ISC2 CC Final Notes With Cheat Sheet

The document provides a comprehensive overview of key concepts in cybersecurity, including the CIA Triad, business continuity planning, access control models, network security protocols, and security operations. It also includes a confidence cheat sheet with strategies for answering exam questions effectively. The notes emphasize the importance of risk management, incident response, and security awareness training.

ISC2 CC Final Revision Notes + Confidence Cheat Sheet


🧠 ISC2 CC Final Revision Notes (with Examples)

Domain 1: Security Principles

CIA Triad:
- Confidentiality: Prevent unauthorized access (Ex: Using encryption on emails)
- Integrity: Ensure data is accurate and untampered (Ex: File hash checksums)
- Availability: Systems accessible when needed (Ex: Backups, redundant servers)

Key Principles:
- Least Privilege: Users get only what they need (Ex: HR can’t access firewall logs)
- Separation of Duties: Split responsibilities (Ex: One person creates users, another approves them)
- Need to Know: Limits access based on relevance (Ex: Marketing can’t access payroll data)

Roles:
- Data Owner: Defines classification (e.g., Confidential)
- Custodian: Maintains data (e.g., backup admin)
- User: Uses data responsibly

Control Types:
- Administrative: Policies, training
- Technical: Firewalls, encryption
- Physical: Locks, guards, cameras

Risk:
- Risk = Threat × Vulnerability × Impact
- Example: Unpatched server + ransomware = High Risk
- Frameworks: NIST CSF, ISO 27001

Domain 2: Business Continuity, DR, and Incident Response

BCP vs DRP:
- BCP: Keeps business running (Ex: Remote work setup during disaster)
- DRP: Restores IT systems (Ex: Recovering data from backup)

BIA:
- Identifies critical functions
- RTO: Recovery Time Objective – how soon to resume operations
- RPO: Recovery Point Objective – acceptable data loss

Incident Response Lifecycle:
1. Preparation – Plans and teams ready
2. Detection – Spotting the issue
3. Containment – Isolate the threat
4. Eradication – Remove the cause
5. Recovery – Restore operations
6. Lessons Learned – Improve

Testing:
- Tabletop: Discussion-based simulation
- Full-scale: Real simulated incident response

Domain 3: Access Control Concepts

IAAA:
- Identification: Claiming identity
- Authentication: Verifying identity (passwords, biometrics)
- Authorization: Granting permissions
- Accounting: Logging actions

Access Models:
- DAC: Owner grants permissions (Ex: File sharing)
- MAC: Based on sensitivity labels (Ex: Classified documents)
- RBAC: Based on role (Ex: HR = payroll only)
- ABAC: Based on attributes (Ex: Time, location)

MFA:
- At least 2 of: Something you know (password), have (token), are (biometric)

Domain 4: Network Security

OSI Layers (listed top-down, from Layer 7 to Layer 1):
- Layer 7 Application – Email, browser
- Layer 6 Presentation – Encoding, encryption
- Layer 5 Session – Maintains communication
- Layer 4 Transport – TCP/UDP
- Layer 3 Network – IP, routing
- Layer 2 Data Link – MAC addresses
- Layer 1 Physical – Cables, hardware

Protocols:
- SSH, SFTP, HTTPS, IPSec

Common Attacks:
- DDoS – Disrupt availability
- MITM – Intercept communication
- ARP Spoofing – Fakes MAC identity
- Phishing – Tricks users

Network Devices:
- Firewall – Filters traffic
- IDS/IPS – Detects/prevents threats
- VPN – Secure access
- Proxy – Intermediary for requests

Domain 5: Security Operations

SIEM (e.g., Splunk):
- Correlates logs, alerts on anomalies

Patch Management:
- Closes known vulnerabilities

Backup Types:
- Full: Everything
- Incremental: Since last backup
- Differential: Since last full

Secure Disposal:
- Wipe, degauss, shred

Awareness Training:
- Prevents phishing, teaches best practices

Physical Security:
- Locks, cameras, biometric access

🧠 ISC2 CC Confidence Cheat Sheet – No More A/B Doubts

1. If two answers sound similar: Choose the one focused on control or risk reduction.
Example: Separation of Duties → A (reduce risk), not B (increase efficiency).

2. Trust ISC2 logic over real-world exceptions.
Example: Awareness training → helps reduce human error, not teach programming.

3. One answer is usually more complete than the other. Pick based on goal alignment.

4. Be cautious of vague or overly permissive answers.
Avoid choices that say “all access,” “no controls,” “all users.”

5. Eliminate wrong answers fast with these red flags:
- "All users have access" → Violates least privilege
- "Improves efficiency" → Not a core security goal
- "No need to classify data" → Breaks data governance principles

6. Focus on what’s being asked – match keywords to the correct category:
- Risk → Mitigate, reduce
- Access → Role, policy, control
- Network → Filter, encrypt, segment
- Ops → Monitor, log, patch

7. “Most appropriate” = the one that solves the issue in the best way for a secure environment.

8. Reverse the question if stuck: “What would be the worst option here?”

Remember: You already know this — trust your instincts, eliminate fluff, and go with the
security-first logic.
