Domain 1: Security and Risk Management Module 2 of 84

Core Security Concepts

CISSP Domain 1 — Security and Risk Management, Section A: Governance and Legal

What the Exam Is Really Testing

A hospital deploys full-disk encryption on every workstation. Confidentiality is airtight. Then a ransomware attack locks physicians out of patient records during a critical care window. Patients are transferred to other facilities. The encryption that protected data confidentiality did nothing for availability — and in healthcare, availability can be the highest priority.

Security is not about maximizing protection. It is about balancing competing objectives based on what the organization actually needs.

CISSP exam objective 1.2 tests your ability to understand and apply fundamental security concepts — not just define them. You will face scenarios where confidentiality, integrity, and availability pull in different directions, and the correct answer depends on context, not formula.


The CIA Triad and Its Inverse

The three pillars of information security:

  • Confidentiality — Preventing unauthorized disclosure of information. Controls include encryption, access controls, and data classification.
  • Integrity — Ensuring information has not been altered in an unauthorized or undetected way. Controls include hashing (with the reference digest stored or delivered where an attacker cannot rewrite it), digital signatures, and change management.
  • Availability — Ensuring authorized users can access information and systems when needed. Controls include redundancy, failover, and capacity planning.

The DAD triad represents the opposite — what attackers target:

  • Disclosure threatens confidentiality
  • Alteration threatens integrity
  • Destruction (or denial) threatens availability

On the exam, mapping an attack to its DAD category often reveals which CIA component the question is really about.


Authentication, Authorization, Accountability, and Non-Repudiation

These four concepts appear throughout every CISSP domain. Getting precise about their boundaries matters.

Authentication verifies identity — proving you are who you claim to be. Methods include passwords (something you know), smart cards (something you have), and biometrics (something you are).

Authorization determines access — what an authenticated identity is permitted to do. This follows authentication; you cannot authorize an unknown entity.

Accountability links actions to identities. It requires both authentication (to establish who) and logging (to record what). Without accountability, you cannot investigate incidents or enforce policy.

Non-repudiation prevents denial of an action. It goes beyond accountability: not only is the action logged, but the actor cannot credibly deny performing it. Digital signatures provide non-repudiation; standard logging alone does not, because a log entry is written by the system and can be altered or fabricated by anyone with write access to it. The guarantee also depends on the private key being under the signer's sole control: a shared, escrowed, or compromised key hands the signer a credible denial.

The exam tests the boundaries between these. A common trap: treating authentication and authorization as interchangeable, or assuming that logging alone provides non-repudiation.


Foundational Security Principles

Defense in depth applies multiple, overlapping security layers so that failure of any single control does not compromise the system. A firewall, intrusion detection system, host-based antivirus, and user awareness training each address different attack vectors at different layers.

Least privilege grants users and processes the minimum access necessary to perform their function — nothing more. This limits the blast radius of compromised accounts.

Need to know is related to but distinct from least privilege. Least privilege restricts what actions a user can perform. Need to know restricts what information a user can access, even if they hold the clearance level. A top-secret clearance does not entitle you to all top-secret information — only the information relevant to your assignment.

Separation of duties divides critical functions among multiple people so that no single individual can complete a high-risk process alone. The person who approves a purchase order should not be the same person who processes the payment.


Due Care vs. Due Diligence

These two concepts appear repeatedly on the CISSP exam, and the distinction matters:

Due care is doing what a reasonable person would do. It is action — implementing policies, deploying controls, responding to known risks. Think of it as “doing the right thing.”

Due diligence is verifying that what you did actually works. It is investigation — auditing, testing, monitoring, reviewing. Think of it as “making sure the right thing was done correctly.”

An organization that writes a security policy (due care) but never audits whether the policy is followed (no due diligence) has a governance gap. An organization that audits constantly but never implements the findings has the inverse problem.

The exam tests this by presenting scenarios where one is present without the other and asking you to identify the deficiency.


Pattern Recognition

Security concept questions on the CISSP follow these patterns:

  • CIA trade-offs — The question describes a scenario where protecting one element weakens another. The answer requires identifying which element the organization should prioritize based on context.
  • Principle identification — A scenario describes a control or failure. You must name the principle it implements or violates (least privilege, separation of duties, etc.).
  • Due care vs. due diligence — The scenario describes either implementing controls or verifying controls. Identify which is present and which is missing.
  • AAA boundaries — Authentication, authorization, and accountability are presented in overlapping contexts. The correct answer requires clean separation of each concept.

Trap Patterns

Watch for these common wrong-answer traps:

  • “Maximize confidentiality” — Wrong when availability is the higher priority for the business context (e.g., emergency services, healthcare).
  • Confusing accountability with non-repudiation — Logging creates accountability. Non-repudiation requires cryptographic proof that the actor cannot deny.
  • Treating least privilege and need to know as synonyms — Least privilege restricts actions. Need to know restricts information access.
  • “Due diligence means creating policies” — Wrong. Creating policies is due care. Due diligence is verifying those policies are effective.

Scenario Practice


Question 1

An organization has implemented a security awareness program, deployed endpoint protection, and published an acceptable use policy. However, a recent audit reveals that 40% of employees have never completed the training and endpoint protection agents are disabled on several workstations.

What is the PRIMARY deficiency?

A. Lack of defense in depth
B. Failure to exercise due diligence
C. Inadequate separation of duties
D. Insufficient confidentiality controls

Answer & reasoning

Correct: B

The organization exercised due care by implementing controls and policies. The deficiency is due diligence — they failed to verify that those controls are actually functioning and being followed.

Deploying controls without monitoring their effectiveness leaves a governance gap.


Question 2

A financial services company requires two separate managers to authorize any wire transfer over $100,000. A new system upgrade allows a single senior manager to approve these transfers unilaterally to speed up processing.

What security principle is being violated?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Non-repudiation

Answer & reasoning

Correct: C

Separation of duties requires that no single individual can complete a high-risk transaction alone. Allowing one manager to approve large wire transfers removes the control that prevents fraud or error by a single actor.

While least privilege may also be a concern, the core violation is eliminating the dual-authorization requirement.
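The dual-authorization control this question describes, worked as an added example (not code from the original module): a transfer above a threshold needs two distinct approvers, the requester may not approve their own transfer, and the same person cannot count twice. The flawed post-upgrade check is kept alongside the correct one so the removed control is visible. The threshold, role names, approver identities and transfer data are assumptions constructed to mirror the scenario; a real system takes the approver identity from the authenticated session, never from a caller-supplied string.

```python
"""Dual control (separation of duties) for high-value wire transfers.

Added example for this study module, not code from the original page.
Threshold, roles and identities are assumed values chosen to mirror Question 2.
"""
from dataclasses import dataclass, field

DUAL_CONTROL_THRESHOLD = 100_000          # assumed: amounts above this need two approvers
APPROVER_ROLES = {"manager", "senior_manager"}


class SeparationOfDutiesError(Exception):
    """Raised when one person would complete a dual-control step alone."""


@dataclass
class Transfer:
    transfer_id: str
    amount: int
    requested_by: str
    approvals: list = field(default_factory=list)   # distinct approver identities


def required_approvals(amount: int) -> int:
    return 2 if amount > DUAL_CONTROL_THRESHOLD else 1


def approve(transfer: Transfer, approver: str, role: str) -> Transfer:
    """Records one approval after the authorization and separation-of-duties checks."""
    if role not in APPROVER_ROLES:                      # authorization: only managers approve
        raise PermissionError(f"{approver} ({role}) is not authorized to approve")
    if approver == transfer.requested_by:               # maker/checker split
        raise SeparationOfDutiesError("requester may not approve their own transfer")
    if approver in transfer.approvals:                  # one person, one vote
        raise SeparationOfDutiesError("the same approver cannot count twice")
    transfer.approvals.append(approver)
    return transfer


def is_releasable(transfer: Transfer) -> bool:
    """Correct control: only the number of *distinct* approvers matters."""
    return len(set(transfer.approvals)) >= required_approvals(transfer.amount)


def is_releasable_after_upgrade(transfer: Transfer, approver_roles: dict) -> bool:
    """The flawed 'upgrade' from the scenario: one senior manager's approval is
    treated as sufficient at any amount. Shown only to make the removed control
    visible; this is the vulnerable form, not something to deploy."""
    if any(approver_roles.get(a) == "senior_manager" for a in transfer.approvals):
        return True
    return is_releasable(transfer)


def walk_through() -> dict:
    """Runs the scenario on constructed sample data and returns each outcome."""
    roles = {"alice": "manager", "bob": "manager", "carol": "senior_manager"}
    outcomes = {}

    t = Transfer("WT-1001", 250_000, requested_by="dave")
    approve(t, "carol", roles["carol"])
    outcomes["single_senior_approval_releases_correct"] = is_releasable(t)                    # False
    outcomes["single_senior_approval_releases_upgraded"] = is_releasable_after_upgrade(t, roles)  # True

    try:
        approve(t, "carol", roles["carol"])            # same person approving twice
        outcomes["same_person_twice_rejected"] = False
    except SeparationOfDutiesError:
        outcomes["same_person_twice_rejected"] = True

    try:
        approve(t, "dave", "manager")                  # requester approving own transfer
        outcomes["self_approval_rejected"] = False
    except SeparationOfDutiesError:
        outcomes["self_approval_rejected"] = True

    approve(t, "alice", roles["alice"])                # second, distinct approver
    outcomes["two_distinct_approvers_release"] = is_releasable(t)   # True

    small = Transfer("WT-1002", 5_000, requested_by="dave")
    approve(small, "bob", roles["bob"])
    outcomes["small_transfer_needs_one"] = is_releasable(small)     # True
    return outcomes


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

The difference between the two release checks is the whole exam point: the upgraded version still logs approvals and still checks roles, yet a single actor can now complete the high-risk transaction, which is exactly what separation of duties exists to prevent.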


Question 3

A software developer signs a code release with their private key. After deployment, a critical bug is discovered. The developer claims they never approved the release.

What security concept addresses this situation?

A. Authentication
B. Integrity
C. Accountability
D. Non-repudiation

Answer & reasoning

Correct: D

The digital signature provides non-repudiation. Because the developer signed the release with their private key, they cannot credibly deny having approved it.

Accountability would only show, from the logs, that the release was approved under the developer's account, which the developer can still dispute. Non-repudiation provides cryptographic proof that a specific individual performed the action, provided the private key was under that developer's exclusive control.


Key Takeaway

Security concepts are not definitions to memorize — they are lenses for analyzing scenarios. On the CISSP, you will not be asked “what is integrity?” You will be given a situation and asked which concept is being violated, which principle should guide the response, or which trade-off the organization should accept.

The distinction that trips up the most candidates: due care is acting, due diligence is verifying. Know both sides.
