
DOMAIN 1 : SECURITY PRINCIPLES

module 1 :
understand the concepts of information security :
THE CIA TRIAD : Confidentiality Integrity Availability
*Confidentiality : - confidentiality means that no private information has been
disclosed to unauthorized individuals;
- confidentiality is a hard balance to achieve , that's why we need
data classification!
- personally identifiable information (PII) such as name , address ,
etc ...
- protected \ personal health information (PHI) such as medical
histories , test and laboratory results , etc ...
*INTEGRITY : - integrity ensures that this information is not being corrupted
or changed without the information owner's permission .
*Availability : - means that authorized users have access to important information
in a timely manner .
example of the CIA TRIAD :
/My bank account's information is to be kept confidential
/No one can change my information unless authorized
/The banking system , online website and app are always available

security terminology :
*Authentication : - authentication is a process to prove the identity of the
requestor;
- methods of authentication : passwords (something you know) , smart cards
(something you have) , biometrics (something you are) ...
- types of authentication : /single-factor authentication (SFA)
/multi-factor authentication (MFA)
*Authorization : - authorization is the function of specifying access
rights/privileges to resources
- authentication is confirming the identity of the subject; once a
subject has been authenticated , the system checks its AUTHORIZATION to see if it is
allowed to complete the action it is attempting
*Non-repudiation : - the protection against an individual falsely denying having
performed a particular action (created , altered , observed , or transmitted
data ).
*Privacy : - the right of an individual to control the distribution of information
about themselves
- Privacy vs Security --> Privacy refers to the user's ability to
control , access , and regulate their personal information , and SECURITY refers to
the system that protects that data from getting into the wrong hands
- GDPR : General Data Protection Regulation

module 2 : UNDERSTAND THE RISK MANAGEMENT PROCESS :


*Risk : - the adverse IMPACT that would arise if the circumstance or event occurs ;
- the LIKELIHOOD of occurrence ;
--> RISK = LIKELIHOOD * IMPACT
RISK MANAGEMENT TERMINOLOGY :
*Vulnerability : - is a gap or weakness in an organization's protection of its
valuable assets , including information
*Asset : - an asset is something that has value and is in need of protection
*Threat : - is something or someone that aims to exploit a vulnerability to gain
unauthorized access (NATURAL THREATS SUCH AS A DISASTER , UNINTENTIONAL THREATS LIKE
THE MISTAKE OF AN EMPLOYEE , INTENTIONAL THREATS SUCH AS MALWARE )
RISK IDENTIFICATION :
*identify risk to protect against it
*it is not a one-and-done activity
*employees at all levels of the organization are responsible for identifying risk
*security professionals participate in risk assessment by focusing on :
-needed security controls
-risk monitoring
-planning
-incident response
RISK ASSESSMENT :
*risk assessment goal : risks must be linked to business goals , objectives ,
assets or processes
RISK PRIORITIES - RISK ANALYSIS :
*Quantitative risk analysis
*Qualitative risk analysis
RISK TREATMENT :
*making a decision about the best actions to take regarding the identified and
prioritized risk
*options : -AVOIDANCE : the decision to attempt to eliminate the risk entirely
-ACCEPTANCE : taking no action to reduce the likelihood of a risk
occurring
-MITIGATION : taking actions to prevent or reduce the possibility of a
risk event or its impact
-TRANSFER : passing the risk to another party , who will accept the
financial impact of the harm resulting from a risk
*RISK APPETITE VS RISK TOLERANCE
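The module 2 flow (identify, score with RISK = LIKELIHOOD * IMPACT, prioritize, pick a treatment) as an added worked example; it is not part of the study notes. The 1..5 qualitative scales, the sample risk register, and the reading of appetite as "score accepted as-is" and tolerance as "highest score the organization will carry before avoiding the activity" are assumptions made for illustration.

```python
"""Qualitative risk register: score, rank, and recommend a treatment option."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int          # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int              # assumed scale: 1 (negligible) .. 5 (severe)
    transferable: bool = False   # can the financial impact be insured/outsourced?

    @property
    def score(self) -> int:
        # RISK = LIKELIHOOD * IMPACT, as in the notes
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject register entries that fall outside the agreed 1..5 scales."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: likelihood/impact must be 1..5")


def recommend(risk: Risk, appetite: int, tolerance: int) -> str:
    """Map a score to AVOID / MITIGATE / TRANSFER / ACCEPT (assumed policy)."""
    validate(risk)
    if risk.score <= appetite:
        return "ACCEPT"      # within appetite: take no action, keep monitoring
    if risk.score > tolerance:
        return "AVOID"       # beyond tolerance: eliminate the risky activity
    # between appetite and tolerance: reduce it, or hand the cost to a third party
    return "TRANSFER" if risk.transferable else "MITIGATE"


def prioritize(register, appetite: int = 4, tolerance: int = 16):
    """Return (name, score, treatment) tuples, highest risk first."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, recommend(r, appetite, tolerance)) for r in ranked]


# Constructed sample register (not real assessment data)
REGISTER = [
    Risk("Storing card numbers in plaintext", 4, 5),
    Risk("Ransomware on file server", 4, 4),
    Risk("Laptop theft with unencrypted PII", 3, 4, transferable=True),
    Risk("Employee misconfigures firewall", 3, 3),
    Risk("Flood at primary data centre", 1, 5, transferable=True),
    Risk("Visitor reads meeting-room whiteboard", 2, 1),
]

if __name__ == "__main__":
    for name, score, action in prioritize(REGISTER):
        print(f"{score:>2}  {action:<8} {name}")
```

Changing `appetite` and `tolerance` shows how the same register yields different treatment decisions for organizations with different risk appetites.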

module 3 : UNDERSTAND SECURITY CONTROLS (safeguards):


*Security controls pertain to the physical , technical and administrative
mechanisms to protect the CIA (confidentiality , integrity , availability ) of the
system and its information.
*PHYSICAL SECURITY CONTROLS are implemented through a tangible mechanism
*TECHNICAL CONTROLS also called LOGICAL CONTROLS are security controls that
computer systems and networks directly implement
*ADMINISTRATIVE CONTROLS also called MANAGERIAL CONTROLS are directives ,
guidelines or advisories aimed at the people within the organization.

module 4 : UNDERSTAND GOVERNANCE ELEMENTS :


*REGULATIONS : regulations are commonly issued in the form of laws , usually from
government and typically carry financial penalties for noncompliance ( HIPAA for
health and GDPR )
*STANDARDS : are often used by governance teams to provide a framework to introduce
policies and procedures in support of regulations ( ISO , NIST , IEEE )
*POLICIES : are put in place by organizational governance to provide guidance in
all activities to ensure that the organization supports industry standards and
regulations ( clean desk policy , HR policy )
*PROCEDURES : are detailed steps to complete a task that support departmental or
organizational policies ( update procedure ....)

module 5 : ISC2 CODE OF ETHICS :


1- protect society , the common good , necessary public trust and confidence , and
the infrastructure
2- act honorably , honestly , justly , responsibly and legally
3- provide diligent and competent service to principals
4- advance and protect the profession
