SYO-701 Security Program Management and Oversight Study Guide for the CompTIA Security+
General Information
This is study material for the CompTIA Security+ SYO-701 exam, which replaced the CompTIA Security+ SYO-601 exam when that exam was retired on July 31, 2024. Be very sure that you are studying for the right test.
The CompTIA Security+ SYO-701 exam devotes about one-fifth of its questions to security program management and oversight, and about one in six of those questions begins with a scenario. Scenario questions draw on the other concept areas as well, so you will need to be familiar with all of them to answer correctly.
Effective Security Governance
An organization’s cybersecurity program is commonly shaped by applicable government regulations, established cybersecurity standards, and best-practice frameworks. You should be able to identify common regulations, trusted industry groups, accepted benchmarks, and secure configuration guides, and be able to summarize how each of them influences a security program.
Guidelines
Guidelines are suggestions for best practices and recommendations that are not mandatory for meeting compliance. Guidelines can be used as reference points to create policies that meet the needs of the organization.
Policies
Organizational security extends beyond technical controls and best practices to include every person or entity interacting with an organization. Policies are statements that define management intent and objectives, and they are essential to establishing and maintaining organizational security. You must understand and be able to explain the importance of the different policies related to organizational security.
Acceptable Use Policy (AUP)
An AUP defines how an employee or other entity can use a company’s network, system, or device. For example, it may include a prohibition against using company devices for personal matters.
Information Security Policies (ISP)
An ISP is an organizational policy that provides a broad overview of how an organization secures information and data. It may include high-level policies about all parts of information security including credential policies, facilities policies, change management, onboarding/offboarding, and encryption.
Business Continuity (BC) Plan
A BC plan is designed to ensure that critical business functions continue to operate during a disruption, whether that disruption is a breach, an outage, or another incident. For example, if an incident requires a set of servers to be contained and isolated from the network, the BC plan specifies where the services running on those servers will be shifted so that the business keeps functioning.
Disaster Recovery (DR) Plan
A DR plan is designed to address how an organization will respond to a major disaster, such as a tornado, fire, or flood, to restore or continue services as quickly and effectively as possible.
Incident Response (IR) Plan
An IR plan is a documented set of procedures that outlines what steps should be taken in response to an incident, from detection through containment, eradication, recovery, and lessons learned. In addition to defining the IR team and its responsibilities, it may reference or include a communication plan, a stakeholder management plan, a BC plan, a DR plan, a continuity of operations plan (COOP), and a retention plan for incident evidence and records.
Software Development Lifecycle (SDLC) Policy
An SDLC policy defines how software, either organizationally developed or vendor developed, will be secured through the entire software lifecycle. These policies commonly relate to the software environment, testing, execution, maintenance, and provisioning/deprovisioning, among other concerns.
Change Management Policy
A change management policy defines how a change will be submitted, approved, and implemented. These policies are designed to take both operational risk and cybersecurity into consideration during the change management process.
Standards
A standard is a specific set of mandatory security requirements that an organization must follow to meet compliance. Standards serve as a baseline for organizational security and may specify mandatory minimum configurations and security controls. Standards are more fluid than policies and are revised more frequently as new security information emerges.
Password
Password standards may include minimum requirements for password creation and use, including minimum length, required character classes, restrictions on reuse of previous passwords, and maximum password age.
Access Control
An access control standard defines minimum requirements pertaining to the account lifecycle and may include onboarding and offboarding policies, password requirements, shared usage, and access requirements. Access control standards may also include requirements for third-party vendors, as well as credentialing for devices and accounts, including service and administrative accounts.
Physical Security
Physical security standards include minimum requirements for securing the physical premises and assets of an organization. They often involve requirements for access control, security monitoring, and visitor entry.
Encryption
An encryption standard details the minimum requirements for data encryption at every stage of the data lifecycle, including the minimum acceptable algorithms and key lengths for data at rest and data in transit.
Procedures
A procedure is a detailed set of steps that must be followed, under specific circumstances, to remain compliant. Procedures are developed with higher-level policies in mind, including organizational and regulatory requirements, and they translate standards into the concrete actions appropriate to a given situation or scenario. Procedures create consistency in a security program.
Change Management
Change management procedures, also called change control procedures, are the specific steps that govern how an individual change is requested, analyzed for risk, approved, scheduled, implemented, and verified. They provide a repeatable roadmap for carrying out each change as safely and effectively as possible.
Onboarding/Offboarding
Onboarding is the process of adding a new employee to a company and its network. Onboarding procedures standardize this process and outline the specific steps to follow to add a new employee securely. Offboarding is the process of removing an employee from a company and its network after termination or resignation. Offboarding procedures define the necessary steps to remove an employee securely, including revoking permissions and user accounts, conducting exit interviews, and recovering company assets.
Playbooks
A playbook is a procedural guide used to perform specific actions during an incident response. A playbook breaks down the steps needed to complete a task. For example, if a ransomware attack has been identified on a company device, a playbook could be used to identify the exact steps that should be taken to contain, eradicate, and recover from the ransomware attack.
External Considerations
When developing a security program, there are also external considerations to keep in mind. To protect data, governments and regulatory bodies have developed and adopted various regulations, standards, and legislation that define minimum security requirements, as well as recommended best practices. Which of these apply to a business may depend on the sector it operates in or on the locations where it operates.
Regulatory
Regulatory requirements are mandatory, legally enforceable security requirements that set standards and guidelines for how an organization protects itself, its data, and its customers from threats in the cyber landscape. Regulations can be industry-wide, local, regional, national, or global in scope.
Legal
Legal considerations are the laws, regulations, and contractual obligations that apply to an organization and are enforceable in court. Failure to comply may result in legal ramifications for the organization or for individuals within the organization.
Industry
Industry considerations are the laws and regulations that are specific to an industry. For example, the Health Insurance Portability and Accountability Act (HIPAA) is a United States law that sets security and privacy standards for the use, storage, and transmission of protected health information by healthcare providers, health plans, and the business associates that handle data on their behalf.
Local/Regional
Local and regional laws differ from location to location but must be complied with by any business interacting with that location. For example, the General Data Protection Regulation (GDPR) is a set of privacy and security requirements that apply to any entity, wherever it is based, that processes the personal data of individuals in the European Union (EU). Similarly, if a business is based in Florida but uses a data center in California, it may need to comply with the laws and regulations of both states.
National
National requirements are created by a country’s government to place mandatory requirements on organizations that operate within its borders. For example, the Federal Information Security Modernization Act (FISMA) places cybersecurity requirements on federal information systems in the United States.
Global
Global considerations are internationally accepted best practices, guidelines, and recommendations for creating a secure cyber landscape. Because there is no single international governing body to enforce them, global considerations are guidelines rather than mandates, although an organization may choose to adopt them or be contractually required to do so.
Monitoring and Revision
As the cyber landscape evolves, guidelines and regulations are revised to meet current security needs. Monitoring every applicable regulation for revisions is an important part of maintaining a viable cybersecurity program. Regulations maintained by smaller governing bodies tend to be revised more often than those set by larger governing agencies.
Types of Governance Structures
Governance refers to the method that an organization uses to monitor and control its security program. Governance enables an organization, especially a very large one, to protect its interests through oversight and policy implementation. Governance structures vary in size and form depending on the organization’s needs.
Boards
A board, or board of directors, is a group of high-level individuals elected by the shareholders of an organization to oversee it and to delegate day-to-day management to appropriate senior employees. A board is a component of a hierarchical structure. One common hierarchical structure has the shareholders at the top, followed by the board of directors, upper management (such as the CEO and CFO), and so on down through the lower levels of management. Each level of the structure answers to the level above it.
Committees
A committee is a group of individuals chosen to oversee and manage a specific component of an organization. Committees may include subject matter experts and members of upper management.
Government Entities
Government entities are government-sponsored and government-supported bodies appointed to develop policies and oversee compliance with them. For example, the Cybersecurity and Infrastructure Security Agency (CISA) is the United States agency responsible for the security and resilience of the nation’s critical infrastructure.
Centralized/Decentralized
Centralized governance is a hierarchical, top-down model in which a single top-level entity is responsible for policies, standards, and the manner in which they are followed, and all lower levels must comply. A decentralized governance model relies on the lower parts of the organization to uphold the security policies and standards of the primary organization in the manner they see fit. In other words, centralized governance dictates both the what and the how, while decentralized governance dictates the what but leaves the how up to each business unit.
Roles and Responsibilities for Systems and Data
Clearly defined roles and responsibilities are fundamental to protecting data. These roles and responsibilities define who owns the data, who manages the data, who uses the data, and who protects the data, as well as the policies and procedures each role must follow to maintain the highest level of data security and protection.
Owners
The data owner sits at the highest level and is ultimately accountable for a set of data. Data ownership should be assigned to the person who best understands the data and its business value. For example, the data owner for employee data may be the head of the Human Resources department.
Controllers
A data controller is the person or entity that determines what data is collected, why it is collected, and how it will be processed. The term data controller comes from EU privacy law (GDPR) and is closely related to the data owner role.
Processors
Data processors are the intermediaries that process data on behalf of, and according to the instructions of, the data owner or data controller. For example, retailers have agreements with payment processing companies that process their credit card transactions.
Custodians/Stewards
A data custodian or steward is the person responsible for the safekeeping and protection of data. A data custodian focuses primarily on the technical aspects of data security, such as storage, backups, and access controls, rather than on the content or usage of the stored data. A data steward, by contrast, is responsible for the quality, content, and appropriate usage of the data collected.