Defense in Depth
Defense in depth layers multiple independent controls so that the failure of any one does not expose the asset. CISSP treats it as a core secure-design principle alongside least privilege and secure defaults.
Defense in depth layers multiple independent controls so that the failure of any one does not expose the asset. CISSP treats it as a core secure-design principle alongside least privilege and secure defaults.
The CIA triad is the trio of confidentiality, integrity, and availability that underpins nearly every information-security decision.
Risk management is the process of identifying, assessing, treating, and monitoring risk so that residual risk stays within an organization's tolerance.
Quantitative risk analysis expresses risk in monetary terms, chiefly through SLE × ARO = ALE (single loss expectancy times annualized rate of occurrence equals annualized loss expectancy).
Residual risk is the risk that remains after controls have been applied.
Defense in depth layers multiple independent controls so that the failure of any one does not expose the asset.
Least privilege grants each subject only the access strictly required to perform its function, and no more.
Bell-LaPadula is a confidentiality-focused security model enforcing 'no read up, no write down' to protect classified data.
The Biba model is an integrity-focused security model enforcing 'no read down, no write up' so trusted data is not contaminated by lower-integrity sources.
Public Key Infrastructure (PKI) is the framework of certificate authorities, certificates, and keys that binds identities to public keys and enables trust.
Symmetric encryption uses a single shared secret key for both encryption and decryption, making it fast but requiring secure key distribution.
Access control models — DAC, MAC, RBAC, and ABAC — define how access decisions are made and who sets them.
Federated identity lets users authenticate once with a trusted identity provider and access resources across independent domains, using standards such as SAML and OIDC.
Recovery Time Objective (RTO) is the maximum tolerable time to restore a service, and Recovery Point Objective (RPO) is the maximum tolerable data loss measured in time.
Security operations covers the day-to-day protective work of monitoring, incident response, forensics, and change and configuration management.
The Software Development Life Cycle (SDLC) is the structured process for building software, into which CISSP embeds security at every phase.