Tier 3a — Security Principles (Revised)

Last updated 9:58 PM on 5/24/26
56 Terms

1. Threat: An external force that jeopardizes security

2. Threat vector: The method an attacker uses to reach the target

3. Threat actor: The person or group behind the threat

4. Vulnerability: A weakness in a system or control that an attacker could exploit

5. Risk: A threat combined with a corresponding vulnerability

6. Threat + Vulnerability: Risk equation

7. Likelihood: The probability that a risk will actually occur

8. Impact: The amount of damage if a risk materializes

9. Confidentiality: Keep data private and secret — only authorized parties can see it

10. Integrity: Data is accurate, consistent, and unaltered by unauthorized parties

11. Availability: Systems and applications work when users need them — uptime

12. Confidentiality example: Encryption, clean desk policy, screen locks

13. Integrity example: Hashing, digital signatures, file integrity monitoring

14. Availability example: Backups, redundancy, DDoS protection, fault tolerance

15. Risk avoidance: Change business practices to make the risk irrelevant

16. Risk transference: Move the risk to another organization (e.g., insurance) — can't transfer 100%

17. Risk mitigation: Reduce the likelihood or impact of the risk

18. Risk acceptance: Acknowledge the risk and continue operations anyway

19. Inherent risk: Original level of risk before any controls are applied

20. Residual risk: Risk that remains after controls are applied

21. Control risk: New risk introduced BY the controls themselves

22. Risk tolerance: The level of risk the organization is willing to accept

23. Qualitative risk analysis: Subjective judgment grouped into categories (high/medium/low)

24. Quantitative risk analysis: Numeric ratings, often in dollars, for likelihood and impact

25. Configuration management: Tracks how devices are set up — both OS and installed software inventory

26. Baseline: A configuration snapshot at a given point in time

27. Baselining: The practice of establishing a known-good configuration as a reference point

28. Versioning: Assigning numbers to track configuration changes over time

29. Version control: The practice of tracking revisions to files or code over time

30. Configuration diagrams: Documents that show how systems are set up

31. Change management: Controls how changes happen to minimize risk

32. ISC2 Canon 1: Protect society, the common good, public trust, and the infrastructure

33. ISC2 Canon 2: Act honorably, honestly, justly, responsibly, and legally

34. ISC2 Canon 3: Provide diligent and competent service to principals

35. ISC2 Canon 4: Advance and protect the profession

36. Policy: Bedrock document of security expectations approved at the highest levels — MANDATORY

37. Standard: Specific details of required security controls — MANDATORY

38. Procedure: Step-by-step instructions employees follow to perform tasks — may or may not be mandatory

39. Guideline: Advice from security professionals to the rest of the organization — OPTIONAL

40. AUP (Acceptable Use Policy): Defines authorized uses of company technology and penalties for violation

41. BYOD (Bring Your Own Device): Policy covering use of personal devices with company information

42. Something you know: Authentication factor — password, PIN, security question answer

43. Something you have: Authentication factor — token, debit card, authenticator app

44. Something you are: Authentication factor — biometric (fingerprint, iris, palm, face)

45. MFA (Multi-Factor Authentication): Combines authentication from TWO DIFFERENT factor categories (e.g., password + token)

46. SSO (Single Sign-On): Shares an authenticated session across multiple systems so users don't re-authenticate — about UX, not auth strength

47. Non-repudiation: Prevents someone from falsely denying an action — provided by digital signatures

48. PII (Personally Identifiable Information): Data that can be tied back to a specific person — governed by privacy laws like GDPR

49. PHI (Protected Health Information): Medical records (paper and electronic) — governed by HIPAA

50. PCI DSS (Payment Card Industry Data Security Standard): Regulation covering credit/debit card data handling

51. Preventive control: Stops a security issue from happening (firewall, MFA, fence)

52. Detective control: Identifies security issues that have occurred (IDS, CCTV, log review)

53. Corrective control: Remediates issues after they happen (patching, restoring from backup)

54. Technical control: Uses technology to achieve the control objective — also called logical control

55. Administrative control: Uses processes and policies (training, AUP, background checks)

56. Physical control: Impacts the physical world (locks, fences, guards, bollards)