CISSP Domain 1 Security and Risk Management Cheat Sheet

Information Security Governance

Security Policy and related documents


  • Policy – High-level management directives that are mandatory and do not delve into specifics
  • Components of a program policy:
    • Purpose – Describes the need for the policy; typically to provide CIA (confidentiality, integrity, availability) of protected data
    • Scope – Describes what systems, people, facilities, and organizations are covered by the policy
    • Responsibilities – Responsibilities of the information security staff, policy and management teams, as well as responsibilities of all members of the organization
    • Compliance – Describes how to judge effectiveness of policy and what happens when policy is violated.
  • Policy types – NIST: program policy (the organization's security program), issue-specific policy (email policy, email privacy policy), and system-specific policy (file server policy, web server policy)

Procedures

Procedures are low-level, mandatory step-by-step guides for accomplishing a task. Example: the steps to follow when creating a new user.

Standards

Standards describe the specific use of technology, often applied to hardware and software, and are mandatory. Example: the standard issue of laptop hardware and software.

Guidelines

Guidelines are recommendations and are discretionary. Example: advice to take the first letter of every word in a sentence to form a strong password. You can create a strong password without following this guideline.

Baselines

Baselines are uniform ways of implementing a standard and are discretionary. Example: performing a security baseline using the CIS benchmark. You can harden the system without following the benchmark as long as the result is at least as secure as a system that follows it.
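To make the "at least as secure as" criterion concrete, here is an added example (not from the original post and not CIS content) of a baseline drift check: each control carries a comparison direction, so a host that is stricter than the baseline still passes while a looser or missing setting is flagged. The control names and required values are constructed placeholders, and the host settings are a constructed sample, not output from any real system.

```python
"""Baseline drift check (added example). The baseline values below are
constructed placeholders standing in for a hardening benchmark; they are
not CIS benchmark content."""

# Each control maps to (comparison, required value).
#   "min": host value must be >= baseline to pass (stricter is fine)
#   "max": host value must be <= baseline to pass
#   "eq":  host value must match exactly
BASELINE = {
    "password_min_length": ("min", 14),
    "password_max_age_days": ("max", 90),
    "failed_login_lockout_threshold": ("max", 5),
    "ssh_root_login": ("eq", "no"),
    "ssh_protocol": ("eq", 2),
}


def check_control(name, host_value, baseline):
    """Return True if host_value satisfies the baseline entry for name."""
    kind, required = baseline[name]
    if kind == "min":
        return host_value >= required
    if kind == "max":
        return host_value <= required
    return host_value == required


def audit_host(host_settings, baseline=BASELINE):
    """Return {control: (status, host_value, required)} where status is
    'pass', 'fail' or 'missing'. A missing control is never a pass: an
    auditor cannot assume an unset value is at least as secure."""
    results = {}
    for name, (_kind, required) in baseline.items():
        if name not in host_settings:
            results[name] = ("missing", None, required)
            continue
        value = host_settings[name]
        ok = check_control(name, value, baseline)
        results[name] = ("pass" if ok else "fail", value, required)
    return results


def failing_controls(results):
    """Sorted list of controls that did not pass (fail or missing)."""
    return sorted(n for n, (status, _, _) in results.items() if status != "pass")


# Constructed sample host: stricter than the baseline on password length
# (still a pass), looser on password age and root SSH login (fails), and
# silent on SSH protocol (missing).
HOST = {
    "password_min_length": 16,
    "password_max_age_days": 180,
    "failed_login_lockout_threshold": 3,
    "ssh_root_login": "yes",
}

if __name__ == "__main__":
    res = audit_host(HOST)
    for name, (status, value, required) in res.items():
        print(f"{status:7} {name}: host={value!r} baseline={required!r}")
    print("failing:", failing_controls(res))
```

Running the block prints one line per control and then the list of non-passing controls; the directional comparison is what lets a deviating but stricter configuration count as compliant with the baseline.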

Personnel Security

Security Awareness and Training

  • Awareness – Changes user behaviour; e.g. reminding users never to share accounts or passwords
  • Training – Provides a skill set; e.g. teaching a user how to perform a task, such as training network engineers to configure routers

Background checks

Organizations should conduct thorough background checks before hiring. This includes criminal records, a financial investigation, and verification of education and certifications.

Employee Termination

A fair formal termination process includes a progressive discipline (ladder of discipline) process:

  • Coaching
  • Formal Discussion
  • Verbal warning meeting, with HR in attendance
  • Written warning meeting, with HR in attendance
  • Termination

This is fair and lowers the chance of a negative reaction. People tend to act more reasonably if they feel they have been treated fairly.

Vendor, Consultant and Contractor Security

Vendors, consultants and contractors may have access to sensitive data. They must be trained and made aware of the risks, and security policies, procedures and guidance should be applied to them. Policies regarding ownership of data and intellectual property should be developed, along with clear rules dictating where and when third parties may access or store data.

Outsourcing and offshoring

  • Outsourcing – Use of a third party to provide IT services at lower cost
  • Offshoring – Outsourcing to another country
  • Concerns about offshoring are the risks associated with privacy and regulatory issues; e.g. Australia has no HIPAA, SOX or GLBA.


About the Author

Alfred Tong
Author and owner of this blog. A networking enthusiast and full-time networking and systems engineer, generally curious about all things IT.
Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA-FWV