Content:
Everything You Need to Know about the New CISSP Exam
Domain 1 – Security and Risk Management Videos
Overview of Domain 1 Security and Risk Management
CIA Triad (CISSP Free by Skillset.com)
Categorization of Access Controls – (CISSP Free by Skillset.com)
Control Frameworks (CISSP Free by Skillset.com)
Domain 1 – Security and Risk Management/Risk Assessment and Frameworks
Risk Definitions (CISSP Free by Skillset.com)
Threat Modeling (CISSP Free by Skillset.com)
Risk Assessment (CISSP Free by Skillset.com)
Risk Assignment (CISSP Free by Skillset.com)
Risk Frameworks (CISSP Free by Skillset.com)
Domain 1 – Security and Risk Management/Computer Crime, Intellectual Property and Privacy Law Videos
Computer Crime (CISSP Free by Skillset.com)
Computer Crime Investigations (CISSP Free by Skillset.com)
Import-Export Regulations (CISSP Free by Skillset.com)
Intellectual Property (CISSP Free by Skillset.com)
Regulatory Compliance (CISSP Free by Skillset.com)
Protecting Privacy (CISSP Free by Skillset.com)
Domain 1 – Security and Risk Management/Personnel Security, Security Governance, and Ethics Videos
Personnel Security (CISSP Free by Skillset.com)
Personnel Safety and Privacy (CISSP Free by Skillset.com)
SLAs – Service Level Agreements (CISSP Free by Skillset.com)
Security Training, Education, and Awareness (CISSP Free by Skillset.com)
Security Governance Fundamentals (CISSP Free by Skillset.com)
Professional Ethics Legal Issues (CISSP Free by Skillset.com)
Discussions:
Domain 1 – Security and Risk Management/Security Concepts
After reading this week’s materials, please respond to one or more of the following questions:
- In your own words describe what is meant by “defense-in-depth” in security design. Give an example of a combination of security controls that you have seen implemented that show how the combination of security factors improve the overall security.
- The CIA triad is a common way of describing how confidentiality, integrity and availability concerns form the pillars of information security. Give an example from your experience or a technical article you’ve read that describes methods of improving security of information in each area of the CIA triad.
- Describe the administrative management practices of separation of duties, job rotation, and mandatory vacations and their role within operations security.
Domain 1 – Security and Risk Management/Intellectual Property, Risk Assessment, and Business Continuity
After reading this week’s materials, please respond to one or more of the following questions:
- Explain the differences between Patents, Copyrights, and Trademarks in terms of idea, expression, and symbol.
- Describe intellectual property laws. What clauses should a termination policy contain to prevent disclosure of an organization’s information?
- Describe the differences between qualitative and quantitative risk management methods.
- What are the steps in the business continuity planning process? Why is a clear understanding of a company’s enterprise architecture critical to this process?
- Describe the steps in a Business Impact Analysis (BIA). What different loss criteria types can be associated with threats identified during the Business Impact Analysis process?
Assignment:
Instructions: Answer all questions in a single document. Then submit to the appropriate assignment folder. Each response to a single essay question should be about a half-page in length (about 150 words).
1. In this week’s readings, you learned about two methods of risk analysis: quantitative assessment and qualitative assessment. Explain the steps taken to assess a risk from a quantitative perspective where monetary and numeric values are assigned and discuss the formulas used to quantify risk. Then, explain the methods used to assess risk from a qualitative perspective where intangible values are evaluated such as the seriousness of the risk or ramifications to the reputation of the company.
2. Domain 1 introduced numerous security terms that are used in assessing risk. Please define the terms vulnerability, threat, threat agent, risk, exposure and control. Then, describe the three different control types and give examples for each.
3. After you’ve conducted your risk assessment and determined the amount of total and residual risk, you must decide how to handle it. Describe the four basic ways of handling risk.