CSC Cheat Sheet 2026
The 30 highest-yield CSC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
- Why is policy development important in cybersecurity? → To establish security standards and accountability
- What is a Qualified Security Assessor (QSA) in the context of PCI DSS? → A company certified by PCI SSC to conduct PCI DSS compliance assessments
- Which access control model grants permissions based on security labels assigned to resources and user clearance levels? → Mandatory Access Control (MAC)
- What is the primary objective of cybersecurity regulations? → To secure systems and protect data
- Under the GDPR, the 'accountability' principle requires a data controller to do which of the following? → Be responsible for and able to demonstrate compliance with the GDPR principles.
- Under the California Consumer Privacy Act (CCPA), what right allows consumers to request that a business delete their personal information? → Right to deletion
- What is the primary compliance purpose of Privileged Access Management (PAM)? → To monitor, secure, and control elevated access to critical systems and data
- What is the purpose of a cybersecurity policy review? → To ensure policies are updated and effective
- What is the primary goal of IT governance? → To align IT with business objectives
- Which tool is commonly used in monitoring and alerting? → SIEM (Security Information and Event Management)
- Which regulation focuses on credit card data security? → PCI DSS
- Which of the following is an administrative control? → Security policies and training
- What is log analysis used for in monitoring? → To detect and understand security incidents
- Which PCI DSS requirement mandates that organizations maintain an information security policy for all personnel? → Requirement 12
- Which type of personal information is most commonly covered by U.S. state breach notification statutes? → Name combined with SSN, financial account number, or driver's license number
- What new right did the CPRA add for California consumers that was not included in the original CCPA? → Right to correct inaccurate personal information
- Which compliance framework explicitly mandates multi-factor authentication (MFA) for all remote access to cardholder data environments? → PCI DSS
- Which PCI DSS compliance validation level applies to merchants processing over 6 million Visa transactions annually? → Level 1
- What does the GDPR apply to? → Organizations handling EU citizen data
- Which U.S. state law created the first dedicated state privacy enforcement agency, the California Privacy Protection Agency (CPPA)? → CPRA (California Privacy Rights Act)
- Which U.S. federal agency is responsible for overseeing breach notification compliance in the healthcare sector? → HHS Office for Civil Rights (OCR)
- Which PCI DSS requirement addresses the implementation of strong access control measures for cardholder data systems? → Requirement 7
- Which federal law protects the privacy of students' educational records and applies to schools receiving federal funding? → FERPA
- Which cryptographic approach does PCI DSS recommend for protecting PANs stored in databases? → Strong one-way hash functions or strong encryption
- What does PCI DSS Requirement 9 govern? → Restricting physical access to cardholder data
- Which organization maintains and publishes the Payment Card Industry Data Security Standard (PCI DSS)? → PCI Security Standards Council
- Which of the following ISO 27001:2022 controls is considered a 'Technological' control? → A.8.28 Secure coding
- Which U.S. law restricts the online collection of personal information from children under 13 years old? → COPPA
- What does the term 'cardholder data environment' (CDE) refer to in PCI DSS? → Systems that store, process, or transmit cardholder data
- What is an incident response plan? → A strategy to address cybersecurity threats and breaches
Turn these facts into recall: