Flashcards cover key concepts across security principles, risk, privacy, governance, BCP/DR, incident response, physical and logical access, networking, threats, cloud, encryption, data handling, logging, configuration management, policy, and awareness.
Confidentiality
The protection of sensitive information from unauthorized access or disclosure.
Integrity
Assurance that data and systems are accurate, complete, and unaltered without authorization.
Availability
Guarantee that authorized users have timely and reliable access to information and resources.
CIA Triad
Foundational security model consisting of Confidentiality, Integrity, and Availability.
Non-Repudiation
Capability that prevents a party from denying the authenticity of their actions or communications.
Identification (Access Control)
Process where a user claims an identity, such as by entering a username.
Authentication
Process of proving an asserted identity (e.g., password, fingerprint, smart card).
Authorization
Granting approved privileges to an authenticated subject for specific resources.
Accounting (Access Control)
Recording and reviewing user activities for auditability and accountability.
Multi-Factor Authentication (MFA)
Authentication that requires two or more different factor types (something you know/have/are).
Password Management
Policies and tools that control password length, complexity, history, reuse, and resets.
Personally Identifiable Information (PII)
Data that can uniquely identify an individual, such as name or Social Security number.
Protected Health Information (PHI)
Individually identifiable health data safeguarded under healthcare laws (e.g., HIPAA).
Privacy Obligations
Legal and ethical duties to protect personal data during collection, use, storage, and disposal.
Privacy Management Framework (PMF)
Nine-principle model covering management, notice, collection, use, access, disclosure, security, data quality, and monitoring.
Risk
Potential for loss or harm when a threat exploits a vulnerability.
Risk Assessment
Process of analyzing and prioritizing risks by likelihood and impact.
Qualitative Risk Assessment
Risk evaluation using descriptive scales (e.g., high/medium/low).
Quantitative Risk Assessment
Risk evaluation using numeric values such as probability percentages and monetary impact.
Risk Avoidance
Eliminating activities or assets that create risk.
Risk Transfer
Shifting risk to a third party, such as via insurance or outsourcing.
Risk Mitigation
Implementing controls to reduce risk likelihood or impact.
Risk Acceptance
Consciously deciding to tolerate a residual risk without further action.
Inherent Risk
Level of risk before any controls are applied.
Residual Risk
Remaining risk after controls have been implemented.
Control Risk
Risk introduced by poorly designed or implemented safeguards.
Preventive Control
Measure that stops security incidents from occurring (e.g., firewall).
Detective Control
Measure that identifies or alerts on incidents after they begin (e.g., IDS).
Recovery Control
Measure that restores systems and data after an incident (e.g., backups).
Technical Control
Security safeguard implemented through technology or hardware.
Administrative Control
Security safeguard implemented through policies, procedures, or training.
Physical Control
Security safeguard that restricts physical access or protects the environment.
Defense-in-Depth
Layered deployment of multiple, diverse security controls for redundancy.
ISC² Code of Ethics
Four canons: protect society, act honorably, serve diligently, and advance the profession.
Ethics Reporting Requirements
Obligation for members to report known Code of Ethics violations.
Ethics Complaints Process
Formal notarized submission reviewed by the ISC² Ethics Committee; can revoke certification.
Security Policy
High-level statement that defines what must be done to protect assets.
Standard (Security Governance)
Mandatory detailed requirement specifying how to meet policy objectives.
Guideline
Recommended best-practice advice that is optional to follow.
Procedure
Step-by-step instructions that detail exactly how to perform a task.
Regulatory Compliance
Conformance with external laws, regulations, and industry standards (e.g., GDPR, PCI DSS).
Business Continuity Planning (BCP)
Preparations to keep critical business functions running during adverse events.
Business Impact Analysis (BIA)
Process that identifies critical systems, dependencies, and recovery priorities.
Single Point of Failure (SPOF)
Component whose failure would stop an entire system or process.
High Availability (HA)
Design approach that uses redundancy to minimize downtime.
Fault Tolerance (FT)
Capability of a system to continue operating correctly even if a component fails.
Redundancy Through Diversity
Using varied vendors or technologies to avoid common-mode failures.
Disaster Recovery (DR)
Focused activities to restore IT operations after a disruptive incident.
Recovery Time Objective (RTO)
Maximum acceptable time to restore a service after disruption.
Recovery Point Objective (RPO)
Maximum acceptable amount of data loss measured in time.
Recovery Service Level (RSL)
Minimum acceptable level of service during a disruption.
Full Backup
Copy of all selected data every time the backup runs.
Differential Backup
Copy of data changed since the last full backup.
Incremental Backup
Copy of data changed since the most recent backup of any type.
Snapshot Backup
Point-in-time image of a system or volume for quick restoration.
Tape Backup
Low-cost, high-capacity but slower removable media for backups.
Disk Backup
Moderate-cost, faster disk-based storage for backups and restores.
Cloud Backup
Scalable off-site backup stored in a cloud service provider’s infrastructure.
Hot Site
Fully equipped, continuously ready alternate facility for immediate failover.
Warm Site
Alternate facility with hardware installed but not fully configured or live.
Cold Site
Basic shell facility requiring equipment and data before use.
Offsite Storage
Remote location used solely to hold backup media or archives.
Initial Response Phase
First DR stage focused on containment and alternate-site activation.
Assessment Phase (DR)
Phase where damage is evaluated and recovery planning is finalized.
Read-through Test
DR test where participants review the plan individually for accuracy.
Walk-through Test
Tabletop group discussion to validate DR roles and procedures.
Simulation Test
Scenario-based exercise that enacts a disaster without affecting production.
Parallel Test
DR systems are run alongside production to verify readiness without shutdown.
Full Interruption Test
Most thorough DR test; production is shut down to validate full recovery.
Incident Response Plan (IRP)
Documented strategy for preparing and responding to security incidents.
NIST IR Lifecycle
Four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity.
Incident Response Team (IRT)
Cross-functional group responsible for executing the IR plan.
Containment Strategy
Actions that isolate affected assets to limit incident spread while preserving evidence.
Threat Intelligence
Information about adversaries, methods, and indicators used to enhance defense and response.
Physical Access Control
Mechanisms (guards, locks, badges) that regulate entry to facilities and secure areas.
Crime Prevention Through Environmental Design (CPTED)
Design philosophy that reduces crime by influencing offender decisions via the built environment.
Natural Surveillance
CPTED principle that increases visibility to deter illicit activity.
Natural Access Control
CPTED principle that guides people toward controlled entry points.
Territorial Reinforcement
CPTED principle that clearly defines ownership and boundaries to discourage intruders.
Two-Person Integrity
Requirement that two individuals be present to access a sensitive area or asset.
Two-Person Control
Requirement that two individuals jointly execute a critical action to prevent abuse.
Least Privilege
Limiting user access rights to only what is necessary to perform job duties.
Segregation of Duties
Division of tasks among different roles to prevent fraud or error.
Mandatory Access Control (MAC)
System-enforced access model using security labels and clearances; users cannot change permissions.
Discretionary Access Control (DAC)
Access model where resource owners decide who can access their objects.
Role-Based Access Control (RBAC)
Access model that assigns permissions based on organizational roles.
User Account
Individual identity used for daily, non-privileged activities.
Administrator Account
Elevated account with broad system privileges, used sparingly under strong controls.
Service Account
Non-interactive account used by applications or services, not by humans.
Local Area Network (LAN)
Local Area Network that connects devices within a limited geographic area.
Wide Area Network (WAN)
Network that connects multiple LANs over large geographic distances.
Personal Area Network (PAN)
Short-range network for personal devices, often using Bluetooth.
Near Field Communication (NFC)
Very short-range wireless communication used for contactless payments and pairing.
Transmission Control Protocol (TCP)
Connection-oriented transport protocol ensuring reliable, ordered data delivery.
User Datagram Protocol (UDP)
Connectionless transport protocol that offers fast, best-effort delivery without guarantees.
Internet Control Message Protocol (ICMP)
Network protocol used for diagnostic messages like ping and traceroute.
OSI Model
Seven-layer conceptual framework for network communication from Physical to Application.
IPv4
32-bit dotted-decimal IP addressing scheme (e.g., 192.168.1.1).
IPv6
128-bit hexadecimal IP addressing scheme designed to replace IPv4.
DHCP
Protocol that automatically assigns IP configuration to network hosts.