Domain 1

Security Principles
Published

May 22, 2026

Cybersecurity Fundamentals

The CIA Triad

The CIA triad is the foundational model of information security, covering three core properties every secure system must uphold.

Confidentiality

Permitting authorized access to information while protecting it from improper use.

The main challenge is balancing access — giving guest users enough access to be useful, without exposing private data if their machine is compromised.

Term | Definition
PII (Personally Identifiable Information) | Any data about an individual that could be used to identify them
PHI (Protected Health Information) | Health status, trade secrets, research, business plans, and intellectual property
Sensitivity | Sensitive information whose improper disclosure (confidentiality) or modification (integrity) would harm an organization or individual

Integrity

Ensuring the completeness, accuracy, consistency, and usefulness of data.

Integrity starts with awareness of state — the current condition of a system at a given point in time. This documented snapshot is called a baseline. To preserve integrity, information must remain protected throughout every transaction.
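As an added illustration of the baseline idea (example code, not part of the original notes): a baseline is recorded as a set of file digests, and a later snapshot is compared against it so that modified, removed and unexpected files show up as integrity drift. The directory contents below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: an integrity baseline. The baseline is the documented snapshot
# of state; a later snapshot is compared against it to detect changes.
# File names and contents are constructed for illustration only.

def hash_file(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Snapshot every file under root as {relative path: digest}."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(baseline, current):
    """Classify differences between the baseline and a later snapshot."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
        "removed": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }

def demo():
    """Build a constructed directory, baseline it, change it, report drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.conf").write_text("debug=false\n")
        (root / "users.db").write_text("alice,admin\n")
        baseline = take_baseline(root)
        # Simulated unauthorized modification, deletion and addition
        (root / "app.conf").write_text("debug=true\n")
        (root / "users.db").unlink()
        (root / "unexpected.sh").write_text("#!/bin/sh\n")
        return compare_to_baseline(baseline, take_baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored where the monitored system cannot alter it, otherwise a change to the baseline hides a change to the files.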

Availability

Systems and data must be accessible when users need them. This doesn’t mean 100% uptime — it means meeting business requirements for timely and reliable access.


Proving Identity

Authentication

Authentication verifies who you are. There are three common factors:

Factor | Examples
Something you know | Passwords, passphrases, PINs
Something you have | Tokens, memory cards, smart cards
Something you are | Biometrics (fingerprint, face, retina)

  • SFA (Single-Factor Authentication) — uses one factor
  • MFA (Multi-Factor Authentication) — uses two or more factors

Example: An ATM is multi-factor — it requires something you have (card) and something you know (PIN).

Non-repudiation

Non-repudiation ensures people cannot deny actions they performed — such as creating, approving, or sending information. It holds individuals accountable for their transactions.

Examples: SMS confirmation codes, 3D Secure for card payments.


Privacy

Privacy is governed by law, not just technical controls. Implementing security measures alone is not enough to meet privacy regulations — how data is used matters too.

GDPR (General Data Protection Regulation)

The GDPR is an EU law that sets strict rules on how companies collect, store, use, and protect personal data. It gives individuals control over their own information. Even if data is stored securely, usage can still be non-compliant if it is considered excessive.


Risk Management

Risk management involves evaluating the probability of a threat occurring against its potential impact, to determine priority.

Core Concepts

Term | Definition
Asset | Something in need of protection
Vulnerability | A gap or weakness in protection efforts
Threat | Something or someone that aims to exploit a vulnerability

Risk Assessment Process

1. Identification

A continuous process of finding what could go wrong (threats) and what could be affected (assets and vulnerabilities). Covers technical, human, and organizational risks — not just IT.

2. Estimation

Evaluate each identified risk by:

  • Likelihood — how probable is it?
  • Impact — how bad would it be?

3. Prioritization

Rank risks by estimated severity and focus resources accordingly. An organization’s risk tolerance — its willingness to accept risk — guides where thresholds are set.

Example: A company that cannot tolerate downtime invests in backup generators.

4. Risk Treatment

Option | Description
Mitigate | Reduce the risk (e.g. patch systems, enable MFA, use encryption)
Avoid | Stop the risky activity entirely
Transfer | Outsource or insure (e.g. cloud provider, cyber insurance)
Accept | Acknowledge and tolerate the risk
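The estimation, prioritization and treatment steps above, worked through as an added example (not from the original notes) on a small risk register. The 1-5 likelihood and impact scales, the tolerance threshold and the sample risks are constructed assumptions; the asset/threat/vulnerability fields follow the core concepts table.

```python
# Added example: a minimal risk register that carries out the estimation,
# prioritization and treatment steps of the risk assessment process.
# Scales, tolerance threshold and sample risks are constructed assumptions.

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

def estimate(risk):
    """Estimation step: severity = likelihood x impact on the 1-5 scales."""
    return LIKELIHOOD[risk["likelihood"]] * IMPACT[risk["impact"]]

def prioritize(register):
    """Prioritization step: rank risks by estimated severity, highest first."""
    return sorted(register, key=estimate, reverse=True)

def treat(risk, tolerance):
    """Treatment step: a risk within the organization's tolerance is accepted;
    anything above it needs a recorded mitigate/avoid/transfer decision."""
    if estimate(risk) <= tolerance:
        return "accept"
    return risk.get("preferred_treatment", "mitigate")

def build_plan(register, tolerance):
    """Return (asset, threat, severity, treatment) rows in priority order."""
    return [(r["asset"], r["threat"], estimate(r), treat(r, tolerance))
            for r in prioritize(register)]

REGISTER = [  # constructed sample risks
    {"asset": "customer database", "threat": "credential theft",
     "vulnerability": "no MFA on admin logins", "likelihood": "likely",
     "impact": "severe", "preferred_treatment": "mitigate"},
    {"asset": "office printer", "threat": "hardware failure",
     "vulnerability": "no spare unit", "likelihood": "possible",
     "impact": "negligible"},
    {"asset": "payment processing", "threat": "provider outage",
     "vulnerability": "single provider", "likelihood": "unlikely",
     "impact": "major", "preferred_treatment": "transfer"},
]

if __name__ == "__main__":
    # A tolerance of 4 means only low-severity risks are accepted as-is
    for row in build_plan(REGISTER, tolerance=4):
        print(row)
```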

Security Controls

Controls are grouped into three categories:

Physical

Hardware devices and physical protections: badge readers, locks, cameras, fences, security guards, and architectural building features.

Technical

Controls implemented by computer systems and networks: firewalls, encryption, antivirus software, MFA, intrusion detection systems (IDS), and access control mechanisms.

Administrative

Policies, procedures, and organizational measures: security policies, employee training, incident response plans, background checks, risk assessments, access management procedures, and compliance auditing.

Governance Elements

  • Management implements the systems and structures that the organization will use to achieve its goals
  • They are guided by laws and regulations created by governments to enact public policy
  • Laws and regulations guide the development of standards, which cultivate policies, which result in procedures

Term | Definition | Example
Procedure | Detailed step-by-step instructions that explain how to perform a specific task in support of policies | Employee onboarding procedure
Policy | High-level rules set by organizational management that guide actions and ensure alignment with goals, standards, and regulations | Access Control Policy (mandatory MFA)
Standard | Established framework or set of requirements used to support consistent implementation of policies and compliance with regulations | ISO
Regulation | Legally enforced rules issued by governments that organizations must follow, often with penalties for non-compliance | GDPR, HIPAA

Professional Code of Conduct / Code of Ethics

Information security professionals must act honorably, honestly, justly, responsibly and legally. They must protect systems and data while acting within the law, even when doing so is inconvenient or costly.

Example: An administrator with privileged access became involved in a personal conflict with an employee who had reported concerns. Instead of handling the situation through proper reporting channels, the administrator considered or attempted to expose or share system log data in retaliation. This raised an ethical issue because privileged access was being used for personal motives rather than for legitimate administrative or security purposes.