Session 1 - Week 1
        Session 1 Chatgpt Lecture

        CISSP Week 1, Session 1: Security Governance Foundations


        Welcome to Session 1 of your CISSP journey. Today, we’re diving into the bedrock of everything you’ll be building on—Security Governance Foundations. That means ethics, core security principles, and how organizations make risk-based decisions in complex environments. Let’s get into it.

        1. ISC² Code of Ethics

        The CISSP isn’t just about tech—it’s about trust. The ISC² Code of Ethics sets that tone. There are four canons:

        • Protect society, the common good, and infrastructure.
        • Act honorably, honestly, justly, responsibly, and legally.
        • Provide competent service to principals.
        • Advance and protect the profession.

        Violating these can result in sanctions or revocation of your certification. This isn’t just a checkbox—ethical behavior is critical.

        2. Professional Practices

        Professionalism in cybersecurity means understanding due care and due diligence:

        • Due Care: Doing what a reasonable professional would do: implementing and maintaining the precautions the risks call for.
        • Due Diligence: Doing your homework first: investigating and understanding the risks (assessments, vendor reviews, reading the applicable standards) so the precautions are the right ones.

        When a breach is investigated or litigated, the question asked is: “Did you act as a reasonable security professional would have in the same position?” Documented diligence and documented care are your evidence.

        3. Core Security Concepts (CIA Triad)

        All security controls aim to protect one or more parts of the CIA Triad:

        • Confidentiality – Keep data secret from unauthorized parties (e.g., encryption, access controls).
        • Integrity – Ensure data is accurate and unaltered (e.g., checksums and hashing detect accidental corruption; where an attacker could alter the data and recompute the hash, use a keyed MAC or a digital signature).
        • Availability – Ensure systems and data are accessible when needed (e.g., redundancy, backups, DR plans).

        Whether it's policies or technical controls—always ask, “What part of the triad does this support?”
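        The integrity bullet above says checksums and hashing; the distinction a practitioner needs is between an unkeyed hash, which only catches accidental corruption, and a keyed MAC, which also catches deliberate tampering. The following added example (written for this page, not from the lecture or ISC²) shows both failure modes on a constructed configuration record; the record contents, the hypothetical attacker function and the freshly generated key are all assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the page): a config blob whose integrity we protect.
ORIGINAL = b"admin_group=security-ops\nmfa_required=true\n"
TAMPERED = b"admin_group=security-ops\nmfa_required=false\n"

# Hypothetical secret shared only by the writer and the verifier of the record.
KEY = secrets.token_bytes(32)


def sha256_tag(data: bytes) -> str:
    """Unkeyed hash: anyone can compute it, so it detects corruption, not tampering."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed MAC: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_sha256(data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking which byte differed through timing.
    return hmac.compare_digest(sha256_tag(data), tag)


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def attacker_rewrites_record() -> tuple[bytes, str]:
    """Hypothetical attacker who can write both the record and its stored hash.

    Recomputing an unkeyed hash over the modified data is trivial."""
    return TAMPERED, sha256_tag(TAMPERED)


def demo() -> dict:
    """Run both mechanisms against corruption and against an active attacker."""
    results = {}
    stored_hash = sha256_tag(ORIGINAL)
    stored_mac = hmac_tag(KEY, ORIGINAL)

    # Case 1: accidental corruption (bit rot, truncated copy). Both catch it.
    results["hash_detects_corruption"] = not verify_sha256(TAMPERED, stored_hash)
    results["hmac_detects_corruption"] = not verify_hmac(KEY, TAMPERED, stored_mac)

    # Case 2: deliberate tampering where the attacker also controls the stored tag.
    new_data, new_hash = attacker_rewrites_record()
    # The recomputed hash verifies, so the tampering goes unnoticed: False here.
    results["hash_detects_tampering"] = not verify_sha256(new_data, new_hash)
    # Without KEY the attacker can only forge with a wrong key, and the MAC check fails.
    forged_mac = hmac_tag(b"attacker-guessed-key", new_data)
    results["hmac_detects_tampering"] = not verify_hmac(KEY, new_data, forged_mac)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

        The point for the exam and for practice: a hash stored next to the data it protects only proves the two still match, not that neither was changed; pairing the hash with a secret (HMAC) or a private key (signature) is what turns "detect corruption" into "detect tampering".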

        4. Risk-Based Management

        Security is about managing limited resources effectively using risk management:

        1. Identify risks – What could go wrong?
        2. Analyze risks – How likely and how bad?
        3. Treat risks – Avoid, transfer, mitigate, or accept.

        You can’t protect everything equally—align controls to business value, and revisit the assessment as the business and the threats change. Frameworks such as the NIST Risk Management Framework (SP 800-37) and ISO/IEC 27005 formalize this process.

        5. Supply Chain and Third-Party Risk

        You might have great internal security—but still get compromised by a vendor (remember SolarWinds?).

        • Assess third-party risk during onboarding.
        • Include security terms in contracts.
        • Continuously monitor vendor compliance.

        Cloud models and external services shift risk—but don’t remove your responsibility.

        Wrap-Up: Key Takeaways

        • Follow the Code of Ethics—your certification depends on it.
        • Use due care and diligence in all decisions.
        • Anchor controls to the CIA triad.
        • Apply risk-based thinking across the board.
        • Manage your third-party exposure.

        Final Thoughts

        You just took your first step toward CISSP mastery. This isn’t just about passing an exam—it’s about thinking differently about trust, responsibility, and risk in our digital world. Great work—onward to Session 2!

        Subdomains
        1.1 Understand, adhere to, and promote professional ethics
        1.2 Understand and apply security concepts
        Keywords
        ISC² Code of Ethics
        Professional Practices
        Confidentiality (CIA Triad)
        Integrity (CIA Triad)
        Availability (CIA Triad)
        Risk‑Based Management
        Supply Chain Security
        Third‑Party Risk