Domain 1: Security and Risk Management
What you MUST know
CIA Triad
- What is it: Core principles of security
- What: Confidentiality, Integrity, Availability
- When:
- Data leak → Confidentiality
- Data change → Integrity
- Downtime → Availability
Risk (Threat × Vulnerability)
- What is it: Measurement of potential loss
- What: Risk only exists if both a threat and a vulnerability exist
- When: Prioritizing controls
SLE / ARO / ALE
- What is it: Financial (quantitative) risk model
- What: Calculates expected yearly loss (ALE = SLE × ARO)
- When: Cost/benefit analysis
Governance vs Management
- What is it: Strategy vs execution
- What: Governance = direction, Management = implementation
- When: Responsibility questions
Policies, Standards, Procedures
- What is it: Organizational control hierarchy
- What: Policy → Standard → Procedure
- When: “What comes first?” → Policy
Compliance (e.g. GDPR)
- What is it: Legal requirements
- When: Handling regulated data
🧠 Mindset (HOW TO THINK)
You are the CISO, not the engineer
Decision rules:
- ALWAYS pick risk reduction, not elimination
- ALWAYS consider cost vs benefit
- ALWAYS align with business objectives
Question patterns:
- If answer = technical fix first → ❌ wrong
- If answer = risk assessment first → ✅ correct
- If answer skips policy → ❌ wrong
- If answer starts with policy/governance → ✅ correct
Trick recognition:
- “Best” ≠ most secure → it means most balanced
- “First” → almost always risk analysis or policy
Domain 2: Asset Security
What you MUST know
Data Classification
- What is it: Assign sensitivity labels
- When: Before applying controls
Data Ownership
- What is it: Accountability for data
- When: Responsibility questions
Data Lifecycle
- What is it: Data from creation to destruction
- When: Handling data
Data Retention
- What is it: How long data is stored
- When: Legal/compliance
Data Disposal
- What is it: Secure destruction
- When: End-of-life
Privacy Principles
- What is it: Protect personal data
- When: Privacy scenarios
🧠 Mindset
Data drives everything
Decision rules:
- FIRST → classify
- SECOND → apply controls
Question patterns:
- “What should you do first?” → classification
- “What protection?” → depends on classification
Trick recognition:
- Overprotecting low-value data → ❌
- Underprotecting sensitive data → ❌
- Matching control to sensitivity → ✅
Domain 3: Security Architecture & Engineering
What you MUST know
Bell-LaPadula
- What is it: Confidentiality model
- When: Prevent data leaks
Biba
- What is it: Integrity model
- When: Prevent corruption
Cryptography
- What is it: Data protection methods
- When: Protecting data
Symmetric vs Asymmetric
- What is it: Encryption types
- When: Secure communication
TCB
- What is it: Trusted system components
- When: Architecture
Secure Design Principles
- What is it: Secure system design
- When: System creation
🧠 Mindset
Fixing later = wrong answer
Decision rules:
- Choose design over patching
- Choose architecture over tools
- Choose preventive over detective
Question patterns:
- “Best solution?” → design change
- “Most effective?” → built-in security
Trick recognition:
- Add firewall after breach → ❌
- Redesign system securely → ✅
Domain 4: Communication and Network Security
What you MUST know
OSI Model
- What is it: Communication layers
- When: Protocol/device questions
Network Segmentation
- What is it: Divide networks
- When: Limit spread
DMZ
- What is it: Isolated public zone
- When: Internet-facing systems
Secure Protocols
- What is it: Encrypted communication
- When: Data in transit
IDS vs IPS
- What is it: Detect vs prevent
- When: Threat detection
Network Attacks
- What is it: Threats like MITM
- When: Attack scenarios
🧠 Mindset
The network is NOT trusted
Decision rules:
- Always encrypt data in transit
- Always segment networks
- Always limit exposure
Question patterns:
- “Best protection?” → segmentation + encryption
- “Reduce impact?” → isolation
Trick recognition:
- Trust internal network → ❌
- Zero trust approach → ✅
Domain 5: Identity and Access Management
What you MUST know
IAAA
- What is it: Access flow
- When: Access questions
MFA
- What is it: Multiple factors
- When: Strong authentication
Access Models
- What is it: Access control types
- When: Authorization
Provisioning / Deprovisioning
- What is it: Grant/remove access
- When: User lifecycle
SSO & Federation
- What is it: Shared login systems
- When: Multi-system access
🧠 Mindset
Access = risk
Decision rules:
- Grant minimum access
- Remove access immediately
- Verify identity strongly
Question patterns:
- “Best control?” → least privilege
- “After employee leaves?” → disable account
Trick recognition:
- Keeping access “just in case” → ❌
- Immediate removal → ✅
Domain 6: Security Assessment and Testing
What you MUST know
Vulnerability Assessment
- What is it: Find weaknesses
- When: Regular scanning
Penetration Testing
- What is it: Exploit weaknesses
- When: Validate risk
Audit
- What is it: Compliance check
- When: Regulations
Logging & Monitoring
- What is it: Track activity
- When: Detection
Metrics
- What is it: Measure effectiveness
- When: Management
🧠 Mindset
Never assume security works
Decision rules:
- Always test controls
- Prefer continuous monitoring
- Measure everything
Question patterns:
- “Ensure effectiveness?” → testing
- “Improve security?” → metrics
Trick recognition:
- One-time testing → ❌
- Continuous validation → ✅
Domain 7: Security Operations
What you MUST know
Incident Response
- What is it: Handle incidents
- When: After detection
SIEM
- What is it: Log analysis
- When: Monitoring
Backups
- What is it: Data recovery
- When: Data loss
RTO / RPO
- What is it: Recovery targets
- When: DR planning
Patch Management
- What is it: Fix vulnerabilities
- When: Maintenance
Chain of Custody
- What is it: Evidence tracking
- When: Forensics
🧠 Mindset
Assume compromise
Decision rules:
- Detect fast
- Contain quickly
- Recover safely
Question patterns:
- “During incident?” → contain first
- “After incident?” → lessons learned
Trick recognition:
- Jump to recovery too fast → ❌
- Follow IR phases → ✅
Domain 8: Software Development Security
What you MUST know
Secure SDLC
- What is it: Secure development process
- When: Always
SAST / DAST
- What is it: Testing methods
- When: Development/testing
Secure Coding
- What is it: Writing safe code
- When: Development
OWASP Top 10
- What is it: Common vulnerabilities
- When: Web apps
- Reference: OWASP
Environment Separation
- What is it: Dev/Test/Prod separation
- When: Prevent leaks
🧠 Mindset
Security must be built in, not fixed later
Decision rules:
- Fix issues early
- Never expose real data
- Enforce secure coding
Question patterns:
- “Best fix?” → early SDLC
- “Reduce vulnerabilities?” → secure design
Trick recognition:
- Fix after deployment → ❌
- Secure by design → ✅
🔥 FINAL EXAM STRATEGY (CRITICAL)
When stuck:
Step 1
Eliminate answers that:
- Are purely technical
- Ignore process
- Ignore business
Step 2
Choose answer that:
- Reduces risk
- Follows order:
Policy → Design → Implement → Monitor
Step 3
Ask:
“What would a CISO do?”
- Not fix → but govern, reduce risk, and control impact