CIA Triad
Confidentiality, Integrity, Availability
Least Privilege
Users should only have the minimum access necessary to perform their duties.
Need to Know
Access to information is granted only if required to perform a specific task.
Separation of Duties
Splitting critical tasks among different people to prevent fraud or error.
Job Rotation
Reduces collusion risk and helps discover fraud.
Mandatory Vacation
To detect irregularities or fraud during employee absence.
Security Through Obscurity
Relying on secrecy as a defense; discouraged because it doesn't provide real security.
Due Care
Taking reasonable steps to protect assets.
Due Diligence
Ongoing process of identifying and managing risks.
Privacy
About data rights and usage.
Security
About protecting data from threats.
Types of Security Controls
Administrative, Physical, and Technical.
Preventive Controls
Controls that stop an incident from occurring.
Detective Controls
Controls that identify and report incidents.
Corrective Controls
Controls that fix issues after an incident.
Compensating Controls
Alternative measures when primary controls can't be used.
Deterrent Control
Discourages potential attackers.
Recovery Control
Restores systems to normal operation after an incident.
Authentication Factors
Something you know, have, are, do, or where you are.
Single Sign-On (SSO)
Authentication process allowing access to multiple systems with one login.
Multifactor Authentication
Using two or more authentication factors.
Biometric Authentication
Uses physical characteristics to verify identity.
Crossover Error Rate (CER)
The point where false acceptance rate equals false rejection rate.
Discretionary Access Control (DAC)
Owner determines access.
Mandatory Access Control (MAC)
Access determined by system classification.
Role-Based Access Control (RBAC)
Access based on job role.
Attribute-Based Access Control (ABAC)
Access based on user attributes.
Types of Security Policies
Organizational, issue-specific, and system-specific.
Acceptable Use Policy (AUP)
Defines how company assets can be used.
Clean Desk Policy
Requires secure handling and storage of sensitive information.
Security Standard
Mandatory implementation of policy.
Security Guideline
Recommended but optional practices.
Procedure
Step-by-step instructions to carry out tasks.
Audit Trail
A chronological record of system activities.
Review Access Logs
To identify unauthorized or unusual access.
Security Baseline
A predefined set of security settings.
Configuration Management
Tracking and controlling changes in software/hardware.
Tools Supporting Monitoring
SIEM, IDS/IPS, log analyzers.
Phases of Incident Response
Preparation, detection, containment, eradication, recovery, lessons learned.
Business Continuity
Ensuring key functions continue during disruption.
Disaster Recovery
Restoring IT operations after an outage.
Backup Strategies
Full, incremental, differential, and offsite backups.
Incident Escalation
Raising the priority level of an incident to the appropriate authority.
Security Awareness Training
Reduces risk by educating users.
Training Content
Phishing, password hygiene, physical security.
Role-Based Training
Training tailored to a user’s specific job role.
Measuring Training Effectiveness
Through tests, metrics, and audits.
Change Management
Structured process for handling system changes.
Rollback Plan
Strategy to undo changes if something goes wrong.
Document System Changes
Ensures accountability and tracking.
Change Request
Purpose, risk, impact, approval, and rollback procedures.
Regulations Affecting Security
HIPAA, GDPR, SOX.
Data Classification
Categorizing data based on sensitivity.
Principle of Retention
Data must be stored only as long as necessary.
Liability
Legal responsibility for actions or failures.
Copyright
Legal protection of intellectual property.
ISC² Code of Ethics
A set of professional principles guiding (ISC)² members in ethical conduct.
Organizational Codes of Ethics
Define expected behavior and integrity standards within a company.
Asset Management Lifecycle
Planning, acquisition/development, inventory, implementation, operation, archival, disposal.
DevSecOps
Integrating security practices early in software development.
Asset Inventory
To track hardware, software, and licenses, ensuring accountability.
Asset Disposal and Destruction Policies
To securely remove sensitive data and hardware.
Physical Security
Data center design, access badges, visitor management, surveillance.
Badging
Issuing identification badges to control personnel access.
Visitor Management
Processes to log, identify, and monitor visitors.
Personal Device Restrictions
To prevent unauthorized devices that could introduce vulnerabilities.
What is a Clean Desk Policy?
A security policy that requires employees to clear their desks of all sensitive or confidential information and securely store papers and devices when not in use, especially at the end of the workday or before leaving their workspace.
Why is a Clean Desk Policy important?
It reduces the risk of unauthorized access, data leaks, or theft by ensuring sensitive information isn’t left unattended or visible.
What is a Clear Screen Policy?
A policy requiring users to lock or log off their computers or devices when they step away from their workstation to prevent unauthorized access.