CISSP Flashcards
Free flashcards for CISSP: flip each card to reveal the definition. Built from the CISSP glossary as a study aid, these are concept checks, not real exam questions.
All 46 terms
- CIA triad
- Confidentiality, Integrity, Availability - the core goals of security.
- Risk management
- Identifying, assessing, responding to, and monitoring risk.
- Risk response
- Avoid, transfer, mitigate, or accept a risk.
- Defense in depth
- Layering controls so no single failure is catastrophic.
- Least privilege
- Granting only the access strictly required.
- Separation of duties
- Splitting tasks so no one person can commit and conceal fraud.
- DAC
- Discretionary Access Control - the owner sets access.
- MAC
- Mandatory Access Control - the system enforces labels.
- RBAC
- Role-Based Access Control - access by role.
- ABAC
- Attribute-Based Access Control - access by attributes and context.
- Bell-LaPadula
- A confidentiality model: no read up, no write down.
- Biba
- An integrity model: no write up, no read down.
- Reference monitor
- The abstract component that mediates all access.
- BIA
- Business Impact Analysis - finds critical functions and impacts.
- RTO
- Recovery Time Objective - target time to restore a function.
- RPO
- Recovery Point Objective - acceptable amount of data loss.
- MTD
- Maximum Tolerable Downtime before serious harm.
- BCP / DRP
- Business Continuity Plan / Disaster Recovery Plan.
- Symmetric encryption
- Encryption with one shared key; fast, for bulk data.
- Asymmetric encryption
- Public/private key pair; key exchange and signatures.
- PKI
- Public Key Infrastructure: certificates and authorities.
- Due care
- Doing what a reasonable person would to protect assets.
- Due diligence
- The ongoing effort to identify risks and verify controls.
- Residual risk
- The risk that remains after controls are applied.
- Federation
- Sharing identity across trust domains for single sign-on.
- SSO
- Single Sign-On - one authentication for access to many systems.
- MFA
- Multi-Factor Authentication - two or more independent factors.
- IAM
- Identity and Access Management - managing identities and their access.
- Hashing
- A one-way function producing a fixed-length digest; used to verify integrity, not to encrypt.
- Digital signature
- A hash encrypted with a private key; proves authenticity and integrity.
- Non-repudiation
- Assurance that someone cannot deny an action they took.
- Salting
- Random data added before hashing to defeat rainbow-table attacks.
- Data classification
- Labelling data by sensitivity (e.g. public, internal, confidential).
- Data owner vs custodian
- The owner is accountable for data; the custodian handles day-to-day protection.
- SLA
- Service Level Agreement - agreed service and availability targets.
- Threat / vulnerability / exploit
- An actor or event, a weakness, and the means used to abuse it.
- ALE / SLE / ARO
- Quantitative risk math: ALE equals SLE times ARO.
- Qualitative vs quantitative risk
- Descriptive ratings versus numeric (monetary) analysis.
- Zero trust
- Never trust, always verify; no implicit trust by network location.
- Clark-Wilson
- An integrity model enforcing well-formed transactions and separation of duties.
- TCB
- Trusted Computing Base - the hardware and software that enforce security policy.
- SIEM
- Security Information and Event Management - central log collection, correlation and alerting.
- DLP
- Data Loss Prevention - controls that stop sensitive data leaving.
- Tokenization
- Replacing sensitive data with a non-sensitive token.
- Change management
- A controlled process for approving and recording system changes.
- Pen test vs vulnerability assessment
- Actively exploiting weaknesses versus identifying and rating them.