Security and system resilience
The Security Foundation
Anchor to the fundamentals: the CIA triad names the goal, and the framework question is COBIT versus NIST CSF versus ISO 27001.
How the exam words it
- -The stem describes a security goal and asks which CIA element it protects: confidentiality, integrity, or availability.
- -It names a security principle (least privilege, defense in depth, separation of duties) and asks what it means or which scenario applies it.
- -It asks for the five NIST Cybersecurity Framework functions or their order.
- -It asks which framework provides a certifiable information security management system, pointing to ISO 27001.
The playbook
- 1Map the goal to the CIA triad: confidentiality is preventing unauthorized disclosure, integrity is preventing unauthorized change, and availability is keeping systems accessible.
- 2Apply the principles: least privilege grants the minimum access needed, and defense in depth layers multiple independent controls so one failure is not fatal.
- 3Recall the five NIST CSF functions in order: identify, protect, detect, respond, and recover.
- 4Pick ISO 27001 for a certifiable ISMS and NIST CSF for a voluntary risk-based framework, keeping COBIT as the IT governance model.
The trap
Mixing up integrity and confidentiality, or the NIST CSF function order. Integrity protects against unauthorized change; confidentiality protects against unauthorized disclosure.
How the exam varies it
The same pattern, re-skinned along these axes:
Which CIA element a control protectsSecurity principle: least privilege versus defense in depthFramework identification: NIST CSF functions versus ISO 27001 ISMS
Drill this pattern
8 questions of The Security Foundation from across the AUD topics. Clear it by getting 5 right with a streak of 3.