1. Three goals of risk management are to identify risks, quantify the impact of potential threats, and find an economic balance between the impact of the risk and the cost of the countermeasure.
  2. A threat is a natural or man-made event that could have a negative impact on the organization. A vulnerability is a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage.
  3. There are two approaches to dealing with risk:

    Quantitative analysis Assigns real numbers or dollar amounts to the costs of countermeasures and the amount of damage that can occur. Pure quantitative risk analysis is not possible.

    Qualitative analysis Looks at different scenarios of risk possibilities and ranks the seriousness of the threats and the sensitivity of the assets.

  4. Formulas used for quantitative analysis include

    EF (exposure factor) = Percentage of an asset loss caused by an identified threat

    SLE (single loss expectancy) = Asset value Exposure factor

    ALE (annualized loss expectancy) = Single loss expectancy Annualized rate of occurrence

  5. Risk is dealt with in the following ways (these can be combined):

    Risk reduction Implements a countermeasure to alter or reduce the risk

    Risk transference Purchases insurance to transfer a portion or all of the potential cost of a loss to a third party

    Risk acceptance Deals with risk by accepting the potential cost and loss

    Risk rejection Pretends risk doesn't exist and ignores the risk

  6. Security policies can be regulatory, advisory, or informative.
  7. Security must flow from the top of the organization.
  8. Types of security documents include

    Policies General statements produced by senior management

    Standards Tactical documents that are more specific than policies

    Guidelines Point to a statement in a policy or procedure by which to determine a course of action

    Procedures The lowest level in the policy that provide step-by-step instructions to achieve a certain task

The CISSP Cram Sheet

A Note from Series Editor Ed Tittel

About the Author


We Want to Hear from You!



The CISSP Certification Exam

Physical Security

Security-Management Practices

Access-Control Systems and Methodology

System Architecture and Models

Telecommunications and Network Security

Applications and Systems-Development Security

Operations Security

Business Continuity Planning

Law, Investigations, and Ethics


Practice Exam 1

Answers to Practice Exam 1

Practice Exam 2

Answers to Practice Exam 2

CISSP Exam Cram 2
CISSP Exam Cram 2
ISBN: 078973446X
EAN: 2147483647
Year: 2003
Pages: 204
Authors: Michael Gregg © 2008-2020.
If you may any questions please contact us: