A complete set of vocabulary flashcards covering the CIA triad, risk management, security control categories, and governance elements from Domain 1.
CIA Triad
The three pillars of cybersecurity concepts consisting of Confidentiality, Integrity, and Availability.
Confidentiality
Ensures that sensitive information reaches only authorized people, systems, or processes, using techniques like access control, encryption, and passwords.
Integrity
Keeping information correct and unaltered, and protecting the data from any type of tampering; verified using techniques like checksums, digital signatures, MD5, or SHA.
Availability
Ensures that systems, data, and resources are accessible to authorized users whenever needed, minimizing downtime through backups, redundancy, and Uninterruptible Power Supplies.
Non-repudiation
Ensures that a person or system cannot deny actions they performed by using digital evidence like digital signatures and logs.
Accountability
Builds trust by holding parties responsible for their actions through biometric access, payment confirmation, blockchain transactions, and audit logs.
AAA
A framework for security consisting of Authentication, Authorization, and Accounting.
Authentication
Verifies the user, device, or system based on what you know, what you have, what you are, or where you are.
Authorization
The process of determining and granting a user’s permission to access specific resources, typically occurring after authentication.
Accounting
Also known as auditing, it refers to tracking and recording users' activities, such as access to resources, actions, or system usage.
Privacy
The protection of personal information and adherence to laws and policies governing its collection, storage, and use.
Data Subject
The individual whose personal information is being collected or processed.
Controller
The entity that determines the purpose and means of processing personal data.
Processor
The entity that processes data on behalf of the controller, such as a cloud service provider.
Data Inventory
A comprehensive list of all data assets, including their location and type.
Retention
Policies defining how long data is kept and when it is deleted, such as keeping tax records for seven years.
Right to be Forgotten
The right for individuals to request the deletion of their personal data when it is no longer necessary or legally required to retain.
Risk Identification
The process of identifying potential risks through stakeholder input, reviewing past incidents, and evaluating external threats to create a risk register.
Risk Assessment
The process of evaluating identified risks to understand their likelihood and impact for prioritization.
Qualitative Risk Analysis
A subjective approach to assessing risks based on expert judgment and descriptive categories like low, medium, or high, without numerical data.
Quantitative Risk Analysis
A data-driven approach that assigns numerical values to risks using formulas like SLE, ALE, and ARO.
Exposure Factor (EF)
The percentage of an asset’s value that is lost due to a specific risk event (e.g., 70% facility damage equals an EF of 0.70).
Single-Loss Expectancy (SLE)
The expected financial loss from a single risk event, calculated as SLE = Asset Value (AV) × Exposure Factor (EF).
Annualized Rate of Occurrence (ARO)
The estimated number of times a specific risk is expected to occur in a year (e.g., once every 5 years equals an ARO of 0.2).
Annualized Loss Expectancy (ALE)
The projected annual financial loss from a specific risk, calculated as ALE = SLE × Annualized Rate of Occurrence (ARO).
Probability
The likelihood that a specific threat will occur, expressed as a percentage or decimal value like 30% or 0.3.
Likelihood
The perceived chance of a risk occurring, often described in qualitative terms such as likely or unlikely.
Impact
The magnitude of the effect caused by a risk event, including financial, reputational, and operational damages.
Risk Tolerance
The acceptable level of variation in outcomes that an organization is willing to withstand during day-to-day operations.
Risk Appetite
The overall level of risk an organization is willing to take to achieve its strategic goals.
Transfer (Risk Strategy)
Shifting the risk to a third party, such as purchasing insurance or outsourcing.
Accept (Risk Strategy)
Choosing to acknowledge and bear the risk without taking specific action, often used for low-impact or negligible risks.
Technical Controls
Hardware or software mechanisms used to manage access, including encryption, smart cards, firewalls, and IDS/IPS.
Managerial Controls
Administrative controls defined by security policies, such as hiring practices, background checks, and assessments.
Operational Controls
Day-to-day security operations primarily executed by people, including awareness training and backup procedures.
Physical Controls
Security mechanisms focused on protecting facilities and real-world objects, such as fences, guards, and motion detectors.
Deterrent Control
Controls deployed to discourage violation of security policies.
Preventive Control
Controls deployed to prevent or stop unwanted or unauthorized activity from occurring.
Detective Control
Controls deployed to discover or detect unwanted or unauthorized activity.
Compensating Control
Controls that provide options to aid in enforcement when other existing controls are insufficient.
Corrective Control
Measures taken to fix vulnerabilities or mitigate damage after a security incident has occurred.
Directive Control
Proactive measures designed to guide behavior and enforce compliance with security policies.
Policies
High-level, mandatory statements outlining an organization's security objectives (representing the 'Why').
Standards
Detailed, mandatory rules specifying uniform methods and technical specifications to enforce policies (representing the 'What').
Procedures
Step-by-step instructions for carrying out specific tasks to comply with standards and policies (representing the 'How').
Differential Privacy
A method that injects calculated mathematical 'noise' into data sets to ensure that the outcome of a data query remains statistically identical whether an individual's data is included or not.
k-Anonymity
A structural property indicating that an individual's quasi-identifiers are indistinguishable from at least k-1 other individuals in the dataset, enhancing anonymity.
l-Diversity
An extension of k-anonymity that ensures sensitive attributes within groups are varied, making it difficult to infer an individual's traits.
Homomorphic Encryption
A cryptographic method allowing data to be processed and analyzed while it remains encrypted, providing security and confidentiality.
Data Minimization
A principle ensuring that only necessary data is collected for a specific purpose, preventing the gathering of non-essential information.
Pseudonymization
A data handling technique that replaces direct identifiers with randomly generated tokens to protect an individual's identity.
Automated Data Retention & Deletion
Processes for securely erasing personally identifiable information (PII) when it is no longer needed, often tied to predefined retention policies.
Purpose Siloing
Data access restrictions based on the specific reason for data collection, ensuring that data cannot be misused for other purposes.
Privacy Impact Assessment (PIA)
An evaluation process identifying what PII is collected, the reasons for it, and the risks associated with that data collection.
Data Subject Access Rights (DSAR)
Legal entitlements that give individuals the ability to request access to their personal data held by organizations.
NIST Privacy Framework
A flexible, risk-based framework designed to help organizations manage privacy risk with five core functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P.
ISO/IEC 27701
An international standard that establishes a Privacy Information Management System (PIMS), outlining controls for both Data Controllers and Data Processors.
Risk Treatment Strategies
Methods for handling assessed risks, including avoidance, transfer, mitigation, and acceptance of risks.
Inherent Risk
The baseline risk that exists before any controls or safeguards are implemented.
Residual Risk
The remaining risk after controls have been applied, reflecting the effectiveness of risk management efforts.
Risk Register
A visual tool used to track risks, including their likelihood, impact, and planned responses, often utilized in risk management to prioritize and manage risks effectively.
Integrity in Data Management
The assurance that data is accurate, consistent, and unaltered, crucial for maintaining trust in information systems.
Cryptography
The practice and study of techniques for securing communication and information through encoding, ensuring data integrity and confidentiality.
Blockchain Immutability
The property of blockchain technology that ensures once data is recorded, it cannot be modified or deleted, thereby guaranteeing data integrity and trust.
Access Control
A security technique that regulates who or what can view or use resources in a computing environment, typically implemented through authentication and authorization methods.
Role-Based Access Control (RBAC)
An access control method where permissions are assigned to specific roles rather than individual users, making user management easier and more secure.
Attribute-Based Access Control (ABAC)
An access control method that grants access based on user attributes, resource attributes, and current environmental conditions, providing a more flexible permission mechanism.
Single Sign-On (SSO)
An authentication process that allows a user to access multiple applications with one set of login credentials, enhancing user convenience and security.
Least Privilege Principle
A security principle that grants users the minimum levels of access – or permissions – needed to perform their job functions, reducing security risks.
Access Review
A periodic process where organizations assess user access rights to ensure they align with current job roles and responsibilities, which helps prevent unauthorized access.
Privileged Access Management (PAM)
A system used to control and monitor access to critical systems and sensitive data, focusing on minimizing risks associated with higher-level privileges.
Audit Trail
A chronological record that tracks user activities and system changes over time, providing evidence for compliance and security investigations.
Guidelines
Recommendations and best practices to guide actions. Optional and flexible, not enforceable like standards or policies.
Acceptable Use Policy (AUP)
Defines acceptable and prohibited uses of organizational resources like networks, devices, and internet access.
Information Security Policies
Broad policies that outline how the organization protects its data and information systems from threats.
Business Continuity Policy
Ensures critical operations can continue during and after a disruption.
Disaster Recovery Policy
Specifies how the organization will recover IT systems and data after a disaster.
Incident Response Policy
Establishes processes for identifying, managing, and mitigating security incidents.
Software Development Lifecycle (SDLC) Policy
Outlines security measures and standards during the development, testing, and deployment of software.
Change Management Policy
Defines how changes to systems, applications, and configurations are requested, evaluated, approved, and implemented.