CSC Cheat Sheet 2026

The 30 highest-yield CSC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

  1. Why is policy development important in cybersecurity? To establish security standards and accountability
  2. What is a Qualified Security Assessor (QSA) in the context of PCI DSS? A company certified by PCI SSC to conduct PCI DSS compliance assessments
  3. Which access control model grants permissions based on security labels assigned to resources and user clearance levels? Mandatory Access Control (MAC)
  4. What is the primary objective of cybersecurity regulations? To secure systems and protect data
  5. Under the GDPR, the 'accountability' principle requires a data controller to do which of the following? Be responsible for and able to demonstrate compliance with the GDPR principles.
  6. Under the California Consumer Privacy Act (CCPA), what right allows consumers to request that a business delete their personal information? Right to deletion
  7. What is the primary compliance purpose of Privileged Access Management (PAM)? To monitor, secure, and control elevated access to critical systems and data
  8. What is the purpose of a cybersecurity policy review? To ensure policies are updated and effective
  9. What is the primary goal of IT governance? To align IT with business objectives
  10. Which tool is commonly used in monitoring and alerting? SIEM (Security Information and Event Management)
  11. Which regulation focuses on credit card data security? PCI DSS
  12. Which of the following is an administrative control? Security policies and training
  13. What is log analysis used for in monitoring? To detect and understand security incidents
  14. Which PCI DSS requirement mandates that organizations maintain an information security policy for all personnel? Requirement 12
  15. Which type of personal information is most commonly covered by U.S. state breach notification statutes? Name combined with SSN, financial account number, or driver's license number
  16. What new right did the CPRA add for California consumers that was not included in the original CCPA? Right to correct inaccurate personal information
  17. Which compliance framework explicitly mandates multi-factor authentication (MFA) for all remote access to cardholder data environments? PCI DSS
  18. Which PCI DSS compliance validation level applies to merchants processing over 6 million Visa transactions annually? Level 1
  19. What does the GDPR apply to? Organizations handling EU citizen data
  20. Which U.S. state law created the first dedicated state privacy enforcement agency, the California Privacy Protection Agency (CPPA)? CPRA (California Privacy Rights Act)
  21. Which U.S. federal agency is responsible for overseeing breach notification compliance in the healthcare sector? HHS Office for Civil Rights (OCR)
  22. Which PCI DSS requirement addresses the implementation of strong access control measures for cardholder data systems? Requirement 7
  23. Which federal law protects the privacy of students' educational records and applies to schools receiving federal funding? FERPA
  24. Which cryptographic approach does PCI DSS recommend for protecting PANs stored in databases? Strong one-way hash functions or strong encryption
  25. What does PCI DSS Requirement 9 govern? Restricting physical access to cardholder data
  26. Which organization maintains and publishes the Payment Card Industry Data Security Standard (PCI DSS)? PCI Security Standards Council
  27. Which of the following ISO 27001:2022 controls is considered a 'Technological' control? A.8.28 Secure coding
  28. Which U.S. law restricts the online collection of personal information from children under 13 years old? COPPA
  29. What does the term 'cardholder data environment' (CDE) refer to in PCI DSS? Systems that store, process, or transmit cardholder data
  30. What is an incident response plan? A strategy to address cybersecurity threats and breaches
Turn these facts into recall: