Exam Focus Snapshot
This independent Quick Reference supports candidates preparing for the ISC2 Certified in Cybersecurity (CC) exam, code CC. Use it as a compact review of high-yield cybersecurity fundamentals, especially definitions, control selection, risk thinking, and operational decision points.
The CC exam emphasizes practical understanding across these broad areas:
| Area | What to know for exam questions |
|---|
| Security principles | CIA triad, risk, governance, policies, ethics, privacy, security controls |
| Business continuity and incident response | BIA, BCP, DR, backups, RTO/RPO, incident response phases |
| Access control | Identification, authentication, authorization, accountability, MFA, access models |
| Network security | Ports, protocols, network devices, segmentation, wireless, secure communication |
| Security operations | Monitoring, logging, vulnerability management, patching, malware, physical security |
Core Security Principles
CIA and Supporting Concepts
| Concept | Meaning | Exam cue |
|---|
| Confidentiality | Prevent unauthorized disclosure | Encryption, access control, data classification |
| Integrity | Prevent unauthorized or improper modification | Hashing, checksums, digital signatures, change control |
| Availability | Ensure systems/data are accessible when needed | Redundancy, backups, DR, fault tolerance |
| Authentication | Prove identity | Password, smart card, biometric, MFA |
| Authorization | Grant allowed actions after authentication | Permissions, roles, access rules |
| Accountability | Tie actions to an identity | Logs, audit trails, unique user IDs |
| Nonrepudiation | Prevent denial of an action | Digital signatures, signed receipts, audit evidence |
| Privacy | Proper handling of personal information | Consent, minimization, purpose limitation, retention |
| Safety | Protect people and physical well-being | Fire suppression, evacuation, environmental controls |
Security Design Principles
| Principle | Practical meaning | Common trap |
|---|
| Least privilege | Grant only the access needed to perform duties | Do not confuse with need-to-know; least privilege is about permissions |
| Need-to-know | Access only information required for the role/task | Often used with classified or sensitive data |
| Separation of duties | Split sensitive tasks among multiple people | Prevents fraud and single-person abuse |
| Job rotation | Move staff through roles | Can reveal fraud or process weaknesses |
| Mandatory vacations | Require time away from work | Helps detect hidden abuse by forcing coverage |
| Defense in depth | Use multiple layers of controls | Not one “perfect” tool |
| Fail secure | Failure leaves system protected | Example: locked door on power failure where safety permits |
| Secure by default | Default configuration is restrictive | Default passwords violate this principle |
| Zero trust | Never trust implicitly; verify continuously | Not a single product; it is an architecture approach |
Risk, Threats, Vulnerabilities, and Controls
Risk Vocabulary
| Term | Definition | Example |
|---|
| Asset | Anything of value | Customer data, server, application, reputation |
| Threat | Potential cause of harm | Attacker, fire, malware, insider misuse |
| Threat actor | Entity that exploits a weakness | Criminal group, disgruntled employee |
| Vulnerability | Weakness that can be exploited | Unpatched server, weak password |
| Exploit | Method used to take advantage of a vulnerability | Phishing kit, SQL injection payload |
| Risk | Likelihood and impact of a threat exploiting a vulnerability | Ransomware encrypting a file server |
| Inherent risk | Risk before controls | Raw exposure |
| Residual risk | Risk remaining after controls | Accepted or further treated |
| Control | Safeguard or countermeasure | MFA, firewall, policy, lock |
A common simple risk expression is:
\[
\text{Risk} = \text{Likelihood} \times \text{Impact}
\]
Risk Response Decisions
| Response | Choose when | Example |
|---|
| Avoid | Stop the risky activity | Do not launch a high-risk service |
| Mitigate | Reduce likelihood or impact | Patch systems, add MFA, segment network |
| Transfer | Shift financial/operational impact | Insurance, outsourcing with contracts |
| Accept | Acknowledge and live with risk | Low risk within tolerance |
| Escalate | Risk exceeds authority of current owner | Send to senior leadership/risk committee |
Exam trap: Transferring risk does not remove responsibility. An organization can outsource operations, but it still owns governance and accountability.
Control Categories
| Control type | Purpose | Examples |
|---|
| Administrative / managerial | Direct people and processes | Policies, training, risk assessments, background checks |
| Technical / logical | Enforced by systems | Firewalls, encryption, MFA, access control lists |
| Physical | Protect facilities and hardware | Locks, guards, cameras, badges, fences |
Control Functions
| Function | Goal | Examples |
|---|
| Preventive | Stop an event before it occurs | MFA, locks, firewalls, security awareness |
| Detective | Identify that something happened | Logs, IDS, cameras, audits |
| Corrective | Fix after an incident | Patching, restoring data, reimaging systems |
| Deterrent | Discourage an action | Warning banners, guards, visible cameras |
| Recovery | Restore normal operations | Backups, DR site, failover |
| Compensating | Alternative when preferred control is not feasible | Manual review when automated control is unavailable |
Governance, Policies, and Roles
Documents and Their Strength
| Document | Purpose | Typical wording |
|---|
| Policy | Management intent and mandatory direction | “Must” |
| Standard | Specific mandatory requirement | “Passwords must meet…” |
| Procedure | Step-by-step instructions | “Do these steps in order…” |
| Guideline | Recommended practice | “Should” |
| Baseline | Minimum secure configuration | “Minimum required settings” |
Exam trap: A policy says what is required. A procedure says how to do it.
Security Roles
| Role | Responsibility |
|---|
| Senior management | Ultimately accountable for risk decisions |
| Data owner | Classifies data and decides access requirements |
| Data custodian | Protects and maintains data according to owner rules |
| Data user | Uses data according to policy |
| System owner | Accountable for system operation and security needs |
| Administrator | Implements and maintains technical controls |
| Auditor | Independently reviews compliance and control effectiveness |
Ethics and Professional Conduct
For ISC2 CC exam preparation, expect ethical reasoning questions that favor:
- Protecting society, people, and legitimate interests.
- Acting honestly, legally, and professionally.
- Reporting issues through proper channels.
- Avoiding unauthorized access, even with good intent.
- Maintaining confidentiality unless disclosure is properly authorized or legally required.
Business Continuity, Disaster Recovery, and Incident Response
BCP vs DR vs IR
| Discipline | Primary question | Scope |
|---|
| Business continuity planning | How does the business keep critical functions operating? | People, process, facilities, technology, suppliers |
| Disaster recovery | How are IT systems restored after disruption? | Infrastructure, applications, data, recovery sites |
| Incident response | How are security events handled and contained? | Detection, containment, eradication, recovery, lessons learned |
Key Continuity Metrics
| Metric | Meaning | Exam cue |
|---|
| BIA | Business Impact Analysis; identifies critical processes and impacts | Foundation for BCP priorities |
| RTO | Recovery Time Objective; maximum acceptable time to restore | “How long can we be down?” |
| RPO | Recovery Point Objective; maximum acceptable data loss | “How much data can we lose?” |
| MTD / MTO | Maximum tolerable downtime/outage | Longest outage the business can tolerate |
| MTBF | Mean time between failures | Reliability measure |
| MTTR | Mean time to repair/recover | Maintainability/recovery measure |
High-yield distinction:
- RTO is about time to restore service.
- RPO is about amount of data loss.
Backup Types
| Backup type | What it copies | Restore complexity | Storage use |
|---|
| Full | Everything selected | Simplest | Highest |
| Incremental | Changes since last backup of any type | More complex; restore full plus all incrementals | Lowest |
| Differential | Changes since last full backup | Moderate; restore full plus latest differential | Medium and grows over time |
Recovery Site Types
| Site type | Readiness | Cost tendency | Use case |
|---|
| Hot site | Ready or near-ready to operate | Highest | Critical systems with low downtime tolerance |
| Warm site | Partially equipped/configured | Medium | Moderate recovery needs |
| Cold site | Space and basic utilities | Lowest | Long recovery time acceptable |
Incident Response Lifecycle
| Phase | Actions | Evidence focus |
|---|
| Preparation | Policies, tools, training, contact lists, playbooks | Readiness |
| Detection and analysis | Validate alerts, classify severity, determine scope | Preserve logs and facts |
| Containment | Limit spread or damage | Short-term and long-term containment |
| Eradication | Remove root cause | Malware removal, patching, credential resets |
| Recovery | Restore services safely | Monitor for reinfection or recurrence |
| Lessons learned | Improve controls and process | Post-incident review |
flowchart LR
A[Prepare] --> B[Detect and Analyze]
B --> C[Contain]
C --> D[Eradicate]
D --> E[Recover]
E --> F[Lessons Learned]
F --> A
Evidence and Chain of Custody
| Concept | Why it matters |
|---|
| Chain of custody | Documents who handled evidence, when, and why |
| Integrity of evidence | Shows evidence was not altered |
| Preservation | Prevents accidental modification or destruction |
| Legal hold | Prevents deletion when litigation or investigation is expected |
| Time synchronization | Makes event timelines reliable across systems |
Exam trap: Do not “investigate” by changing a suspect system unnecessarily. Preserve evidence and follow procedure.
Identity and Access Management
IAAA Model
| Step | Question answered | Example |
|---|
| Identification | Who claims to be accessing? | Username, user ID |
| Authentication | Can the claim be proven? | Password, token, biometric |
| Authorization | What is the identity allowed to do? | Role, permission, ACL |
| Accountability | Can actions be traced? | Logs, audit records |
Authentication Factors
| Factor | Description | Examples |
|---|
| Something you know | Secret knowledge | Password, PIN |
| Something you have | Physical/logical possession | Smart card, hardware token, phone app |
| Something you are | Biometric trait | Fingerprint, face, iris |
| Somewhere you are | Location context | Geolocation, network location |
| Something you do | Behavior | Typing pattern, gesture |
MFA requires different factor types. A password plus a PIN is not strong MFA because both are “something you know.”
Access Control Models
| Model | Control basis | Best fit | Exam trap |
|---|
| DAC | Owner controls access | Flexible business sharing | Less centralized control |
| MAC | System/enforced labels and clearances | Highly sensitive/classified environments | Users cannot override labels |
| RBAC | Access based on job role | Enterprise administration | Role explosion can occur |
| ABAC | Attributes and policies | Dynamic, context-aware access | More complex policy design |
| Rule-based | Predefined rules | Firewalls, time-of-day restrictions | Not the same as role-based |
Account and Privilege Controls
| Control | Purpose |
|---|
| Unique user IDs | Support accountability |
| Shared account restriction | Prevent loss of attribution |
| Privileged access management | Control administrator-level access |
| Just-in-time access | Grant elevated access only when needed |
| Account review | Remove stale or excessive permissions |
| Joiner-mover-leaver process | Manage access through employment lifecycle |
| Password policy | Define length, complexity, reuse, and reset expectations |
| Lockout/throttling | Reduce brute-force success |
| Service account management | Limit, monitor, and rotate non-human credentials |
Network Security Reference
OSI Model Quick Map
| Layer | Name | Examples | Security relevance |
|---|
| 7 | Application | HTTP, SMTP, DNS | Web filtering, WAF, application attacks |
| 6 | Presentation | Encoding, encryption formats | TLS, data formatting |
| 5 | Session | Session management | Session hijacking concerns |
| 4 | Transport | TCP, UDP | Ports, firewalls, reliability |
| 3 | Network | IP, ICMP, routing | Routers, IP filtering, segmentation |
| 2 | Data Link | Ethernet, MAC, switches | VLANs, ARP attacks, switching |
| 1 | Physical | Cables, radio, signals | Locks, wiring closets, interference |
Common Protocols and Ports
| Protocol | Port(s) | Purpose | Secure note |
|---|
| FTP | 20/21 | File transfer | Prefer secure alternatives |
| SSH | 22 | Secure remote shell | Replaces Telnet |
| Telnet | 23 | Remote shell | Insecure plaintext |
| SMTP | 25 | Mail transfer | Often paired with secure mail controls |
| DNS | 53 | Name resolution | Protect against spoofing/poisoning |
| DHCP | 67/68 | Dynamic IP assignment | Rogue DHCP is a risk |
| HTTP | 80 | Web traffic | Plaintext |
| Kerberos | 88 | Network authentication | Uses tickets |
| POP3 | 110 | Retrieve email | Plaintext unless protected |
| NTP | 123 | Time synchronization | Important for logs |
| IMAP | 143 | Email access | Plaintext unless protected |
| SNMP | 161/162 | Network management/traps | Use secure versions/configurations |
| LDAP | 389 | Directory access | LDAPS protects with TLS |
| HTTPS | 443 | Secure web traffic | HTTP over TLS |
| SMB | 445 | File/printer sharing | Common lateral movement target |
| LDAPS | 636 | Secure LDAP | LDAP over TLS |
| IMAPS | 993 | Secure IMAP | Email retrieval over TLS |
| POP3S | 995 | Secure POP3 | Email retrieval over TLS |
| RDP | 3389 | Remote desktop | Restrict and protect strongly |
| Technology | Primary function | Choose when |
|---|
| Router | Connects networks and routes traffic | Traffic between IP networks |
| Switch | Connects devices in a LAN | Internal network connectivity |
| VLAN | Logical segmentation on switches | Separate departments, systems, or trust zones |
| Firewall | Allows/blocks traffic by policy | Enforce network boundaries |
| Stateful firewall | Tracks connection state | Most common network filtering scenario |
| Proxy | Intermediates client requests | Content filtering, privacy, logging |
| IDS | Detects suspicious activity | Alerting without inline blocking |
| IPS | Blocks suspicious activity inline | Prevention when false positives are manageable |
| WAF | Filters web application traffic | Protect web apps from application-layer attacks |
| VPN | Encrypted tunnel over untrusted network | Remote access or site-to-site connectivity |
| NAC | Controls device access to network | Enforce posture before connection |
| SIEM | Centralizes and correlates logs | Monitoring, alerting, investigations |
| EDR | Endpoint detection and response | Detect and respond on workstations/servers |
| DLP | Prevents sensitive data leakage | Monitor/control data movement |
| Load balancer | Distributes traffic | Availability and scalability |
Segmentation Patterns
| Pattern | Purpose | Example |
|---|
| DMZ | Place public-facing systems away from internal network | Web server accessible from internet |
| Internal segmentation | Limit lateral movement | Separate finance, HR, production |
| Guest network | Isolate untrusted users/devices | Visitor Wi-Fi |
| Management network | Protect admin interfaces | Separate admin VLAN |
| Zero trust segmentation | Verify access per request/context | Identity-aware access controls |
Wireless Security
| Topic | What to remember |
|---|
| WPA2/WPA3 | Preferred modern wireless protection compared with older weak options |
| Weak protocols | WEP is insecure and should be avoided |
| SSID hiding | Not a strong security control |
| Guest Wi-Fi | Should be segmented from internal resources |
| Rogue access point | Unauthorized AP connected to network |
| Evil twin | Malicious AP impersonating a legitimate one |
Cryptography and PKI
Crypto Concepts
| Concept | Purpose | Example use |
|---|
| Encryption | Protect confidentiality | Encrypt files, disks, network sessions |
| Symmetric encryption | Same key encrypts/decrypts | Fast bulk data encryption |
| Asymmetric encryption | Public/private key pair | Key exchange, digital signatures |
| Hashing | One-way integrity check | File integrity, password storage |
| Salt | Random value added before hashing | Defends against precomputed hash attacks |
| Digital signature | Integrity, authentication, nonrepudiation | Signed software, signed email |
| Certificate | Binds public key to identity | TLS website certificate |
| PKI | System for issuing/managing certificates | CA, certificates, revocation |
| TLS | Protects data in transit | HTTPS |
| Data at rest | Stored data | Full-disk or database encryption |
| Data in transit | Moving data | TLS, VPN |
| Data in use | Actively processed data | Protected by access controls and secure processing |
Hashing vs Encryption
| Feature | Hashing | Encryption |
|---|
| Direction | One-way | Reversible with key |
| Main goal | Integrity | Confidentiality |
| Output | Fixed-length digest | Ciphertext |
| Used for passwords? | Yes, with salt and slow hashing approach | Passwords should not simply be encrypted for storage |
| Used to recover original data? | No | Yes, if key is available |
Certificate and Trust Terms
| Term | Meaning |
|---|
| CA | Certificate Authority that issues certificates |
| Root CA | Trust anchor |
| Intermediate CA | CA below root used to issue certificates |
| CSR | Certificate signing request |
| CRL / OCSP | Certificate revocation checking methods |
| Private key | Must be protected and not shared |
| Public key | Can be distributed |
| Certificate expiration | Certificate no longer valid after its validity period |
Exam trap: A digital signature is created with a private key and verified with the corresponding public key.
Common Threats and Defenses
Attack Types
| Threat | Description | Primary defenses |
|---|
| Phishing | Fraudulent messages to steal credentials or induce action | Awareness, filtering, MFA, reporting |
| Spear phishing | Targeted phishing | Executive/user training, verification |
| Vishing | Voice phishing | Call-back procedures, awareness |
| Smishing | SMS phishing | Mobile awareness, link caution |
| Malware | Malicious software | EDR/AV, patching, least privilege |
| Ransomware | Encrypts/extorts data | Backups, segmentation, EDR, user training |
| Trojan | Malware disguised as legitimate software | Software control, awareness |
| Worm | Self-propagating malware | Patching, segmentation |
| Rootkit | Hides privileged compromise | Secure boot, EDR, rebuild if needed |
| Keylogger | Captures keystrokes | EDR, MFA, safe software practices |
| DoS/DDoS | Disrupts availability | Filtering, capacity, DDoS protection |
| MITM | Intercepts communication | TLS, certificate validation, VPN |
| Password spraying | Tries common passwords across many accounts | MFA, monitoring, lockout/throttling |
| Brute force | Repeated guessing | MFA, lockout, rate limiting |
| SQL injection | Malicious SQL through input | Input validation, parameterized queries |
| XSS | Script injection into web pages | Output encoding, validation, CSP |
| CSRF | Tricks authenticated user into unwanted action | Anti-CSRF tokens, SameSite cookies |
| Insider threat | Misuse by trusted person | Least privilege, monitoring, separation of duties |
| Supply chain attack | Compromise through vendor/software dependency | Vendor risk management, code signing, monitoring |
Social Engineering Red Flags
| Red flag | Why it matters |
|---|
| Urgency | Pressures victim to skip verification |
| Authority | Pretends to be executive, IT, legal, or vendor |
| Fear | Threatens account closure or discipline |
| Scarcity/reward | Offers prize, refund, or rare opportunity |
| Secrecy | Tells user not to tell others |
| Unusual payment/request | Gift cards, wire transfer, credential request |
Security Operations
Operational Processes
| Process | Purpose | Key exam point |
|---|
| Asset management | Know what exists | You cannot protect unknown assets |
| Data classification | Label data by sensitivity | Drives handling and access rules |
| Change management | Control production changes | Reduces outages and unauthorized changes |
| Configuration management | Maintain secure, known states | Baselines and hardening |
| Patch management | Fix known vulnerabilities | Prioritize by risk and criticality |
| Vulnerability management | Identify, assess, remediate weaknesses | Scanning is not the same as fixing |
| Log management | Collect and retain event records | Supports detection and investigations |
| Security monitoring | Identify suspicious activity | SIEM, alerts, dashboards |
| Backup management | Preserve recoverability | Test restores, not just backup jobs |
| Awareness training | Reduce human risk | Phishing, reporting, policy behavior |
| Vendor management | Manage third-party risk | Contracts, reviews, security requirements |
Vulnerability Management Flow
| Step | Action |
|---|
| 1. Discover | Identify assets and vulnerabilities |
| 2. Prioritize | Rank by severity, exploitability, exposure, business impact |
| 3. Remediate | Patch, configure, remove, or compensate |
| 4. Validate | Confirm fix worked |
| 5. Report | Track trends, exceptions, and residual risk |
Exam trap: A vulnerability scan identifies potential weaknesses. A penetration test attempts exploitation under defined rules.
Logging and Monitoring
| Log source | Useful for |
|---|
| Authentication logs | Login success/failure, brute force, account misuse |
| Firewall logs | Allowed/blocked traffic, scanning patterns |
| Endpoint logs | Malware, process execution, device activity |
| Application logs | User actions, errors, business transactions |
| DNS logs | Suspicious domains, malware callbacks |
| Web server logs | Web attacks, access patterns |
| Cloud/SaaS audit logs | Administrative changes and user activity |
| Physical access logs | Badge access, facility investigations |
Alert Triage Questions
- Is the alert valid or a false positive?
- What asset, user, or data is affected?
- Is the activity still ongoing?
- What is the business impact?
- Is containment required now?
- What evidence must be preserved?
- Who must be notified according to procedure?
Physical and Environmental Security
| Control | Purpose | Notes |
|---|
| Badge/access card | Restrict facility entry | Must be deprovisioned when access ends |
| Biometrics | Strong physical authentication | Consider false acceptance/rejection and privacy |
| Mantrap | Prevent tailgating/piggybacking | One person authenticated at a time |
| Security guard | Deterrent and response | Can verify identity and handle exceptions |
| CCTV | Detection and deterrence | Requires monitoring/retention process |
| Locks | Basic physical prevention | Keys must be managed |
| Fencing/bollards | Perimeter and vehicle control | Physical boundary protection |
| Fire detection/suppression | Life safety and equipment protection | Safety first |
| HVAC | Temperature/humidity control | Supports availability |
| UPS | Short-term power continuity | Bridges outages or generator startup |
| Generator | Longer-term power support | Requires fuel and testing |
| Cable locks | Protect portable assets | Reduces theft risk |
| Secure disposal | Prevent data recovery | Shred, degauss, wipe, destroy as appropriate |
Data Security and Privacy Basics
Data Lifecycle
| Stage | Security focus |
|---|
| Create/collect | Collect only what is needed; classify early |
| Store | Encrypt, restrict access, back up |
| Use | Enforce least privilege and monitoring |
| Share/transmit | Use approved channels and encryption |
| Archive | Retain according to policy and business/legal needs |
| Destroy | Use approved secure disposal methods |
Data Handling Terms
| Term | Meaning |
|---|
| Data classification | Assign sensitivity level |
| Data labeling | Mark data with classification |
| Data handling | Rules for storage, sharing, transmission, disposal |
| Data retention | How long data is kept |
| Data minimization | Keep only necessary data |
| Masking | Hide part of data from view |
| Tokenization | Replace sensitive value with token |
| Anonymization | Remove identifying details so individuals cannot reasonably be identified |
| Pseudonymization | Replace identifiers while retaining possible re-linking under controls |
High-Yield Decision Tables
Which Control Fits the Scenario?
| Scenario | Best control direction |
|---|
| Users reuse weak passwords | MFA, password policy, awareness |
| Admins have excessive rights | Least privilege, privileged access management, access review |
| Public web app attacked with injection | Secure coding, input validation, WAF, testing |
| Malware spreads between workstations | EDR, patching, segmentation, least privilege |
| Need proof a file was not changed | Hashing or digital signature |
| Need secret communication over internet | TLS or VPN |
| Need recoverability after ransomware | Offline/immutable backups, tested restore, segmentation |
| Need detect suspicious logins | Central logging, SIEM rules, authentication monitoring |
| Need stop unauthorized people entering data center | Badges, guards, mantrap, CCTV |
| Need ensure vendors meet security expectations | Contract requirements, vendor risk assessment, monitoring |
Prevention vs Detection vs Response
| If the question asks for… | Think of… |
|---|
| Stop it before it happens | Preventive controls |
| Know it happened | Detective controls |
| Restore after it happens | Recovery controls |
| Fix root cause | Corrective controls |
| Discourage behavior | Deterrent controls |
| Alternative control | Compensating controls |
Common Exam Traps
| Trap | Correct thinking |
|---|
| “The best control is always technical.” | Administrative and physical controls may be the best answer depending on scenario. |
| “Encryption provides integrity by itself.” | Encryption mainly protects confidentiality; hashing/signatures support integrity. |
| “Authentication and authorization are the same.” | Authentication proves identity; authorization grants permissions. |
| “Backups are enough.” | Backups must be protected and restore-tested. |
| “A policy gives step-by-step actions.” | Procedures provide step-by-step actions. |
| “IDS blocks attacks.” | IDS detects/alerts; IPS blocks inline. |
| “Risk transfer removes accountability.” | Accountability remains with the organization. |
| “MFA means any two credentials.” | MFA requires different factor categories. |
| “RTO and RPO are interchangeable.” | RTO is downtime; RPO is data loss. |
| “Accepting risk means ignoring it.” | Accepted risk should be documented and authorized. |
Final Review Checklist
Before exam day, make sure you can:
- Distinguish confidentiality, integrity, availability, authentication, authorization, accountability, and nonrepudiation.
- Match administrative, technical, and physical controls to scenarios.
- Choose preventive, detective, corrective, deterrent, recovery, or compensating controls.
- Explain risk terms: asset, threat, vulnerability, exploit, likelihood, impact, residual risk.
- Compare avoid, mitigate, transfer, accept, and escalate.
- Identify BIA, BCP, DR, RTO, RPO, backups, and recovery site concepts.
- Walk through the incident response lifecycle.
- Compare DAC, MAC, RBAC, ABAC, and rule-based access.
- Recognize common ports, protocols, and network security devices.
- Explain symmetric encryption, asymmetric encryption, hashing, digital signatures, certificates, and TLS.
- Select appropriate defenses for phishing, malware, ransomware, web attacks, and password attacks.
- Apply secure operations concepts: patching, vulnerability management, logging, monitoring, change control, and physical security.
Practical Next Step
Use this Quick Reference to identify weak areas, then move into timed ISC2 CC-style practice questions. After each missed question, write down the tested concept, the clue in the wording, and why the correct control or process was the best fit.