ISC CC - CC - Certified in Cybersecurity

ICMP is used for network diagnostics, including ping operations that test host availability. RFC 792 defines ICMP behavior.

Phishing uses deceptive messages—often emails or websites—to trick users into revealing sensitive information. Spoofing is often used as a technique within phishing attacks.

Information security is fundamentally built on theCIA triad:Confidentiality, Integrity, and Availability. These three principles form the cornerstone of nearly all cybersecurity frameworks, including NIST, ISO/IEC 27001, and CIS controls.

Confidentialityensures that information is accessible only to authorized individuals and systems.

Integrityensures that data remains accurate, complete, and unaltered except by authorized actions.

Availabilityensures that systems and data are accessible to authorized users when needed.

Accessibility, while related to usability and system design, isnota core pillar of information security. In fact, security controls often intentionallylimitaccessibility to protect systems and data. Accessibility focuses on ensuring ease of access (often in the context of user experience or disability access), whereas security focuses oncontrolled access.

Confusing accessibility with availability is common, but they are not the same. Availability is about reliable access forauthorized users, while accessibility is about ease of access in general. Therefore, accessibility is not one of the foundational elements upon which information security is built.

This distinction is critical for understanding security architecture and governance.

In Business Continuity Planning (BCP), the termbusinessrefers primarily to theoperational aspects of the organization—the people, processes, and activities required to deliver products and services. While IT systems, finances, and facilities support operations, BCP focuses on ensuring thatcritical business functions continueduring and after disruptions.

This includes customer service, supply chain operations, payroll, compliance activities, and decision-making processes. BCP is broader than disaster recovery, which focuses mainly on restoring IT systems. According to NIST SP 800-34, business continuity emphasizes mission-essential functions and their dependencies, including personnel, third parties, facilities, and technology.

A disaster recovery team typically includes executive leadership, IT personnel, legal representatives, and public relations staff. These roles are critical for decision-making, technical recovery, and external communication.

A billing clerk is unlikely to be part of the disaster recovery team because the role does not typically contribute to recovery strategy, system restoration, or crisis communication.

Virtualization enables multiple virtual machines to run on a single physical system by abstracting hardware resources. Each VM operates independently with its own OS, improving efficiency and isolation.

ABusiness Continuity Plan (BCP)ensures critical operations continue during and after significant disruptions, regardless of the cause.

Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual, either directly or indirectly. Examples include full name, Social Security number, date of birth, address, email address, phone number, and biometric identifiers.

PII is regulated by numerous laws and standards, including privacy regulations and data protection frameworks. Protecting PII is critical to prevent identity theft, fraud, and privacy violations.

Health information is a subset of sensitive data (often classified as PHI). Trade secrets and business data fall under intellectual property. Information classification levels describe value, not identity.

Security controls for PII typically include encryption, access control, monitoring, and data loss prevention mechanisms.

Deterrent controls are designed to discourage individuals from attempting unauthorized or malicious actions. CCTV systems act as deterrent controls because their visible presence can discourage theft, vandalism, or unauthorized access by increasing the perceived risk of being caught.

Business Continuity Plans (BCP), Disaster Recovery Plans (DRP), and Incident Response Plans (IRP) are corrective and recovery-focused controls, not deterrents. They address what happensafteran incident occurs.

Deterrent controls are often combined with preventive and detective controls to form a layered security strategy. Examples include warning signs, lighting, guards, and surveillance cameras. These controls play an important psychological role in reducing security incidents.

Role-Based Access Control (RBAC) enforces least privilege by assigning permissions based on job roles rather than individuals. Users receive only the permissions necessary for their role, reducing excess access.

RBAC is widely used in enterprises, cloud platforms, and operating systems due to its scalability and manageability.