SY0-601 Governance, Risk, and Compliance Study Guide for the CompTIA Security+
Policies and Organizational Security
Organizational security extends beyond technical controls and best practices to include every person or entity interacting with an organization. Policies are statements that define management intent and objectives and are highly useful in maintaining and establishing organizational security. You must be able to understand and explain the importance of different policies related to organizational security.
Personnel
Personnel refers to the people employed by an organization or entity, from the CEO to the janitorial staff. Personnel policies are designed to outline the dos and don’ts established by an organization that should be followed to maintain organizational security.
Acceptable Use Policy (AUP)
An AUP defines how a user can use a company’s network, system, or device. For example, an AUP may include a prohibition against using company devices for personal matters.
Job Rotation
A job rotation policy requires certain personnel, especially ones in sensitive roles, to rotate duties and positions on a set basis. One of the primary reasons for job rotation policies is to detect and deter fraud or concealment activities.
Mandatory Vacation
A mandatory vacation policy sets specific requirements for employee vacations, such as duration and yearly requirements. Mandatory vacation policies are another method of fraud detection and deterrent. For example, if a payroll employee goes on vacation, the covering employee will be able to see the transactions the vacationing employee has completed. If fraudulent activity has occurred, the covering employee may be able to identify it.
Separation of Duties
A separation of duties policy requires that a sensitive task composed of two components cannot be completed by a single person. For example, a transfer of funds may require two people to complete, one to request the transfer and another to process the transfer.
Least Privilege
A least privilege policy requires user permissions to be set at the minimum level needed to complete job functions. For example, an accounting employee would not have privileges that allow access to human resources files.
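The two preceding principles, separation of duties (a funds transfer needing a requester and a separate approver) and least privilege (an accounting role with no access to HR files), can be enforced in code rather than left to procedure. The following is an added illustration, not code from the study guide or from any product; the role names, permission strings, users and amounts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Role -> permissions. Each role gets only what its job function needs
# (least privilege). Constructed for this example, not a real scheme.
ROLE_PERMISSIONS = {
    "accounting": {"ledger:read", "transfer:request", "transfer:approve"},
    "hr": {"hr_files:read", "hr_files:write"},
}

# Constructed sample users and their single role.
USER_ROLES = {"alice": "accounting", "bob": "accounting", "carol": "hr"}


def has_permission(user: str, permission: str) -> bool:
    """Least privilege check: a user holds only the permissions of their role."""
    role = USER_ROLES.get(user)
    return role is not None and permission in ROLE_PERMISSIONS.get(role, set())


@dataclass
class Transfer:
    amount: int
    requested_by: str
    approved_by: Optional[str] = None
    status: str = "pending"


def request_transfer(user: str, amount: int) -> Transfer:
    """First half of the two-person task: only a permitted user may request."""
    if not has_permission(user, "transfer:request"):
        raise PermissionError(f"{user} may not request transfers")
    return Transfer(amount=amount, requested_by=user)


def check_approval(transfer: Transfer, user: str) -> Tuple[bool, str]:
    """Second half: the approver needs the permission AND must be a different
    person from the requester (separation of duties). Returns (allowed, reason)."""
    if transfer.status != "pending":
        return False, "transfer is not pending"
    if not has_permission(user, "transfer:approve"):
        return False, f"{user} lacks transfer:approve"
    if user == transfer.requested_by:
        return False, "separation of duties: requester cannot approve own transfer"
    return True, "ok"


def approve_transfer(transfer: Transfer, user: str) -> Transfer:
    """Apply the approval only when check_approval passes."""
    allowed, reason = check_approval(transfer, user)
    if not allowed:
        raise PermissionError(reason)
    transfer.approved_by = user
    transfer.status = "approved"
    return transfer


if __name__ == "__main__":
    t = request_transfer("alice", 500)
    print(check_approval(t, "alice"))   # denied: same person as requester
    print(check_approval(t, "carol"))   # denied: HR role lacks the permission
    print(approve_transfer(t, "bob"))   # approved: different accounting user
```

The separation-of-duties rule lives in one place (`check_approval`), so an audit can confirm that no code path lets the requester approve their own transfer, and the role table is the single record of what each job function may do.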
Clean Desk
A clean desk policy protects sensitive data by requiring papers and materials to be locked up when a desk is left unattended.
Background Checks
A background check policy requires that employees have a background screening of a certain rigor prior to employment or job change.
Non-Disclosure Agreement (NDA)
An NDA is a contract that requires employees to protect sensitive data during and after employment. For example, a tech company may require an employee to sign an NDA that states that any and all technological discoveries an employee may be privy to are protected and may not be disclosed to any unauthorized entity.
Social Media Analysis
A social media policy states that an employee’s public, personal, or business social media accounts may be analyzed for adherence to specific company policies. For example, a company may monitor an employee’s social media account for content that may reflect negatively on the company.
Onboarding
Onboarding is the process of adding a new employee to a network or company. Onboarding policies standardize this process and outline the specific steps to follow to add a new employee securely.
Offboarding
Offboarding is the process of removing an employee from a network or company after termination. Offboarding policies define the necessary steps to securely remove an employee, including the revocation of permissions and user accounts, exit interviews, and retention of assets.
User Training
The most widespread vulnerability in a company is the human factor. To address this vulnerability, user training policies are implemented to keep employees up to date on security awareness and the risks associated with their environment and roles. User training methods vary and are designed to produce the highest retention rates for the desired outcome.
gamification—Gamification is the use of a game-style format for training purposes. Gamification aims to increase user engagement and retention during the training process.
capture the flag—Capture the flag is a gamification technique that pits two users or groups against one another to achieve a goal. For example, during a penetration test there may be two teams: a red team attempting to gain access to a specific file (the flag) and a blue team attempting to protect that file.
phishing campaigns—A phishing campaign is a training method that provides awareness of phishing types and techniques through a pre-established program. For example, a phishing campaign may include funny posters depicting phishing techniques or rewards for flagging potential phishing emails.
phishing simulations—A phishing simulation is a training tool that sends fake phishing messages to employees to elicit a response and gauge the level of phishing awareness and recognition by employees. For example, a phishing simulation may be sent to an employee to gauge their response. The simulation may link to a training video if the employee falls for the phishing attempt or provide a reward if the phishing simulation is flagged and reported for review.
computer-based training (CBT)—CBT leverages computer assets to assist with the training of employees by providing simulations that approximate real-world situations. This allows employees to learn how to deal with and respond to threats that they may face in their computing environment.
role-based training—Role-based training addresses the specific level of training needed for employees based on their roles within an organization.
Diversity of Training Techniques
Using a diverse set of training techniques is the most effective way to elicit the highest amount of employee retention. If the training is static and the same every time, employees may disregard the training and view the threats covered in the training as insignificant. Also, different employees retain information through different learning techniques, which is another reason why diversification is so important.
Third-Party Risk Management
Most organizations interact with outside or third-party entities regularly. While an organization has control over how its employees are trained, there is no way to ensure that third parties have the same security measures or training in place. To reduce the vulnerabilities incurred by the use of third parties, there are techniques that can be employed for third-party risk management.
Vendors
Vendors are companies from which an organization purchases equipment and services. To reduce the risk of using third-party vendors, contracts and agreements can be implemented, such as master service agreements, statements of work, service level agreements, or memoranda of understanding. The principle of least access can also be used to reduce the scope of the vendor’s interaction with a network.
Supply Chain
The supply chain is how a product gets from a business to a consumer. There can be numerous moving parts in the supply chain that make it difficult to secure. The same contracts and agreements used with vendors can be applied to supply chain risk management. It is also important to understand how a product runs through the supply chain and what outside vendors the supply chain may be in contact with.
Business Partners
Business partners are two or more companies that agree to do business with one another. One way to mitigate risk when working with business partners is to have a clearly defined business partnership agreement (BPA). The extent of the BPA depends on the partnership and may include defined profit-sharing specifications, the delegation of duties and responsibilities, and minimum security requirements and best practices.
Service Level Agreement (SLA)
An SLA is a contract that outlines the minimum level of service that a provider is expected to maintain and what the service provider will do if those minimums are not met.
Memorandum of Understanding (MOU)
An MOU is an informal agreement that outlines the relationship between parties. An MOU provides a guideline for the relationship, but it is not legally binding.
Master Service Agreement (MSA)
An MSA is a contract that specifies a baseline of expectations between a vendor and a user over a prolonged period of time. This is the primary contract that may outline the baseline security and privacy requirements of the vendor. When a new project with a vendor is started, a statement of work (SOW) may be created to address the specific requirements of that project; the SOW commonly refers back to the MSA already in place.
Measurement Systems Analysis (MSA)
An MSA is a method of mathematically measuring variation in a measurement. When an organization is working with third-party entities, it may require the ability to run an MSA to determine the validity of an entity’s measuring system. For example, if a third party claims that, by its computations, its system provides a 99% stop rate on malware intrusions, the primary organization can run an MSA on those computations to see how accurate they are.
Note: While the acronyms for master service agreement and measurement systems analysis are the same, they refer to two very different concepts. To avoid confusion on the CompTIA Security+ exam, be sure to evaluate the context of the question prior to answering.
Business Partnership Agreement (BPA)
A BPA outlines the expectations and responsibilities between two or more entities.
End of Life (EOL)
EOL refers to the discontinuation of a product and support of a product. An EOL agreement between a vendor and a user specifies what happens when a product is discontinued, including how long after discontinuation support will remain and what to expect during the EOL process.
End of Service Life (EOSL)
EOSL is similar to EOL but refers to a service rather than a product. For example, if a service provider is phasing out offering hardline phone service, an EOSL agreement may be introduced to specify what the process will look like, including how long it will be supported and options for mitigating service interruptions during the EOSL process.
NDA
As discussed previously, an NDA is a contract that can be used with individuals or third-party providers that specifies how sensitive information is treated during and after employment or use. NDAs may specify what information can be discussed or who information can be shared with, and they are commonly used to protect sensitive information, such as PII, trade secrets, or proprietary information.
Data
Data is prolific in today’s business and computing environment, from PII to credit card information to browsing history. Numerous regulations, laws, and industry standards must be considered to maintain the security of this massive amount of data.
Classification
Data is classified into different types depending on its content. Each data classification type is subject to specific rules and regulations pertaining to usage, storage, and retention. For example, medical data has to adhere to the Health Insurance Portability and Accountability Act (HIPAA) regulations, while credit card data is required to meet the PCI DSS standards.
Governance
Data governance refers to the management of data, including ensuring that all pertinent rules and regulations are followed, as well as enforcing accountability for data collection, usage, storage, and retention. The person in charge of this data management is the data steward. The steward monitors data classification, privacy, and accuracy.
Retention
Data retention refers to how data is kept. Different industries and organizations require different retention policies, which may include how often data is backed up, how long data is kept, how data is stored, and how data is destroyed.
Credential Policies
Credential policies are managerial policies pertaining to the use and security of credentialing information, such as usernames, passwords, and ID badges. Credentialing policies may also include how credentialing data is stored or transmitted.
personnel—Credential policies pertaining to personnel may include onboarding and offboarding policies, password requirements, and shared usage as well as access requirements.
third-party—A third-party credential may refer to credentials used by third-party vendors or credentials used by employees to gain access to a network from outside the network, such as using a cloud account to access the network. Along with traditional credential policies, such as password requirements, third-party credential policies may have additional requirements, including multi-factor authentication (MFA).
devices—Device credential policies can pertain to how specific devices authenticate into a network or how devices use, store, and transmit credentialing information. For example, some devices or applications on devices have an autosave function for passwords. This function can be a security concern if an unauthorized user gains access to the device.
service accounts—Service accounts are accounts that run in the background of a device to access specific servers, networks, applications, etc. Service accounts use credentials to authenticate for access. However, because these service accounts run in the background, maintaining credential security is more difficult. Policies should be put in place to address the management of service account credentialing.
administrator/root accounts—Administrator and root accounts provide the user with complete access to a device’s OS, making them highly valuable targets for threat actors. Administrator and root account credential policies should require MFA and keep the number of users with access to the account to a minimum.
Organizational Policies
An organizational policy is a policy set in place by an entity to set guidelines, intent, and best practices that pertain to different sectors and aspects related to how the organization should be run. Organizational policies are often part of the larger information security framework and address such topics as staff requirements for the protection of sensitive data, acceptable use policies, credential management policies, ethics policies, change management policies, and asset policies, among others.
Change Management
A change management policy provides an outline of when, if, and how changes will occur in an organization over a longer term and from a broader perspective. Change management evaluates the potential change before, during, and after implementation to reduce the potential impacts that the change may incur.
Change Control
Change control is a more specific type of change management that evaluates how a specific change will be sourced, analyzed, and managed to provide a roadmap for the most effective implementation of the change.
Asset Management
Asset management follows assets from procurement, through usage, and to disposal. Asset management also outlines the processes and procedures that should be used throughout the life cycle of an asset to ensure secure implementation, usage, and destruction.