Plain-English definitions of terms that recur in CISSP study. Simplified for learning; the ISC2 exam outline is authoritative.
| Term | Definition |
|---|---|
| CIA triad | Confidentiality, Integrity, Availability — the core goals of security. |
| Risk management | Identifying, assessing, responding to, and monitoring risk. |
| Risk response | Avoid, transfer, mitigate, or accept a risk. |
| Defense in depth | Layering controls so no single failure is catastrophic. |
| Least privilege | Granting only the access strictly required. |
| Separation of duties | Splitting tasks so no one person can commit and conceal fraud. |
| DAC | Discretionary Access Control — the owner sets access. |
| MAC | Mandatory Access Control — the system enforces labels. |
| RBAC | Role-Based Access Control — access by role. |
| ABAC | Attribute-Based Access Control — access by attributes and context. |
| Bell-LaPadula | A confidentiality model: no read up, no write down. |
| Biba | An integrity model: no write up, no read down. |
| Reference monitor | The abstract component that mediates all access. |
| BIA | Business Impact Analysis — finds critical functions and impacts. |
| RTO | Recovery Time Objective — target time to restore a function. |
| RPO | Recovery Point Objective — acceptable amount of data loss. |
| MTD | Maximum Tolerable Downtime, the longest a function can be unavailable before serious harm results. |
| BCP / DRP | Business Continuity Plan / Disaster Recovery Plan. |
| Symmetric encryption | Encryption with one shared key; fast, for bulk data. |
| Asymmetric encryption | Public/private key pair; key exchange and signatures. |
| PKI | Public Key Infrastructure: certificates and authorities. |
| Due care | Doing what a reasonable person would to protect assets. |
| Due diligence | The ongoing effort to identify risks and verify controls. |
| Residual risk | The risk that remains after controls are applied. |
| Federation | Sharing identity across trust domains for single sign-on. |