Pass the ISC ISC certification CC Questions and answers with CertsForce

ThePrinciple of Least Privilegeensures users, applications, and systems have only the minimum permissions necessary to perform their duties. This reduces the attack surface and limits potential damage if credentials are compromised.

GDPR directly addresses privacy, while FIPS and MOUs can also relate to privacy controls and data handling requirements.

Anintrusionis an unauthorized attempt to access systems or resources, whether successful or not.

ABAC uses centralized policy engines (PDPs) to evaluate attributes and enforce fine-grained access control decisions dynamically.

Replay attacks disrupt communication by resending captured packets, potentially causing session confusion or denial of service. IPSec mitigates this using sequence numbers.

The principle of least privilege states that users, systems, and processes should be granted only the minimum permissions required to perform their assigned tasks—nothing more. This principle reduces the attack surface and limits potential damage from compromised accounts or insider threats.

If an attacker gains access to a low-privilege account, the impact is significantly reduced compared to a highly privileged account. Least privilege also helps prevent accidental misuse of system resources.

Two-person control requires two individuals to approve an action. Job rotation reduces fraud by changing responsibilities. Separation of privileges ensures critical tasks require multiple permissions. While all are valid security concepts, least privilege directly addresses permission minimization.

This principle is foundational in access control models, identity and access management (IAM), and zero trust architectures. NIST and CIS explicitly recommend least privilege as a core security control for protecting systems and sensitive data.

Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual, either directly or indirectly. Examples include full name, Social Security number, date of birth, address, email address, phone number, and biometric identifiers.

PII is regulated by numerous laws and standards, including privacy regulations and data protection frameworks. Protecting PII is critical to prevent identity theft, fraud, and privacy violations.

Health information is a subset of sensitive data (often classified as PHI). Trade secrets and business data fall under intellectual property. Information classification levels describe value, not identity.

Security controls for PII typically include encryption, access control, monitoring, and data loss prevention mechanisms.

Likelihood represents the probability that a threat will successfully exploit a vulnerability and is a core component of risk calculation.

Anexecutive summarygives leadership a concise overview of objectives, scope, and recovery strategies without technical detail.

MAC enforces access based on classification labels and user clearances, commonly used in military and government systems.