🔢
CISSP Formulas & Mnemonics Công thức & Ghi nhớ
Tất cả công thức, thứ tự ưu tiên, và mnemonic cần nhớ cho kỳ thi / All formulas, priority orders, and mnemonics needed for the exam.
📊 Risk Quantitative Formulas
Formula 1: Single Loss Expectancy (SLE)
Thiệt hại kỳ vọng mỗi lần sự cố xảy ra / Expected loss per single incident
SLE = AV × EF
AV = Asset Value (Giá trị tài sản)
EF = Exposure Factor — % of asset lost per incident (% tài sản mất mỗi lần)
SLE = Single Loss Expectancy (Thiệt hại kỳ vọng mỗi lần)
AV = Asset Value (Giá trị tài sản)
EF = Exposure Factor — % of asset lost per incident (% tài sản mất mỗi lần)
SLE = Single Loss Expectancy (Thiệt hại kỳ vọng mỗi lần)
Example — Partner A Loan Platform
Partner A VN loan platform: Asset Value (AV) = $2,000,000. A ransomware attack would destroy 40% of data (EF = 0.4).
SLE = $2,000,000 × 0.4 = $800,000
SLE = $2,000,000 × 0.4 = $800,000
Formula 2: Annual Loss Expectancy (ALE)
Thiệt hại kỳ vọng hàng năm / Annualized expected loss
ALE = SLE × ARO
ARO = Annual Rate of Occurrence (Tần suất xảy ra hàng năm)
ALE = Annual Loss Expectancy (Thiệt hại kỳ vọng hàng năm)
ARO = Annual Rate of Occurrence (Tần suất xảy ra hàng năm)
ALE = Annual Loss Expectancy (Thiệt hại kỳ vọng hàng năm)
Example — Ransomware ARO
Ransomware occurs once every 5 years → ARO = 1/5 = 0.2
ALE = $800,000 × 0.2 = $160,000/year
ALE = $800,000 × 0.2 = $160,000/year
Formula 3: Control Value / ROI
Giá trị kiểm soát / Return on security investment
Value = ALE(before) − ALE(after) − Cost of Control
If Value > 0 → control IS worth implementing ✓
If Value ≤ 0 → control costs more than the risk mitigated ✗
If Value > 0 → control IS worth implementing ✓
If Value ≤ 0 → control costs more than the risk mitigated ✗
Example — Backup Solution ROI
Implementing a backup solution costs $20,000/year and reduces ALE from $160,000 to $40,000.
Value = $160,000 − $40,000 − $20,000 = +$100,000 ✓ Positive ROI — control is worth it.
Value = $160,000 − $40,000 − $20,000 = +$100,000 ✓ Positive ROI — control is worth it.
Formula 4: Total Risk vs Residual Risk
Rủi ro tổng thể và rủi ro còn lại / Risk before and after controls
Total Risk = Threat × Vulnerability × Asset Value
Residual Risk = Total Risk × (1 − Control Effectiveness)
Residual Risk = Total Risk × (1 − Control Effectiveness)
Key Rule: Risk can NEVER be zero. Residual risk always remains after controls are applied. The goal is risk reduction, not elimination. / Rủi ro không bao giờ bằng zero. Luôn còn rủi ro tồn dư sau khi áp dụng kiểm soát.
CVSS Score Reference — Severity & SLA
| CVSS Score | Severity | Remediation SLA |
|---|---|---|
| 0.0 | None | No action required |
| 0.1 – 3.9 | Low | 90 days |
| 4.0 – 6.9 | Medium | 30 days |
| 7.0 – 8.9 | High | 7 days |
| 9.0 – 10.0 | Critical | 24 – 48 hours |
⏱ Recovery Time Formulas
The Master Recovery Equation
RTO + WRT ≤ MTD
RTO = Recovery Time Objective — thời gian phục hồi hệ thống kỹ thuật
WRT = Work Recovery Time — thời gian xác nhận / restore dữ liệu sau khi hệ thống online
MTD = Maximum Tolerable Downtime — thời gian tối đa doanh nghiệp có thể chịu đựng
RPO = Recovery Point Objective — lượng dữ liệu tối đa có thể mất, tính theo thời gian
RTO = Recovery Time Objective — thời gian phục hồi hệ thống kỹ thuật
WRT = Work Recovery Time — thời gian xác nhận / restore dữ liệu sau khi hệ thống online
MTD = Maximum Tolerable Downtime — thời gian tối đa doanh nghiệp có thể chịu đựng
RPO = Recovery Point Objective — lượng dữ liệu tối đa có thể mất, tính theo thời gian
Critical Rule: If RTO + WRT > MTD → Business FAILS before IT recovers → Unacceptable design. Must redesign recovery strategy or invest in faster recovery. / Nếu RTO + WRT > MTD → doanh nghiệp sụp đổ trước khi IT phục hồi xong — thiết kế không được chấp nhận.
Example Table — Platform C Multi-Tenant Platform
| Tenant | MTD | RTO | WRT | RPO | RTO+WRT ≤ MTD? |
|---|---|---|---|---|---|
| Partner A VN Loan disbursement |
8 h | 4 h | 2 h | 15 min | ✅ 6h ≤ 8h |
| Partner E PH Card processing |
2 h | 1 h | 30 min | 2 min | ✅ 1.5h ≤ 2h |
| Partner C PH Lead generation |
24 h | 8 h | 2 h | 1 h | ✅ 10h ≤ 24h |
🔐 Biometric Error Rate Formulas
Crossover Error Rate (CER / EER)
CER = point where FAR = FRR
FAR = False Accept Rate — người sai được vào (rủi ro bảo mật / security risk)
FRR = False Reject Rate — người đúng bị từ chối (rủi ro usability / user experience)
CER/EER = Crossover Error Rate — điểm giao FAR = FRR — đo độ chính xác tổng thể
FAR = False Accept Rate — người sai được vào (rủi ro bảo mật / security risk)
FRR = False Reject Rate — người đúng bị từ chối (rủi ro usability / user experience)
CER/EER = Crossover Error Rate — điểm giao FAR = FRR — đo độ chính xác tổng thể
Rule: Lower CER = More accurate system. A system with CER of 1% is more accurate than one with CER of 5%. The CER is the single number used to compare biometric systems.
Trade-off: Security vs Usability
High Security Priority
Lower FAR threshold → Accept more FRR (more rejections). Tighter security, more friction for users.
Example: Government facility access control
High Usability Priority
Lower FRR threshold → Accept more FAR (security risk). Smoother UX, but higher impersonation risk.
Example: Consumer banking app fingerprint login
Partner E scenario: Consumer card app — balance both FAR and FRR. Target CER < 1% for production deployment.
🧠 ISC2 Priority Chains & Mnemonics
Chain 1: ISC2 Decision Priority
Thứ tự ưu tiên khi ra quyết định / When answering CISSP questions, always think in this order
Risk / Business Impact
→
Policy / Governance
→
People / Process
→
Technology
R P P T
ISC2 always prioritizes risk and business impact first, then governance/policy, then people and process, and technology solutions last.
Chain 2: ISC2 Code of Ethics Canons (Priority Order)
Thứ tự ưu tiên trong Code of Ethics — Society đứng ĐẦU
1. Society & Public
→
2. Principals / Clients
→
3. Profession
→
4. Self
S P P S
Exam trap: When employer interests conflict with public safety, Society always wins. You must protect the public even if your employer says otherwise.
Chain 3: Incident Response Phases (NIST 800-61)
Các giai đoạn phản ứng sự cố / IR lifecycle in order
Preparation
→
Detection
→
Containment
→
Eradication
→
Recovery
→
Lessons Learned
PDCERL
Chain 4: Evidence Collection Order
Thứ tự thu thập bằng chứng: dễ mất nhất → bền nhất / Most volatile → Least volatile (RFC 3227)
CPU / Cache
→
RAM
→
Swap / Page File
→
Network State
→
Processes
→
Disk
→
Removable Media
→
Remote Logs
CRSNPDRL
Forensic rule: Always collect most volatile evidence first. CPU registers and cache are gone the moment power is cut. Remote logs are the safest and can be retrieved later.
Chain 5: BCP / DR Testing (Least → Most Disruptive)
Thứ tự kiểm tra BCP từ nhẹ đến nặng / Testing escalation ladder
Checklist Review
→
Tabletop Exercise
→
Simulation
→
Parallel Test
→
Full Interruption
CTSPF
| Test Type | Disruption | Production Systems | Notes |
|---|---|---|---|
| Checklist Review | None | No impact | Document review only |
| Tabletop Exercise | None | No impact | Discussion-based walkthrough |
| Simulation | Low | No impact | Realistic scenario practice |
| Parallel Test | Medium | Both run simultaneously | DR site activated, production stays up |
| Full Interruption | High | Production shut down | Most realistic — real failover test |
🔑 Cryptography Quick Reference
Key Operation Rules — Which Key for What?
| Operation | Key Used | Example |
|---|---|---|
| Encrypt data for recipient | Recipient's PUBLIC key | TLS: browser uses server's public key |
| Decrypt received data | YOUR PRIVATE key | Server decrypts session key with private key |
| Sign a message / document | YOUR PRIVATE key | JWT: server signs token with RSA private key |
| Verify a signature | Signer's PUBLIC key | Client verifies JWT with server's public key |
| HMAC (keyed hash) | SHARED SECRET key | Partner D B2B API: both sides hold same HMAC key |
EPIC
AES Modes Reference
| Mode | Security | Nonce / IV | FinTech Company X Usage |
|---|---|---|---|
| ECB | ❌ INSECURE Same input → same output. Patterns visible. |
None | Never use |
| CBC | ⚠️ Good Padding oracle risk if implemented wrong. |
IV required (random) | Legacy systems only |
| CTR | ✅ Good Stream cipher. Parallelizable. |
Nonce MUST be unique per key | Platform C PII field encryption |
| GCM | ✅✅ Best Authenticated encryption (AEAD). Integrity + confidentiality. |
Nonce required (96-bit recommended) | APIs, TLS 1.3, all new systems |
AES-CTR Nonce Reuse = CATASTROPHE: Two ciphertexts encrypted with the same nonce can be XOR'd together to recover the plaintext — effectively no encryption. Always use
Nonce lặp lại trong AES-CTR là thảm họa — hai ciphertext cùng nonce có thể bị XOR để lộ plaintext. Luôn dùng crypto/rand để tạo nonce.
crypto/rand for nonce generation. NEVER use counters or timestamps as nonces.
Nonce lặp lại trong AES-CTR là thảm họa — hai ciphertext cùng nonce có thể bị XOR để lộ plaintext. Luôn dùng crypto/rand để tạo nonce.
Hash Algorithm Status
| Algorithm | Output Size | Status | Approved Use |
|---|---|---|---|
| MD5 | 128-bit | ❌ BROKEN Collision attacks demonstrated 2004. |
Never for security. Checksums only. |
| SHA-1 | 160-bit | ❌ DEPRECATED Practical collision attack (2017). |
Never for new systems. |
| SHA-256 | 256-bit | ✅ Current standard | Digital signatures, HMAC, certificate integrity |
| SHA-3 | Variable (224–512) | ✅ Alternative standard | High-security applications, post-SHA-2 transition |
| bcrypt / Argon2 | Variable | ✅ Password hashing | ALWAYS use for passwords. Never SHA-256 raw for passwords. |
Key distinction: SHA-256 is for integrity (document hashing, signatures). bcrypt/Argon2 is for passwords — they are intentionally slow to resist brute-force. Using SHA-256 for passwords is a critical vulnerability.
🎯 Access Control Models Quick Reference
| Model | Who Controls Access | Flexibility | Typical Use | TS Example |
|---|---|---|---|---|
| DAC Discretionary |
Object owner decides | High | Linux files, shared drives, consumer apps | N/A — too flexible for fintech |
| MAC Mandatory |
System enforces labels | Low (most restrictive) | Government classified systems, military | N/A — too rigid for SaaS |
| RBAC Role-Based |
Admin assigns roles to users | Medium | Enterprise portals, SaaS admin modules | Platform C admin module — role-based permissions per lender |
| ABAC Attribute-Based |
Policy engine evaluates attributes | Very High | Fine-grained, context-aware, multi-tenant | Platform C per-lender scoped JWT validation (tenant + role + action) |
D M R A
Decision rule: Use RBAC when roles are stable and well-defined (e.g., Admin, Viewer, Approver). Use ABAC when context matters — time of day, location, tenant ID, data sensitivity level, or when the same user needs different permissions depending on the resource.
📐 Security Model Rules Quick Reference
| Model | Focus | Rule 1 | Rule 2 | Memory Trick |
|---|---|---|---|---|
| Bell-LaPadula | Confidentiality | No Read UP (NRU) Can't read higher-classified data |
No Write DOWN (NWD) Can't write to lower-classified |
"BLP: info flows UP" Simple Security + *-Property |
| Biba | Integrity | No Read DOWN (NRD) Can't read lower-integrity data |
No Write UP (NWU) Can't write to higher-integrity |
"Biba: trust flows DOWN" Opposite of BLP |
| Clark-Wilson | Integrity | Well-Formed Transactions (CDI + IVP) | Separation of Duties TP → UDI → CDI pipeline |
"Clark-Wilson = Commercial banking" Designed for business systems |
| Brewer-Nash | Conflicts of Interest | Cannot access competing clients in same conflict class | Dynamic SoD — access history determines future access | "Chinese Wall = Consulting firms" Investment banks, law firms |
Bell-LaPadula (BLP)
Protects confidentiality. Military classification. Read UP blocked, Write DOWN blocked. Information can only move UP the sensitivity ladder.
Biba Model
Protects integrity. Opposite direction rules. Read DOWN blocked (dirty input), Write UP blocked (contaminating clean data). Trust flows downward.
🔢 CISSP Exam Key Numbers to Memorize
| Number | What It Represents |
|---|---|
| 700 / 1000 | CISSP passing score (scaled scoring) |
| 125 – 175 | Number of exam questions (CAT adaptive format) |
| 180 min | Exam duration (3 hours) |
| 5 years | Required work experience (minimum, in 2+ domains) |
| 30 days | Minimum wait after 1st failed attempt before retake |
| 90 days | Minimum wait before 3rd and subsequent attempts |
| 9 months | Time limit to submit endorsement after passing |
| 15% | D1 Security & Risk Management exam weight (largest domain) |
| 10% | D2 Asset Security exam weight (smallest domain) |
| 72 hours | GDPR + Philippines DPA breach notification deadline to authority |
| 9.0 – 10.0 | CVSS Critical range → patch within 24–48 hours |
| 5 / hour | OTP rate limit best practice (FinTech Company X implementation example) |
| 3-2-1 | Backup rule: 3 copies, 2 different media types, 1 offsite location |
| EAL 4 | Most common commercial Common Criteria evaluation level |
| 128-bit | AES minimum key size (256-bit strongly preferred) |
| 2048-bit | RSA minimum key size for current security |
| 256-bit | ECC key equivalent in strength to RSA-3072 |
3-2-1 Backup Rule