CISSP: Domain 1 - Security and Risk Management - Module 1
Understand and apply concepts of Confidentiality, Integrity and Availability

This course covers the first of 4 modules of Domain 1 of the CISSP, covering security and risk management. It will focus on the CIA Triad, governance principles, compliance, and legal issues.

Learning Objectives

The objectives of this course are to provide you with and understanding of:

  • What confidentiality, integrity, and availability is and how it applies to information security and how to apply those concepts in the real world
  • How to apply security governance principles
  • Compliance, and how it plays a huge role within security and risk management
  • The legal and regulatory issues that pertain to cybersecurity within a global context

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So let's begin the course. Welcome to Domain 1: Security And Risk Management. Now the format that you'll be conducting this course through will be based on a section-by-section presentation through each domain to keep things in a normal, comfortable bite-sized kind of delivery. So let's begin. 

So here's our domain agenda. We want to be sure that we explore and understand and apply the concepts of confidentiality, integrity and availability. We want to explore and understand so that we can apply a security governance principles. Obviously the topic of compliance will play a very large role here. We want to understand the legal and the regulatory issues that pertain to our cybersecurity but we want to be sure that we do this and explore a global context. Ethics will, of course, have to be addressed. We want to look at the development and implementation of documented security policy, standards, and other governance documentation. We're going to explore business continuity requirements, personnel security policies. Risk management concepts will, of course, be fundamental to this domain, as will threat modeling. We must ultimately integrate security risk considerations into the acquisitions strategy and practice. And establish management security education, training, and awareness to ensure that the workforce is properly informed and engaged. 

So this will be the very first module within domain one where we're going to understand and apply the concepts of confidentiality, integrity and availability. So here we have the much discussed historic C-I-A Triad. We have our three bars of our own iron triangle: confidentiality, which refers to prevention of unauthorized disclosure of sensitive information. And sensitive information, of course, means what is sensitive to the organization. And it can be various types. It also means that it has access for authorized users only. Now confidentiality includes many different kinds of information: things that may be of a privacy nature, that is referencing individuals; or it can be things of a more company-oriented type like trade secrets. Then we have integrity. And integrity highlights the basic topic of information trustworthiness. We want to prevent unauthorized or contaminating modifications of systems and information. And we want to ensure that only authorized actions by authorized users are the ones being taken so that our information remains trustworthy. Our third leg of the iron triangle is availability. This means we want to prevent disruption or loss of service and associated productivity and that information, with its integrity in tact and its confidentiality are available to authorized users when and where they

Now a common discussion point about the C-I-A Triad is which one of these is the priority? And the answer to that is that depends on what your organization values most. C-I-A is not meant to indicate priority, but the primary fundamental and most critical characteristics of our most precious asset: the data. In accordance with that, your organization needs to decide possibly through multiple contexts and multiple types of information which one of these three is the priority. To say that all three are high priorities for any organization is, of course, an obvious truth. However, certain kinds of information may require treatment of one of these as more than the others. But that context, again, must be determined by your organization. There is no one-size-fits-all or most here. 

Throughout our organization's life cycles and our systems' life cycles we need assurance that these characteristics are being met in appropriate fashion. We have operational assurance which focuses on the features and architecture of a system. And that of course includes things like system integrity, trusted recovery, the identification and remediation of covert channels. It means that we build in software security from the beginning. It means that we are consistently implementing policies so that we get consistent enforcement of processes like change management and maintenance, so that the organization's systems can be depended upon to work in a proper expected fashion. 

Then we have life cycle assurance. What this addresses is the insurance of the TCB, the trusted computing base, and that it's designed and developed and maintained with formally controlled standards that enforce protection at each stage in the system's life cycle. It means that we do things like security testing. We do trusted distribution of code to make sure it arrives at a pristine point. And that implementation is done. And throughout its life cycle, configuration management is employed to ensure that only the changes that are wanted are implemented correctly, verify is implemented correctly and perform as intended. Now throughout all of the cycles that we're going to face in our life cycle of operations or assurance or any other form of our system's performance, we're going to have to deal with different kinds of knowledge, and the fact that we do or don't have conscious awareness of it. 

So let's talk for a moment about knowledge and awareness. What we need to do is divide these things up into these four different buckets. We need to take the steps necessary to learn and clarify what is necessary first. Another way of saying, first things first. So we have known knowns. Those are things that we know and are conscious that we know them. We've captured them and are able to make use of them. We have unknown knowns, which are uncaptured lessons learned. These may be part of the body of corporate information and knowledge and experience. They simply may not have been captured such that we can actualize them. We have known unknowns otherwise known as assumptions. Now our known unknowns need to have validation of the assumptions in other words, are they real, are they credible, do they pass the much talked about sniff test so to speak. And then ultimately we have our unknown unknowns. As many have said, we don't know what we don't know. Now the difference between the knowledge and awareness is that in knowing, are we conscious that we do? Have we captured these things? So, how do we decide what we're going to do with them? So our primary goal should be to validate the knowns, to make sure that what we think we know we do in fact know. Obviously we want to reduce our unknowns. And that requires a lot of work, a lot of research. We need to define, we need to eliminate the unknowns where we can. And we need to define the boundaries where we cross from the world of the known into the world of the unknown. In dividing our information up into these four different types of knowns or unknowns, we're able to make plans to actualize what we know; validate our assumptions to add to what we know, to what we can expect or what we anticipate. We capture our lessons learned, that's moving them into the category of the known knowns. And we put a boundary around unknown unknowns and develop contingency plans for what we may theorize that might include. We also have to cope with various cycles of urgency and importance. This, of course, begs the subject of what is urgent is not necessarily important and vice versa. So let's define what actually goes into these things. 

First we have our urgent and important. And these are operational concerns, the things that may be going on right now that require our direct attention and there is some urgency about it. Not necessarily an emergency, but something that's urgent that requires our direct attention now. We have our non-urgent, important. These are the things that fall into a category that are of strategic importance. They're not urgent because they're not things that we need to deal with right this red-hot minute. But, they're important because these are longer term concerns, things that, perhaps, we have to put into motion today so that it will produce results at some point in the future. Maybe even the distant future. We have our urgent, unimportant. Urgent because someone is knocking on our door insisting that we drop what we're doing and deal with this item that they've handed us. But upon review, it may turn out that it's a potential time waster. But that's something that requires careful judgment before we make a snap decision and decide that it's urgent because someone else says so but not because it's truly urgent. And then we have our non-urgent, unimportant. Those can be time wasters but they can be other sorts of activities that are simply not urgent and not, especially, important to our organization's life cycles. So, the way that we resolve these is that we deal with the urgent and important in a prompt, direct fashion. Our non-urgent, important strategic items we work to develop them so that eventually they can be implemented. Our urgent, unimportant may be suitable for delegation to another person to cope with. Or they can be disregarded if they are truly urgent only in the mind and not truly urgent in the real world. And then our non-urgent, unimportant. We can remove them. It's not very often a very good idea to ignore things just out of hand. But it's a good idea to take a look at not urgent, unimportant to make sure that you're making the right decision about it. On the other hand, not urgent, unimportant could be vacation time. It's certainly a good thing to do to rest the mind and prepare you as refreshed and ready to start up doing this sort of thing again.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.

Covered Topics