This course covers the first of 4 modules of Domain 1 of the CISSP, covering security and risk management. It will focus on the CIA Triad, governance principles, compliance, and legal issues.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • What confidentiality, integrity, and availability are, how they apply to information security, and how to apply those concepts in the real world
  • How to apply security governance principles
  • Compliance, and how it plays a huge role within security and risk management
  • The legal and regulatory issues that pertain to cybersecurity within a global context

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.

Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So we're going to continue on with section three, about compliance. So here we're going to talk about legislative and regulatory compliance, as well as privacy requirements. So the things that we have to look at are the different kinds of laws and regulations that we're faced with. 

Now, there is a difference between laws and regulations. Laws are typically looked at as being of a criminal type of law or a civil type of law that govern different relationships, different legal types of contests between parties. And then we have regulations which are more along the line of compliance types of requirements that we might get from the Department of Health and Human Services, or the Food and Drug Administration, or the Federal Trade Commission, who are all enforcers of regulations. We also have a safe harbor provision which governs how we're going to handle individually-identifiable information to prevent its wrongful disclosure to unauthorized parties. 

When we combine all of these different elements together, governance, risk management and compliance, we come up with this triumvirate, you could call it, called GRC. The notion behind governance is how we manage and use the various assets and so forth that we have in our business roles, that we are good stewards and good users of these. Risk management, of course, is identifying risks, categorizing them as acceptable or unacceptable and taking approaches to mitigate them in accordance with not only our regulatory environment but with a risk appetite that our organization may have. And then compliance is identifying those things that we must comply with, that we must adhere to, different kinds of metrics, different kinds of procedures that we have to do. 

Here we have some examples of different laws, primarily governing privacy. Now as you see, we have the European Union and the Data Protection Directive known as 95/46/EC. And we would add to this the recently enacted GDPR at the EU. Australia has its Privacy Act. Argentina has a Personal Data Protection Law. Canada has its law, PIPEDA, the Personal Information Protection and Electronic Documents Act. We in the United States have HIPAA for one, largely in healthcare, and we have the Gramm-Leach-Bliley Act, largely in financial services. Now those five represent laws that have been passed by some governing or legislative body. So they affect the entire nation or municipality that they have been passed over. Then we have the industry standard known as PCI, the PCI Data Security Standards. The difference is when it's a law, the government imposes various kinds of sanctions when a failure to meet the governings of that law has been established for a given organization or individual. With industry standards, there are different kinds of penalties that can be exacted, but they don't have the force of law. They are no less important than laws; they simply don't have the legislative backing that laws have. 

We'll discuss laws more as we go through this course.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
