adam's notes

Domain 1 - Security Concepts and Practices
Security Concepts
Privacy Compliance
Code of Ethics
Resource Security
Data Security
Data Lifecycle
Security Standards
Baseline Security Standard Elements
Standards and Frameworks
Authentication
Security Controls
Assessing Security Controls
Security Awareness Training
Physical Security
Datacenter Protection
Physical Access Control
Visitor Management

❯

❯

Domain 1 Security Concepts and Practices

Domain 1 - Security Concepts and Practices

Important

This is based off Mike Chapple’s ISC2 SSCP 2024 Course, not the textbook.

Security Concepts

CIA Triad
CIANA+PS
Digital Signature
Digital Certificate
Need to Know
Principle of Least Privilege
Separation of duties
- aka segregation of duties
M-of-N Control
- aka dual control or two-person control
Nonrepudiation

Privacy Compliance

Personally Identifiable Information (PII)
Protected Health Information (PHI)
Generally Accepted Privacy Principles (GAPP)
Privacy Impact Assessment (PIA)
Universal Declaration of Human Rights
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Data Minimization

Code of Ethics

ISC2 Code of Ethics

Resource Security

Information Lifecycle

Data Security

Data Security Roles

Data Lifecycle

Create
Store
Use
Share
Archive
Destroy

Security Standards

Baseline Security Standard Elements

Administered by a named individual
Protected against unauthorized access
Don’t jeopardize other systems or data
Remain under positive control

Standards and Frameworks

ISO
- 27000
- 27001 - covers control objectives
- 27002 - covers control implementation
- 27701 - covers privacy controls
- 30001 - covers risk management programs
NIST 800-53
NIST Cybersecurity Framework (CSF)
NIST Risk Management Framework (RMF)
FedRAMP
Sherwood Applied Business Security Architecture (SABSA)

Authentication

used in two different ways:
1. information is authenticated by confirming that all of the metadata about its creation, transmission, and receipt convey that the chain of trust from creator through sender to recipient has not been violated
2. in access control terms, authentication validates that the requesting subject is who or what they claim that they are and that this identity is known o the system
in 1984 the Computer Fraud and Abuse Act (CFAA) extended the same concept of unauthorized entry into the virtual worlds of information systems

Security Controls

Defense in Depth
Functional Security Controls
Security Policy Framework
DevOps and DevSecOps

Assessing Security Controls

ITIL Security KPIs
Key Risk Indicators (KRIs)

Security Awareness Training

Security, Awareness, Training, and Education (SATE)
Elements of Social Engineering

Physical Security

Datacenter Protection

Cold aisle
Fire Extinguisher Classes
Networking Fire Suppression

Physical Access Control

Locks
Mantrap

Visitor Management

Graph View

Backlinks

C845 - Information Systems Security (SSCP)

Created with Quartz v4.5.2 © 2026

CC BY-NC-SA
adamfurman.me