This episode explains segregation of duties (SoD) and why it is a powerful administrative control for preventing fraud, reducing insider threat risk, and catching errors before they become incidents, all of which are exam-relevant at the foundational level. You will learn how SoD works by splitting critical tasks across multiple roles so no single person can complete a high-impact action end-to-end without oversight. We will discuss common examples such as separating purchasing from approval, se...
Feb 22, 2026•17 min•Ep. 35
This episode covers least privilege as the principle of giving users and systems only the access they need to perform required tasks, and it prepares you for CC questions that ask how to reduce exposure without harming productivity. You will learn how least privilege applies to users, service accounts, applications, and administrative tools, and why over-permissioning creates a large blast radius when an account is compromised. We will discuss practical methods for implementing least privilege, in...
Feb 22, 2026•17 min•Ep. 34
This episode teaches you how organizations separate authorized personnel from unauthorized personnel, which is essential for both physical and logical security and appears in CC objectives through access control concepts. You will learn how identity verification works in practice using badges, check-in procedures, visitor logs, escorts, and restricted area rules, and why “knowing someone” is not a control. We will discuss common failure modes such as tailgating, piggybacking, social engineering ...
Feb 22, 2026•15 min•Ep. 33
This episode focuses on physical security monitoring and how detection mechanisms support deterrence, response, and investigation, which the CC exam expects you to understand at a practical level. You will learn how guards, cameras, alarms, motion sensors, and access logs provide signals that an organization can use to verify events and respond quickly to suspicious activity. We will discuss the difference between deterrent and detective controls, and why monitoring must be paired with a respons...
Feb 22, 2026•18 min•Ep. 32
This episode explains physical access controls and how they reduce risk by limiting who can enter facilities and restricted areas, a foundational topic for the CC exam. You will learn how badges, keys, locks, turnstiles, mantraps, and controlled entry points work together to prevent unauthorized access, support accountability, and create useful audit trails. We will discuss how environmental design choices—like lighting, door placement, reception layout, and secured zones—support physical securi...
Feb 22, 2026•16 min•Ep. 31
This episode walks through the major components of incident response, showing how preparation, detection, containment, eradication, and recovery fit together as a repeatable lifecycle. You will learn what preparation includes in practical terms, such as clear roles, access to tools, logging readiness, and playbooks that reduce decision time. We will discuss detection as the process of turning signals into validated incidents, then focus on containment strategies that reduce spread while preservi...
Feb 22, 2026•13 min•Ep. 30
This episode explains why incident response is important, emphasizing the time-sensitive nature of attacks and the need for disciplined decisions when pressure is high. You will learn how delays increase attacker dwell time, expand impact, and complicate recovery, while rushed actions can destroy evidence, trigger broader outages, or lead to incorrect conclusions. We will discuss the role of evidence handling, logging, and documentation, and why clear communication prevents confusion and protect...
Feb 22, 2026•13 min•Ep. 29
This episode introduces incident response as the structured approach for handling security events so the organization can limit damage, preserve evidence, and recover operations efficiently. You will learn how incident response differs from general troubleshooting by focusing on security objectives such as containment, eradication, and preventing recurrence. We will define key terms like incident, event, alert, and compromise, and explain why proper classification matters for deciding escalation...
Feb 22, 2026•12 min•Ep. 28
This episode covers the building blocks of a workable disaster recovery capability, including backups, replication, failover planning, documented runbooks, and validation steps that confirm systems are truly restored. You will learn how different backup types and storage choices influence recovery speed and reliability, and why integrity checks are critical before trusting restored data. We will discuss failover concepts such as hot, warm, and cold approaches in practical terms, emphasizing what...
Feb 22, 2026•13 min•Ep. 27
This episode explains why disaster recovery planning is essential, focusing on how RTO and RPO translate into real business tradeoffs and investment decisions that security professionals must understand. You will learn that shorter recovery times and smaller data loss windows usually require higher cost, more complexity, and more disciplined operations, which is why organizations must define realistic targets instead of hoping for miracles during an incident. We will discuss common misunderstand...
Feb 22, 2026•13 min•Ep. 26
This episode introduces disaster recovery as the focused effort to restore IT systems and data after an outage or major disruption, and it clarifies how disaster recovery differs from broader business continuity. You will learn how disaster recovery emphasizes technical restoration activities such as rebuilding servers, restoring backups, failing over to alternate infrastructure, and confirming services function correctly after recovery. We will define recovery time objective (RTO) and recovery ...
Feb 22, 2026•13 min•Ep. 25
This episode breaks down the core components of a business continuity program and prepares you to answer CC questions that ask what a continuity plan must include to be effective. You will learn the role of business impact analysis, dependency mapping, continuity strategies, and clear ownership so actions are not delayed during a crisis. We will discuss how plans define responsibilities, communications, alternate processes, and escalation paths, and why a plan that is not tested is often a plan ...
Feb 22, 2026•14 min•Ep. 24
This episode explains why business continuity matters, focusing on the real costs of downtime and the broader impacts that reach beyond IT into revenue, safety, legal exposure, and reputation. You will learn how continuity planning protects stakeholder trust by ensuring the organization can keep promises to customers, partners, and employees during disruptions. We will discuss how continuity priorities are set using impact analysis, including financial loss, operational bottlenecks, regulatory c...
Feb 22, 2026•14 min•Ep. 23
This episode introduces business continuity as the discipline of keeping essential business functions operating during disruptive events, which is foundational knowledge for the CC exam. You will learn how continuity planning focuses on the mission, the people, and the processes—not just the technology—and how organizations decide what must continue versus what can pause. We will cover key ideas such as critical functions, dependencies, maximum tolerable downtime, and continuity strategies that ...
Feb 22, 2026•13 min•Ep. 22
This episode explains how laws and regulations influence security requirements, and it prepares you for CC questions that test your ability to recognize compliance drivers without needing to memorize specific statutes. You will learn the practical difference between legal requirements, regulatory requirements, contractual obligations, and internal policy, and how each can create mandatory controls or reporting expectations. We will discuss why compliance is not the same as security, but why secu...
Feb 22, 2026•15 min•Ep. 21
This episode focuses on governance as the structure that makes security consistent, measurable, and aligned with business goals, which is a recurring theme in the CC objectives. You will learn how policies set high-level intent, standards define mandatory requirements, and procedures describe the step-by-step actions people follow to implement controls reliably. We will discuss why governance fails when documents are created but not maintained, when roles are unclear, or when enforcement is inco...
Feb 22, 2026•18 min•Ep. 20
This episode explains how the ISC2 Code of Ethics guides professional behavior, and why the CC exam expects you to recognize ethical responsibilities as part of being trusted with systems and data. You will learn the intent of ethical principles such as protecting society, acting honorably, providing diligent service, and advancing the profession, then connect those ideas to realistic workplace decisions. We will discuss how ethical failures show up operationally, like mishandling sensitive data...
Feb 22, 2026•18 min•Ep. 19
This episode covers physical controls, which protect facilities, equipment, and people from unauthorized access, theft, and environmental hazards, a topic the CC exam expects you to understand at a foundational level. You will learn how barriers, locks, fences, lighting, visitor procedures, and secured areas work together as layers, and why a single control rarely solves a physical risk by itself. We will discuss the idea of deterrence versus delay versus detection, and how physical security des...
Feb 22, 2026•18 min•Ep. 18
This episode explains administrative controls, which are the governance and process mechanisms that shape behavior and reduce risk, and they are critical for CC because they connect security to people and organizational decision-making. You will learn how policies, procedures, standards, training, background checks, and change management reduce vulnerabilities created by human error and inconsistent practices. We will discuss why administrative controls often fail when they are vague, unenforced...
Feb 22, 2026•17 min•Ep. 17
This episode focuses on technical controls and how they are used to reduce risk in practical, testable ways that show up in the CC objectives. You will learn how controls such as encryption, access control, firewalls, endpoint protection, and logging are selected to address specific threats and vulnerabilities, rather than being applied as a random checklist. We will discuss preventive, detective, and corrective control functions, and how the same tool can serve different functions depending on ...
Feb 22, 2026•18 min•Ep. 16
This episode explains the four classic risk treatment options—avoid, mitigate, transfer, and accept—and prepares you to choose the best response when an exam question asks what an organization should do next. You will learn that avoidance removes the risky activity, mitigation reduces likelihood or impact through controls, transfer shifts financial consequences through mechanisms like insurance or contracts, and acceptance acknowledges the risk while documenting the decision. We will discuss why...
Feb 22, 2026•19 min•Ep. 15
This episode teaches you how to assess risk in a way that produces a meaningful risk statement, which is what security teams use to communicate clearly and what the CC exam often tests through scenario-style questions. You will learn how likelihood reflects probability based on conditions and history, while impact reflects the severity of consequences to operations, finances, safety, and reputation. We will discuss why “high” and “low” labels are not magic words, and how a structured approach he...
Feb 22, 2026•19 min•Ep. 14
This episode builds the core vocabulary of risk by teaching you how to identify the inputs that create risk, which is essential for answering CC questions that describe messy real-world situations. You will learn how to define assets in terms of value and dependency, how to describe threats as potential causes of harm, and how vulnerabilities represent weaknesses that threats can exploit. We will also explain exposure pathways, meaning the routes an attacker or failure can use to reach an asset,...
Feb 22, 2026•16 min•Ep. 13
This episode focuses on risk tolerance, which is the boundary an organization sets for how much risk it is willing to accept to achieve its goals, and it is a frequent source of confusion on entry-level exams. You will learn the difference between risk appetite and risk tolerance, and how each influences security decisions, budgeting, and control selection. We will discuss why risk tolerance is not a personal opinion, but a management decision shaped by industry, regulations, brand impact, and o...
Feb 22, 2026•18 min•Ep. 12
This episode explains how risk prioritization works in a practical security program, and why the CC exam expects you to connect technical issues to business impact instead of treating every finding as equal. You will learn how organizations decide what matters most by looking at mission objectives, critical services, legal obligations, and the consequences of downtime or data exposure. We will define key terms such as asset, threat, vulnerability, likelihood, and impact, then show how those idea...
Feb 22, 2026•18 min•Ep. 11
This episode frames privacy as a core security-adjacent concept focused on appropriate collection, use, sharing, and protection of personal data, which the CC exam expects you to understand at a foundational level. You will learn the practical meaning of data minimization, purpose limitation, consent, and transparency, and how these ideas influence system design and everyday handling decisions. We will connect privacy risks to common security controls like access restrictions, encryption, loggin...
Feb 22, 2026•17 min•Ep. 10
This episode explains non-repudiation as the ability to prove that a specific action occurred and that a specific party performed it, which supports accountability and trustworthy records. You will learn how non-repudiation differs from authentication and integrity, and why it often relies on mechanisms like digital signatures, strong identity binding, and reliable logging. We will discuss what “proof” means in practical security terms: evidence that can be validated later, tied to an identity, ...
Feb 22, 2026•14 min•Ep. 9
This episode focuses on multi-factor authentication (MFA) and why it is a high-value control for reducing account takeover risk, a concept that shows up frequently in entry-level security exams. You will learn what counts as a factor, what does not, and how “two-step” can still be weak if it relies on the same underlying factor. We will discuss common MFA methods—authenticator apps, push approvals, hardware tokens, SMS codes—and compare them in terms of phishing resistance, reliability, and user...
Feb 22, 2026•13 min•Ep. 8
This episode explains authentication as the process of proving identity, and it prepares you to recognize common authentication methods and their strengths and weaknesses for the CC exam. You will review authentication factors—something you know, something you have, something you are—and learn how different methods map to those factors in real systems. We will cover why password-only authentication is fragile, how shared secrets fail in predictable ways, and why device-based and biometric factor...
Feb 22, 2026•13 min•Ep. 7
This episode covers availability as the security goal of keeping systems and data accessible to authorized users when needed, even during failures, attacks, or unexpected spikes in demand. You will learn how availability problems show up in real operations, from outages and degraded performance to capacity exhaustion and denial-of-service conditions. We will connect availability to practical strategies such as redundancy, fault tolerance, backups, disaster recovery planning, patching to prevent ...
Feb 22, 2026•14 min•Ep. 6