Security+ Domain 5 – Security Program Management and Oversight (20% of the exam)
Key terms and definitions from this domain are given below:
5.1 Summarize elements of effective security governance.
Policies:
- Acceptable Use Policy (AUP): Defines acceptable use of organizational resources, including computers, networks, and information systems.
- Information Security Policies: Establish guidelines for protecting sensitive information and managing security risks.
- Business Continuity: Outlines strategies and procedures to ensure business operations continue during and after disruptions.
- Disaster Recovery: Describes processes and measures to recover and restore systems and data after a disaster or significant disruption.
- Incident Response: Defines steps and actions to be taken in response to security incidents, ensuring a structured and effective response.
- Software Development Lifecycle (SDLC): Governs the development process, emphasizing security considerations at each phase.
- Change Management: Regulates the process of introducing, modifying, or removing systems and components.
Standards:
- Password: Specifies requirements for creating and managing passwords to ensure security.
- Access Control: Defines rules and procedures to regulate access to systems and data.
- Physical Security: Establishes measures to safeguard physical assets, facilities, and resources.
- Encryption: Specifies methods and algorithms for encrypting sensitive data to protect confidentiality.
Procedures:
- Change Management: Details the steps and protocols for implementing changes in the IT environment.
- Onboarding/Offboarding: Describes the processes for integrating new employees into the organization and removing departing employees.
- Playbooks: Step-by-step guides outlining actions to be taken in response to specific incidents or scenarios.
External Considerations:
- Regulatory: Compliance with laws and regulations governing data protection and information security.
- Legal: Adherence to legal requirements and obligations related to information security and data privacy.
- Industry: Industry-specific standards and practices influencing security policies and procedures.
- Local/Regional: Considerations related to the specific geographic location or region where the organization operates.
- National: Compliance with national laws and regulations governing information security.
- Global: Considerations related to international laws and regulations, especially for organizations with a global presence.
Monitoring and Revision:
Ongoing processes of reviewing, updating, and ensuring the effectiveness of security guidelines, policies, and procedures.
Types of Governance Structures:
- Boards: Oversight and decision-making bodies responsible for high-level governance.
- Committees: Groups formed to address specific governance tasks or areas.
- Government Entities: Regulatory bodies or government agencies overseeing compliance with laws and regulations.
- Centralized/Decentralized: Refers to the distribution of governance responsibilities within an organization.
Roles and Responsibilities for Systems and Data:
- Owners: Individuals responsible for overall governance and decision-making regarding systems and data.
- Controllers: Determine the purposes and means of processing personal data and are accountable for that processing under the applicable regulations.
- Processors: Entities that process data on behalf of, and on the instructions of, a data controller (for example a SaaS or payroll provider).
- Custodians/Stewards: Responsible for the day-to-day management and protection of specific data assets.
5.2 Explain elements of the risk management process.
Risk Assessment:
- Ad Hoc: Informal and unscheduled risk assessments conducted as needed.
- Recurring: Regularly scheduled risk assessments to continually evaluate and manage risks.
- One-Time: A single, comprehensive risk assessment performed at a specific point in time.
- Continuous: Ongoing and dynamic risk assessment processes that adapt to changes in the organizational environment.
Risk Analysis:
- Qualitative: Rates likelihood and impact on ordinal scales (e.g., low/medium/high) using expert judgment; quick to produce, but the result is a ranking rather than a monetary figure.
- Quantitative: Assigns numerical values, usually monetary, so that risks can be compared with each other and against the cost of controls (SLE, ARO, ALE).
- Single Loss Expectancy (SLE): The monetary loss from a single occurrence of a specific risk; SLE = asset value (AV) × exposure factor (EF).
- Annualized Loss Expectancy (ALE): The expected monetary loss from a risk over a year; ALE = SLE × ARO.
- Annualized Rate of Occurrence (ARO): The anticipated number of times a specific risk occurs within a year (a value below 1 means less than once a year, e.g. 0.25 for once every four years).
- Probability: The likelihood of a specific risk event occurring.
- Likelihood: The chance of a risk event taking place.
- Exposure Factor: The percentage of loss expected if a specific risk occurs.
- Impact: The potential harm or severity of consequences associated with a risk event.
Risk Register:
- Key Risk Indicators: Metrics used to assess and monitor the status of risks within an organization.
- Risk Owners: Individuals or entities responsible for overseeing and managing specific risks.
- Risk Threshold: The predefined level at which a risk is considered unacceptable or requires action.
Risk Tolerance:
The level of acceptable variation an organization is willing to tolerate in achieving its objectives.
Risk Appetite:
- Expansionary: A willingness to take on more risk to pursue opportunities for growth.
- Conservative: A preference for minimizing risk and maintaining stability.
- Neutral: A balanced approach, accepting a moderate level of risk.
Risk Management Strategies:
- Transfer: Shifting the impact or responsibility of a risk to another party, often through insurance or outsourcing.
- Accept: Acknowledging a risk and choosing not to reduce it further, usually because its ALE is below the organization's risk threshold or a control would cost more than it saves. Two documented forms:
  - Exemption: A formal decision that a requirement or control does not apply to a particular asset or process.
  - Exception: A formal, approved, usually time-limited deviation from a control that does apply, with compensating measures and a review date.
- Avoid: Eliminating or withdrawing from activities or processes that pose significant risks.
- Mitigate: Implementing measures to reduce the likelihood or impact of a risk.
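A worked quantitative analysis tying the definitions above together: SLE and ALE are computed for each register entry, each candidate control is valued by how much it lowers the ALE net of its own annual cost, and the entry is accepted, mitigated, or flagged for transfer/avoidance against a risk threshold. This is an added example, not material from the Security+ objectives; the register, asset values, exposure factors, ARO values and control costs are all constructed for illustration.

```python
"""Quantitative risk analysis over a constructed risk register (added example).

Asset values, exposure factors, AROs and control costs are invented figures.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    owner: str             # risk owner from the register
    asset_value: float     # AV, in currency units
    exposure_factor: float # EF, fraction of AV lost per occurrence (0..1)
    aro: float             # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    new_aro: Optional[float] = None  # ARO after the control is in place, if it lowers likelihood
    new_ef: Optional[float] = None   # EF after the control is in place, if it lowers impact

    def residual_ale(self, risk: Risk) -> float:
        """ALE that remains once this control is applied to the risk."""
        aro = self.new_aro if self.new_aro is not None else risk.aro
        ef = self.new_ef if self.new_ef is not None else risk.exposure_factor
        return risk.asset_value * ef * aro

    def net_benefit(self, risk: Risk) -> float:
        """ALE reduction minus the control's annual cost (positive = pays for itself)."""
        return (risk.ale() - self.residual_ale(risk)) - self.annual_cost


def recommend(risk: Risk, controls: list, risk_threshold: float) -> dict:
    """Choose a risk management strategy for one register entry.

    - ALE at or below the threshold: accept (document it, no spend).
    - Otherwise mitigate with the control that has the highest net benefit.
    - If no control pays for itself, flag the entry for transfer (insurance) or avoidance.
    """
    if risk.ale() <= risk_threshold:
        return {"risk": risk.name, "strategy": "accept", "ale": risk.ale()}
    best = max(controls, key=lambda c: c.net_benefit(risk), default=None)
    if best is None or best.net_benefit(risk) <= 0:
        return {"risk": risk.name, "strategy": "transfer/avoid", "ale": risk.ale()}
    return {"risk": risk.name, "strategy": "mitigate", "control": best.name,
            "ale": risk.ale(), "residual_ale": best.residual_ale(risk),
            "net_benefit": best.net_benefit(risk)}


# Constructed register: (risk, candidate controls for that risk)
REGISTER = [
    (Risk("ransomware on file server", "IT Ops", 500_000, 0.6, 0.25),
     [Control("immutable backups", 20_000, new_ef=0.1),
      Control("EDR rollout", 30_000, new_aro=0.05)]),
    (Risk("laptop theft", "Facilities", 3_000, 1.0, 2.0),
     [Control("cable locks", 5_000, new_aro=1.0)]),
    (Risk("web app data breach", "AppSec", 2_000_000, 0.3, 0.1),
     [Control("WAF subscription", 70_000, new_aro=0.05)]),
]


def evaluate_register(risk_threshold: float = 10_000) -> list:
    """Run recommend() over every register entry."""
    return [recommend(risk, controls, risk_threshold) for risk, controls in REGISTER]


if __name__ == "__main__":
    for decision in evaluate_register():
        print(decision)
```

Reading the output: the ransomware entry is mitigated with immutable backups (ALE 75,000 falls to 12,500 for 20,000 a year, the better of the two controls), laptop theft sits under the 10,000 threshold and is accepted, and the web app breach is sent to transfer/avoid because the only proposed control costs more than the ALE it removes.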
Risk Reporting:
Communicating information about identified risks, their analysis, and the effectiveness of risk management strategies.
Business Impact Analysis:
- Recovery Time Objective (RTO): The targeted duration for restoring operations after a disruption.
- Recovery Point Objective (RPO): The maximum acceptable data loss, expressed as the time between the last recoverable copy and the disruption; it dictates how often backups or replication must run.
- Mean Time to Repair (MTTR): The average time it takes to restore a system or process after a failure; it must fit inside the RTO for the target to be achievable.
- Mean Time Between Failures (MTBF): The average operating time between failures of a component or system; together with MTTR it gives expected availability (MTBF / (MTBF + MTTR)).
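The four BIA metrics above are only useful when checked against what a system actually delivers. The added example below (not from the Security+ objectives; every figure is constructed) derives availability and expected yearly downtime from MTBF and MTTR, and reports where the backup schedule misses the RPO or the average restore time misses the RTO.

```python
"""Checking measured recovery figures against BIA targets (added example).

All system figures are constructed. The RTO check compares the *average* restore
time, so a system that passes here can still miss the RTO on a bad day; use a
high-percentile restore time from real recovery tests where one exists.
"""
HOURS_PER_YEAR = 24 * 365


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: fraction of time the system is up."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def expected_annual_downtime_hours(mtbf_hours: float, mttr_hours: float) -> float:
    """Expected failures per year (hours in a year / MTBF) times hours lost per failure."""
    return (HOURS_PER_YEAR / mtbf_hours) * mttr_hours


def bia_gaps(system: str, rto_hours: float, rpo_hours: float,
             mtbf_hours: float, mttr_hours: float, backup_interval_hours: float) -> dict:
    """Compare a system's measured figures with its BIA targets and list the gaps.

    RPO: a disruption just before the next scheduled backup loses everything since
    the previous one, so worst-case data loss equals the backup interval.
    RTO: the average restore time (MTTR) must fit inside the allowed outage.
    """
    gaps = []
    if backup_interval_hours > rpo_hours:
        gaps.append(f"RPO {rpo_hours}h not met: backups run every {backup_interval_hours}h")
    if mttr_hours > rto_hours:
        gaps.append(f"RTO {rto_hours}h not met: MTTR is {mttr_hours}h")
    return {
        "system": system,
        "availability": availability(mtbf_hours, mttr_hours),
        "expected_downtime_hours_per_year": expected_annual_downtime_hours(mtbf_hours, mttr_hours),
        "gaps": gaps,
    }


if __name__ == "__main__":
    # Constructed systems: one that misses both targets, one that meets them.
    for report in (
        bia_gaps("order-db", rto_hours=4, rpo_hours=1,
                 mtbf_hours=2000, mttr_hours=6, backup_interval_hours=4),
        bia_gaps("intranet-wiki", rto_hours=24, rpo_hours=24,
                 mtbf_hours=5000, mttr_hours=2, backup_interval_hours=24),
    ):
        print(report)
```

For the constructed "order-db" the numbers say availability of about 99.7% with roughly 26 hours of downtime a year, and two gaps: hourly RPO with four-hourly backups, and a 6-hour MTTR against a 4-hour RTO. The fix is a schedule and tooling decision (more frequent backups, faster restore path), which is exactly what the BIA is meant to drive.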
5.3 Explain the processes associated with third-party risk assessment and management.
Vendor Assessment:
- Penetration Testing: Evaluating the security of a vendor’s systems and infrastructure through simulated attacks.
- Right-to-Audit Clause: A contractual provision that grants the customer the right to assess and audit the vendor’s processes, controls, and compliance.
- Evidence of Internal Audits: Documentation or proof of internal audits conducted by the vendor to assess their own controls and compliance.
- Independent Assessments: Evaluations conducted by third-party entities to provide an unbiased review of a vendor’s security posture.
- Supply Chain Analysis: The examination and evaluation of a vendor’s supply chain to identify and mitigate potential risks.
Vendor Selection:
- Due Diligence: Thorough research and investigation to assess a vendor’s capabilities, financial stability, and overall suitability.
- Conflict of Interest: Identifying and managing situations where a vendor’s interests may conflict with the customer’s interests.
Agreement Types:
- Service-Level Agreement (SLA): Defines the expected level of service, performance metrics, and responsibilities between a customer and a vendor.
- Memorandum of Agreement (MOA): A formal document outlining the terms and understanding between parties involved in an agreement.
- Memorandum of Understanding (MOU): Similar to an MOA, outlining a mutual understanding between parties but may not be legally binding.
- Master Service Agreement (MSA): An overarching agreement that outlines general terms and conditions for future transactions or services.
- Work Order (WO)/Statement of Work (SOW): Details the specific tasks, deliverables, and timeline for a particular project or service.
- Non-Disclosure Agreement (NDA): A legal agreement outlining the protection and confidentiality of shared information.
- Business Partners Agreement (BPA): A comprehensive agreement defining the terms of a business partnership.
Vendor Monitoring:
- Questionnaires: Surveys or forms used to gather information from vendors about their practices, security measures, and compliance.
- Rules of Engagement: Guidelines defining the scope, limitations, and rules for interactions with a vendor, particularly in activities like testing or assessments.
5.4 Summarize elements of effective security compliance.
Compliance Reporting:
- Internal: Reporting on compliance status within the organization, typically for internal stakeholders and management.
- External: Reporting to external entities, such as regulatory bodies, auditors, or certification agencies, to demonstrate adherence to standards and regulations.
Consequences of Non-Compliance:
- Fines: Monetary penalties imposed for failing to comply with regulations or standards.
- Sanctions: Punitive measures, often imposed by regulatory bodies, for violations of specific rules or laws.
- Reputational Damage: Harm to the organization’s reputation due to perceived non-compliance, which can affect customer trust and relationships.
- Loss of License: Revocation or suspension of licenses or certifications necessary for the organization to operate in certain industries.
- Contractual Impacts: Breach of contractual agreements leading to legal consequences, financial penalties, or termination of contracts.
Compliance Monitoring:
- Due Diligence/Care: Due diligence is the investigation that identifies which laws, regulations, standards, and contractual obligations apply and what the risks are; due care is acting reasonably on that knowledge by implementing and maintaining the controls a prudent organization would.
- Attestation and Acknowledgment: Formal statements or acknowledgments from responsible parties affirming compliance with specific requirements.
- Internal and External: Monitoring and ensuring compliance both within the organization and with external regulations and standards.
- Automation: Using automated tools and systems to streamline and enhance compliance monitoring processes.
Privacy:
- Legal Implications:
  - Local/Regional: Adherence to privacy laws specific to a particular geographic area.
  - National: Compliance with national privacy laws and regulations.
  - Global: Addressing privacy considerations on an international scale.
- Data Subject: Individuals to whom the personal data pertains.
- Controller vs. Processor: Distinguishing roles and responsibilities between the entity controlling the data (controller) and the one processing it on behalf of the controller (processor).
- Ownership: Clarifying who owns and is responsible for the personal data within an organization.
- Data Inventory and Retention: Documenting and managing the types of data collected, processed, and the duration for which it is retained.
- Right to Be Forgotten: Granting individuals the right to request the deletion of their personal data from an organization’s records.
5.5 Explain types and purposes of audits and assessments.
Attestation:
- Internal:
  - Compliance: Affirmation or confirmation of adherence to internal policies, procedures, or standards.
  - Audit Committee: Formal declarations or confirmations of compliance made to the audit committee within the organization.
  - Self-Assessments: Evaluations conducted by internal stakeholders to assess and confirm compliance.
- External:
  - Regulatory: Confirmation of compliance with external regulations imposed by regulatory bodies.
  - Examinations: Formal reviews or inspections of processes and controls to validate compliance.
  - Assessment: Evaluations conducted to assess adherence to specific criteria or standards.
  - Independent Third-Party Audit: External audits performed by third-party entities to provide an unbiased assessment.
Penetration Testing:
- Physical: Assessing the security of physical infrastructure, facilities, and access points.
- Offensive (red team): Simulating real-world attacks to identify vulnerabilities and weaknesses.
- Defensive (blue team): Exercising and evaluating the organization's detection and response capabilities against those attacks.
- Integrated (purple team): Offensive and defensive teams work together and share findings as the test runs, so that each attacker technique is matched against the detections it should trigger.
- Known Environment (white box): The testers are given full information about the systems, such as architecture, source code, and credentials.
- Partially Known Environment (gray box): The testers receive limited information, for example a network diagram or a low-privilege account.
- Unknown Environment (black box): The testers receive minimal information and must discover the environment themselves, as an external attacker would.
- Reconnaissance:
  - Passive: Collecting information without sending traffic to the target (public records, DNS, search engines, leaked data).
  - Active: Sending traffic to the target to gather information (port scans, service fingerprinting, web crawling); detectable by the target.
5.6 Given a scenario, implement security awareness practices.
Phishing:
- Campaigns: Coordinated and systematic efforts to deceive individuals into divulging sensitive information or performing actions that compromise security.
- Recognizing a Phishing Attempt: Identifying signs of phishing, such as suspicious emails, messages, or websites designed to trick individuals.
- Responding to Reported Suspicious Messages: Taking appropriate actions when users report potential phishing incidents, including investigation and mitigation.
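The indicators users are trained to spot (display name that does not match the sender domain, a Reply-To pointing elsewhere, a look-alike domain, link text that differs from the real link target, pressure language) can also be checked mechanically when a report arrives. The added example below is not from the Security+ objectives; the two messages, the trusted-domain list, and the indicator weights are constructed for illustration and are not any vendor's rules.

```python
"""Scoring a user-reported message for common phishing indicators (added example).

The trusted-brand mapping and the sample messages below are constructed.
Only single-part messages are handled; a multipart message would need its
text/html part extracted first (assumption made to keep the example short).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: brands users trust and the domains they really send from.
TRUSTED_BRAND_DOMAINS = {
    "it helpdesk": {"example.com"},
    "payroll": {"payroll.example.com"},
}
ALL_TRUSTED = set().union(*TRUSTED_BRAND_DOMAINS.values())
URGENCY_PHRASES = ("immediately", "within 24 hours", "account suspended", "verify now", "urgent")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Digit-for-letter substitutions attackers use in look-alike domains (examp1e.com).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def host_of(url_or_text: str) -> str:
    """First host-like token in a URL or bare host/path string, lower-cased."""
    m = HOST_RE.search(url_or_text)
    return m.group(1).lower() if m else ""


def looks_like_trusted(host: str) -> bool:
    """True when the host is not trusted but becomes a trusted domain after de-substitution."""
    return host not in ALL_TRUSTED and host.translate(LOOKALIKE_MAP) in ALL_TRUSTED


def phishing_indicators(raw_message: str) -> list:
    """Return the indicators found in one reported message (empty list = none found)."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_dom = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    for brand, domains in TRUSTED_BRAND_DOMAINS.items():
        if brand in from_name.lower() and from_dom not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    if looks_like_trusted(from_dom):
        findings.append(f"sender domain {from_dom} is a look-alike of a trusted domain")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in ANCHOR_RE.findall(body):
        href_host = host_of(href)
        text_host = host_of(re.sub(r"<[^>]+>", "", text))
        if text_host and href_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if looks_like_trusted(href_host):
            findings.append(f"link host {href_host} is a look-alike of a trusted domain")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


def triage(raw_message: str) -> str:
    """First response decision for a reported message, based on the indicator count."""
    n = len(phishing_indicators(raw_message))
    if n >= 2:
        return "likely phishing: block sender and URLs, search other mailboxes, tell the reporter"
    if n == 1:
        return "suspicious: analyst review"
    return "no indicators: close the report and thank the reporter"


# Constructed sample messages (not real mail).
PHISH = """From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.test
To: alice@example.com
Subject: Action required: account suspended
Content-Type: text/html

<p>Your mailbox will be suspended within 24 hours. Verify now:</p>
<a href="http://examp1e.com/login">https://portal.example.com/login</a>
"""

LEGIT = """From: Payroll <notices@payroll.example.com>
To: alice@example.com
Subject: Your March payslip is available
Content-Type: text/html

<p>Your payslip is ready in the portal.</p>
<a href="https://payroll.example.com/payslips">payroll.example.com/payslips</a>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw), "->", triage(raw))
```

The point of the triage step is the response half of the objective: a report with several indicators is treated as an incident (block, hunt for other recipients, feed back to the reporter) rather than a ticket, while a clean report still gets a thank-you so that users keep reporting.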
Anomalous Behavior Recognition:
- Risky: Identifying behaviors that pose a high level of risk to security.
- Unexpected: Recognizing activities or actions that deviate from normal or expected patterns.
- Unintentional: Identifying actions taken without deliberate intent but may still pose a security risk.
User Guidance and Training:
- Policy/Handbooks: Providing documented guidelines and policies to educate users on security best practices.
- Situational Awareness: Training users to be aware of their surroundings and to recognize and respond to security threats.
- Insider Threat: Educating users about the potential risks and indicators of insider threats within the organization.
- Password Management: Providing guidance on creating, managing, and protecting passwords securely.
- Removable Media and Cables: Educating users about the risks associated with using removable media and cables, and safe practices.
- Social Engineering: Training users to recognize and resist manipulation attempts through social engineering techniques.
- Operational Security: Instructing users on practices to safeguard sensitive information and maintain operational security.
- Hybrid/Remote Work Environments: Providing guidance and training specific to security considerations in hybrid and remote work setups.
Reporting and Monitoring:
- Initial: Reporting and documenting the first instance of a security incident or anomaly.
- Recurring: Ongoing reporting and monitoring to detect and respond to repeated incidents or patterns.
Development:
Designing the awareness program itself: identifying target audiences and their risks, choosing content and delivery methods (training modules, phishing simulations, briefings), and defining the metrics that will show whether it works.
Execution:
Delivering the program on a schedule, measuring results (completion rates, phishing-simulation click and report rates, reported incidents), and feeding those results back into the next development cycle.