🔑 1. Key Concepts

• CIA Triad
• Governance & Accountability
• Risk Management Lifecycle
• Risk Analysis (Qualitative & Quantitative)
• Risk Treatment Strategies
• Policies, Standards, Procedures, Guidelines
• Compliance vs Security
• Business Continuity & Disaster Recovery
• Security Awareness
• Ethics

---

📖 2. Deep Dive (Expanded)

---

🔹 CIA Triad

• Confidentiality → Prevent unauthorized access to information
  • Examples: encryption, access control, classification
• Integrity → Ensure data remains accurate and unaltered
  • Examples: hashing, checksums, digital signatures
• Availability → Ensure systems and data are accessible when needed
  • Examples: redundancy, backups, failover

Why it matters:
All security controls map back to one or more of these principles.

Exam insight:
Questions often test which CIA principle is being protected.

---

🔹 Governance

Governance defines how security is directed and controlled.

• Management defines:
  • strategy
  • policies
  • risk appetite
• Security/IT:
  • implements controls
  • monitors effectiveness

Key principles:

• Accountability remains with management
• Security must align with business goals

Exam insight:
If the question is about direction, responsibility, or alignment → governance.

---

🔹 Risk Management

A structured process to manage uncertainty and reduce risk.

Process:

1. Identify risks
2. Analyze risks
3. Evaluate risks
4. Treat risks

Risk Treatment Options:

• Mitigate → reduce likelihood or impact
• Transfer → shift risk (insurance, outsourcing)
• Avoid → eliminate the activity
• Accept → formally acknowledge risk

Why it matters:
Security decisions are based on risk vs cost, not technology.

Exam insight:
Always think: What is the best business decision?

---

🔹 Risk Analysis (Quantitative)

Used to assign financial values to risks.

Key Terms:

• AV (Asset Value)
  → Total value of the asset
• EF (Exposure Factor)
  → Percentage of loss if a threat occurs
• SLE (Single Loss Expectancy)
  → Financial loss from a single incident

$SLE = AV \times EF$SLE=AV×EF

👉 Example:
Asset = €100,000, EF = 0.3
→ SLE = €30,000

---

• ARO (Annual Rate of Occurrence)
  → Expected frequency per year
• ALE (Annualized Loss Expectancy)
  → Expected yearly loss

$ALE = SLE \times ARO$ALE=SLE×ARO

👉 Example:
SLE = €30,000, ARO = 2
→ ALE = €60,000

---

Why it matters:
Helps management decide whether controls are cost-effective.

Exam insight:

• SLE = loss per incident
• ALE = yearly loss
• Compare ALE vs control cost

---

🔹 Policies Framework

Defines how security is documented and enforced.

• Policy
  • High-level direction
  • Created by management
• Standard
  • Mandatory requirement
  • Supports policy
• Procedure
  • Step-by-step instructions
• Guideline
  • Recommended approach

Exam insight:
Understand the hierarchy and purpose.

---

🔹 Compliance

Compliance = following laws and regulations.

Examples:

• GDPR
• HIPAA

Key points:

• Mandatory
• Driven by external requirements

Security vs Compliance:

• Compliance = minimum required
• Security = broader, risk-based

---

🔹 Business Continuity & Disaster Recovery

Ensures operations continue during disruptions.

Key Components:

• BIA (Business Impact Analysis)
  • Identifies critical processes
  • Determines business impact
• RTO (Recovery Time Objective)
  • Maximum acceptable downtime
• RPO (Recovery Point Objective)
  • Maximum acceptable data loss

Flow:

1. Perform BIA
2. Define recovery objectives
3. Develop DRP

Exam insight:
BIA always comes first.

---

🔹 Security Awareness

• Focus on human behavior
• Includes training on phishing and social engineering

Why it matters:
Humans are the weakest link.

Exam insight:
Often the BEST answer over technical controls.

---

🔹 Ethics

Defined by
ISC2:

• Protect society
• Act ethically and legally
• Provide competent service
• Advance the profession

---

🧠 3. Manager Mindset

• Business impact first
• Risk decisions = management responsibility
• Security supports business
• Cost vs benefit matters

👉 If unsure: choose the answer that benefits the organization

---

❓ 4. Practice Questions

1

Who is responsible for risk acceptance?
A. Security Analyst
B. IT Manager
C. Senior Management
D. Auditor

---

2

What is the primary goal of governance?
A. Implement controls
B. Align security with business
C. Monitor systems
D. Detect threats

---

3

Which is a valid risk treatment option?
A. Ignore
B. Eliminate
C. Accept
D. Monitor

---

4

What does confidentiality ensure?
A. Accuracy
B. Availability
C. Protection from unauthorized access
D. Backup

---

5

What comes first in business continuity planning?
A. DRP
B. Backup
C. BIA
D. Testing

---

6

Who owns security risk?
A. IT
B. Security team
C. Management
D. Users

---

7

What is a policy?
A. Technical setting
B. High-level directive
C. Procedure
D. Suggestion

---

8

What is the purpose of a standard?
A. Suggest approach
B. Optional guidance
C. Mandatory requirement
D. Documentation

---

9

When should risk be accepted?
A. Always
B. When IT decides
C. When cost exceeds impact
D. When unknown

---

10

What is the main goal of risk management?
A. Eliminate risk
B. Reduce risk to acceptable level
C. Avoid threats
D. Stop attacks

---

11

What does integrity ensure?
A. Secrecy
B. Accuracy and consistency
C. Availability
D. Encryption

---

12

What is due care?
A. Monitoring
B. Implementing controls
C. Auditing
D. Ignoring risk

---

13

What is due diligence?
A. Ignoring risk
B. Initial setup
C. Ongoing validation and monitoring
D. Risk transfer

---

14

What is the purpose of BIA?
A. Recover systems
B. Identify critical processes
C. Prevent attacks
D. Backup systems

---

15

What is RTO?
A. Data loss
B. Recovery time
C. Risk value
D. Frequency

---

16

What is RPO?
A. Downtime
B. Risk
C. Data loss tolerance
D. Threat level

---

17

Why is awareness training important?
A. Cost reduction
B. Performance
C. Reduce human risk
D. Replace controls

---

18

What is compliance?
A. Risk mitigation
B. Following laws
C. Monitoring
D. Security controls

---

19

What is the BEST first step in security?
A. Firewall
B. Risk assessment
C. Training
D. Encryption

---

20

Who is accountable for security?
A. IT
B. Security team
C. Management
D. Auditor

---

✅ 5. Answers + Reasoning

---

1

C. Senior Management
Risk acceptance is a business decision because it impacts the organization financially and strategically. Management owns this decision, while IT only provides input.

---

2

B. Align security with business
Governance ensures that security supports business goals. Without alignment, security could hinder operations instead of enabling them.

---

3

C. Accept
Accepting risk is a formal strategy when mitigation is not cost-effective. Ignoring risk is never valid, as all risks must be acknowledged and evaluated.

---

4

C. Protection from unauthorized access
Confidentiality ensures that sensitive information is only accessible to authorized users, typically enforced through access control and encryption.

---

5

C. BIA
The BIA identifies critical processes and their impact. This information is necessary before designing recovery strategies like DRP.

---

6

C. Management
Management owns the consequences of risk decisions, making them responsible for security risk, even if implementation is delegated.

---

7

B. High-level directive
Policies define the organization’s intent and direction. They guide decisions but do not include technical or operational details.

---

8

C. Mandatory requirement
Standards enforce specific controls and ensure consistency across the organization. They must be followed to comply with policies.

---

9

C. When cost exceeds impact
If mitigating a risk costs more than the expected loss (ALE), accepting the risk is a rational business decision.

---

10

B. Reduce risk to acceptable level
Risk cannot be eliminated completely. The goal is to manage it within acceptable limits defined by the organization.

---

11

B. Accuracy and consistency
Integrity ensures that data remains reliable and unchanged unless properly authorized.

---

12

B. Implementing controls
Due care refers to taking appropriate steps to protect assets, such as implementing security measures.

---

13

C. Ongoing validation and monitoring
Due diligence ensures that controls continue to function effectively over time through monitoring and review.

---

14

B. Identify critical processes
BIA determines which processes are essential and what impact their disruption would have, guiding recovery priorities.

---

15

B. Recovery time
RTO defines how quickly systems must be restored after a disruption to avoid unacceptable impact.

---

16

C. Data loss tolerance
RPO defines the maximum acceptable data loss, usually measured as time between backups.

---

17

C. Reduce human risk
Most security incidents involve human error. Awareness training reduces the likelihood of such incidents.

---

18

B. Following laws
Compliance ensures adherence to legal and regulatory requirements, which are mandatory for organizations.

---

19

B. Risk assessment
Understanding risk is always the first step. Controls should only be implemented after identifying and analyzing risks.

---

20

C. Management
Accountability cannot be delegated. Management remains responsible for security, even if execution is handled by others.

---

⚠️ 6. Exam Traps

• Confusing responsibility (IT) with accountability (management)
• Choosing technical solutions over business-focused answers
• Forgetting cost-benefit analysis
• Assuming risk can be eliminated

---

🔄 7. Flash Review

• CIA = foundation
• Risk = likelihood × impact
• Management owns risk
• BIA before DRP
• Policy > Standard > Procedure
• Security supports business

---

📊 8. Score

Score: ___ / 20

• 16–20 → ✅ Strong
• 10–15 → ⚠️ Review
• <10 → ❌ Re-study Domain 1