ISC2 Code of Ethics and Security Principles
ISC2 Domain 1 Notes
Uploaded by Jaden Mistry

ISC2 Certification Website – Domain 1

Course Pre Assessment


Course Introduction
At the end of this course you will be able to:
 Summarise the foundational concepts of information security principles
 Differentiate among the purpose, importance and key components of
business continuity, disaster recovery and incident response
 Differentiate between physical and logical access controls
 Summarise computer networking fundamentals to assess network
vulnerabilities
 Implement effective preventive mechanisms and enhance the overall
security posture of an organisation's network infrastructure
 Interpret aspects of security operations, including data security concepts
and policy, system hardening and security awareness training, to
safeguard an organisation against and respond to security threats

Code of ethics – preamble


The safety and welfare of society and the common good, duty to our principals,
and to each other, requires that we adhere, and be seen to adhere, to the
highest ethical standards of behaviour

ISC2 Code of Ethics Canons


The ISC2 member is expected to do the following:
 Protect society, the common good, necessary public trust and confidence,
and the infrastructure.
 Act honourably, honestly, justly, responsibly, and legally.
 Provide diligent and competent service to principals.
 Advance and protect the profession.

Domain 1
Question 1
Steve is a security practitioner assigned to come up with a protective
measure for ensuring that cars don't collide with pedestrians.
What is probably the most effective type of control for this task?
 Administrative
 Nuanced
 Technical
 Physical

Physical controls, such as fences, walls and bollards, will be most likely to
ensure cars cannot collide with pedestrians by creating actual barriers
between cars and pedestrians.

Question 2
Chad is a security practitioner tasked with ensuring that the information
on the organization's public website is not changed by anyone outside the
organization.
Which concept does this task demonstrate?

 Availability
 Confirmation
 Confidentiality
 Integrity
Preventing unauthorized modification is the definition of integrity.

Question 3
Which of the following is an example of a "Something you know"
authentication factor?
 Password
 Iris Scanner
 Fingerprint
 User ID
A password is something the user knows and can present as an
authentication factor to confirm an identity assertion.

Question 4
Which of the following is an example of a "Something you are"
authentication factor?
 A Photograph of your face
 Your password and pin
 A credit card presented to a cash machine
 A user ID

Question 5
A system collects transactional information and stores it in a record in
order to show which users performed which actions.

Which concept does this demonstrate?
 Multifactor authentication
 Non-repudiation
 Privacy
 Biometrics

Question 6
What is the European Union (EU) law that grants legal protections
to individual human privacy?
 The Maastricht Treaty (the Treaty on European Union)
 The General Data Protection Regulation
 The Schengen Agreement
 The Privacy Human Rights Act

Question 7
For which of the following systems would the security concept of
availability be considered MOST important?
 Retail records of past transactions
 Medical systems that monitor patient conditions in an intensive-care
unit
 Online streaming of camera feeds that display historical works of art
in museums around the world
 Medical systems that store patient data

Information that reflects patient conditions is data that necessarily must
be kept available in real time, because that data is directly linked to
patient well-being (and possibly a matter of life or death). This is, by far,
the most important of the options listed.

Question 08
For which of the following assets is integrity probably the MOST important
security aspect?
 One frame of a streaming video
 The color scheme of a marketing website
 The file that contains passwords used to authenticate users
 Software that checks the spelling of product descriptions for a retail
website

If a password file is modified, the impact to the environment could be
significant; there is a possibility that all authorized users could be denied
access, or that anyone (including unauthorized users) could be granted
access. The integrity of the password file is probably the most crucial of
the four options listed.

Question 09
In risk management, which concept reflects something a security
practitioner might need to protect?
 Asset
 Likelihood
 Threat
 Vulnerability
An asset is anything with value, and a security practitioner may need to
protect assets.

Question 10
In risk management concepts, what is something or someone that poses
risk to an organization or asset?
 Threat
 Fear
 Control
 Asset
A threat is something or someone that poses risk to the organization; this
is the definition of a threat.
Question 11
Of the following, which would probably NOT be considered a threat?
 Natural disaster
 An external attacker trying to gain unauthorized access to the
environment
 A laptop with sensitive data on it
 Unintentional damage to the system caused by a user

A laptop, and the data on it, are assets, not threats. All the other answers
are examples of threats because they all have the potential to cause
adverse impact to the organization and its assets.

Question 12
Which of the following probably poses the MOST risk?
 A low-likelihood, high-impact event
 A low-likelihood, low-impact event
 A high-likelihood, low-impact event
 A high-likelihood, high-impact event.

Question 13
Within the organization, who can identify risk?
 The security manager
 Anyone
 Senior management
 Any security team member

Question 14
A software firewall is an application that runs on a device and prevents
specific types of traffic from entering that device.

Which type of control is this?
 Administrative
 Passive
 Physical
 Technical

Domain 1: Security Principles
Overview
This learning space covers Domain 1: Security Principles of the CC (Certified in
Cybersecurity) and provides artificial intelligence-led adaptive learning to tailor
to your unique needs in real time. By adjusting your learning journey according
to your progress, you can focus your study efforts on your knowledge gaps;
thereby, nurturing your self-awareness and boosting your learning efficiency.

Learning Objectives
After completing this domain, the participant will be able to:
 Discuss the foundational concepts of cybersecurity principles.
 Recognize foundational security concepts of information assurance.
 Define risk management terminology and summarize the process.
 Relate risk management to personal or professional practices.
 Classify types of security controls.
 Distinguish between policies, procedures, standards, regulations and laws.
 Demonstrate the relationship among governance elements.
 Analyze appropriate outcomes according to the canons of the ISC2 Code of
Ethics when given examples.
 Practice the terminology and review security principles.

Key Topics
 Identity Assurance
 Privacy Control Mechanisms
 Safeguarding Data
 Strategic Risk Management

Notes – CIA TRIAD

When defining security, it is common to use the CIA Triad: Confidentiality,
Integrity and Availability. The purpose of these terms is to describe security
using relevant and meaningful words that make security more understandable to
management and users and define its purpose.

Confidentiality: Confidentiality means permitting authorized access to
information while at the same time protecting it from improper disclosure.

Integrity: Integrity is the property of information whereby it is recorded,
used, and maintained in a way that ensures its completeness, accuracy, internal
consistency, and usefulness for a stated purpose.

Availability: Availability means that systems and data are accessible at the
time users need them.

Question: The concept of secrecy is most related to which foundational aspect
of security?
Answer: Confidentiality
NOTES – CIA TRIAD DEEP DIVE
Confidentiality is a difficult balance to achieve when many system users are
guests or customers and it is not known whether they are accessing the system
from a compromised machine or a vulnerable mobile application. So, the security
professional's obligation is to regulate access: protect the data that needs
protection, yet permit access to authorized individuals.

Personally Identifiable Information (PII): A term related to the area of
confidentiality. It pertains to any data about an individual that could be used
to identify them.

Protected Health Information (PHI): Information regarding one's health status.

Classified or sensitive information: Includes trade secrets, research, business
plans, and intellectual property.

Sensitivity: A measure of the importance assigned to information by its owner,
for the purpose of denoting its need for protection. Sensitive information is
information that, if improperly disclosed (confidentiality) or modified
(integrity), would harm an organization or individual. In many cases,
sensitivity is related to the harm to external stakeholders; that is, people or
organizations that may not be a part of the organization that processes or uses
the information.

Integrity: Measures the degree to which something is whole and complete,
internally consistent, and correct. The concept of integrity applies to:
 Information or data
 Systems and processes for business operations
 Organizations
 People and their actions

Data integrity is the assurance that data has not been altered in an
unauthorized manner. This requires the protection of the data in systems and
during processing to ensure that it is free from improper modification, errors,
or loss of information and is recorded, used, and maintained in a way that
ensures its completeness. Data integrity covers data in storage, during
processing and while in transit.

Information must be accurate, internally consistent, and useful for a stated
purpose. The internal consistency of information ensures that information is
correct on all related systems so that it is displayed and stored in the same way
on all systems. Consistency, as part of data integrity, requires that all instances
of the data be identical in form, content, and meaning.

System integrity refers to the maintenance of a known good configuration and
expected operational function as the system processes the information. Ensuring
integrity begins with an awareness of state, which is the current condition of the
system. Specifically, this awareness concerns the ability to document and
understand the state of data or a system at a certain point, creating a baseline.
For example, a baseline can refer to the current state of the information,
whether it is protected. Then, to preserve that state, the information must
always continue to be protected through a transaction.

Going forward from that baseline, the integrity of the data or the system can
always be ascertained by comparing the baseline with the current state. If the
two match, then the integrity of the data or the system is intact; if the two do not
match, then the integrity of the data or the system has been compromised.
Integrity is a primary factor in the reliability of information and systems.
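The baseline-and-compare idea above, as an added example that is not part of the original notes: a minimal file-integrity check in Python that records the SHA-256 digest of every file under a directory as the known-good baseline, then reports anything modified, added or removed when the current state is compared to it. The directory contents and the tampering in `demo()` are constructed for this example.

```python
"""Integrity via baseline-and-compare: record a known-good state, then detect drift.
Added example for the notes above; the directory contents below are constructed."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under `root` (relative path) to its digest: the known-good state."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Current state vs baseline: anything modified, added or removed breaks integrity."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def integrity_intact(report: Dict[str, List[str]]) -> bool:
    """True only when baseline and current state match exactly."""
    return not any(report.values())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small web root, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "app.conf"), "w", encoding="utf-8") as f:
        f.write("debug=false\n")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
        f.write("<h1>Public site</h1>\n")

    # Serialise the baseline. In production keep it where the monitored host
    # cannot rewrite it (read-only media or a separate system); otherwise an
    # attacker with write access simply re-baselines their own changes.
    snapshot = json.dumps(build_baseline(root), sort_keys=True)

    # Tampering: the public page is changed and an unexpected file appears.
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
        f.write("<h1>Changed without authorization</h1>\n")
    with open(os.path.join(root, "unexpected.bin"), "wb") as f:
        f.write(b"\x00" * 16)

    return compare_to_baseline(root, json.loads(snapshot))


if __name__ == "__main__":
    result = demo()
    print("integrity intact:", integrity_intact(result))
    print(result)
```

The comparison is over content digests, not timestamps or sizes, so a change that preserves mtime and length is still caught; the weak point is the baseline itself, which is why the comment insists it be stored out of reach of whoever could alter the monitored files.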

Availability: Availability can be defined as (1) timely and reliable access to
information and the ability to use it, and (2) for authorized users, timely and
reliable access to data and information services.

The core concept of availability is that data is accessible to authorized users
when and where it is needed and in the form and format required. This does not
mean that data or systems are available 100% of the time. Instead, the systems
and data meet the requirements of the business for timely and reliable access.

Some systems and data are far more critical than others, so the security
professional must ensure that the appropriate levels of availability are provided.
This requires consultation with the involved business to ensure that critical
systems are identified and available. Availability is often associated with the term
criticality because it represents the importance an organization gives to data or
an information system in performing its operations or achieving its mission.

AUTHENTICATION – NOTES

METHODS OF AUTHENTICATION – NOTES
 Single-factor authentication: Use of one of the three available factors
 Multi-factor authentication: Use of two or more distinct instances of the
three factors of authentication

Common best practice is to implement at least two of the three common
techniques for authentication:
 Knowledge based: a passphrase or secret code used to differentiate between
an authorised and an unauthorised user (something you know)
 Token based: something you have
 Characteristic based: something you are

For better security, a token or a characteristic (rather than knowledge alone)
should be required when resetting passwords, as an additional form of
authentication.
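How two of the three factors combine in practice, as an added example that is not from the original notes: a knowledge factor checked against a salted PBKDF2 hash, and a possession factor checked with HOTP/TOTP as specified in RFC 4226 and RFC 6238. Both factors are always evaluated and compared in constant time, so a failed login does not tell the caller which factor was wrong. The user record and the `12345678901234567890` secret are constructed test values (the RFC test key), not real credentials.

```python
"""Two-factor authentication: knowledge factor (password) plus possession factor (TOTP).
Added example for the notes above; the user record below is constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional


# --- Knowledge factor: store a salted, slow hash, never the password itself ---
def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> Dict[str, object]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time comparison


# --- Possession factor: HOTP (RFC 4226) and TOTP (RFC 6238) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock skew.
    Every slot is compared so timing does not reveal which one matched."""
    at = time.time() if at is None else at
    counter = int(at) // step
    matched = False
    for delta in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(secret, counter + delta), candidate)
    return matched


def authenticate(user: Dict[str, object], password: str, otp: str, at: Optional[float] = None) -> bool:
    """Both factors must pass; both are always evaluated."""
    knows = verify_password(user["password"], password)
    has = verify_totp(user["totp_secret"], otp, at=at)
    return knows and has


def demo_user() -> Dict[str, object]:
    """Constructed record. The TOTP secret is the RFC 4226/6238 test key, not a real
    one; the fixed salt is only so the record is reproducible in this example."""
    return {
        "password": hash_password("correct horse battery staple", salt=b"\x01" * 16),
        "totp_secret": b"12345678901234567890",
    }


if __name__ == "__main__":
    user = demo_user()
    now = time.time()
    code = totp(user["totp_secret"], at=now)
    print("login ok:", authenticate(user, "correct horse battery staple", code, at=now))
```

The `window` argument is the usual trade-off: a wider window tolerates more clock drift but gives an attacker more valid codes per attempt, so rate limiting on failed OTP submissions still belongs in front of this check.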
NON-REPUDIATION – NOTES
The inability to deny taking an action such as creating information,
approving information, or sending or receiving a message.

PRIVACY – NOTES
RISK MANAGEMENT TERMINOLOGY – NOTES
RISK IDENTIFICATION – NOTES
How do you identify risks? Do you walk down the street watching out for
traffic and looking for puddles on the ground? Maybe you've noticed loose wires
at your desk or water on the office floor? If you're already on the lookout for
risks, you'll fit in with other security professionals who know it's necessary
to dig deeper to find possible problems.
RISK ASSESSMENT – NOTES
The analysis performed as part of risk management. A risk assessment
incorporates threat and vulnerability analyses and considers mitigations
provided by security controls planned or in place.

Risk assessment is defined as the process of identifying, estimating, and
prioritizing risks to an organization's operations (including its mission,
functions, image, and reputation), assets, individuals, other organizations,
and even the nation.

Risk assessment should result in aligning (or associating) each identified risk
resulting from the operation of an information system with the goals,
objectives, assets, or processes that the organization uses, which in turn
aligns with or directly supports the organization's goals and objectives.
RISK TREATMENT – NOTES
RISK PRIORITIES – NOTES
When risks have been identified, it is time to prioritize and analyze core risks
through qualitative risk analysis and/or quantitative risk analysis.
Understanding the organization's overall mission and the functions that support
the mission helps to place risks in context, determine the root causes, and
prioritize the assessment and analysis of these items. In most cases,
management will provide direction for using the findings of the risk
assessment to determine a prioritized set of risk-response actions. One
effective method to prioritize risk is to use a risk matrix, which helps
identify priority as the intersection of likelihood of occurrence and impact.

This is necessary to determine the root cause and narrow down apparent risks
and core risks. Security professionals work with their teams to conduct both
qualitative and quantitative analysis.

It also gives the team a common language to use with management when
determining the final priorities. For example, a low likelihood and a low
impact might result in a low priority, while an incident with a high likelihood
and high impact will result in a high priority. Assignment of priority may
relate to business priorities, the cost of mitigating a risk, or the potential
for loss if an incident occurs.
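One way to turn the risk matrix and the cost-of-mitigation considerations above into a repeatable decision, as an added example that is not part of the original notes. The qualitative part is the 3x3 likelihood-by-impact matrix the notes describe; the quantitative part uses the standard single loss expectancy (SLE = asset value x exposure factor) and annualised loss expectancy (ALE = SLE x ARO) formulation, which the notes refer to only as "quantitative risk analysis". The risk register, the tolerance figure and the treatment thresholds are constructed for illustration.

```python
"""Risk prioritisation: a qualitative likelihood-by-impact matrix, then a
quantitative check against management's tolerance to choose a treatment.
Added example for the notes above; the register and figures are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

LEVELS = {"low": 1, "medium": 2, "high": 3}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def matrix_priority(likelihood: str, impact: str) -> str:
    """Priority is the cell where likelihood and impact intersect in a 3x3 matrix."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:        # high/high, high/medium, medium/high
        return "high"
    if score >= 3:        # medium/medium, high/low, low/high
        return "medium"
    return "low"          # low/low, low/medium, medium/low


@dataclass
class Risk:
    name: str
    likelihood: str         # qualitative descriptor
    impact: str             # qualitative descriptor
    asset_value: float      # value of the asset at risk
    exposure_factor: float  # fraction of the value lost in one incident
    aro: float              # annualised rate of occurrence (incidents per year)
    control_cost: float     # annual cost of the proposed control
    residual_ale: float     # expected annual loss if the control is in place

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year without the control."""
        return self.sle() * self.aro


def treatment(risk: Risk, tolerance: float) -> str:
    """Choose a treatment given the maximum annual loss management will accept."""
    if risk.ale() <= tolerance:
        return "accept"              # within appetite; spending on a control is not justified
    saved = risk.ale() - risk.residual_ale
    if risk.control_cost < saved:
        return "mitigate"            # the control costs less than the loss it prevents
    return "avoid_or_transfer"       # too costly to fix: stop the activity or insure it


def prioritise(risks: List[Risk], tolerance: float) -> List[Tuple[str, str, int, str]]:
    """Rows of (priority, name, ALE, treatment), highest priority and largest ALE first."""
    rows = [(matrix_priority(r.likelihood, r.impact), r.name, round(r.ale()), treatment(r, tolerance))
            for r in risks]
    return sorted(rows, key=lambda row: (PRIORITY_ORDER[row[0]], -row[2]))


def sample_register() -> List[Risk]:
    """Constructed register; the numbers are illustrative, not from the notes."""
    return [
        Risk("Public website defacement", "high", "medium", 200_000, 0.10, 2.0, 5_000, 4_000),
        Risk("Laptop loss with sensitive data", "medium", "high", 500_000, 0.20, 0.5, 8_000, 5_000),
        Risk("Flood at head office", "low", "high", 2_000_000, 0.50, 0.02, 150_000, 2_000),
        Risk("Coffee spilled on a keyboard", "low", "low", 100, 1.0, 3.0, 50, 0),
    ]


if __name__ == "__main__":
    for row in prioritise(sample_register(), tolerance=10_000):
        print(row)
```

The matrix gives management the common language the notes mention (two "high" items, one "medium", one "low"); the ALE column then explains why the laptop risk is listed ahead of the website risk within the same band, and why the flood risk, despite a large single loss, is cheaper to transfer to insurance than to engineer away.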

DECISION MAKING BASED ON RISK PRIORITIES – NOTES


RISK TOLERANCE – NOTES
The perception management takes toward risk is often likened to the
entity’s appetite for risk. How much risk are they willing to take? Does
management welcome risk or want to avoid it?

The level of risk tolerance varies across organizations, and even internally:
Different departments may have different attitudes toward what is
acceptable or unacceptable risk. Understanding the organization and
senior management’s attitude toward risk is usually the starting point for
getting management to take action regarding risks.
WHAT ARE SECURITY CONTROLS – NOTES
GOVERNANCE ELEMENTS – NOTES
Any business or organization exists to fulfill a purpose, whether it is to
provide raw materials to an industry, manufacture equipment to build
computer hardware, develop software applications, construct buildings, or
provide goods and services. To complete the objective requires that
decisions are made, rules and practices are defined, and policies and
procedures are in place to guide the organization in its pursuit of
achieving its goals and mission.
PROFESSIONAL CODE OF CONDUCT - NOTES

QUESTIONS
Question 1
Which region enacted comprehensive legislation addressing personal
privacy in 2016?
 Africa
 Asia-Pacific
 European Union
 United States
In 2016, the European Union passed comprehensive legislation addressing
personal privacy, deeming it an individual human right.
Question 2
What is the purpose of implementing security controls in the risk
management process?
 To eliminate all vulnerabilities
 To increase the level of risk
 To ensure that a cyberattack would be impossible
 To mitigate the risk to an acceptable level
Security controls are implemented in the risk management process to mitigate the risk to a level
that is deemed acceptable by the entity.

Question 03
If a pickpocket is a threat, what would be their attack vector?
 Tourists
 The stolen goods
 Their technique and approach
 The crowded tourist spot
In this analogy, if a pickpocket is a threat, the attack vector would be their
technique and approach.

Question 04
How do companies that offer identity theft insurance manage their own
financial risk?
 By calculating premium payments against potential payouts
 By always honoring payout commitments
 By restricting the number of claims
 By charging low premiums

Question 05
What term is used to refer to information that, when combined with other
pieces of data, significantly narrows the possibility of association with
more individuals?
 Personally Identifiable Information (PII)
 Limited Access Data (LAD)
 PII Fusion
 Personal Identification Element (PIE)

Question 06
According to the code of ethics, what are information security
professionals expected to uphold?
 Creativity and innovation
 Be honorable, honest, just and responsible within legal conduct
 Efficient and speedy decision-making
 Secrecy and confidentiality
Information security professionals are expected to uphold honorable,
honest, just, responsible, and legal conduct, as mentioned in the code of
ethics.
Question 07
Multifactor authentication involves using two or more instances of
different authentication factors.

Which of the following are considered a widely accepted factor for
authentication?
 Somewhere you are
 Something you are
 Something you have
 Something you know

Question 08
Kristal is the security administrator for a large online service provider.
Kristal learns that the company is harvesting the personal data of its
customers and sharing the data with local governments where the
company operates, without the knowledge of the users, to allow the
governments to persecute users on the basis of their political and
philosophical beliefs.

The published user agreement states that the company will not share
personal user data with any entities without the users' explicit
permission.

According to the ISC2 Code of Ethics, to whom does Kristal ultimately owe
a duty in this situation?
 The governments of the countries where the company operates
 The company Kristal works for
 The users
 ISC2

Question 09
In the United States, which act governs the privacy of medical
information?
 FERPA
 HIPAA
 GDPR
 HITECH
Question 10
What is an "asset" in the context of risk management terminology?
 Actionable information
 A gap or weakness in protection efforts
 Something or someone that aims to exploit a vulnerability
 Something in need of protection

Question 11
Who is responsible for determining risk tolerance in an organization?
 Executive management and board of directors
 All employees
 The risk management team
 External consultants
Question 12
Which regulation grants data protection and control to individuals within
the EU, regardless of citizenship?
 Data Security and Compliance Act
 Health Insurance Portability and Accountability Act (HIPAA)
 General Data Protection Regulation (GDPR)
 International Organization for Standardization (ISO)

Question 13
What potential risk can occur when a remote worker's laptop is left
unattended or unlocked?
 Mechanical failure of backup generators
 Loss of internet connection
 Corrupt workstation due to power outage
 Accidental introduction of unauthorized software with malware

Question 14
While taking the certification exam for this certification, you notice
another candidate for the certification cheating.

What should you do?
 Report the candidate to ISC2
 Nothing, each person is responsible for their own actions
 Yell at the other candidate for violating test security
 Call local law enforcement

Question 15
What type of authentication process is used at the bank with an ATM card?
 Single-factor authentication
 Multifactor authentication
 Biometric authentication
 Two-factor authentication
The use of an ATM card (something you have) and a PIN (something you
know) at the bank provides exactly two different factors of authentication,
making it two-factor authentication.

Question 16
What is the primary purpose of the ISC2 Code of Ethics?
 Outlining the certification process for information security
professionals
 Defining the duties and responsibilities of cybersecurity
professionals
 Establishing specific ethical standards for ISC2 members
 Ensuring the safety and welfare of society and the common good
Question 17
In e-commerce and electronic transactions, what does non-repudiation
protect against?
 Identity theft
 Unauthorized access
 Falsely denying transactions
 Data breaches

Question 18
What action is suggested to mitigate the risk associated with a threat?
 Strengthen the vulnerability
 Increase the likelihood of the event
 Evaluate the likelihood of the event and take appropriate actions to
mitigate the risk
 Ignore the threat and its impact

Question 19
What is meant by non repudiation
 If a user does something, they can't later claim that they didn't do it
 Controls to protect the organization's reputation from harm due to
inappropriate social media postings by employees, even if on their
private accounts and personal time
 It is a security feature that prevents session replay attacks
 It is part of the rules set by administrative controls

To repudiate means to attempt to deny after the fact, to lie about one's
actions

Question 20
What type of cyber attack often targets the availability of data
 Ransomware attacks
 Man-in-the-middle attacks
 Phishing attacks
 DDoS attacks

Question 21
What does knowledge based authentication involve
 Differentiating between authorized and unauthorized users using a
passphrase or secret code
 Using a physical token for authentication
 Demonstrating two or more factors for identity verification
 Resetting a users password through a help desk call
Knowledge-based authentication involves using a passphrase or secret
code (e.g., PIN or password) to differentiate between authorized and
unauthorized users.

Question 22
What role might security professionals play in risk assessment at a system
level?
 Ignoring risk assessment activities
 Solely focusing on strategic plans
 Delegating risk assessment to employees
 Assisting in risk assessment at a system level
Security professionals are likely to assist in risk assessment at a system
level, focusing on process, control, monitoring, or incident response and
recovery activities.

Question 23
What is the purpose of using a risk matrix?
 To prioritize risks based on likelihood and impact
 To determine the root causes of risks
 To assign numerical values to risks
 To eliminate all identified risks

One effective method to prioritize risk is to use a risk matrix, which helps
identify priority as the intersection of likelihood of occurrence and impact

Question 24
Who is responsible for identifying risks within an organization?
 Only security professionals
 Only top-level executives
 Only those involved in risk management
 Employees at all levels of the organization

Question 25
What measures would a trauma center be most likely to take to ensure
zero tolerance for power failure?
 Providing solid contracts with fuel providers
 Redundancy in emergency power supplies, battery backup, and
generators
 Building multiple critical care units
 Offering licensing services to patients
The trauma center ensures zero tolerance for power failure by
implementing redundancy in emergency power supplies, battery backup,
and multiple generators.

Question 26
When a company chooses to ignore a risk and proceed with a risky
activity, which treatment is being applied by default?
 Transference
 Mitigation
 Avoidance
 Acceptance
Question 26
What is risk tolerance often likened to?
 Risk management
 Risk appetite
 Risk avoidance
 Risk assessment

Question 27
A chief information security officer (CISO) at a large organization
documented a policy that establishes the acceptable use of cloud
environments for all staff.
This is an example of a: __________.
 Physical control
 Technical control
 Cloud control
 Management/Administrative control.
Flashcards
Domain 1 Security Principles
1. Adequate Security: Security commensurate with the risk and the magnitude
of harm resulting from the loss, misuse or unauthorized access to or
modification of information.

2. Administrative Controls: Controls implemented through policy and
procedures. Examples include access control processes and requiring multiple
personnel to conduct a specific operation. Administrative controls in modern
environments are often enforced in conjunction with physical and/or technical
controls, such as an access-granting policy for new users that requires login
and approval by the hiring manager.

3. Artificial Intelligence: The ability of computers and robots to simulate
human intelligence and behaviour.

4. Asset: Anything of value that is owned by an organisation. Assets include
both tangible items such as information systems and physical property and
intangible assets such as intellectual property.

5. Authentication: The act of identifying or verifying the eligibility of a
station, originator, or individual to access specific categories of
information. Typically, a measure designed to protect against fraudulent
transmissions by establishing the validity of a transmission, message, station
or originator.

6. Authorisation: The right or a permission that is granted to a system entity
to access a system resource.

7. Availability: Ensuring timely and reliable access to and use of information
by authorized users.

8. Baseline: A documented, lowest level of security configuration allowed by a
standard or organization.

9. Biometric: Biological characteristics of an individual, such as a
fingerprint, hand geometry, voice, or iris patterns.

10. Bot: Malicious code that acts like a remotely controlled "robot" for an
attacker, with other Trojan and worm capabilities.

11. Classified or Sensitive Information: Information that has been determined
to require protection against unauthorized disclosure and is marked to
indicate its classified status and classification level when in documentary
form.

12. Confidentiality: The characteristic of data or information when it is not
made available or disclosed to unauthorized persons or processes.

13. Criticality: A measure of the degree to which an organization depends on
the information or information system for the success of a mission or of a
business function.

14. Data Integrity: The property that data has not been altered in an
unauthorized manner. Data integrity covers data in storage, during processing
and while in transit.

15. Encryption: The process and act of converting the message from its
plaintext to ciphertext. Sometimes it is also referred to as enciphering. The
two terms are sometimes used interchangeably in literature and have similar
meanings.

16. General Data Protection Regulation (GDPR): In 2016, the European Union
passed comprehensive legislation that addresses personal privacy, deeming it
an individual human right.

17. Governance: The process of how an organization is managed; usually
includes all aspects of how decisions are made for that organization, such as
policies, roles, and procedures the organization uses to make those decisions.

18. Health Insurance Portability and Accountability Act (HIPAA): This U.S.
federal law is the most important healthcare information regulation in the
United States. It directs the adoption of national standards for electronic
healthcare transactions while protecting the privacy of individuals' health
information. Other provisions address fraud reduction, protections for
individuals with health insurance and a wide range of other healthcare-related
activities.

19. Impact: The magnitude of harm that could be caused by a threat's exercise
of a vulnerability.

20. Information Security Risk: The potential adverse impacts to an
organization's operations (including its mission, functions and image and
reputation), assets, individuals, other organizations, and even the nation,
which results from the possibility of unauthorized access, use, disclosure,
disruption, modification or destruction of information and/or information
systems.

21. Integrity: The property of information whereby it is recorded, used and
maintained in a way that ensures its completeness, accuracy, internal
consistency and usefulness for a stated purpose.

22. International Organization for Standardization (ISO): The ISO develops
voluntary international standards in collaboration with its partners in
international standardization, the International Electrotechnical Commission
(IEC) and the International Telecommunication Union (ITU), particularly in the
field of information and communication technologies.

23. Internet Engineering Task Force (IETF): The internet standards
organization, made up of network designers, operators, vendors and
researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a
process of collaboration and consensus.

24. Likelihood: The probability that a potential vulnerability may be
exercised within the construct of the associated threat environment.

25. Likelihood of Occurrence: A weighted factor based on a subjective analysis
of the probability that a given threat is capable of exploiting a given
vulnerability or set of vulnerabilities.

26. Multi-Factor Authentication: Using two or more distinct instances of the
three factors of authentication (something you know, something you have,
something you are) for identity verification.

27. National Institute of Standards and Technology (NIST): NIST is part of the
U.S. Department of Commerce and addresses the measurement infrastructure
within science and technology efforts within the U.S. federal government. NIST
sets standards in a number of areas, including information security within
the Computer Security Resource Center of the Computer Security Division.

28. The inability to deny taking an action such as creating information,


approving information and sending or receiving a message. Non-
repudiation

[Link] Institute of Standards and Technology, known as NIST, in its


Special Publication 800-122 defines PII as "any information about an
individual maintained by an agency, including (1) any information that can
be used to distinguish or trace an individual's identity, such as name,
Social Security number, date and place of birth, mother's maiden name, or
biometric records; and (2) any other information that is linked or linkable
to an individual, such as medical, educational, financial and employment
information." Personally Identifiable Information (PII)

30. Controls implemented through a tangible mechanism. Examples


include walls, fences, guards, locks, etc. In modern organizations, many
physical control systems are linked to technical/logical systems, such as
badge readers connected to door locks. Physical Controls

31. The right of an individual to control the distribution of information


about themselves. Privacy

[Link] chances, or likelihood, that a given threat is capable of exploiting a


given vulnerability or a set of vulnerabilities. Probability

33. Information regarding health status, the provision of healthcare or


payment for healthcare as defined in HIPAA (Health Insurance Portability
and Accountability Act) Protected Health Information (PHI)

34. A method for risk analysis that is based on the assignment of a


descriptor such as low, medium or high. Qualitative Risk Analysis

35. A method for risk analysis where numerical values are assigned to
both impact and likelihood based on statistical probabilities and
monetarized valuation of loss or gain. Quantitative Risk Analysis

36. A possible event which can have a negative impact upon the
organization. Risk
37. Determining that the potential benefits of a business function
outweigh the possible risk impact/likelihood and performing that business
function with no other action. Risk Acceptance

38. The process of identifying and analyzing risks to organizational


operations (including mission, functions, image, or reputation),
organizational assets, individuals and other organizations. The analysis
performed as part of risk management which incorporates threat and
vulnerability analyses and considers mitigations provided by security
controls planned or in place. Risk Assessment

39. Determining that the impact and/or likelihood of a specific risk is too
great to be offset by the potential benefits and not performing a certain
business function because of that determination. Risk Avoidance

40. The process of identifying, evaluating and controlling threats,


including all the phases of risk context (or frame), risk assessment, risk
treatment and risk monitoring. Risk Management

41. A structured approach used to oversee and manage risk for an


enterprise. Risk Management Framework

42. Putting security controls in place to reduce the possible impact


and/or likelihood of a specific risk. Risk Mitigation

43. The level of risk an entity is willing to assume in order to achieve a


potential desired result. Source: NIST SP 800-32. Risk threshold, risk
appetite and acceptable risk are also terms used synonymously with risk
tolerance. Risk Tolerance

44. Paying an external party to accept the financial impact of a given


risk. Risk Transference

45. The determination of the best way to address an identified risk.


Risk Treatment
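As an added example (not part of the ISC2 notes), the following Python puts entries 34 through 45 together: a qualitative 3x3 matrix over low/medium/high descriptors, and a quantitative comparison of expected annual loss against risk tolerance that chooses among acceptance, mitigation, transference and avoidance. The matrix thresholds, the Risk fields and every figure are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed ordinal scale for the qualitative descriptors (entry 34).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine two descriptors through an assumed 3x3 risk matrix."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    probability: float            # annual likelihood the threat exercises the vulnerability
    impact: float                 # monetarised loss of a single occurrence (entry 35)
    mitigation_cost: float        # annual cost of the controls (entry 42)
    mitigated_probability: float  # residual likelihood once controls are in place
    transfer_premium: float       # annual cost of an insurer accepting the loss (entry 44)
    benefit: float                # value of the business function that carries the risk


def expected_loss(probability: float, impact: float) -> float:
    """Quantitative analysis: annual expected loss = likelihood x monetarised impact."""
    return probability * impact


def recommend_treatment(risk: Risk, tolerance: float) -> str:
    """Risk treatment (entry 45): the cheapest option whose residual loss is within tolerance."""
    baseline = expected_loss(risk.probability, risk.impact)
    if baseline <= tolerance:
        return "accept"  # entry 37: benefits outweigh the risk, do nothing more
    # Each eligible option is scored by its total annual cost to the organization.
    options = {"avoid": risk.benefit,  # entry 39: forgo the function and its benefit
               "transfer": risk.transfer_premium}  # residual loss falls on the external party
    residual = expected_loss(risk.mitigated_probability, risk.impact)
    if residual <= tolerance:
        options["mitigate"] = risk.mitigation_cost + residual
    return min(options, key=options.get)


if __name__ == "__main__":
    # Constructed sample: a 20% annual chance of a 500,000 loss, tolerance of 25,000.
    r = Risk("customer portal outage", 0.2, 500_000, 30_000, 0.02, 60_000, 1_000_000)
    print(qualitative_rating("medium", "high"), recommend_treatment(r, 25_000))
```

Lowering the tolerance or raising the mitigation cost changes the recommendation, which is the practical effect of entry 43's risk tolerance on the treatment decision.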

46. The management, operational and technical controls (i.e.,
safeguards or countermeasures) prescribed for an information system to
protect the confidentiality, integrity and availability of the system and its
information. Security Controls

47. A measure of the importance assigned to information by its owner,
for the purpose of denoting its need for protection. Sensitivity

48. Use of just one of the three available factors (something you know,
something you have, something you are) to carry out the authentication
process being requested. Single-Factor Authentication

49. The condition an entity is in at a point in time. State

50. The quality that a system has when it performs its intended function
in an unimpaired manner, free from unauthorized manipulation of the
system, whether intentional or accidental. System Integrity

51. Security controls (i.e., safeguards or countermeasures) for an information
system that are primarily implemented and executed by the information
system through mechanisms contained in the hardware, software or
firmware components of the system. Technical Controls

52. Any circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image or
reputation), organizational assets, individuals, other organizations or the
nation through an information system via unauthorized access,
destruction, disclosure, modification of information and/or denial of
service. Threat

53. An individual or a group that attempts to exploit vulnerabilities to cause or
force a threat to occur. Threat Actor

54. The means by which a threat actor carries out their objectives.
Threat Vector

55. A physical object a user possesses and controls that is used to
authenticate the user's identity. Token

56. Weakness in an information system, system security procedures, internal
controls or implementation that could be exploited by a threat source.
Vulnerability

57. IEEE is a professional organization that sets standards for
telecommunications, computer engineering and similar disciplines.
Institute of Electrical and Electronics Engineers (IEEE)
