Exam Tip: Word Pairs That Might Get You!


Studying for a certification exam like the CISSP or Security+ is stressful enough. What’s even more stressful is getting a question wrong on a practice exam when, in your mind, your answer should be correct. The problem is usually word pairs that are similar in meaning, yet different. Below is a short list of some of the more common confusing word pairs.


Need to Know: Users have access only to the information needed to perform their duties. For example, having a Top-Secret clearance does not mean you get access to all Top-Secret material. You only have access to the information needed for your job.

Least Privilege: A principle whereby a subject has the most restrictive set of privileges needed to perform their task. For example, a user account that is created for querying databases should not have administrative privileges. This also applies to read, write, and execute privileges.


Due Care: Simply put, doing what is right and needed. The opposite is negligence.

Due Diligence: Ensuring sufficient information has been gathered to make informed decisions.


Categorization: Assigning a system a threat level of High, Medium, or Low based on confidentiality, integrity, and availability (CIA).

Classification: Assigning security labels to objects, for example applying Secret, Top Secret, or Confidential to objects.


Scoping: When creating a baseline, you remove controls that do not apply to your environment. For example, your system does not have a public web presence; therefore, you remove the controls that apply to securing a public website.

Tailoring: Modifying security controls to make them fit your environment or technology. For example, a control says that your screen should lock after 15 minutes of inactivity; however, the system is in a secure area and is required to stay unlocked at all times. Therefore, a waiver will be needed.


Deterrent: Makes someone choose not to commit a crime. For example, a person wants to hop a fence, but they see a “beware of dog” sign. The sign acts as a deterrent.

Preventive: If a person chooses to do a crime, he/she is blocked (prevented) from doing so.


Boundary: Your boundary is within your trusted network and has a different security level. It can also mean an accreditation boundary, encompassing all the devices that an accredited system contains.

Perimeter: Goes around your entire company or network. Can be physical or logical.


Whitelist: A list of what is allowed. Example: an application whitelist (only these apps are permitted).

Blacklist: A list of what is not allowed. Example: an IP blacklist (these IP addresses are not permitted).


Piggybacking: Following someone into a secure zone with their knowledge.

Tailgating: Following someone into a secure zone without their knowledge.


Bug: Typically, a syntax error in the code made by the coder.

Flaw: A logical error in the design.


Risk appetite: The amount of risk and the type of risk that an organization is willing to pursue or retain.

Risk Tolerance: Reflects the acceptable variation in risk, over or under the risk bar.


Breach: An unauthorized person made it beyond perimeter defenses, into a security zone.

Disclosure: Sensitive information was obtained by an unauthorized person.


Loss: Related to availability. For example, data was destroyed (thus lost and not available).

Leakage: Sensitive information was disclosed. Typically related to confidentiality.


Certification: Verifying the system or application performs as intended.

Accreditation: Approval to deploy the system or application.


Critical: Something that is required for operation to continue.

Sensitive: Data or information that should be kept confidential.
