Security Principles
Three goals to protect, one practice to keep them safe
A leaked patient file, a quietly altered bank balance, a checkout page that will not load: each is a different kind of harm, and naming which one is at stake is the first move on almost every Security Principles question. The three goals are the CIA triad, confidentiality (only authorized people can see the data), integrity (the data stays accurate and unaltered), and availability (the data and systems are there when authorized people need them). Information assurance is the discipline of keeping all three intact at once, balancing them rather than maximizing any single one. Hold this triad as the anchor for the whole domain: every later idea here, every risk you weigh, every control you pick, and every policy you write, exists to defend confidentiality, integrity, or availability. The classic trap is treating these as interchangeable; read the harm described in the scenario and the goal it threatens usually picks itself.
The domain unfolds in five steps: goals, then risk, then the response
This domain reads as one storyline, and the five subtopics are its chapters in order. Information Assurance sets the goals to protect (the CIA triad, plus authentication, non-repudiation, and privacy), so reach for it whenever a question asks what is being defended. Risk Management is how you decide what to defend first and how hard: it sizes each risk by likelihood and impact, loops through identify, assess, treat, and monitor, and picks one of four treatments (avoid, mitigate, transfer, accept). Security Controls are the safeguards that carry out a treatment, sorted by how they work (technical, administrative, physical) and what they accomplish (preventive, detective, corrective, deterrent), then stacked as defense in depth. The ISC2 Code of Ethics is the professional duty that bounds every choice you make: four Canons in a fixed order, with the lower-numbered one winning a conflict. Governance is the written layer that makes all of this repeatable, turning leadership's intent into the policies, standards, procedures, and guidelines an organization must follow. Goals, then the risk to them, then the controls, ethics, and governance that form the response.
When two answers both work, choose the one that manages risk to an acceptable level
Security at this level is not about driving risk to zero, because no organization can. The guiding instinct the exam rewards is to bring risk down to the level leadership has decided it can live with (its risk tolerance), then stop, rather than piling on every possible safeguard. That is why mitigate is the most common risk treatment, why a senior leader (not the analyst) formally accepts the residual risk that controls leave behind, and why defense in depth means independent layers rather than simply more controls. When two answers both reduce a risk, prefer the one that fits the organization's tolerance and keeps accountability where it belongs; the right answer is proportionate, documented, and owned by the correct role.
The domain's storyline: goals, then the response, and where each is covered
| Step in the storyline | What it decides | Drill into |
|---|---|---|
| Set the goals | What we are protecting: confidentiality, integrity, availability (plus authentication, non-repudiation, privacy) | Information Assurance |
| Size the risk | What to protect first and how hard, by likelihood and impact, then which of four treatments to apply | Risk Management |
| Apply the safeguards | How a treatment is carried out, by control type and function, layered as defense in depth | Security Controls |
| Bound the conduct | The professional duty behind every choice: four Canons, lower-numbered wins a conflict | ISC2 Code of Ethics |
| Write it down | How intent becomes the rules everyone follows: policy, standard, procedure, guideline, plus external law | Governance |