Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.7. Reflection Checkpoint

Key Takeaways

  • Ethics hierarchy: Society (Canon 1) > Principals/employers (Canon 3) — when they conflict, society wins through orderly escalation.
  • Governance creates accountability: data owners are business managers, not IT; risk acceptance requires explicit management sign-off; due diligence (understanding the risk) precedes, due care (acting on it) follows.
  • Risk analysis: ALE = SLE × ARO; a safeguard is justified when (ALE_before − ALE_after) > annual cost of control. Quantitative and qualitative methods are complementary, not competing.
  • The four risk responses are avoid, mitigate, transfer, and accept — "ignore" and "reject" are not valid responses.
  • Personnel security peaks at termination: access revocation must happen simultaneously with or before employee notification.
  • BIA produces MTD, RTO, RPO — in that order of derivation. MTD must be greater than RTO for the recovery plan to be viable.
  • Awareness programs measure behavior change, not course completion.

Connecting Forward

Phase 3 applies Domain 1 thinking to the specific objects of protection: data and assets. The classification decisions made under governance policy (2.1) determine the handling and protection requirements you'll study in Domain 2. The data lifecycle management and destruction methods in Phase 3 directly feed the evidence handling concepts you'll use in Domains 6 and 7.

Self-Check Questions

  • A company's CISO tells you that they "accept the risk" of running unpatched legacy systems. What documentation and process would you look for to confirm this is genuine risk acceptance rather than unmanaged risk ignorance?
  • An employee falls for a phishing simulation and receives immediate remedial training. Six months later, they fall for another simulation on a different topic. What does this pattern suggest about the awareness program design, and what would you change?
Written by Alvin Varughese (Founder, 15 professional certifications)