What are the three core principles of the CIA triad?
Confidentiality, Integrity, Availability
What is Confidentiality?
Ensuring data is only accessible to authorized users
What are common threats to Confidentiality?
Cryptanalysis, Social engineering, Keyloggers, IoT backdoors
What are solutions for protecting Confidentiality?
Encryption, MFA, access control, least privilege, need-to-know
What encryption is commonly used for data at rest?
AES-256
What protocols protect data in motion?
TLS (the successor to SSL, which is deprecated and should not be enabled), IPsec
What is data in use protection?
Protecting data while it is being processed or displayed: clean desk, privacy screen filters, locking PCs, preventing shoulder surfing
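Data-at-rest encryption with AES-256, as an added example that is not part of the original card set. It uses Go's standard library only; the record, the key bytes and the associated data (`aad`, the file name bound to the ciphertext) are constructed inputs. It uses GCM mode, so the same call also gives tamper detection: a modified ciphertext, wrong key or wrong associated data fails to decrypt instead of returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM. key must be exactly 32 bytes
// (AES-256). aad is authenticated but not encrypted, so it can bind the
// ciphertext to its context (file name, record ID). The returned blob is
// nonce || ciphertext || tag so it can be stored as one unit.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per message; GCM is broken if a
	// nonce is ever reused under the same key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the blob, the
// key or the aad makes Open return an error (authentication failure).
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:ns], blob[ns:]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed key: in practice this comes from a KMS/HSM, not a literal.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("constructed customer record")
	aad := []byte("file=records.db")

	blob, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(key, blob, aad)
	fmt.Printf("round trip: %q err=%v\n", plain, err)

	// Flip one ciphertext byte: decryption must fail, not return altered data.
	bad := append([]byte{}, blob...)
	bad[len(bad)-1] ^= 1
	_, err = Decrypt(key, bad, aad)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The key length check matters in practice: `aes.NewCipher` also accepts 16- and 24-byte keys, so a caller can silently end up with AES-128 when the policy says AES-256 unless the length is enforced.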
What is Integrity?
Ensuring data has not been altered
What are threats to Integrity?
Data alteration, code injection, cryptanalysis
What are solutions for Integrity?
Hashing, checksums, digital signatures, access control
What hashing algorithms are commonly used?
MD5, SHA-1, SHA-2 (MD5 and SHA-1 are broken against collision attacks and should only appear in legacy or non-security contexts; use SHA-2 or SHA-3 for new designs)
What does a digital signature provide?
Integrity and non-repudiation
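The three integrity mechanisms on the cards above, side by side, as an added example that is not part of the original card set. It uses only Go's standard library; the message, the shared HMAC key and the Ed25519 key pair are constructed for the demonstration. The point it makes beyond the cards: an unkeyed hash only catches accidental change (an attacker who can rewrite the stored hash just recomputes it), an HMAC catches tampering by anyone without the key, and a digital signature additionally gives non-repudiation because only the private-key holder could have produced it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the hex-encoded SHA-256 digest of data (unkeyed hash).
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// CheckHash compares data against a stored reference digest. This detects
// accidental corruption, but not an attacker who can modify both the data
// and the stored digest: they simply recompute it.
func CheckHash(data []byte, storedHex string) bool {
	return Sha256Hex(data) == storedHex
}

// HMACTag computes HMAC-SHA256 over data with a shared secret key.
func HMACTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyHMAC recomputes the tag and compares in constant time. Anyone
// holding the key can produce a valid tag, so HMAC proves integrity but
// cannot prove which key holder sent the data (no non-repudiation).
func VerifyHMAC(key, data, tag []byte) bool {
	return hmac.Equal(HMACTag(key, data), tag)
}

// Signer holds an Ed25519 key pair. Only the private-key holder can sign,
// and anyone with the public key can verify: integrity plus non-repudiation.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.private, msg)
}

func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	msg := []byte("pay 100 to alice") // constructed sample record
	tampered := []byte("pay 900 to alice")

	stored := Sha256Hex(msg)
	fmt.Println("hash detects edit:", !CheckHash(tampered, stored))
	// An attacker who controls the stored hash defeats the check entirely.
	fmt.Println("hash after attacker re-hashes:", CheckHash(tampered, Sha256Hex(tampered)))

	key := []byte("constructed shared secret")
	tag := HMACTag(key, msg)
	fmt.Println("hmac rejects edit:", !VerifyHMAC(key, tampered, tag))

	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := s.Sign(msg)
	fmt.Println("signature verifies:", VerifySignature(s.Public, msg, sig))
	fmt.Println("signature rejects edit:", !VerifySignature(s.Public, tampered, sig))
}
```

Note the constant-time compare in `VerifyHMAC`: comparing tags with `==` on byte slices leaks timing information that lets an attacker forge a tag byte by byte.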
What is Availability?
Ensuring data is accessible when needed
What are threats to Availability?
DDoS, hardware failure, application errors
What are solutions for Availability?
Redundancy, RAID, patching, IDS/IPS, SLAs
What does IAAA stand for?
Identification, Authentication, Authorization, Accountability
What is Identification?
Claiming an identity (username, ID)
What is Authentication?
Verifying identity
What are the three authentication factors?
Something you know, have, are
What is Authorization?
Determining access permissions
What is Accountability?
Tracking actions to a user (auditing)
What are common access control models?
DAC, MAC, RBAC, ABAC, RuBAC
What is PCI-DSS used for?
Protecting credit card data
What is OCTAVE?
Risk management framework (self-directed)
What is COBIT?
IT governance framework aligning IT with business goals
What is ITIL?
IT service management framework
What is FRAP?
Risk analysis for a specific system via brainstorming
What is ISO 27001?
ISMS implementation standard
What is ISO 27002?
Guidance for security controls
What is ISO 27004?
Metrics for ISMS performance
What is ISO 27005?
Risk management standard
What is ISO 27799?
Protecting PHI
What is Criminal Law?
Law where society is the victim
What is Civil Law?
Law involving individuals or organizations as victims
What is Administrative Law?
Laws created by government agencies
What is Due Diligence?
Researching and identifying risks
What is Due Care?
Acting as a reasonable person would
Who is ultimately liable in security incidents?
Senior leadership
What is Real Evidence?
Physical evidence (USB, hard drive)
What is Direct Evidence?
Firsthand witness testimony
What is Circumstantial Evidence?
Indirect evidence supporting a conclusion
What is Corroborative Evidence?
Supports other evidence
What is Hearsay?
Secondhand information; generally inadmissible, though exceptions exist (e.g., business records such as routinely kept system logs)
What is the Best Evidence Rule?
Use the most accurate/original evidence
What is Secondary Evidence?
Copies/logs when originals unavailable
What ensures evidence integrity?
Hashing the original before and after imaging, then working only from a verified forensic copy, never the original
What is Chain of Custody?
Tracking evidence handling
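The two cards above (evidence integrity and chain of custody) as one worked example, added here and not part of the original card set. It uses only Go's standard library; the "disk image" bytes, custodian names, item ID and timestamps are constructed. The acquisition hash is the reference: every later handler re-hashes the copy they received, and a copy whose hash no longer matches is refused rather than appended to the chain.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// EvidenceHash returns the hex SHA-256 digest of an evidence image.
func EvidenceHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// CustodyEntry is one link in the chain: who handled the evidence, when,
// what they did, and the hash they observed at that moment.
type CustodyEntry struct {
	When      time.Time
	Custodian string
	Action    string
	Hash      string
}

// Chain tracks one item of evidence from acquisition onward.
type Chain struct {
	ItemID          string
	AcquisitionHash string
	Entries         []CustodyEntry
}

// Acquire starts the chain. The hash taken at acquisition is the reference
// every later custodian must reproduce.
func Acquire(itemID, custodian string, image []byte, when time.Time) *Chain {
	h := EvidenceHash(image)
	return &Chain{
		ItemID:          itemID,
		AcquisitionHash: h,
		Entries: []CustodyEntry{
			{When: when, Custodian: custodian, Action: "acquired", Hash: h},
		},
	}
}

// Transfer re-hashes the image the new custodian received and refuses to
// extend the chain if it no longer matches the acquisition hash.
func (c *Chain) Transfer(custodian, action string, image []byte, when time.Time) error {
	h := EvidenceHash(image)
	if h != c.AcquisitionHash {
		return fmt.Errorf("%s: hash mismatch for %s (got %s..., want %s...): evidence altered or wrong copy",
			custodian, c.ItemID, h[:12], c.AcquisitionHash[:12])
	}
	c.Entries = append(c.Entries, CustodyEntry{When: when, Custodian: custodian, Action: action, Hash: h})
	return nil
}

// Verify checks the recorded chain is internally consistent: every entry
// records the acquisition hash and timestamps never go backwards.
func (c *Chain) Verify() error {
	for i, e := range c.Entries {
		if e.Hash != c.AcquisitionHash {
			return fmt.Errorf("entry %d (%s) records a different hash", i, e.Custodian)
		}
		if i > 0 && e.When.Before(c.Entries[i-1].When) {
			return errors.New("custody entries are out of chronological order")
		}
	}
	return nil
}

func main() {
	image := []byte("constructed stand-in for a disk image")
	t0 := time.Date(2024, 1, 10, 9, 0, 0, 0, time.UTC)

	c := Acquire("USB-001", "analyst A", image, t0)
	fmt.Println("store in locker:", c.Transfer("evidence locker", "stored", image, t0.Add(time.Hour)))

	// A copy with a single flipped byte must be refused.
	altered := append([]byte{}, image...)
	altered[0] ^= 1
	fmt.Println("examine altered copy:", c.Transfer("analyst B", "examined", altered, t0.Add(2*time.Hour)))

	fmt.Println("chain verifies:", c.Verify())
	for _, e := range c.Entries {
		fmt.Printf("%s  %-16s %-9s %s...\n", e.When.Format(time.RFC3339), e.Custodian, e.Action, e.Hash[:12])
	}
}
```

In a real case the same hash is recorded on the paper or ticketing custody form, and many labs record two digests (commonly MD5 and SHA-256) so that a collision in one does not undermine the record.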
What is Entrapment?
Law enforcement inducing someone to commit a crime they were not already predisposed to commit (illegal; a valid defense)
What is Enticement?
Providing an opportunity (e.g., a honeypot) to someone already intending to commit a crime (legal)
How long does copyright last?
Author's life + 70 years (95 years from publication for corporate works for hire, US)
How long do trademarks last?
10 years, renewable indefinitely
How long do patents last?
20 years from the filing date
What is HIPAA?
Protects health information (PHI)
What is GDPR?
EU privacy law with strict data protections
What is the Patriot Act?
Expands government surveillance powers
What is CFAA?
Computer crime law
What is GLBA?
Protects financial data
What is SOX?
Financial reporting regulation
What is SLA?
Agreement defining service expectations (e.g., uptime)
What is a Strategic Plan?
3–5 year long-term plan
What is a Tactical Plan?
1-year management plan
What is an Operational Plan?
Detailed day-to-day plan
What are Policies?
High-level mandatory rules
What are Standards?
Mandatory technical specifics
What are Guidelines?
Optional recommendations
What are Procedures?
Step-by-step instructions
What are Baselines?
Minimum security standards
What are Administrative Controls?
Policies, procedures, training
What are Technical Controls?
Hardware/software controls
What are Physical Controls?
Locks, guards, fences
What are Preventive Controls?
Stop incidents (firewalls, least privilege)
What are Detective Controls?
Detect incidents (IDS, CCTV)
What are Corrective Controls?
Fix incidents (patches, AV)
What are Recovery Controls?
Restore systems (backups, DR)
What are Compensating Controls?
Alternative controls when others aren’t feasible
What is Risk?
Threat × Vulnerability (conceptual: the likelihood that a threat exploits a weakness)
What is Total Risk?
Threat × Vulnerability × Asset Value
What is Residual Risk?
Risk remaining after countermeasures are applied (Total Risk – Countermeasures)
What is a Threat?
Potential harmful event
What is a Vulnerability?
Weakness that can be exploited
What is Quantitative Risk Analysis?
Risk measured in monetary terms
What is Qualitative Risk Analysis?
Risk based on likelihood and impact
What are risk responses?
Mitigation, Transfer, Accept, Avoid
What is NEVER an acceptable risk response?
Rejection (ignoring or denying the risk)
What is a Risk Register?
List of identified risks
What is SLE?
Single Loss Expectancy (AV × Exposure Factor)
What is KPI?
Measures performance toward goals
What is KGI?
Measures if goals were achieved
What is KRI?
Measures risk exposure
What is GRC?
Governance, Risk Management, Compliance
What is Governance?
Aligning IT with business goals
What is Risk Management?
Identifying, assessing, and mitigating risk
What is Compliance?
Meeting laws and regulations
What is NIST 800-53?
Security control framework
What is NIST 800-37?
RMF framework
What are the 7 RMF steps?
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
What is Business Continuity Planning?
Ensuring operations continue after disruption
What is Business Impact Analysis?
Identifies critical systems and the impact of their loss over time
What is RPO?
Maximum tolerable data loss, measured as a time window (e.g., the last 4 hours of data)
What is RTO?
Maximum tolerable time to restore a system after disruption