ISC2 CC Certified in Cybersecurity
Adequate Security
Security in proportion to risk/impact
Artificial Intelligence
The ability of computers and robots to simulate human intelligence and behavior.
Bot
Malicious code that acts like a remotely controlled "robot" for an attacker, with other Trojan and worm capabilities.
Administrative Controls
Controls implemented through policy and procedures.
Often in conjunction with physical and/or technical controls.
(e.g., access control processes that require multiple personnel to carry out a specific operation; an access-granting policy for new users that requires approval by the hiring manager before a login is created)
Physical Controls
Controls implemented through tangible mechanisms.
Often in conjunction with technical controls/systems (badge readers connected to door locks)
(e.g., walls, fences, guards, locks)
Security Controls
Safeguards or countermeasures applied to protect the confidentiality, integrity and availability of an information system and its information
Technical Controls
Security controls (safeguards or countermeasures) primarily implemented/executed through mechanisms contained in the hardware, software or firmware components of an Information System.
Asset
Anything of value that is owned by an organization.
Authentication
Verifying the identity of a user, process, or device; a prerequisite to allowing access to resources in an Information System.
Authorization
The right or permission that is granted to a system entity to access a system resource.
Baseline
A documented minimum level of security configuration allowed by a standard or organization.
Token
A physical object a user possesses that is used to authenticate the user's identity.
Biometric
Biological characteristics of an individual
(e.g., fingerprint, hand geometry, voice, iris patterns)
Classified or Sensitive Information
Information determined to require protection against unauthorized disclosure.
Marked to indicate classified status and classification level when in documentary form.
Confidentiality
Property: Data/information is not made available or disclosed to unauthorized persons or processes.
Integrity
Property: When information has not been modified in an unauthorized manner since being created, stored, or transmitted
Data Integrity
Property: Describes when data has not been modified in an unauthorized manner.
Data in storage, Data in processing, and Data in transit.
System Integrity
Property: Describes when a system performs its intended function, unimpaired, free from manipulation in an unauthorized manner.
Availability
Timely and reliable access to/use of information by authorized users.
Criticality
Measure: The degree to which an organization depends on an information system/information for the success of a mission or business function.
Sensitivity
Measure: The level of importance assigned to information by its owner, denoting its need for protection.
Encryption
The process and act of converting a message from plaintext to ciphertext; enciphering
Non-repudiation
The inability to deny taking an action.
(e.g., creating information, approving information, sending/receiving a message)
General Data Protection Regulation (GDPR)
Comprehensive European Union legislation, passed in 2016 and enforced from May 2018, that addresses personal privacy, deeming it an individual human right.
Health Insurance Portability and Accountability Act (HIPAA)
This U.S. federal law, enacted in 1996, is the principal healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of an individual's health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities.
Privacy
The right of a party to maintain control and confidentiality over the information about themselves.
Personally Identifiable Information (PII)
Any data that can distinguish or trace an individual's identity
(e.g., common identifiers like name and Social Security number, biometric records, and medical, educational, financial, and employment information)
Protected Health Information (PHI)
Information regarding health status, the provision of healthcare, or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).
Governance
The process of how an organization is managed.
Includes all aspects of how decisions are made; informed by policies, procedures, and roles.
International Organization for Standardization (ISO)
Develops voluntary international standards in collaboration with its partners in international standardization, the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
Internet Engineering Task Force (IETF)
The internet standards organization, made up of network designers, operators, vendors, and researchers, that defines protocol standards (IP, TCP, DNS) through a process of collaboration and consensus.
Institute of Electrical and Electronics Engineers (IEEE)
A professional organization that sets standards for telecommunications, computer engineering, and similar disciplines.
National Institute of Standards and Technology (NIST)
Part of the U.S. Department of Commerce; addresses the measurement infrastructure within science and technology efforts across the U.S. federal government. Sets standards in a number of areas, including information security through the Computer Security Resource Center of its Computer Security Division.
Likelihood of Occurrence (Probability)
A weighted factor based on the likelihood of a given threat exploiting a given vulnerability/set of vulnerabilities.
Quantitative (Numeric, Percentage) measure
Likelihood
Chance of something happening
Qualitative (Low, Medium, High) measure
Impact
Measure: Magnitude of harm
Risk
Measure: The extent to which an entity is threatened by a threat (potential circumstance or event)
Risk = Impact × Likelihood of Occurrence (Probability)
Information Security Risk
The potential adverse impacts to an organization's operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, resulting from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information systems and/or information.
Threat
Any circumstance or event with the potential to cause adverse impacts to an organization’s operations (including mission, functions, image or reputation), assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Risk Management
The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
Risk Assessment
The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Qualitative Risk Analysis
A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high.
Quantitative Risk Analysis
A method for risk analysis where numerical values are assigned to impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.
Risk Management Framework
A structured approach used to oversee and manage risk for an organization.
Risk Acceptance
Determination that the potential benefits of a business function outweigh the likelihood/impact of a risk; performing that business function with no other action.
Risk Avoidance
Determination that the likelihood/impact of a risk outweigh the potential benefits of a business function; not performing that business function.
Risk Mitigation
Implementing security controls to reduce potential impact/likelihood of a risk.
Risk Tolerance
The level of risk an entity is willing to assume in order to pursue a desired result.
(Risk threshold, risk appetite, acceptable risk)
Risk Transference
Paying an external party (e.g., an insurer) to accept the financial impact of a given risk.
Risk Treatment
The process of selecting and implementing controls to modify the level of risk.
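The Risk, Qualitative/Quantitative Risk Analysis, Risk Tolerance and Risk Treatment entries above fit together as one workflow, so here is an added worked example in Python (not part of the ISC2 CC material). It scores risks both ways, qualitatively on a 3×3 low/medium/high matrix and quantitatively as expected annual loss (monetised impact × probability per year), then picks accept / mitigate / transfer / avoid for each entry of a constructed risk register against an assumed tolerance. The banding of the matrix, the decision rule and every dollar figure are assumptions made for the example.

```python
"""Added example: qualitative and quantitative risk scoring, then risk treatment."""
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative scale shared by likelihood and impact (assumed ordinal values).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Risk = Impact x Likelihood on a 3x3 matrix, reported as low/medium/high.

    Banding is an assumption for this example: product 1-2 low, 3-4 medium, 6-9 high.
    """
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def quantitative_risk(impact_usd: float, annual_probability: float) -> float:
    """Expected annual loss: monetised impact x probability of occurrence per year."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be in [0, 1]")
    return impact_usd * annual_probability


@dataclass
class Risk:
    name: str
    impact_usd: float            # loss if the threat event occurs
    annual_probability: float    # likelihood of occurrence per year, before controls
    control_cost_usd: float      # annual cost of the candidate mitigating control
    residual_probability: float  # likelihood per year with that control in place
    premium_usd: float           # annual cost to transfer the risk (0 = no insurer offers it)


def treat(risk: Risk, tolerance_usd: float) -> str:
    """Choose accept / mitigate / transfer / avoid against an expected-annual-loss tolerance.

    Decision rule (an assumption for this example, not an ISC2 prescription):
    accept when the inherent loss is already within tolerance; mitigate when the
    control brings residual loss within tolerance and costs less than the loss it
    removes; transfer when a premium within tolerance is the cheaper option; avoid
    when no treatment brings the risk within tolerance.
    """
    inherent = quantitative_risk(risk.impact_usd, risk.annual_probability)
    if inherent <= tolerance_usd:
        return "accept"
    residual = quantitative_risk(risk.impact_usd, risk.residual_probability)
    can_mitigate = residual <= tolerance_usd and risk.control_cost_usd < inherent - residual
    can_transfer = 0 < risk.premium_usd <= tolerance_usd
    if can_mitigate and (not can_transfer or risk.control_cost_usd <= risk.premium_usd):
        return "mitigate"
    if can_transfer:
        return "transfer"
    return "avoid"


def rank_register(register: List[Risk], tolerance_usd: float) -> List[Tuple[str, float, str]]:
    """Order a risk register by inherent expected loss, highest first, with a treatment for each."""
    rows = [(r.name, quantitative_risk(r.impact_usd, r.annual_probability), treat(r, tolerance_usd))
            for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; the figures are illustrative, not real-world estimates.
REGISTER = [
    Risk("Ransomware on file server", 500_000, 0.20, 20_000, 0.02, 0),
    Risk("Laptop theft", 10_000, 0.50, 5_000, 0.10, 0),
    Risk("Data-centre flood", 2_000_000, 0.06, 300_000, 0.04, 15_000),
    Risk("Internet-facing legacy app", 1_000_000, 0.50, 50_000, 0.30, 0),
]
TOLERANCE_USD = 25_000  # assumed risk tolerance: the expected annual loss the business will carry

if __name__ == "__main__":
    for name, loss, decision in rank_register(REGISTER, TOLERANCE_USD):
        print(f"{name:28} expected loss ${loss:>10,.0f}  -> {decision}")
```

The point the register makes is that treatment is not chosen from impact alone: the flood and the ransomware risks have similar expected loss, but one is cheaply mitigated and the other only cheaply transferred, while the legacy application is avoided because neither a control nor a premium brings it within tolerance.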
Threat Actor
An individual or group posing a threat.
Threat Vector
The means or pathway by which a threat actor carries out their objectives.
Single-Factor Authentication
Use of just one of the three available factors of authentication
(something you know, something you have, something you are)
Multi-Factor Authentication
Use of two or more of the three available factors of authentication
(something you know, something you have, something you are)
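An added example in Python for the Authentication, Token and Single-/Multi-Factor Authentication entries (not part of the ISC2 CC material): it verifies each presented credential and then counts how many distinct factor categories were used, so that a password plus a PIN is correctly reported as single-factor even though two secrets were checked. The knowledge factors are PBKDF2 hashes from the standard library; the possession factor is an RFC 6238 TOTP code, which is what a hardware or app token displays. The user record, salts, PIN and clock value are constructed test data, and the TOTP secret is the RFC 6238 test-vector secret; the credential-to-factor mapping is an assumption.

```python
"""Added example: verify credentials and decide whether authentication was multi-factor."""
import hashlib
import hmac
import struct
import time
from typing import List, Optional, Tuple

# Which of the three factors each credential type belongs to (assumed mapping).
FACTOR_OF = {
    "password": "something you know",
    "pin": "something you know",
    "totp": "something you have",  # one-time code shown by a hardware or app token
}


def pbkdf2_hash(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow, salted hash for stored knowledge-factor secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the value a token would display."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user record; the TOTP secret is the RFC 6238 test-vector secret.
USER = {
    "password_salt": b"constructed-salt-1",
    "password_hash": pbkdf2_hash("correct horse battery staple", b"constructed-salt-1"),
    "pin_salt": b"constructed-salt-2",
    "pin_hash": pbkdf2_hash("4271", b"constructed-salt-2"),
    "totp_secret": b"12345678901234567890",
}


def verify_credential(user: dict, kind: str, value: str, now: int) -> bool:
    """Check one presented credential against the stored record (constant-time compares)."""
    if kind == "password":
        return hmac.compare_digest(pbkdf2_hash(value, user["password_salt"]), user["password_hash"])
    if kind == "pin":
        return hmac.compare_digest(pbkdf2_hash(value, user["pin_salt"]), user["pin_hash"])
    if kind == "totp":
        # Accept the current step and one step either side to tolerate clock drift.
        return any(hmac.compare_digest(totp(user["totp_secret"], now + drift), value)
                   for drift in (-30, 0, 30))
    return False


def authenticate(user: dict, credentials: List[Tuple[str, str]], now: Optional[int] = None) -> str:
    """Verify every credential, then count distinct factor categories.

    Returns "rejected", "single-factor" or "multi-factor". Two credentials from the
    same category (password + PIN) are still single-factor authentication.
    """
    now = int(time.time()) if now is None else now
    categories = set()
    for kind, value in credentials:
        if kind not in FACTOR_OF or not verify_credential(user, kind, value, now):
            return "rejected"
        categories.add(FACTOR_OF[kind])
    return "multi-factor" if len(categories) >= 2 else "single-factor"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the token shows 287082 for this secret at t=59
    code = totp(USER["totp_secret"], t)
    print(authenticate(USER, [("password", "correct horse battery staple"), ("totp", code)], t))
    print(authenticate(USER, [("password", "correct horse battery staple"), ("pin", "4271")], t))
```

Note that every credential must verify before the factor count is reported; a wrong TOTP code rejects the whole attempt rather than downgrading it to single-factor, which is the behaviour an MFA policy expects.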
State
The condition an entity is in at a point in time.