Phase 1: Domain 1 — Security & Risk Management (15%)

Timeline: Apr 5-11 (Week 1, first half)

This is the LARGEST domain by exam weight and covers the managerial/governance topics that engineers typically struggle with. Get this right and the rest flows.

Key Concepts

Security Governance

  • CIA Triad: Confidentiality, Integrity, Availability

  • Due diligence (research) vs due care (action)

  • Security governance principles, policies, standards, procedures, guidelines

  • Organizational roles: CISO, ISO, data owner, data custodian, data processor

Risk Management

  • Quantitative Risk Analysis:

    • Asset Value (AV)

    • Exposure Factor (EF) — percentage of asset lost

    • Single Loss Expectancy: SLE = AV × EF

    • Annualized Rate of Occurrence (ARO)

    • Annualized Loss Expectancy: ALE = SLE × ARO

    • Safeguard value (cost/benefit): (ALE before) - (ALE after) - (annual cost of safeguard); a positive result justifies the control

  • Qualitative Risk Analysis: Likelihood × Impact matrix (High/Medium/Low)

  • Risk response: Avoid, Mitigate, Transfer (insurance), Accept
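The quantitative formulas above, worked through in code. This is an added illustration for these notes, not part of the original material: the asset value, exposure factors, ARO and safeguard cost are constructed sample figures, and the qualitative thresholds are one common convention rather than a standard.

```python
"""Quantitative and qualitative risk analysis, worked through in code.

Added illustration for these study notes, not part of the original material.
Every figure below (asset values, exposure factors, ARO, safeguard cost) is a
constructed sample; the qualitative thresholds are an assumed convention."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: (ALE before) - (ALE after) - (annual cost).

    A positive result means the control saves more per year than it costs;
    a negative result argues for accepting or transferring the risk instead."""
    return ale_before - ale_after - annual_cost


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Likelihood x Impact matrix using 1/2/3 for Low/Medium/High.

    Thresholds (product >= 6 High, >= 3 Medium, else Low) are an assumed
    convention; organizations define their own."""
    levels = {"Low": 1, "Medium": 2, "High": 3}
    score = levels[likelihood] * levels[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def analyze_example() -> dict:
    """Walk one constructed scenario: a file server hit by ransomware,
    before and after adding immutable offsite backups."""
    before = RiskScenario("file server, no offsite backup", 200_000, 0.25, 0.5)
    # A recovery control lowers how much is lost per incident (EF), not how
    # often incidents happen (ARO), so ARO stays the same in the "after" case.
    after = RiskScenario("file server, offsite backup", 200_000, 0.05, 0.5)
    backup_annual_cost = 8_000  # constructed figure
    return {
        "sle_before": before.sle(),  # 200,000 x 0.25 = 50,000
        "ale_before": before.ale(),  # 50,000 x 0.5 = 25,000
        "ale_after": after.ale(),    # 200,000 x 0.05 x 0.5 = 5,000
        "safeguard_value": safeguard_value(before.ale(), after.ale(), backup_annual_cost),  # 12,000
        "qualitative": qualitative_rating("Medium", "High"),  # 2 x 3 = 6 -> High
    }


if __name__ == "__main__":
    for key, value in analyze_example().items():
        print(f"{key}: {value}")
```

Exam questions usually hand you three of the four numbers and ask for the fourth, so the habit worth building is writing SLE and ALE out as the two products above and checking units (dollars per incident vs dollars per year) before plugging in.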

Legal & Regulatory

  Framework                   What It Covers
  HIPAA                       You live this at CHLA. PHI, Minimum Necessary, BAAs, 60-day breach notification
  GDPR                        EU data protection — right to erasure, DPO, 72-hour breach notification
  SOX                         Financial reporting integrity — Section 404
  PCI-DSS                     Payment card data — 12 requirements, SAQ, compensating controls
  GLBA                        Financial institution data protection
  FERPA                       Student education records
  Computer Fraud & Abuse Act  Unauthorized computer access (US federal)

Business Continuity

  • BIA (Business Impact Analysis) — identify critical functions and set MTD (maximum tolerable downtime), RTO (recovery time objective, must be ≤ MTD), RPO (recovery point objective, maximum acceptable data loss measured in time)

  • BCP phases: Project initiation → BIA → Recovery strategy → Plan design → Implementation → Testing → Maintenance

  • DRP: Hot site, warm site, cold site, mobile site

  • Map to your infra: VyOS VRRP = HA/failover. Vault Raft = distributed consensus. Borg = backup/recovery.
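A small consistency check over a BIA, to show how MTD, RTO and RPO constrain each other. Added illustration for these notes, not from the original material; the business functions, hours and backup intervals are constructed sample data, and the two rules applied (RTO must not exceed MTD, backup interval must not exceed RPO) are standard BCP relationships.

```python
"""BIA sanity checks: do the recovery objectives hang together?

Added illustration for these study notes, not from the original material.
Functions, hours and backup intervals are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtd_hours: float               # Maximum Tolerable Downtime: outage the business cannot survive beyond
    rto_hours: float               # Recovery Time Objective: planned time to restore the function
    rpo_hours: float               # Recovery Point Objective: maximum acceptable data loss, in time
    backup_interval_hours: float   # how often the function's data is actually backed up


def infeasible_rto(functions):
    """Functions whose planned recovery time is longer than the business can tolerate (RTO > MTD)."""
    return [f.name for f in functions if f.rto_hours > f.mtd_hours]


def rpo_not_met(functions):
    """Functions whose backup schedule cannot satisfy the RPO (interval > RPO)."""
    return [f.name for f in functions if f.backup_interval_hours > f.rpo_hours]


def recovery_priority(functions):
    """Restore order for a DRP: shortest MTD first, ties broken by the tighter RPO."""
    return [f.name for f in sorted(functions, key=lambda f: (f.mtd_hours, f.rpo_hours))]


# Constructed sample BIA (not real figures).
SAMPLE_BIA = [
    BusinessFunction("patient scheduling", mtd_hours=8, rto_hours=4, rpo_hours=1, backup_interval_hours=1),
    BusinessFunction("payroll", mtd_hours=72, rto_hours=24, rpo_hours=24, backup_interval_hours=48),
    BusinessFunction("lab results", mtd_hours=4, rto_hours=6, rpo_hours=0.5, backup_interval_hours=0.5),
    BusinessFunction("intranet wiki", mtd_hours=168, rto_hours=48, rpo_hours=24, backup_interval_hours=24),
]


if __name__ == "__main__":
    print("RTO exceeds MTD:", infeasible_rto(SAMPLE_BIA))      # ['lab results']
    print("Backups too infrequent for RPO:", rpo_not_met(SAMPLE_BIA))  # ['payroll']
    print("Recovery order:", recovery_priority(SAMPLE_BIA))
```

The two flagged rows are the ones an exam scenario turns on: a plan whose RTO is longer than the MTD is not a recovery plan, and an RPO that the backup schedule cannot meet is just a number on paper. Mapping this to your own stack, the backup interval is the Borg schedule and the RTO is how long a VRRP or Raft failover actually takes.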

Ethics

  • ISC2 Code of Ethics (4 canons — memorize the ORDER):

    1. Protect society, the common good, necessary public trust, and the infrastructure

    2. Act honorably, honestly, justly, responsibly, and legally

    3. Provide diligent and competent service to principals

    4. Advance and protect the profession

Practice Questions

25 questions/day from Official Practice Tests — Domain 1 section.

Checklist

  [ ] Read Study Guide Chapter 1 (Risk Management)
  [ ] Read Study Guide Chapter 2 (Legal/Regulatory)
  [ ] Read Study Guide Chapter 3 (BCP)
  [ ] Watch Destination Certification MindMap — Domain 1
  [ ] Mapped real experience to Domain 1 concepts
  [ ] 50+ practice questions completed (Domain 1)
  [ ] Key formulas memorized (SLE, ALE, ARO)
  [ ] ISC2 Code of Ethics memorized (4 canons in order)