Organizations must understand what they need to secure, why they need to secure it, and how it will be secured. This is also one of important domain to focus for CISSP exam. Out of 100% of the exam, this domain carries an weight of 12~13%. Following topics are discussed in this domain.
- Secure Design principles
- Vulnerability Assessment & Mitigation
- Cryptography
- Physical Security Requirements
Security engineering is based on design principles, practices, and models to ensure confidentiality, integrity, and the availability requirements of information assets. The end result could be the development of a product or supporting organizational processes. Further, the product could be hardware, software, or a combination of both.

- IT assets can be grouped as software, hardware, and networking related
- Software can be further grouped as operating systems, application software, embedded software, mobile applications, and web applications
- Hardware and networking systems may contain embedded software
- Security requirements should be addressed in a continual process through design, development and integration phases
- Vulnerabilities might creep in during any of these phases
- By adhering to software development engineering practices and security organizational processes, vulnerability issues can be addressed
Sensitive assets need protection from unauthorized disclosure or tampering. The sensitivity of assets is determined by confidentiality and integrity requirements and the impact of compromise on the corporation or national security. Cryptographic methods and solutions provide assurance to protect assets from compromise.
Refer to below picture for better clarity

- Sensitive assets require an additional level of security pertaining to confidentiality and integrity.
- Additional security requirements of confidentiality and integrity can be assured through the application of cryptographic methods.
- The fundamentals of cryptography are related to encryption and the methods of encryption.
- Various types of encryption methods are used in the cryptography domain based on their characteristics, such as the type of algorithm used, the key length, and the application.
- Public Key Infrastructure (PKI) is an industry standard framework, which enables the integration of various services that are related to cryptography.
- Key management techniques are important from the perspective of cryptographic key generation, distribution, storage, validation, and destruction.
- Cryptographic key can be compromised. Compromises can be due to a weak algorithm or weak keys. Many methods of cryptanalytic attacks exist to compromise keys.
- Cryptographic standards provide tools and best practice methods to secure information and keys from cryptanalytic attack
For many forward-thinking organizations, physical security considerations begin during site selection and design. These companies have learned that building in security is easier than patching the security after the fact. In this section, site selection and site building practices that can lead to increased physical security are covered.
Above both picture are taken from book “CISSP in 21 days” written by “M.L. Srinivasan”.