# Domain 1 - Index

This domain sets the foundation for governance, risk, compliance, ethics, legal, and the management systems that steer an enterprise security program.

1. [[CIA Triad]] — Core goals of information security.
2. [[Security Governance]] — How leadership directs and controls security.
3. [[Security Policy Types]] — Policy, standard, guideline, procedure hierarchy.
4. [[Standards, Guidelines, and Procedures]] — Binding vs. advisory controls and how-to steps.
5. [[Due Care vs Due Diligence]] — Reasonable actions vs. ongoing oversight.
6. [[Risk Management Process]] — Identify, analyze, respond, monitor.
7. [[Risk Terminology]] — Threat, vulnerability, likelihood, impact, residual risk.
8. [[Risk Response Strategies]] — Avoid, transfer, mitigate, accept.
9. [[Qualitative Risk Assessment]] — Subjective scales, heat maps, risk matrix.
10. [[Quantitative Risk Assessment]] — ALE, SLE, ARO calculations.
11. [[Asset Valuation]] — Determining asset criticality and value.
12. [[Data Classification and Handling]] — Labels and handling requirements.
13. [[Security Roles and Responsibilities]] — Owner, custodian, user, senior management.
14. [[Security Control Types]] — Preventive, detective, corrective, compensating, deterrent.
15. [[Control Frameworks (ISO/IEC 27001, NIST, COBIT)]] — Program scaffolding.
16. [[Risk Appetite and Tolerance]] — What level of risk the org accepts.
17. [[Business Continuity Planning (BCP) Overview]] — Keeping business running.
18. [[Business Impact Analysis (BIA)]] — Prioritizing processes and dependencies.
19. [[Recovery Objectives (RTO, RPO, WRT, MTD)]] — Time and data loss targets.
20. [[Disaster Recovery Strategies (Hot/Warm/Cold)]] — Site options and trade-offs.
21. [[Incident Response Lifecycle]] — Prepare, detect, contain, eradicate, recover, lessons learned.
22. [[Evidence Handling and Chain of Custody]] — Admissibility and integrity.
23. [[E-Discovery (EDRM)]] — ESI lifecycle for legal matters.
24. [[Legal Systems and Laws (Civil, Criminal, Administrative)]] — Global legal basics.
25. [[Intellectual Property Protection]] — Copyright, patent, trademark, trade secret.
26. [[Privacy Principles and Regulations]] — Core privacy concepts and major regimes.
27. [[Data Owners, Controllers, and Processors]] — Governance roles over data.
28. [[Security Awareness and Training]] — Human risk reduction.
29. [[Social Engineering and Insider Threats]] — People-centric risks.
30. [[Third-Party and Supplier Risk Management]] — Outsourcing and supply chain.
31. [[Service Level Agreements and Contracts]] — SLAs, NDAs, BPAs, right-to-audit.
32. [[Ethics and (ISC)² Code of Ethics]] — Professional conduct.
33. [[Security Program Management (PDCA)]] — Continuous improvement loop.
34. [[Security Metrics, KPIs, and KRIs]] — Measuring performance and risk.
35. [[Threat Modeling (STRIDE, PASTA, Kill Chain)]] — Systematic threat analysis.
36. [[Threat Intelligence Lifecycle and Sources]] — Direction, collection, processing, use.
37. [[Policy Exception and Exception Management]] — Controlled deviations.
38. [[Data Retention and Destruction]] — Keep just enough; dispose safely.
39. [[Export Controls and Cryptography Law]] — Restrictions on crypto and tech transfer.
40. [[Compliance Frameworks and Audits (SOX, PCI DSS, SOC Reports)]] — Conformance and attestations.

> [!info] Tip
> - Use this index as your daily jumping-off point in Obsidian.

#cissp #domain-1 #concept