Domain 1
Cybersecurity Fundamentals
The CIA Triad
The CIA triad is the foundational model of information security, covering three core properties every secure system must uphold.
Confidentiality
Permitting authorized access to information while protecting it from improper disclosure.
The main challenge is balancing access against exposure: users (including guests and contractors) need enough access to do their work, while a compromised account or device should expose as little private data as possible. Granting each role only the access it actually needs keeps that exposure small.
| Term | Definition |
|---|---|
| PII (Personally Identifiable Information) | Any data about an individual that could be used to identify them (name, address, national ID, biometric data) |
| PHI (Protected Health Information) | Information about an individual's health status, the care they receive, or payment for that care |
| Classified or sensitive information | Trade secrets, research, business plans, and intellectual property whose improper disclosure or modification would harm the organization |
| Sensitivity | The importance an owner assigns to information, and therefore the level of protection it needs; improper disclosure harms confidentiality, improper modification harms integrity |
Integrity
Ensuring the completeness, accuracy, consistency, and usefulness of data.
Integrity starts with awareness of state, the condition of a system at a given point in time. A documented, trusted snapshot of that state is called a baseline; comparing later states against it is how unauthorized change is detected. To preserve integrity, information must be protected from improper modification while stored, processed, and transmitted.
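As an added worked example (not part of the original notes), the script below turns the baseline idea into code: it records the SHA-256 of each file as the known-good state, reports what was modified, added, or removed in a later snapshot, and seals the baseline with an HMAC so that an intruder who rewrites the baseline file is also caught. The sample file tree, the seal key, and the helper names (`build_baseline`, `compare`, `seal_baseline`) are this example's own assumptions; the HMAC key is assumed to be kept off the monitored host.

```python
"""Integrity baseline check, added as an illustration (not from the original notes).

A baseline is a documented, trusted snapshot of state; here it is the SHA-256 of
every file. Later snapshots are compared against it to detect modification.
Because the baseline itself is data an intruder may try to rewrite, it is
sealed with an HMAC whose key is assumed to live off the monitored host.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List

Baseline = Dict[str, str]  # relative path -> hex SHA-256 of content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Record the known-good digest of each file (path -> content mapping)."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def read_tree(root: str) -> Dict[str, bytes]:
    """Load every regular file under `root` (fine for config trees, not for /usr)."""
    files: Dict[str, bytes] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def compare(baseline: Baseline, current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify drift from the baseline into modified, added and removed paths."""
    now = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
    }


def seal_baseline(baseline: Baseline, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form, so edits to the stored baseline are detectable."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_authentic(baseline: Baseline, seal: str, key: bytes) -> bool:
    """Constant-time check that the baseline matches its seal."""
    return hmac.compare_digest(seal_baseline(baseline, key), seal)


if __name__ == "__main__":
    # Constructed sample tree: a small "system" as it looked when the baseline was taken.
    known_good = {
        "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
    }
    seal_key = b"demo-key-kept-off-host"  # constructed; a real deployment uses a random key
    baseline = build_baseline(known_good)
    seal = seal_baseline(baseline, seal_key)

    # Later snapshot: root login re-enabled, backup script trojaned, a cron job added.
    later = {
        "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
        "usr/local/bin/backup.sh": b"#!/bin/sh\ncp /etc/shadow /tmp/.s; tar czf /srv/backup.tgz /srv/data\n",
        "etc/cron.d/persist": b"* * * * * root /usr/local/bin/backup.sh\n",
    }
    assert baseline_is_authentic(baseline, seal, seal_key)
    print(compare(baseline, later))
    # {'modified': ['etc/ssh/sshd_config', 'usr/local/bin/backup.sh'], 'added': ['etc/cron.d/persist'], 'removed': []}
```

Two design points worth noting: the comparison hashes content rather than relying on timestamps or sizes, which an attacker can trivially restore, and the seal is computed over a canonical serialization so that a reordered but otherwise identical baseline still verifies while any changed digest does not.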
Availability
Systems and data must be accessible when users need them. This doesn’t mean 100% uptime — it means meeting business requirements for timely and reliable access.
Proving Identity
Authentication
Authentication verifies who you are. There are three common factors:
| Factor | Examples |
|---|---|
| Something you know | Passwords, passphrases, PINs |
| Something you have | Tokens, memory cards, smart cards |
| Something you are | Biometrics (fingerprint, face, retina) |
- SFA (Single-Factor Authentication) — uses one factor
- MFA (Multi-Factor Authentication) — uses two or more factors
Example: An ATM is multi-factor — it requires something you have (card) and something you know (PIN).
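The following is an added example, not code from the original notes, showing what a multi-factor check looks like in a login service: a password (something you know) stored as a salted PBKDF2 hash, plus a TOTP code (something you have) from an authenticator app, computed per RFC 6238 from a shared secret. Both factors are evaluated and a single yes/no is returned, and an accepted code cannot be replayed. The `User` record, the `enroll`/`authenticate` helper names, and the demo password are this example's own assumptions; the TOTP secret is the RFC 6238 test-vector key.

```python
"""Two-factor login check, added as an illustration (not from the original notes).

Something you know: a password, stored as a salted PBKDF2-HMAC-SHA256 hash.
Something you have: an authenticator app producing RFC 6238 TOTP codes from a
shared secret. Names (User, enroll, authenticate) are this example's own.
"""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256
TOTP_STEP = 30               # seconds per time step (RFC 6238 default)


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    iterations: int
    totp_secret: bytes
    last_totp_counter: int = -1  # highest time step already accepted; blocks code replay


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def enroll(password: str, totp_secret: bytes, iterations: int = PBKDF2_ITERATIONS) -> User:
    """Create the stored record; the plaintext password is never kept."""
    salt = os.urandom(16)
    return User(salt, hash_password(password, salt, iterations), iterations, totp_secret)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(now // step), digits)


def check_password(user: User, password: str) -> bool:
    candidate = hash_password(password, user.salt, user.iterations)
    return hmac.compare_digest(candidate, user.password_hash)  # constant-time compare


def match_totp(user: User, code: str, now: float, skew: int = 1) -> Optional[int]:
    """Return the time step the code matches (allowing +/- `skew` steps of clock
    drift) or None; steps at or below the last accepted one are never reusable."""
    current = int(now // TOTP_STEP)
    for counter in range(current - skew, current + skew + 1):
        if counter <= user.last_totp_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            return counter
    return None


def authenticate(user: User, password: str, code: str, now: Optional[float] = None) -> bool:
    """Both factors must pass. Both are always evaluated and a single bool is
    returned, so the caller cannot tell which factor failed; the TOTP step is
    consumed only on a fully successful login."""
    if now is None:
        now = time.time()
    password_ok = check_password(user, password)
    matched = match_totp(user, code, now)
    if password_ok and matched is not None:
        user.last_totp_counter = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed demo user; the secret is the RFC 6238 test-vector key.
    secret = b"12345678901234567890"
    user = enroll("correct horse battery staple", secret)
    code = totp(secret, time.time())  # what the authenticator app would show right now
    print(authenticate(user, "correct horse battery staple", code))  # True
    print(authenticate(user, "correct horse battery staple", code))  # False: same code replayed
```

The ATM analogy holds: a stolen password alone, or a glimpsed code alone, is not enough, and because the service never reports which factor failed, an attacker cannot confirm a password guess by watching for "bad code" errors. The one-step skew window tolerates phone clock drift without reopening already-used codes.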
Non-repudiation
Non-repudiation ensures people cannot deny actions they performed — such as creating, approving, or sending information. It holds individuals accountable for their transactions.
Examples: digital signatures on documents, e-mail, or code; in card payments, SMS confirmation codes and 3D Secure give the merchant evidence that the cardholder approved the transaction.
Privacy
Privacy is governed by law, not just technical controls. Implementing security measures alone is not enough to meet privacy regulations — how data is used matters too.
GDPR (General Data Protection Regulation)
The GDPR is an EU law that sets strict rules on how companies collect, store, use, and protect personal data. It gives individuals control over their own information. Even if data is stored securely, usage can still be non-compliant if it is considered excessive.
Risk Management
Risk management involves evaluating the probability of a threat occurring against its potential impact, to determine priority.
Core Concepts
| Term | Definition |
|---|---|
| Asset | Something in need of protection |
| Vulnerability | A gap or weakness in protection efforts |
| Threat | Something or someone that aims to exploit a vulnerability |
Risk Assessment Process
1. Identification
A continuous process of finding what could go wrong (threats) and what could be affected (assets and vulnerabilities). Covers technical, human, and organizational risks — not just IT.
2. Estimation
Evaluate each identified risk by:
- Likelihood — how probable is it?
- Impact — how bad would it be?
3. Prioritization
Rank risks by estimated severity and focus resources accordingly. An organization’s risk tolerance — its willingness to accept risk — guides where thresholds are set.
Example: A company that cannot tolerate downtime invests in backup generators.
4. Risk Treatment
| Option | Description |
|---|---|
| Mitigate | Reduce the risk (e.g. patch systems, enable MFA, use encryption) |
| Avoid | Stop the risky activity entirely |
| Transfer | Outsource or insure (e.g. cloud provider, cyber insurance) |
| Accept | Acknowledge and tolerate the risk |
Security Controls
Controls are grouped into three categories:
Physical
Hardware devices and physical protections: badge readers, locks, cameras, fences, security guards, and architectural building features.
Technical
Controls implemented by computer systems and networks: firewalls, encryption, antivirus software, MFA, intrusion detection systems (IDS), and access control mechanisms.
Administrative
Policies, procedures, and organizational measures: security policies, employee training, incident response plans, background checks, risk assessments, access management procedures, and compliance auditing.
Governance Elements
- Management implements the systems and structures the organization uses to achieve its goals
- They are guided by laws and regulations that governments create to enact public policy
- Laws and regulations guide the development of standards, which shape policies, which are carried out through procedures.
| Term | Definition | Example |
|---|---|---|
| Procedure | Detailed step-by-step instructions that explain how to perform a specific task in support of policies. | Employee onboarding procedure |
| Policy | High-level rules set by organizational management that guide actions and ensure alignment with goals, standards, and regulations. | Access Control Policy (mandatory MFA) |
| Standard | Established framework or set of requirements used to support consistent implementation of policies and compliance with regulations. | ISO/IEC 27001, NIST SP 800-53 |
| Regulation | Legally enforced rules issued by governments that organizations must follow, often with penalties for non-compliance. | GDPR, HIPAA |
Professional Code of Conduct / Code of Ethics
Information security professionals must act honorably, honestly, justly, responsibly, and legally, protecting systems and data even when doing so is inconvenient or costly.
Example: An administrator with privileged access became involved in a personal conflict with an employee who had reported concerns based on system logs. Instead of handling the situation through proper reporting channels, the administrator considered or attempted to expose or share log data in retaliation. This is an ethical issue because privileged access was used for personal motives rather than for legitimate administrative or security purposes.