Vocabulary flashcards covering the eight CISSP security domains and key cybersecurity principles based on the study deck.
Domain 1: Security and Risk Management
The domain that focuses on security posture, risk management, compliance, legal regulations, ethics, business continuity, and security policies.
Security Posture
An organization's ability to manage cybersecurity defenses and respond to changes and threats.
InfoSec (Information Security)
The processes used to protect information from unauthorized access, use, disclosure, disruption, modification, or destruction.
InfoSec Design Processes
Includes Incident Response, Vulnerability Management, Application Security, Cloud Security, and Infrastructure Security.
Domain 2: Asset Security
Managing and protecting organizational assets and data throughout their lifecycle, including storage, maintenance, retention, destruction, and backups.
Backups
Tools that allow organizations to restore data after a security incident, data loss, or system failure.
Domain 3: Security Architecture and Engineering
The practice of designing secure systems, tools, and processes to protect organizational assets and data.
Shared Responsibility
The principle that everyone involved in designing and maintaining systems shares responsibility for reducing security risks.
Security Design Principles
Key concepts including Least Privilege, Defense in Depth, Zero Trust, Fail Securely, Separation of Duties, Keep it Simple, Trust but Verify, and Threat Modeling.
Defense in Depth
Using multiple layers of security controls to protect systems and data.
Zero Trust
A security model that never automatically trusts users or devices and always verifies before granting access.
Domain 4: Communication and Network Security
Protecting networks and communications across on-site, remote, wireless, and cloud environments.
Network Security Controls
Mechanisms that help prevent unauthorized access and protect organizational networks from threats.
Domain 5: Identity and Access Management (IAM)
Processes that ensure users are authenticated, authorized, and granted appropriate access to resources.
Principle of Least Privilege
The rule that users should only receive the minimum level of access necessary to perform their job duties.
Least Privilege Example
A customer service representative being able to view a customer's phone number but being unable to access other unnecessary sensitive information.
Domain 6: Security Assessment and Testing
The process of identifying and reducing risks, vulnerabilities, and threats through testing and assessments.
Penetration Testing
Simulating attacks on systems to identify vulnerabilities before threat actors exploit them.
Security Audits
Reviews that evaluate security controls, permissions, and compliance to reduce breach risks.
Domain 7: Security Operations
Detecting, responding to, investigating, and preventing security incidents.
Security Operations Tools and Processes
Includes SIEM Tools, Log Management, Incident Response, Intrusion Detection, Playbooks, Forensics, and Reporting.
SIEM (Security Information and Event Management)
A tool that collects and analyzes security logs to detect threats.
Incident Response
The process of detecting, containing, investigating, and recovering from security incidents.
Domain 8: Software Development Security
Incorporating security into every phase of software development.
SDLC Security Integration
The necessity of building security into design, development, testing, and deployment rather than adding it at the end of the Software Development Life Cycle.
Application Security Testing
Testing software to identify and fix vulnerabilities before release.
CISSP 8 Domains Focus Summary
1: Risk & Compliance, 2: Assets & Data Lifecycle, 3: Secure System Design, 4: Network Protection, 5: Authentication & Authorization, 6: Audits & Pen Testing, 7: Incident Response & Monitoring, 8: Secure Coding & SDLC.