SY0-601 Governance, Risk, and Compliance Study Guide for the CompTIA Security+

General Information

Since this area of security involves mainly regulations, there are no questions that begin with a scenario. Questions about governance, risk, and compliance only make up about 14% of the questions on the entire CompTIA Security+ test, but you’ll need to be conversant in all topics to achieve a passing score on this test.

Types of Controls

As a security professional, you will need to be able to protect various aspects of the networking landscape, including physical and logical assets, to prevent incidents, limit their impact, and recover from them. In order to maintain the security of assets, varying controls must be employed. You need to be able to compare and contrast different categories and types of controls.


Security controls fall into three major categories: managerial, operational, and technical. Each category reaches its security objectives through a different kind of mechanism.


Managerial controls are controls that use procedural mechanisms, focusing on the risk management process. Examples of managerial controls include organization-wide security policies, organizational best practices, periodic risk assessments, and security-aware change management.


Operational controls are controls that focus on the day-to-day policies and practices used to secure assets. Examples of operational controls include security guards checking ID badges, user access reviews, and employee awareness training.


A technical control is a control implemented through technology to uphold and enforce the CIA triad: confidentiality, integrity, and availability. Examples of technical controls include firewall rules, an intrusion prevention system (IPS) and intrusion detection system (IDS), and encryption standards.

Control Type

A control type refers to the desired effect of the control set in place. When implementing controls, many security mechanisms will fall into multiple control type categories.


A preventative control attempts to stop an incident before it occurs. For example, a firewall is set to prevent access to a network by stopping suspicious traffic.


A detective control is designed to identify security concerns that have already occurred. For example, an IDS monitors traffic to identify malicious activity that has already taken place.


A corrective control aims to fix or recover from security issues that have already occurred. For example, after an incident has occurred, restoring from a backup is a corrective control.


A deterrent control is one that aims to dissuade a potential threat actor from trying in the first place. For example, bollards are physical deterrent controls meant to prevent a threat actor from breaching a location with a car.


A compensating control is designed to reduce the impact associated with an incident or the risk associated with exceptions to security policies. For example, a compensating control to reduce impact may be to have a server connected to an alternate power supply in case of power loss. A compensating control to reduce the risk associated with security exceptions could be isolating needed legacy software from the primary network.


A physical control is a control based in the physical realm. For example, security lighting, cable locks, and fire suppression systems are physical controls.

The Impacts of Regulations, Standards, and Frameworks

An organization’s cybersecurity program is commonly influenced by applicable government regulations, proven cybersecurity standards, and best practice frameworks. You should be able to identify common regulations, trusted industry groups, accepted benchmarks, and secure configuration guides.

Regulations, Standards, and Legislation

To protect data and personally identifiable information (PII), government agencies have developed and adopted various regulations, standards, and legislation to define minimum security requirements, as well as suggested best practices. These standards and regulations may be based on the sector the business operates in or the location of the business.

General Data Protection Regulation (GDPR)—The GDPR is a set of security and privacy requirements that must be adhered to by any entity that interacts with the personal information of European Union residents.

national, territory, and state laws—National, territory, and state laws may be different from location to location but must be complied with by any industry or business that interacts with that location. For example, if a business is based in Florida but uses a data center in California, the business must comply with the laws and regulations set by both states.

Payment Card Industry Data Security Standard (PCI DSS)—The PCI DSS is a set of rules and requirements pertaining to the storage, processing, and transmission of credit and debit card data. PCI DSS, while not a law, is a contractual agreement for merchants and service providers that process credit and debit card transactions.

Key Frameworks

A framework is a set of security policy documents used to outline an organization’s cybersecurity program. Frameworks typically contain four primary components: policies, standards, guidelines, and procedures. These can vary in complexity between enterprises. Enterprises commonly leverage the use of industry-standard key frameworks provided by trusted entities.

Center for Internet Security (CIS)

CIS is a non-profit organization dedicated to helping businesses, individuals, and governments protect themselves from cybersecurity threats. The CIS Critical Security Controls (CSC; also known as the CIS Controls) is a cybersecurity framework subdivided into 18 measures that provide best practices for strengthening an entity’s cybersecurity posture. The CIS CSC also provides threat intelligence, secure configuration guides, and benchmarks for common systems.

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/Cybersecurity Framework (CSF)

NIST is a government agency that develops, maintains, and promotes metrics and standards for various industries, including cybersecurity. The NIST RMF is a framework that provides a seven-step process that entities can use to manage data security and privacy risks. The NIST CSF is a set of guidelines, standards, and best practices for managing and mitigating cybersecurity risks. These NIST frameworks merely provide guidance for implementation, unlike the CIS CSC, which is more definitive in scope.

International Organization for Standardization (ISO)

ISO is a global federation that facilitates the sharing of knowledge between countries to develop international standards to support innovation and provide solutions to global challenges, including cybersecurity issues.

  • ISO 27001, titled “Information technology – Security techniques – Information security management systems – Requirements,” provides control objectives in 14 categories pertaining to information security.

  • ISO 27002, titled “Information security, cybersecurity, and privacy protection – Information security controls,” expands on ISO 27001 and provides specific controls that can be implemented within an organization to increase its cybersecurity posture.

  • ISO 27701 is an extension of ISO 27001 and ISO 27002, which provides guidelines for privacy control management.

  • ISO 31000, titled “Risk management – Guidelines,” while not specific to cybersecurity, provides guidelines for risk management in an organization.

Statement on Standards for Attestation Engagements (SSAE) SOC 2 Type I/II

The SSAE is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA), which is used to independently evaluate an organization’s internal controls and provide a standard method of reporting on the audit. A System and Organization Controls (SOC) audit is an independent assessment of an organization’s security controls and comes in three categories: SOC 1, SOC 2, and SOC 3.

An SOC 2 audit evaluates the controls that impact the confidentiality, integrity, and availability of data stored in a system. There are two types of SOC reports:

  • Type I reports provide an assessment of security controls at a specific point in time.

  • Type II reports provide a more comprehensive evaluation by monitoring and auditing the security controls over a six-month or longer period.

Cloud Security Alliance (CSA)

CSA is a non-profit organization dedicated to providing best practices and education for cloud computing and the cloud environment.

Cloud Controls Matrix (CCM)

CSA provides a CCM framework that identifies standards, best practices, and regulations pertaining to the cloud environment.

Reference Architecture

A reference architecture provides recommendations for structures and integrations of technical products and services. A reference architecture is commonly composed of various documents containing industry-accepted standards and best practices for specific technologies.

Benchmarks/Secure Configuration Guides

Benchmarks and secure configuration guides are specific guidelines for the secure operation of common platforms, such as operating systems, servers, and network appliances. Benchmarks and secure configuration guidelines may be released by an organization, such as CIS, or by specific vendors and manufacturers.

Platform/Vendor-Specific Guides

Default configurations are generally not secure and must be adjusted to reach optimum security. Platform- and vendor-specific guides are guidelines for hardening a system built on specific software and hardware.

web server—Web server software handles communication between a client and the server and is most commonly public facing, which exposes it to potential data leaks or breaches. Web server hardening guides may contain security guidance such as preventing data leakage by disabling directory browsing, running the web server software under non-privileged accounts, and Secure Sockets Layer (SSL) configurations for encryption.

operating system (OS)—There are numerous guides for the hardening of specific OSs such as Windows, Android, or Linux. These guides may include password configuration guidelines, update and patching best practices, and endpoint security suggestions, such as the use of anti-malware.

application server—Application server software, sometimes referred to as middleware, is software that sits between a web server and the data on a device or system. Application server software contains the software needed to run an application, such as programming language runtimes or required libraries. Application server hardening guides may include guidelines for disabling capabilities beyond what is needed to run the application, determining permissions, and limiting access to the OS.

network infrastructure devices—Network infrastructure devices, such as routers and switches, are typically standalone devices that contain their own embedded OS separate from the OS of connected devices and systems. Network infrastructure guides contain guidelines similar to those for securing OSs, as well as additional guidelines aimed at mitigating the lack of regular patches and updates for such devices.
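The three web server hardening items listed above (directory browsing disabled, a non-privileged service account, and an SSL/TLS configuration that excludes obsolete protocols) can be checked mechanically against a configuration file. The following is an added example, not from the study guide or any vendor's guide: the Apache-style directives and both sample configs are constructed, and the parser is deliberately simplified rather than a complete Apache config parser.

```python
# Added example (not from the study guide): audit a constructed Apache-style config
# for three web server hardening items named above. Simplified, not a full parser.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PRIVILEGED_ACCOUNTS = {"root", "Administrator", "SYSTEM"}
WEAK_CONFIG = """User root
Options Indexes FollowSymLinks
SSLEngine on
SSLProtocol all -SSLv2
"""
HARDENED_CONFIG = """User www-data
Options -Indexes +FollowSymLinks
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

def _directives(config_text):
    """Yield (lowercased name, args); skip blank lines, comments and <section> tags."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def _resolve_protocols(args):
    """Expand Apache's 'all -SSLv3' / '-all +TLSv1.2' syntax into the enabled set."""
    every = OBSOLETE_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
    enabled = set()
    for token in args:
        names = every if token.lstrip("+-").lower() == "all" else {token.lstrip("+-")}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled

def audit_web_server_config(config_text):
    """Return a list of findings; an empty list means all three checks passed."""
    findings, user, ssl_on, protocols = [], None, False, None
    for name, args in _directives(config_text):
        # "Indexes", "+Indexes" or "All" enables directory listings; "-Indexes" disables them
        if name == "options" and any(a.lower() in ("indexes", "+indexes", "all") for a in args):
            findings.append("directory browsing enabled (Options Indexes)")
        elif name == "user" and args:
            user = args[0]
        elif name == "sslengine" and args:
            ssl_on = args[0].lower() == "on"
        elif name == "sslprotocol":
            protocols = args
    if user is None or user in PRIVILEGED_ACCOUNTS:
        findings.append(f"web server not confined to a non-privileged account (User={user})")
    if ssl_on:  # a missing SSLProtocol is treated as 'all' here (assumption)
        bad = sorted(_resolve_protocols(protocols or ["all"]) & OBSOLETE_PROTOCOLS)
        if bad:
            findings.append("obsolete protocols allowed: " + ", ".join(bad))
    return findings
```

Running `audit_web_server_config(WEAK_CONFIG)` reports all three weaknesses, while the hardened sample produces no findings.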
