08/02/2025 14:46:46
CISSP 2024 Terms
Privacy Impact Analysis
Designed to identify the privacy implications of data being collected, processed, or stored by the
system and to assess the effects of a data breach. Required for GDPR and HIPAA
Conflicting Laws
When an organization or cloud provider is subject to the laws of different
jurisdictions. An example is GDPR vs. the CLOUD Act.
Laws
Legal rules created by government entities, such as legislatures
Regulations
The rules that are created by government agencies
Standards
Dictate a reasonable level of performance. Can be created by an organization for its
own purposes or come from industry bodies or trade groups.
Frameworks
A set of guidelines helping organizations improve their security posture
External Dependencies
Entities outside the organization that it depends on for business continuity, disaster
recovery, or operations
Hardware Root of Trust
A line of defense against executing unauthorized firmware on a system; also used as a key
store for full-disk encryption. Verifies that keys match before the secure boot
process takes place.
Physically Unclonable Function
A hardware component that generates a digital fingerprint or signature based on the
unique physical characteristics of an integrated circuit or chip. Responds with a
unique output that is impossible to clone or recreate.
Software Bill of Materials (SBOM)
A list of all software products, libraries, and modules that go into a particular software
build or product. A US gov't requirement
Secure Access Service Edge (SASE)
A design philosophy closely related to Zero Trust which brings together networking
and security functions and delivers them as an integrated cloud service
A networking model that merges WAN and security in the cloud.
FIPS 140-2
Established to aid in the protection of digitally stored unclassified, yet sensitive
information. Developed for non-military American government agencies and
government contractors.
FIPS 140-2 Levels
1: Lowest Level of Security
2: Specifies the security requirements for cryptographic modules that protect
sensitive information
3: Requires physical protections to ensure any attempts to tamper are evident and
detectable
FIPS 140-3
A regulation outlining data collection and handling standards. Supersedes FIPS 140-2
FIPS 140-3 Levels
1: Requires production-grade equipment and externally tested algorithms
2: Adds requirements for physical tamper-evidence and role-based authentication
3: Adds requirements for physical tamper resistance, identity-based authentication,
and separation between interfaces
4: Physical requirements are stringent, requiring the ability to be tamper-active,
erasing the contents of the device if it detects various forms of environmental
attacks.
FIPS 140-3 Three Types of Cryptographic Modules
1. Physical
2. Software
3. Cloud
Level of Protection
Used in key management. Encryption keys must be secured at the same level of
control or higher as the data they protect.
Dictated by the sensitivity level of data.
Key Recovery
Circumstances where you need to recover a key for a particular user, without the
user's cooperation
Key Escrow
Copies of a key are held by a trusted third party
Key Management Lifecycle
1. Generation
2. Distribution
3. Storage
4. Use
5. Revocation
6. Destruction
Quantum Key Distribution
A secure communication method that uses quantum mechanics to enable two
parties to generate a shared random key known only to them.
Detects quantum anomalies that help reveal eavesdroppers.
Quantum Key Distribution Use
Relies on having an authenticated classical channel of communication where keys
have already been exchanged. Used to distribute a key and used in commercial
solutions where initial keys are distributed by courier.
Information System Lifecycle
A structured framework for managing an information system from its initial
conception to its eventual retirement
Information System Lifecycle Steps
1. Stakeholders' needs and requirements
2. Requirements analysis