that beyond 4 hours of downtime, contractual penalties and loss of trust become unacceptable. The team proposes a 6-hour RTO and a 1-hour RPO to cut infrastructure costs.
Question : Is the team's proposal acceptable? Which parameters must be corrected and why?
Show analysis and answer
The 4-hour threshold is the MTD (Maximum Tolerable Downtime): beyond it, harm is unacceptable. The fundamental rule is RTO <= MTD. A 6-hour RTO exceeds the 4-hour MTD: the organization would hit its harm threshold before even being restored. The proposal is therefore invalid; the RTO must be brought below 4 hours (e.g. 2 to 3 hours to keep a safety margin before the threshold).
The 1-hour RPO is a separate problem: for a payment system, losing up to an hour of transactions is generally unacceptable, since each lost transaction is a direct financial loss and a customer dispute. The financial sector typically targets an RPO near zero (synchronous replication). Cutting costs by relaxing the RPO is a false economy here. Lesson: never set RTO and RPO to minimize cost first; start from business constraints (MTD, data-loss tolerance) then size and fund the solution accordingly.
Takeaway : RTO <= MTD is non-negotiable; for a payment system, target an RPO near zero.
Offboarding a Dismissed Administrator
Context : A system administrator holding privileged rights (RBAC: domain access, backups, service accounts) is dismissed for cause. Management wants to call them to a 9 a.m. meeting to announce the decision, then "handle access later in the day" via the IT team.
Question : What is the major flaw in this plan and how should the actions be correctly sequenced?
Show analysis and answer
This is an unfriendly termination involving a highly privileged account - the riskiest scenario. The major flaw is timing: announcing the dismissal before revoking access leaves a window in which a now-hostile administrator can sabotage (deleting backups, planting backdoors via service accounts), exfiltrate data or lock out other accounts. The rule: for an unfriendly case, access revocation precedes or accompanies the announcement, never the reverse.
Correct sequence: (1) confidentially prepare in advance the disabling of all their accounts (interactive and related service accounts), rotation of secrets they know and review of backups; (2) at the meeting, disable access in real time (ideally while they are in the room, cut off from their terminals); (3) deliver the announcement; (4) recover equipment and access control items (badge, keys, tokens), remind of NDA obligations; (5) escort the person off premises; (6) afterward audit the account's recent actions. A formal exit interview mainly makes sense in a friendly departure; here the priority is containing the risk.
Takeaway : In an unfriendly termination, revoke access before or during the announcement, especially for a privileged account.
A Fraud Unmasked by Mandatory Vacation
Context : In an SME, the same accountant enters supplier invoices, approves payments and reconciles bank statements. They never take extended leave and insist on handling these "sensitive" tasks alone. Management sees them as dedicated. The internal auditor worries about fraud risk.
Question : Which HR anti-fraud controls are missing, and which is most likely to reveal a fraud already in progress?
Show analysis and answer
Combining entry + approval + reconciliation violates separation of duties (SoD): one person controls the transaction end to end, enabling them to create a fake vendor, approve it and hide the trace at reconciliation. First preventive fix: split these three steps across different people (and apply least privilege / need-to-know on access). Dual control on transfers above a threshold would further strengthen prevention.
But these fixes prevent future fraud; they do not necessarily reveal one that may already be running. The decisive detective control here is mandatory vacation: forcing the accountant to be away for a continuous period during which a stand-in fills the role. A lapping or fake-vendor scheme needs daily intervention to stay invisible (continuously doctored reconciliations); as soon as the fraudster is removed, the stand-in hits the anomalies. Systematically refusing leave is itself a classic red flag. Job rotation would produce a comparable detective effect over a longer horizon. Lesson: preventive controls (SoD, dual control, least privilege) and detective controls (mandatory vacation, job rotation) are complementary; to unmask a fraud the perpetrator sustains by their own presence, rely on mandatory vacation.
Takeaway : SoD and dual control prevent fraud; mandatory vacation (and job rotation) reveal it when the perpetrator sustains it by their presence.
RTO <= MTD: the forgotten constraint
The RTO must always be strictly less than (or at most equal to) the MTD/MAD. Setting an RTO greater than or equal to the MTD defeats its purpose: you would cross the harm threshold before being restored. To questions "the RTO must always be less than...", the right answer is the MTD/MAD, not a fixed duration (12h) nor the regulatory deadline (which must itself stay above the RTO, with a margin).
RTO vs RPO: recovery time versus data loss
RTO and RPO are two distinct axes. The RTO measures the time to restore service after the incident (looks forward). The RPO measures the tolerable amount of lost data, expressed in time - the gap back to the last good backup (looks backward). Pitfall: believing the RPO is measured in gigabytes, or swapping the two. "How long to recover" = RTO; "how much data lost" = RPO.
Awareness vs Training vs Education
Three levels not to confuse. Awareness makes everyone aware of the "why" (poster, reminder). Training makes one capable of performing role-related tasks (a "recognize phishing" module). Education builds deep understanding of causes and concepts (a curriculum, certification). Classic pitfall: labeling a mandatory CBT module "Education" when it is only Training. Identify the verb: to make aware, to make capable, or to make understand.
SoD vs job rotation vs mandatory vacation
Three anti-fraud controls often confused. Separation of duties (SoD) splits one transaction into steps assigned to different people - preventive, acts in the moment. Job rotation moves people between roles over time - detective/deterrent, breaks sustained collusion. Mandatory vacation removes a person so a stand-in uncovers a fraud they hid by daily presence - detective. Pitfall: calling mandatory vacation "preventive" or confusing SoD (two people, different steps) with dual control (two people, same step). If the question is about "revealing" an existing fraud, think detective (mandatory vacation / job rotation), not SoD.
BC vs DR: business continuity versus technical restoration
BC and DR are two separate elements. Business Continuity (BC) is the ability to keep core functions running and keep delivering products and services during disruption - the business/organizational side. Disaster Recovery (DR) is the technical way to restore service (technologies, infrastructure, tools) and is part of the BCP. Pitfall: equating BC with the mere technical failover to a recovery site (that is DR), or believing DR encompasses BC. On standards: the certifiable BCMS standard is ISO 22301 (requirements), not ISO 22313 (which is only the guidance).
Checkpoint — Check your understanding
-
An organization's recovery time objective (RTO) must always be less than:
- A 12 hours
- B The deadline imposed by regulators
- C The maximum allowable downtime (MAD/MTD)
- D The time needed to alert the public
Answer & rationale
Answer : C — The maximum allowable downtime (MAD/MTD)
The MTD/MAD is the point beyond which the organization suffers unacceptable harm; setting the RTO equal to or above the MTD defeats its purpose. 12h is arbitrary and the regulatory deadline should not serve as the RTO (no margin).
-
Which of these does the BIA provide, rather than being a recovery plan itself?
- A The detailed failover procedure to the recovery site
- B The critical path, asset value and dependencies
- C The crisis communication script
- D The technical configuration of backups
Answer & rationale
Answer : B — The critical path, asset value and dependencies
The BIA is a management process identifying the critical path, asset value and dependencies, then prioritizing Critical Business Functions. These data feed the BCP/DRP, which holds the operational procedures. Confusing BIA with the plan is a common pitfall.
-
A privileged administrator is dismissed for cause (unfriendly termination). Which action takes priority?
- A Schedule a detailed exit interview first
- B Immediately revoke their access, ideally before or during the announcement
- C Give them 48h to hand over their files
- D Update the job description for the role
Answer & rationale
Answer : B — Immediately revoke their access, ideally before or during the announcement
A hostile privileged account can sabotage or exfiltrate if the announcement precedes revocation. In an unfriendly case, access is disabled before or during the announcement, equipment and badges are recovered, then the person is escorted out. The formal exit interview mainly applies to friendly departures.
-
A hallway poster reminds staff to lock their screen when stepping away. Which learning level is this?
- A Education
- B Training
- C Awareness
- D Certification
Answer & rationale
Answer : C — Awareness
The poster attracts attention and shapes behavior without teaching a skill or deep concepts: this is Awareness. Training would make one capable of performing a task (e.g. recognizing phishing); Education would build deep understanding of causes and concepts.
-
An employee solely holds a sensitive role and always refuses long absences. Which control is most likely to reveal a fraud they would hide through daily presence?
- A Separation of duties
- B Mandatory vacation
- C Least privilege
- D Background check
Answer & rationale
Answer : B — Mandatory vacation
Mandatory vacation forces a continuous absence during which a stand-in uncovers the anomalies a fraud (lapping, fake vendor) must sustain daily: it is a detective control. SoD and least privilege are preventive (they stop, they do not reveal); the background check happens pre-hire.
-
What distinguishes separation of duties (SoD) from dual control (two-person control)?
- A None, they are synonyms
- B SoD assigns different steps to different people; dual control requires two people for the same step
- C SoD is detective, dual control is preventive
- D Dual control concerns physical access only
Answer & rationale
Answer : B — SoD assigns different steps to different people; dual control requires two people for the same step
SoD spreads the distinct steps of a transaction across people so none completes it alone. Dual control requires two people simultaneously on the same critical action (e.g. dual wire approval, two keys). Both are preventive; they are not synonyms.
-
An organization wants its Business Continuity Management System (BCMS) certified. Which standard sets the certifiable requirements?
- A ISO 22313
- B NIST SP 800-34
- C ISO 22301
- D ISO 22300
Answer & rationale
Answer : C — ISO 22301
ISO 22301 is the certifiable requirements standard for a BCMS. ISO 22313 is only guidance (how to implement 22301), ISO 22300 is the vocabulary, and NIST SP 800-34 is a federal contingency-planning guide, not a certifiable BCMS standard.
-
On the recovery timeline, which measure captures the amount of data lost, and where does it sit relative to the disaster?
- A RPO, located BEFORE the disaster (back to the last good backup)
- B RTO, located AFTER the disaster
- C WRT, located AFTER recovery
- D MTD, which equals RPO
Answer & rationale
Answer : A — RPO, located BEFORE the disaster (back to the last good backup)
RPO measures tolerable data loss and sits before the disaster (gap back to the last good backup). RTO (recovery) and WRT (working off the backlog) come after. MTD is not the RPO; RTO ≤ MTD.
Key takeaways
- The BIA is a management process requiring senior leadership support and revealing the critical path and asset value before any BCDR.
- Three key BIA outputs: MTD (ceiling), RTO (recovery time, RTO <= MTD), RPO (tolerable data loss, in time).
- The insider threat is addressed from candidate screening; NDA, AUP and Code of Conduct are signed at onboarding.
- In an unfriendly termination, revoke access before or during the announcement, especially for a privileged account, then recover equipment/badges and escort out.
- Internal third parties (vendor, consultant, contractor) fall under least privilege: specific NDA, escort, monitoring, temporary access revoked at engagement end.
- Awareness (why, everyone) vs Training (skill, role) vs Education (deep understanding); due diligence = measure via phishing click rate, completion, signed attestation.
- Preventive HR anti-fraud controls: separation of duties (SoD), least privilege, need-to-know, dual control (two-person); detective: job rotation and mandatory vacation, which reveal a fraud sustained by the perpetrator's presence.
- SoD spreads different steps across people; dual control requires two people for the same critical step.
- Continuity standards: NIST SP 800-34 (federal) and the ISO 22300 series - 22301 requirements (certifiable), 22313 guidance, 22315 BIA, all driving a BCMS.
- BC = keep core functions running on the business side; DR = technically restore the systems and is part of the BCP; do not reduce BC to DR.
- After the critical path, capture external dependencies and a stakeholder map, and plan cloud failure modes (data center, region, global SaaS provider).
Domain summary
Ethics and law shape the information security environment: ethical principles ground trust and reliability, and many have crystallized into civil and criminal law. ISC2 requires its members to understand and uphold its Code of Ethics.
These constructs feed the fundamental security attributes: confidentiality, integrity, availability, complemented by non-repudiation, authenticity, privacy and safety. Law and ethics define two complementary duties: due care (taking reasonable, prudent action) and due diligence (monitoring, managing and, if needed, intervening to verify controls meet their purpose).
Organizations rely on governance to plan, organize and control their decisions; security plays a supporting role and must align with business objectives. Privacy and data protection have become a major concern, reflected in new and sometimes conflicting laws across jurisdictions. Finally, risk management ties it all together: you identify, assess and treat risks by selecting proportionate controls, with due care guiding the choice and due diligence verifying effectiveness.
Glossary (Terms & Definitions)
The key Domain 1 terms, to master in English for the exam.
| Term | Definition |
|---|---|
| Audit / Auditing | Tools, processes and activities used to perform compliance reviews. |
| Availability | Timely and reliable access to and use of information by authorized users. |
| Business continuity (BC) | Actions, processes and tools for keeping critical operations running during a contingency. |
| Business impact analysis (BIA) | A list of the organization's assets annotated with the criticality of each. |
| Compliance | Adherence to a mandate: the actions demonstrating it and the tools/documents supporting it. |
| Confidentiality | Preserving authorized restrictions on access and disclosure, including personal privacy and proprietary information. |
| Data subject | The human individual related to a set of personal data. |
| Disaster recovery (DR) | Tasks that bring the organization back from contingency operations to regular operations. |
| Due care | A legal concept: the duty owed by a provider to a customer (acting reasonably). |
| Due diligence | Actions taken to demonstrate and provide due care (investigate, monitor, verify). |
| Governance | The process of how an organization is managed: decisions, policies, roles and procedures. |
| Governance committee | A formal body that determines how decisions are made and approves changes and exceptions. |
| Guidelines | Suggested (non-mandatory) practices to best accomplish a task. |
| Integrity | Guarding against improper modification or destruction; includes non-repudiation and authenticity. |
| Intellectual property | Intangible assets (notably software and data). |
| Maximum allowable downtime (MAD / MTD) | How long the organization can survive an interruption of critical functions. |
| Personally identifiable information (PII) | Any data about a person that could be used to identify them. |
| Policy | A document published by senior management dictating strategic goals. |
| Privacy | The right of an individual to control the distribution of information about themselves. |
| Procedures | Explicit, repeatable activities to accomplish a specific task. |
| Recovery point objective (RPO) | How much data the organization can lose before it is no longer viable. |
| Recovery time objective (RTO) | The target time set for recovering from an interruption. |
| Residual risk | The risk remaining after controls have been put in place (risk mitigation). |
| Risk | The possibility of harm and the likelihood that harm will be realized. |
| Risk acceptance | Deciding the benefits outweigh the impact/likelihood and proceeding with no further action. |
| Risk avoidance | Not performing a function because its risk is judged too great. |
| Risk mitigation | Putting controls in place to reduce the impact and/or likelihood of a risk. |
| Risk transference | Paying an external party to accept the financial impact of a risk (e.g., insurance). |
| Security control framework | A construct outlining the organization's security approach (processes, procedures, solutions). |
| Security governance | The entirety of policies, roles and processes used to make security decisions. |
| Standards | Specific mandates explicitly stating expectations of performance or conformance. |
Domain key takeaways
What you must remember
- Security governance is the foundation of effective security management: policies, standards and procedures guide controls and resource allocation.
- Risk management is critical: identify, assess, treat, then select and implement appropriate controls.
- Security controls (administrative, technical/logical, physical) protect against unauthorized access, disclosure and destruction.
- Legal and regulatory compliance is essential: know the applicable laws and how to comply.
- The fundamental principles (confidentiality, integrity, availability, plus authenticity, non-repudiation, privacy, safety) underpin every decision.
- Due care and due diligence define the professional's duties and protect them, with their organization, from a negligence claim.
- Ethics (the 4 ISC2 canons, prescriptive order) is a condition of certification, not an option.