Domain 1 Capstone: Security and Risk Management

CISSP Domain 1 — Security and Risk Management Capstone — All Sections, 20 Questions

Executive Pattern Summary

Domain 1 covers the widest range of topics on the CISSP exam. Before working through these capstone questions, internalize these six decision patterns that run through every topic in this domain:

  1. Governance before operations. When a scenario reveals a structural problem — missing accountability, conflicting roles, no executive sponsorship — fix governance first. Technical controls deployed into a broken governance structure will not produce the outcomes you need.
  2. Risk drives the response. Every control, every policy, every continuity plan exists to manage risk. If an answer choice does not connect back to organizational risk, it is probably wrong. The correct answer is proportional to the risk — not the most aggressive or the most technical option available.
  3. Timing determines value. BIA before BCP. Threat modeling during design. Vendor assessment before and after onboarding. Background checks before access. When two answers describe the same activity at different times, the one with correct timing wins.
  4. People are controls. Personnel policies, awareness programs, separation of duties, and role-based training are not secondary to firewalls and encryption. When the failure is human, the fix starts with people — through governance, process, or training.
  5. Legal and regulatory requirements are non-negotiable. When compliance conflicts with operational convenience, compliance wins. But the response is structured: assess the gap, engage legal, align governance, then implement controls. Never react without assessment.
  6. Trust has boundaries. Supply chain risk, third-party access, vendor dependencies — wherever your security relies on someone else's decisions, you need contractual controls, continuous monitoring, and contingency plans. Trust without verification is not risk management.

Domain 1 – Capstone Questions


Question 1

An organization operates in multiple countries with conflicting data privacy regulations. The legal team has identified that full compliance with one jurisdiction's requirements would violate another's.

What should the security manager do FIRST?

A. Engage legal counsel to perform a formal jurisdictional conflict analysis
B. Implement the strictest regulation across all jurisdictions
C. Ignore the less stringent regulation
D. Delay operations in the conflicting jurisdiction

Answer & reasoning

Correct: A

Jurisdictional conflicts require legal analysis before operational decisions. Implementing the strictest standard may violate the other jurisdiction. Ignoring or delaying without analysis creates unmanaged legal exposure.


Question 2

The board of directors receives quarterly security reports, but the reports focus on vulnerability counts and patch compliance percentages. Board members have expressed that the reports do not help them make decisions.

What is the BEST corrective action?

A. Increase reporting frequency to monthly
B. Include more technical detail in the reports
C. Restructure reports to present security posture in terms of business risk and strategic impact
D. Delegate security reporting to the IT director

Answer & reasoning

Correct: C

Board-level reporting must align with governance perspective. The board makes risk-based strategic decisions, not technical ones. Reports should translate security data into business impact, risk exposure, and strategic alignment.


Question 3

A BIA reveals that the customer support system has a maximum tolerable downtime of 2 hours. Current recovery capability targets 8 hours. The budget for improvement has been denied twice.

What is the MOST appropriate next step?

A. Accept the risk and document it
B. Implement a cheaper recovery solution without approval
C. Reduce the MTD to match current capability
D. Present the gap to senior management as a business risk requiring formal risk acceptance or funding

Answer & reasoning

Correct: D

When the gap between BIA requirements and recovery capability cannot be closed due to budget constraints, the risk must be escalated to senior management for formal acceptance or resource allocation. The security manager cannot unilaterally accept business risk, nor can MTD be arbitrarily adjusted.


Question 4

An organization's security policy requires encryption of all data at rest. A business unit has been storing unencrypted customer data in a shared drive for three years because "it slows down their workflow."

What should the security manager address FIRST?

A. Immediately encrypt all data on the shared drive
B. Discipline the business unit manager
C. Assess the scope of the policy violation and engage leadership to align enforcement with business operations
D. Update the policy to exclude shared drives

Answer & reasoning

Correct: C

A three-year policy violation indicates a systemic governance gap, not a one-time incident. Assessment comes first to understand the scope of exposure, followed by leadership engagement to address the root cause — which may be a combination of enforcement failure and control usability issues.


Question 5

During a threat modeling exercise in the design phase, the team identifies that a microservice communicates with an external API without mutual authentication.

In STRIDE, which threat category does this PRIMARILY represent?

A. Spoofing
B. Repudiation
C. Tampering
D. Information Disclosure

Answer & reasoning

Correct: A

Lack of mutual authentication means neither party can verify the other's identity. This is Spoofing, the STRIDE category that corresponds to a failure of the authentication property. Without mutual authentication, an attacker could impersonate either the microservice or the external API.


Question 6

A security manager discovers that the organization's vendor risk assessment process evaluates vendors only during initial procurement. No reassessment has occurred for any of the 40 active vendors.

What risk management principle has been violated?

A. Risk avoidance
B. Continuous monitoring
C. Risk transference
D. Quantitative analysis

Answer & reasoning

Correct: B

Supply chain risk management requires continuous monitoring, not one-time assessment. A vendor's security posture changes over time through personnel turnover, acquisitions, technology changes, and evolving threats. Assessment at procurement alone provides a snapshot, not ongoing assurance.


Question 7

An organization's incident reports show that 60% of security breaches in the past year originated from phishing attacks targeting finance department employees. The general awareness program covers phishing at a high level.

What is the MOST effective response?

A. Increase the frequency of the general awareness program
B. Deploy advanced email filtering to block all suspicious emails
C. Provide targeted anti-phishing training specific to the finance department with simulated attacks
D. Restrict internet access for finance department employees

Answer & reasoning

Correct: C

The data identifies a specific role-based risk. The response should be targeted training for the affected department, including realistic simulations. General awareness is too broad. Email filtering addresses symptoms. Access restriction impairs business operations disproportionately.


Question 8

A newly hired CISO discovers that the information security function reports to the VP of IT, who also manages the development team responsible for implementing security controls.

What is the PRIMARY governance concern?

A. Budget allocation conflicts
B. Lack of independence between security oversight and control implementation
C. Insufficient technical expertise
D. Delayed incident response

Answer & reasoning

Correct: B

When security reports to the same leader who manages control implementation, there is a conflict of interest. Security cannot provide independent oversight of controls managed by the same authority. This is a governance structure failure requiring reporting line correction.


Question 9

An organization needs to determine how much to spend on a countermeasure for a risk with an ALE of $150,000. The proposed control costs $200,000 annually and would reduce the exposure factor from 80% to 20%.

What should the security manager recommend?

A. Implement the control because it significantly reduces risk
B. Implement the control and increase the budget
C. Accept the risk without any countermeasure
D. Reject the control because its cost exceeds the ALE

Answer & reasoning

Correct: D

A control that costs more than the risk it mitigates is not cost-effective. The control costs $200,000 annually while the entire ALE is $150,000. Even with the 75% relative reduction in exposure factor (from 80% to 20%), spending more than the total expected loss violates the principle of proportional risk response. Alternative, less expensive controls should be evaluated.


Question 10

A company's BCP was tested six months ago and passed. Since then, the organization migrated its primary database to a new cloud provider and restructured its network architecture.

What should the BCP coordinator do?

A. Update the BCP to reflect infrastructure changes and retest
B. Schedule the next test for the annual review
C. Rely on the last test results since they are recent
D. Conduct a tabletop exercise with the original plan

Answer & reasoning

Correct: A

Significant infrastructure changes invalidate previous test results. The BCP must be updated to reflect the new cloud provider and network architecture, then retested to verify it works with the current environment. A tabletop exercise with the outdated plan would validate an inaccurate plan.


Question 11

An employee with privileged access to financial systems submits a two-week resignation notice. The employee will be joining a competitor.

What personnel security action is MOST important?

A. Immediately terminate all access
B. Increase monitoring of the employee's access during the notice period and plan structured offboarding
C. Extend the notice period to 30 days
D. Require the employee to train a replacement before any access changes

Answer & reasoning

Correct: B

Enhanced monitoring during the notice period balances operational continuity with insider threat mitigation. Immediate termination may be warranted in some cases but is not always proportional. Extending the notice period does not address the risk. Training a replacement without access controls ignores the threat.


Question 12

An organization adopted a security framework two years ago. Policies were written and distributed, but no enforcement mechanisms exist. Audit findings show widespread noncompliance.

What is the ROOT cause of the noncompliance?

A. The framework is outdated
B. Employees lack security awareness
C. Governance lacks accountability mechanisms to enforce policy adherence
D. The audit was too strict

Answer & reasoning

Correct: C

Policies without enforcement mechanisms are aspirational documents. Widespread noncompliance after two years indicates the governance framework lacks accountability — defined ownership, consequences for noncompliance, and monitoring. The framework itself and employee awareness are secondary to the absence of enforcement structure.


Question 13

A software vendor provides a critical application but refuses to include a right-to-audit clause in the contract. The vendor holds a SOC 2 Type II report.

What is the BEST approach?

A. Terminate the vendor relationship immediately
B. Accept the SOC 2 report as sufficient assurance and waive the audit requirement
C. Conduct an unauthorized audit of the vendor
D. Accept the SOC 2 report as partial assurance, negotiate additional transparency controls, and document the residual risk

Answer & reasoning

Correct: D

A SOC 2 Type II report provides independent assurance but may not cover all areas relevant to your organization. The risk-based approach is to accept it as partial assurance, negotiate what additional transparency is feasible, and formally document the residual risk of not having direct audit rights.


Question 14

An organization uses qualitative risk assessment for most risks but needs to justify a $2 million investment in a new disaster recovery site to the board.

What risk assessment approach should be used for this decision?

A. Continue with qualitative assessment for consistency
B. Use a hybrid approach combining qualitative context with quantitative financial analysis
C. Skip risk assessment and rely on industry benchmarks
D. Perform quantitative analysis using ALE to demonstrate financial justification

Answer & reasoning

Correct: D

Board-level investment decisions require financial justification. Quantitative analysis using ALE, SLE, and ARO provides the monetary basis needed to compare the cost of the DR site against the expected losses without it. Qualitative context is helpful but insufficient for a $2 million decision.


Question 15

An organization's security awareness program achieves 95% completion rates. However, social engineering incidents have not decreased over the past 18 months.

What does this indicate?

A. The program needs higher completion targets
B. Technical controls should replace awareness training
C. The program is measuring participation rather than behavior change
D. Social engineering cannot be addressed through training

Answer & reasoning

Correct: C

High completion with unchanged incident rates means the program measures activity, not outcomes. Effective awareness programs measure behavior change — phishing click rates, reporting rates, policy compliance. The program needs redesign to target behavior, not just completion.


Question 16

A new regulation requires that personal data breaches be reported to the supervisory authority within 72 hours. The organization's current incident response process does not include regulatory notification timelines.

What should occur FIRST?

A. Conduct a gap analysis between current IR processes and the regulatory notification requirements
B. Notify the regulator that the organization is working toward compliance
C. Delegate regulatory notifications to the IT department
D. Implement automated breach detection to meet the timeline

Answer & reasoning

Correct: A

Before making changes, assess the gap between current processes and the new requirement. A gap analysis identifies what needs to change — detection timelines, escalation paths, notification templates, legal review steps — before operational adjustments are made.


Question 17

During a business continuity exercise, the team discovers that the recovery procedures documented for the ERP system reference infrastructure components that were decommissioned during a cloud migration six months ago.

What process failure does this reveal?

A. Inadequate change management integration with BCP maintenance
B. Insufficient disaster recovery budget
C. Lack of technical skills on the recovery team
D. Over-reliance on cloud infrastructure

Answer & reasoning

Correct: A

Business continuity plans must be updated when infrastructure changes occur. The failure is that the change management process did not trigger a BCP update when the cloud migration decommissioned the referenced components. This is an integration failure between change management and continuity planning.


Question 18

An organization transfers the financial risk of a data breach to a cyber insurance provider. Six months later, a breach occurs, and the insurance claim is denied because the organization failed to maintain the security controls specified in the policy.

What risk management principle was violated?

A. Risk transference was completed when the policy was purchased
B. Risk transference requires maintaining the conditions under which the risk was transferred
C. The insurer acted improperly by denying the claim
D. Risk acceptance would have been more appropriate

Answer & reasoning

Correct: B

Risk transference through insurance is conditional. The insurance policy requires the organization to maintain specified security controls. Failing to meet those conditions voids the transfer. Purchasing the policy alone does not constitute complete risk transference — ongoing compliance with policy terms is required.


Question 19

A large Agile development organization with 15 scrum teams needs to integrate threat modeling into their development process. Traditional workshop-based threat modeling is causing sprint delays.

Which threat modeling approach is BEST suited for this environment?

A. STRIDE with full data flow diagrams per sprint
B. PASTA with seven-stage analysis per feature
C. DREAD scoring for each user story
D. VAST, which is designed for Agile and DevOps scaling

Answer & reasoning

Correct: D

VAST (Visual, Agile, and Simple Threat) was specifically designed for Agile and DevOps environments. It creates application and operational threat models that scale across multiple teams and integrate into CI/CD pipelines without requiring dedicated workshop sessions that delay sprints.


Question 20

An organization's ethics policy was last updated five years ago. Since then, the company has expanded into AI-driven decision making, biometric data collection, and cross-border data processing. No ethical guidelines exist for these activities.

What is the PRIMARY risk?

A. Increased hardware costs
B. Governance gaps exposing the organization to ethical, legal, and reputational harm
C. Reduced system performance
D. Decreased employee productivity

Answer & reasoning

Correct: B

Ethics policies must evolve with organizational activities. AI decision making, biometric collection, and cross-border processing each introduce ethical and legal considerations that a five-year-old policy cannot address. The absence of guidelines creates governance gaps that expose the organization to regulatory action, litigation, and reputational damage.
