CIA triad, access control, and privacy
Every security decision ultimately protects one or more of three properties. Confidentiality ensures information is accessible only to authorized parties. Integrity ensures data is accurate, complete, and not tampered with. Availability ensures systems and information are accessible to authorized users when needed. These three properties form the CIA triad, and attackers target one or more of them in every breach. A ransomware attack destroys availability. Data exfiltration violates confidentiality. Unauthorized modification of records attacks integrity.
Access control limits who or what can interact with a resource. The three components of access control are: identification (claiming an identity), authentication (proving that identity), and authorization (determining what the verified identity can do). Least privilege means users should have only the access they need to perform their job and nothing more. Need to know is a stricter principle applied in classified environments: even if you have the clearance level, you only access information directly relevant to your current task.
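Added example, not part of the original guide: a small Python model of the three access-control steps just described, in which the clearance check (least privilege) and the project-tag check (need to know) are separate gates that must both pass. All user names, passwords, documents and project names are constructed for illustration.

```python
import hashlib, hmac, secrets

# Constructed sample data (not from the original page).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def _hash(password, salt):
    # Slow salted hash so stored credentials are not plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(name, password, clearance, projects):
    salt = secrets.token_bytes(16)
    return {"name": name, "salt": salt, "pw": _hash(password, salt),
            "clearance": clearance, "projects": frozenset(projects)}

USERS = {u["name"]: u for u in [
    make_user("alice", "correct horse", "secret", {"falcon"}),
    make_user("bob", "battery staple", "secret", {"osprey"}),
    make_user("carol", "paper clip", "internal", {"falcon"}),
]}

# Each document has a sensitivity level and, if compartmented, a project tag.
DOCS = {
    "falcon-budget.xlsx": {"level": "confidential", "project": "falcon"},
    "osprey-plan.docx": {"level": "secret", "project": "osprey"},
    "lunch-menu.txt": {"level": "public", "project": None},
}

def authenticate(claimed_name, password):
    # Identification: the caller claims a name. Authentication: prove it.
    user = USERS.get(claimed_name)
    if user is None or not hmac.compare_digest(_hash(password, user["salt"]), user["pw"]):
        return None
    return user

def authorize(user, doc_name):
    # Authorization: two independent gates must both pass.
    doc = DOCS[doc_name]
    if LEVELS[user["clearance"]] < LEVELS[doc["level"]]:
        return False  # least privilege: clearance too low for this level
    if doc["project"] and doc["project"] not in user["projects"]:
        return False  # need to know: cleared, but not on this project
    return True

def access(claimed_name, password, doc_name):
    # The full decision path: identify, authenticate, then authorize.
    user = authenticate(claimed_name, password)
    if user is None:
        return "denied: authentication failed"
    return "granted" if authorize(user, doc_name) else "denied: not authorized"
```

Note that alice holds a secret clearance yet is still refused the osprey plan: clearance alone never satisfies need to know.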
Privacy refers to the right of individuals to control information about themselves. Personally Identifiable Information (PII) is any information that can identify a specific person: name, address, date of birth, national ID number. Privacy regulations like GDPR define how organizations must collect, store, and dispose of PII. Security professionals protect privacy by ensuring PII is only accessible to those with a legitimate need and is disposed of when no longer required.
Incident response, business continuity, and ethics
When something goes wrong, incident response provides a structured way to detect, contain, and recover. The CC exam tests the phases: preparation (establishing policies, tools, and teams), detection (identifying that an incident has occurred), containment (limiting the damage), eradication (removing the cause), recovery (restoring normal operations), and post-incident activity (reviewing what happened and improving). Understanding what comes first versus last matters: you contain before you eradicate, and you eradicate before you recover.
Business continuity planning ensures the organization can continue critical operations during a disruption. A Business Impact Analysis (BIA) identifies which systems and processes are most critical and quantifies the impact of their failure. Recovery Point Objective (RPO) is the maximum acceptable data loss measured in time. Recovery Time Objective (RTO) is the maximum acceptable downtime. Disaster Recovery (DR) focuses specifically on restoring IT systems after a catastrophic event, while Business Continuity is broader and covers how the organization operates during the disruption.
Professional ethics in cybersecurity mean using access and knowledge responsibly. ISC2's Code of Ethics includes four mandatory canons: protect society, act honorably and responsibly, provide competent service, and advance the profession. The CC exam may present ethical dilemmas where candidates must identify the most ethical course of action according to these principles.
How to choose the correct answer
CIA triad: Confidentiality (prevent unauthorized access), Integrity (prevent unauthorized modification), Availability (prevent unauthorized denial of access).
Access control: Identification (who you claim to be) + Authentication (proving it) + Authorization (what you can do).
Least privilege: the minimum access needed to do the job. Need to know: even with the required access level, only access what is relevant to your current task.
Incident response order: Preparation, Detection, Containment, Eradication, Recovery, Post-Incident review.
RPO: maximum data loss tolerable. RTO: maximum downtime tolerable. Both drive recovery system design.
ISC2 Code of Ethics first canon: protect society, the public interest, the common good.