Use this domain to build the foundation for the entire CC exam. Security principles explain why security exists, what needs protection, how risk is managed, and how policies and ethics guide security work.
Focus on understanding the concepts clearly. If you can explain confidentiality, integrity, availability, risk, controls, governance, and ethics in simple language, the rest of the exam becomes easier.
Information assurance protects information and systems so they remain trustworthy, available, and properly controlled. The CIA triad is the core model: confidentiality, integrity, and availability.
- Confidentiality protects information from unauthorized access.
- Integrity protects information from unauthorized or accidental change.
- Availability ensures systems and data are accessible when needed.
- Authentication verifies identity.
- Non-repudiation helps prove that an action or transaction occurred.
- Privacy protects personal information and how it is collected, used, stored, and shared.
- Confidentiality - Only authorized people or systems can access information.
- Integrity - Information remains accurate, complete, and trustworthy.
- Availability - Systems and data are usable when required.
- Authentication - Process of proving identity.
- MFA - Multi-factor authentication using more than one proof of identity.
- Non-repudiation - Assurance that someone cannot deny an action they performed.
- Privacy - Responsible handling of personal information.
- Give one real example for confidentiality, integrity, and availability.
- Explain why MFA improves authentication.
- Identify how privacy is different from confidentiality.
- What are the three parts of the CIA triad?
- Why is availability important for business operations?
- What does authentication prove?
- Why is MFA stronger than a password alone?
- What does non-repudiation help prove?
Risk management is the process of identifying what can go wrong, estimating how serious it is, and deciding what to do about it. Security decisions should be based on risk, not guesswork.
- Risk connects assets, threats, vulnerabilities, likelihood, and impact.
- Risk tolerance defines how much risk an organization is willing to accept.
- Risk identification finds possible risks.
- Risk assessment estimates likelihood and impact.
- Risk treatment decides how to respond.
- Common risk responses are avoid, mitigate, transfer, and accept.
- Asset - Anything valuable that needs protection.
- Threat - Potential cause of harm.
- Vulnerability - Weakness that can be exploited.
- Risk - Possibility of loss or harm.
- Likelihood - Chance that a risk will happen.
- Impact - Damage if the risk happens.
- Risk tolerance - Amount of risk an organization accepts.
- Risk treatment - Action taken to manage risk.
- Create a simple risk example using asset, threat, vulnerability, likelihood, and impact.
- Classify risks as low, medium, or high.
- Match sample risks to avoid, mitigate, transfer, or accept.
- What is the difference between a threat and a vulnerability?
- Why do likelihood and impact matter?
- What does it mean to mitigate risk?
- When might an organization accept risk?
- Why is risk tolerance important?
Security controls are safeguards used to reduce risk. Controls can be administrative, technical, or physical. They can also prevent, detect, or correct security problems.
- Administrative controls are policies, procedures, standards, and training.
- Technical controls use technology to protect systems and data.
- Physical controls protect buildings, rooms, equipment, and people.
- Preventive controls reduce the chance of an incident.
- Detective controls identify suspicious or harmful activity.
- Corrective controls help recover after a problem.
- Control - Safeguard that reduces risk.
- Administrative control - Management or process-based safeguard.
- Technical control - Technology-based safeguard.
- Physical control - Physical protection measure.
- Preventive control - Stops or reduces security incidents.
- Detective control - Finds security incidents.
- Corrective control - Restores normal condition after an incident.
- Put MFA, policies, locks, cameras, backups, and log monitoring into control categories.
- Explain why layered controls are stronger than one control.
- Identify one preventive, detective, and corrective control for phishing.
- What is a security control?
- Is security awareness training administrative, technical, or physical?
- Is a firewall a technical control?
- What type of control is log monitoring?
- Why are backups corrective controls?
Cybersecurity professionals are trusted with systems, data, and sensitive information. Ethics guide professional behavior and help protect the public, organizations, and the profession.
- Security work must be legal, responsible, and honest.
- Access should only be used for authorized purposes.
- Sensitive information must be protected.
- Professional judgment matters when policies or situations are unclear.
- Ethical behavior builds trust.
- Ethics - Principles that guide right behavior.
- Professional conduct - Expected behavior in a professional role.
- Due care - Acting responsibly and reasonably.
- Due diligence - Taking ongoing steps to meet responsibilities.
- Conflict of interest - Situation where personal interest may affect judgment.
- Explain why authorized access does not mean unlimited use.
- Identify ethical issues in a scenario involving sensitive logs.
- Describe how due care and due diligence are different.
- Why are ethics important in cybersecurity?
- What is due care?
- What is due diligence?
- Why should analysts protect sensitive information?
- What is a conflict of interest?
Governance provides direction and accountability for security. Policies, standards, and procedures explain what must be done and how to do it. Laws and regulations create external requirements.
- Governance aligns security with organizational goals and responsibilities.
- Policies state high-level requirements.
- Standards define mandatory rules or baselines.
- Procedures provide step-by-step instructions.
- Regulations and laws may require specific security and privacy practices.
- Compliance means meeting required obligations.
- Governance - Direction, oversight, and accountability.
- Policy - High-level statement of required behavior.
- Standard - Specific mandatory requirement.
- Procedure - Step-by-step task instruction.
- Regulation - Rule issued by an authority.
- Law - Legal requirement enforced by government.
- Compliance - Meeting obligations.
- Compare policy, standard, and procedure using password management.
- Identify why compliance does not automatically mean strong security.
- Write a simple acceptable-use policy statement.
- What is governance?
- How is a policy different from a procedure?
- What is a standard?
- Why do laws and regulations matter?
- Why is compliance not the same as full security?
- I can explain confidentiality, integrity, and availability.
- I understand authentication, MFA, privacy, and non-repudiation.
- I can describe assets, threats, vulnerabilities, likelihood, impact, and risk.
- I know the main risk treatment options.
- I can classify administrative, technical, and physical controls.
- I understand preventive, detective, and corrective controls.
- I can explain why ethics matter in cybersecurity.
- I can compare policies, standards, procedures, regulations, and laws.
Security principles provide the foundation for cybersecurity. The CIA triad defines what security protects. Risk management explains how decisions are prioritized. Controls reduce risk. Ethics guide responsible behavior. Governance, policies, standards, procedures, laws, and regulations provide structure and accountability.