Chapter 1. Information Security and Risk Management

In our first chapter, we enter the domain of Security Management. Throughout this book, you will see that many Information Systems Security domains have several elements and concepts that overlap. Appendix D, "The Information Systems Security Engineering Professional (ISSEP) Certification," has a lot of good information on security management. We're going to refer to some of it here, but it's a good idea to be familiar with the high-level ISSEP concepts, in particular Systems Security Engineering and the risk management process. This domain also introduces concepts that we look at in more detail in both the "Operations Security" (Chapter 6) and "Physical Security" (Chapter 10) domains.

The domain of Security Management combines the identification of an organization's information assets with the development and implementation of policies, standards, guidelines, and procedures to protect those assets. It defines the management practices of data classification and risk management. It also addresses confidentiality, integrity, and availability by identifying threats, classifying the organization's assets, and rating their vulnerabilities so that effective security controls can be implemented.

Our Approach

Since this is the first chapter of the CISSP and CAP Prep Guide, Platinum Edition, let's take a minute to describe our approach to the CISSP material. The CISSP certification is not an entry-level certification; there are other certifications ...