FlashGenius · SecurityX CAS-005 · Domain 4 of 4

Governance, Risk & Compliance

The final domain (20%) — covers NIST CSF 2.0, NIST RMF, ISO 27001, compliance-as-code, threat modeling with STRIDE/DREAD, and third-party supply chain risk.

Exam weight: 20% · Concept areas: 4 · Flashcards: 12 · Quiz questions: 8
๐Ÿ  Hub 1 ยท Engineering 2 ยท Architecture 3 ยท Operations 4 ยท GRC โš–๏ธ vs CISSP

What Domain 4 Covers

At 20%, Governance, Risk & Compliance tests strategic security thinking — applying risk frameworks, mapping regulatory requirements, modeling threats, and managing the risks introduced by vendors and the software supply chain.

Objective A

Apply Risk Management Frameworks

NIST CSF 2.0, NIST RMF, ISO 27001 to structure enterprise security programmes.

Objective B

Integrate Compliance Requirements

Map PCI DSS, GDPR, HIPAA; automate with compliance-as-code.

Objective C

Manage Third-Party & Supply Chain Risk

Vendor assessments, SLA enforcement, fourth-party risk.

Topics: NIST CSF 2.0, NIST RMF, ISO 27001, STRIDE, DREAD, ALE / SLE / ARO, Compliance-as-Code, Supply Chain Risk

New in CAS-005: Compliance-as-code (OPA, Chef InSpec) is a new topic. The exam tests it as an engineering practice, not just a governance checkbox. Expect scenario questions about embedding policy enforcement in CI/CD pipelines.

Exam focus: Know the NIST CSF 2.0 function names in order (Govern is new and always tested). Know ALE = SLE × ARO by heart. Know each STRIDE letter and the threat it represents.

Key Concept Areas

Four areas cover the full Domain 4 objective set.

1. Risk Management Frameworks
NIST CSF 2.0 (2024)
  • Six functions: Govern (NEW), Identify, Protect, Detect, Respond, Recover.
  • "Govern" sits above all other functions — establishes organizational cybersecurity strategy and accountability.
NIST RMF
  • Seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
  • Required for federal systems under FISMA.
ISO 27001
  • ISMS requirements standard. Annex A = 93 controls. ISO 27002 = implementation guidance.
Risk Calculation
  • Quantitative risk — ALE = SLE × ARO. SLE = asset value × exposure factor. ARO = expected number of occurrences per year. Precise but resource-intensive.
  • Qualitative risk — risk matrix using likelihood × impact. Faster but less precise.
Study tip: CSF 2.0 functions in order — Govern (new) → Identify → Protect → Detect → Respond → Recover. RMF 7 steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
2. Compliance-as-Code & Regulatory Requirements (NEW in CAS-005)
Compliance-as-Code
  • Compliance-as-code — automated compliance checks in CI/CD pipelines, preventing non-compliant configs reaching production.
  • OPA (Open Policy Agent) — policy enforcement at API/Kubernetes/Terraform layer.
  • Chef InSpec — infrastructure compliance testing as code.
Key Regulations
  • PCI DSS — 12 requirements for cardholder data environments. Requires segmentation, encryption, access controls, vulnerability scanning.
  • GDPR — EU data protection: data minimization, purpose limitation, right to erasure, DPO requirement, 72-hour breach notification.
  • HIPAA — US healthcare; protects PHI with administrative, physical, and technical safeguards.
Study tip: Compliance-as-code is an engineering practice, not just governance. OPA enforces policy at the code/infrastructure layer — tested alongside Domain 1 DevOps content.
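As an added illustration of what "embedding policy enforcement in CI/CD" looks like in practice (this is example code, not from the study guide or the OPA project), here is a minimal Rego policy of the kind a pipeline step runs with conftest against Kubernetes manifests before they are deployed; the package name, rule messages, the "payments" namespace and the label name are assumptions.

```rego
# Added example: OPA/Rego policy used as a CI compliance gate for Kubernetes manifests.
# A pipeline step runs it with conftest (package "main" is the default conftest looks for):
#   conftest test deploy/pod.yaml -p policy/
# Any "deny" result fails the step, so a non-compliant manifest never reaches production.
package main

import rego.v1

# Rule 1: no container may run privileged (hardening / least-privilege control).
deny contains msg if {
    input.kind == "Pod"
    some container in input.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container %q in pod %q must not run privileged", [container.name, input.metadata.name])
}

# Rule 2: every container must opt in to runAsNonRoot.
# "not" matches both an explicit false and a missing securityContext.
deny contains msg if {
    input.kind == "Pod"
    some container in input.spec.containers
    not container.securityContext.runAsNonRoot
    msg := sprintf("container %q in pod %q must set securityContext.runAsNonRoot: true", [container.name, input.metadata.name])
}

# Rule 3: workloads in the (assumed) cardholder-data namespace must carry the label that
# ties them to the PCI DSS scope inventory (the label name is an assumption for this example).
deny contains msg if {
    input.kind == "Pod"
    input.metadata.namespace == "payments"
    not input.metadata.labels["compliance.example.com/pci-scope"]
    msg := sprintf("pod %q in namespace payments is missing the pci-scope label", [input.metadata.name])
}
```

The same policy can be loaded into an OPA-based admission controller so that a manifest which bypasses the pipeline is still rejected at the cluster API.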
3. Threat Modeling
Methodologies
  • STRIDE — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Microsoft framework for threat categorization.
  • DREAD — Damage, Reproducibility, Exploitability, Affected users, Discoverability. Risk scoring model (1-10 per dimension).
  • PASTA — 7-stage attacker-centric methodology. Aligns threat model to business objectives.
  • Data flow diagrams (DFDs) — map data flows, trust boundaries, entry points. Starting artifact for STRIDE analysis.
  • MITRE ATT&CK in GRC — mapping TTPs to identify coverage gaps and risk exposure.
Study tip: STRIDE identifies threat type (what can go wrong). DREAD scores identified threats. Know each STRIDE letter and what attack it represents.
4. Third-Party Risk & Supply Chain Security
Vendor Risk Management
  • Third-party risk management — vendor evaluation via questionnaires, SOC 2 Type II reports, pen test results, right-to-audit clauses.
  • Fourth-party risk — your vendor's vendors; hidden supply chain exposure.
Supply Chain Attacks
  • Supply chain attacks — compromising a trusted vendor to attack downstream customers. Canonical example: SolarWinds SUNBURST — malicious update reached 18,000+ customers.
  • SBoM in GRC — identifies which systems use a compromised component when a vulnerability is disclosed.
Contract & Compliance Controls
  • SLA security requirements — incident notification timelines, minimum encryption standards, data residency obligations.
  • Data sovereignty — legal requirement that data be stored/processed only within specific national borders.
Study tip: SolarWinds = canonical supply chain example. SBoM = the tool that tells you where a compromised component is deployed.

Flashcards

12 terms covering Domain 4's governance, risk, compliance, and supply chain concepts.

Knowledge Check: 8 quiz questions.

SecurityX CAS-005 · V1

All 4 domains covered — now test your cert decision

Review the hub for the full overview, or use the interactive comparison to decide between SecurityX and CISSP.