SYO-701 Security Program Management and Oversight Study Guide for the CompTIA Security+


Effective Security Compliance

Effective security compliance requires a multi-faceted approach to ensure all applicable regulations and objectives are met. For the Security+ exam, you must be able to summarize the various elements of effective security compliance.

Compliance Reporting

Compliance reporting is the process of documenting, and communicating to interested parties, how an organization meets the applicable standards and regulations. Compliance reporting may be completed for internal or external stakeholders.

Internal

Internal compliance reporting is designed to present compliance data to high-level entities, such as upper management or a board of directors, within the organization. Internal compliance reports may include reports on gaps in compliance, the current security posture, and recommendations for improvement, which can be used in the compliance decision-making process.

External

External compliance reporting is often a requirement by governing agencies or external business partners and provides proof of compliance with applicable regulations and laws.

Consequences of Non-Compliance

When an organization suffers from a data breach or is found to be non-compliant, sensitive information could be leaked to unauthorized entities. Consequences of non-compliance range from material consequences, such as financial losses, to more intangible consequences, such as damage to an organization’s reputation.

Fines

Depending on the regulations and laws that pertain to the entity, when a data breach or non-compliance occurs, the entity may incur monetary penalties for not properly protecting the sensitive information that it has been entrusted with.

Sanctions

A sanction is a formal penalty that can be applied to an organization when non-compliance occurs. Sanctions vary in severity from warnings to criminal charges. Sanctions may include financial penalties, limitations on business functions, or even prison.

Reputational Damage

When a data breach or non-compliance occurs, damage can be done to an organization’s reputation, or how the public perceives the organization. While this may seem like a minor consequence, an organization’s business can be affected by reputational damage, including experiencing a loss in sales or having business partners withdraw support.

Loss of License

Organizations are often required to obtain licenses to perform certain business functions. When non-compliance occurs, the organization may lose its license to perform those functions for variable durations and may be required to prove compliance prior to reinstatement of the license.

Contractual Impacts

Contracts between business entities are legally binding. When non-compliance occurs, the stipulations included in the contracts may be affected, possibly leading to termination of the contract.

Compliance Monitoring

Compliance monitoring is a vital aspect of compliance. Effective compliance monitoring is a continual process and includes internal and external controls that ensure your organization is secure and operating as it should be.

Due Diligence/Care

Due diligence refers to a process by which an organization stays abreast of changes in compliance requirements, such as regulation updates or emerging threats to compliance. Due care is ensuring that the policies and processes used to achieve compliance are continually monitored and maintained.

Attestation and Acknowledgement

Acknowledgment occurs when an organization formally states that the organization and entities within the organization are aware of applicable compliance requirements. Attestation occurs when an organization formally states that they not only acknowledge compliance requirements but also meet these requirements.

Internal and External

Internal compliance monitoring is used to ensure that compliance is met and maintained and may include audits, reviews, and policy checks. External compliance monitoring is conducted by a third party to ensure that compliance is being maintained.

Automation

Automation can be used internally to assist in ensuring compliance and identifying potential lapses in compliance. Automated systems are capable of monitoring very large and complex organizations more efficiently than a person. For example, compliance software may use automation to continuously scan network logs for activity that falls outside of pre-defined compliance thresholds and send an alert if non-compliant activity is identified.
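The threshold-based monitoring described above, as an added example that is not part of the original study guide: a small Python monitor that parses constructed authentication log lines (the format, the field names, and both thresholds are assumptions chosen for illustration, not any real product's format or any regulation's numbers) and raises an alert when an account exceeds five failed logins in a ten-minute window or an administrator signs in without MFA. It also reports lines it could not parse, because a monitor that silently drops unparseable events is itself a compliance gap.

```python
"""Threshold-based compliance monitoring over authentication log lines.

Added example; the log format and thresholds below are illustrative
assumptions, not a real product format or a specific regulation's values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth user=<u> result=<success|fail> role=<r> mfa=<yes|no> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth "
    r"user=(?P<user>\S+) result=(?P<result>success|fail) "
    r"role=(?P<role>\S+) mfa=(?P<mfa>yes|no) src=(?P<src>\S+)$"
)

MAX_FAILED = 5                  # assumed threshold: more than this many failures ...
WINDOW = timedelta(minutes=10)  # ... inside this window is a violation

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
2024-05-06T08:00:01 auth user=alice result=success role=user mfa=yes src=10.0.0.5
2024-05-06T08:01:10 auth user=bob result=fail role=user mfa=no src=198.51.100.7
2024-05-06T08:01:15 auth user=bob result=fail role=user mfa=no src=198.51.100.7
2024-05-06T08:01:20 auth user=bob result=fail role=user mfa=no src=198.51.100.7
2024-05-06T08:01:25 auth user=bob result=fail role=user mfa=no src=198.51.100.7
2024-05-06T08:01:30 auth user=bob result=fail role=user mfa=no src=198.51.100.7
2024-05-06T08:01:35 auth user=bob result=fail role=user mfa=no src=198.51.100.7
2024-05-06T08:30:00 auth user=carol result=success role=admin mfa=no src=10.0.0.9
2024-05-06T08:45:00 auth GARBLED LINE THAT DOES NOT MATCH THE FORMAT
2024-05-06T09:00:00 auth user=dave result=fail role=user mfa=no src=10.0.0.11
2024-05-06T09:20:00 auth user=dave result=fail role=user mfa=no src=10.0.0.11
2024-05-06T10:15:00 auth user=erin result=success role=admin mfa=yes src=10.0.0.12
"""


def parse_line(line):
    """Return a dict of fields with a datetime timestamp, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_violations(lines, max_failed=MAX_FAILED, window=WINDOW):
    """Scan log lines in order; return (alerts, unparsed_lines).

    Failed logins are counted per user in a sliding window; one alert is raised
    per user the first time the count exceeds max_failed. Every successful admin
    login without MFA raises its own alert.
    """
    alerts, unparsed = [], []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures still inside the window
    already_alerted = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # surfaced, never silently dropped
            continue
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "fail":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > window:   # evict failures older than the window
                q.popleft()
            if len(q) > max_failed and user not in already_alerted:
                already_alerted.add(user)
                alerts.append({"rule": "failed-login-threshold", "user": user,
                               "at": ts, "count": len(q), "src": rec["src"]})
        elif rec["role"] == "admin" and rec["mfa"] != "yes":
            alerts.append({"rule": "admin-login-without-mfa", "user": user,
                           "at": ts, "src": rec["src"]})
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = find_violations(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print(f"{len(bad)} unparseable line(s)")
```

On the sample, bob trips the failed-login rule (six failures in 25 seconds), carol trips the admin-without-MFA rule, dave does not (two failures 20 minutes apart fall outside the window), and the garbled line is reported rather than ignored.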

Privacy

Maintaining the privacy and security of data is one of the primary goals of cybersecurity professionals. You should be familiar with common concepts related to data privacy and security and how these concepts relate to the field of cybersecurity.

Data, especially personally identifiable information (PII), is subject to numerous legal protections and regulations that require compliance. Data privacy is subject to legal protections at the local, national, and global level, with additional legal regulations placed on organizations handling data in specific fields, such as health care or finance.

Local/Regional

Local and regional laws and regulations only apply to data within a defined geographical area, such as a specific city or state. For example, California and Utah have each passed state-specific consumer privacy acts that protect consumer data.

National

National laws and regulations pertain to larger geographical areas such as a nation. For example, the US has the Privacy Act of 1974 and HIPAA.

Global

While there is no single legally binding data privacy law at the global level, there are internationally accepted standards, frameworks, and best practices that are adhered to by much of the industry throughout the world. For example, the International Organization for Standardization (ISO) is a global federation that facilitates the sharing of knowledge between countries to develop international standards to support innovation and provide solutions to global challenges, including cybersecurity issues. Note that some national and regional laws, such as the EU's GDPR, apply to organizations outside their borders that handle their residents' data, so the absence of a global law does not mean the absence of foreign obligations.

Data Subject

The data subject is the entity attached to the data being used, such as an employee or a customer. The data subject commonly has rights regarding how their personal data may be used, shared, and retained.

Controller vs. Processor

The data controller is the entity that decides the reason for processing private data and sets the methods through which that data is processed. The data processor is the entity that does the actual processing for the data controller. The data controller retains responsibility for the data, while the processor provides the service through which that data is processed.

Ownership

Ownership is used to protect data privacy by creating clear boundaries as to who is responsible for what data, with the responsible entity typically being a senior employee in the related department. For example, the head of the Human Resources department may be assigned ownership of employee data.

Data Inventory and Retention

Data inventory is used to identify what types of sensitive or private information data may contain, with different types of data being subject to different laws and regulations. For example, data may be personally identifiable information, health information, financial information, or legal information. Data retention is how long data at the end of the data lifecycle must be held prior to secure destruction.
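The data inventory and retention steps above, as an added example that is not from the study guide: a Python classifier that detects a few PII, financial and health markers in constructed records (SSN-shaped numbers, email addresses, card numbers validated with the Luhn checksum so that an ordinary 16-digit order number is not misclassified, and a couple of health terms), then derives each record's secure-destruction date from an assumed retention schedule. The retention periods, the record fields and the legal-hold flag are assumptions for illustration, not any regulation's actual values.

```python
"""Data inventory (classification) and retention scheduling for constructed records.

Added example. RETENTION_DAYS is an assumed policy for illustration only;
real retention periods come from the regulations that apply to the data.
"""
import re
from datetime import date, timedelta

# Assumed retention schedule: days to keep after last activity before destruction is due.
RETENTION_DAYS = {"financial": 7 * 365, "health": 6 * 365, "pii": 3 * 365, "general": 365}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # candidate card numbers, confirmed by Luhn
HEALTH_TERMS = ("diagnosis", "icd-10", "prescription")  # assumed, minimal keyword list


def luhn_ok(digits):
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of data classes found in text; 'general' when nothing sensitive is found."""
    classes = set()
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        classes.add("pii")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            classes.add("financial")
    lowered = text.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        classes.add("health")
    return classes or {"general"}


def destruction_due(record):
    """Date secure destruction becomes due, or None while the record is under legal hold.
    With several classes present, the longest retention period wins."""
    if record.get("legal_hold"):
        return None
    keep_days = max(RETENTION_DAYS[c] for c in classify(record["content"]))
    return record["last_activity"] + timedelta(days=keep_days)


def inventory(records, as_of):
    """Build the inventory: (id, sorted classes, due date, due-now flag) per record."""
    rows = []
    for r in records:
        due = destruction_due(r)
        rows.append((r["id"], sorted(classify(r["content"])), due, due is not None and due <= as_of))
    return rows


def due_for_destruction(records, as_of):
    return [row[0] for row in inventory(records, as_of) if row[3]]


# Constructed sample records (no real people or accounts).
SAMPLE_RECORDS = [
    {"id": "r1", "content": "Customer alice@example.com, card 4111 1111 1111 1111 on file",
     "last_activity": date(2015, 1, 10)},
    {"id": "r2", "content": "Patient diagnosis notes, ICD-10 E11.9", "last_activity": date(2021, 5, 5)},
    {"id": "r3", "content": "Order 1234567812345678 shipped", "last_activity": date(2023, 1, 15)},
    {"id": "r4", "content": "SSN 123-45-6789 on onboarding form", "last_activity": date(2019, 9, 9),
     "legal_hold": True},
    {"id": "r5", "content": "Internal memo about parking", "last_activity": date(2024, 3, 1)},
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_RECORDS, as_of=date(2024, 6, 1)):
        print(row)
```

As of 1 June 2024, r1 (PII plus a Luhn-valid card number, so the seven-year financial period applies) and r3 (a 16-digit number that fails Luhn, so it is general data with a one-year period) are due for destruction; r4 would be due but is suspended by the legal hold; r2 and r5 are still inside their periods.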

Right to Be Forgotten

The right to be forgotten (RTBF) is a concept used in data protection regulations, especially in GDPR regulations, which states that an individual has the right to request data deletion in certain scenarios, such as when the data is no longer needed, consent is withdrawn, or the data was not obtained legally.

Audits and Assessments

Audits and assessments are used to ensure that the security measures used to protect data privacy are adequate and compliant to standards and regulations. For the Security+ exam, you must be able to explain the different types and purposes of these audits and assessments.

Attestation

Attestation is the formal review of an organization used to assure interested parties that the organization complies with required standards and regulations. Attestation may be conducted on an organization’s risk management or data protection policies and procedures.

Internal

Internal audits and assessments are conducted within the organization by auditing staff and are typically intended for internal use only. For internal audits and assessments to be unbiased, they should be conducted by entities that have no overlap with the process being assessed.

Audit Committee

An audit committee is a selected group of individuals who are responsible for evaluating internal audits and to recommend changes if needed.

Self-Assessments

A self-assessment attempts to look at the organization from an external point of view, as if it were an evaluation by a third party. Internal audits and assessments can be used for self-assessment to identify lapses or vulnerabilities.

External

External audits and assessments are conducted by a third party. External audits are commonly accepted as valid and reliable due to the independent nature of the auditing entity.

Independent Third-Party Audit

An independent third-party audit, for the purposes of the CompTIA Security+ exam, is one that is performed by an outside auditor with no stake in the outcome and is typically requested by an outside entity, such as a customer or regulator, rather than from within the organization.

Assessment

An assessment, unlike an audit, is used to evaluate the technical systems of an organization to identify flaws or vulnerabilities using techniques such as penetration testing.

Regulatory

Regulatory audits or assessments are external audits or assessments initiated or required by a regulator or governing body and are conducted to ensure an organization is meeting all regulatory requirements.

Examinations

An examination is similar to an audit but with a narrower scope or focus. For example, an audit may be conducted on an organization’s entire cybersecurity program, while an examination may be focused only on the implementation of employee cyber-awareness training.

Penetration Testing

Penetration testing can take on many forms and may use techniques and tactics employed by actual attackers. You should be able to explain the differences in penetration testing techniques.

Physical

Physical penetration testing is designed to attempt to infiltrate the physical environment of a network or organization. For example, a physical penetration tester may attempt to pick locking mechanisms, bypass security access controls, or compromise surveillance equipment.

Offensive

An offensive penetration test is one that uses tools or a simulated attack to attempt to infiltrate the logical network of the target and test for vulnerabilities in the system. The entity performing an offensive penetration test is commonly referred to as the red team. There are numerous tools that can be used for offensive penetration testing, including Kali Linux, Metasploit (with its Meterpreter payload), and Burp Suite.

Defensive

A defensive penetration test is designed to test an organization's response to an attack to identify the effectiveness of the organization's current technologies, policies, and procedures. The entity performing the defensive penetration test is commonly referred to as the blue team. There are numerous tools that can be used for defensive penetration testing, such as Wireshark, Nessus, and Nmap.

Integrated

An integrated penetration test combines offensive and defensive techniques to create a more comprehensive evaluation of the entire organization.

Known Environment

The known, partially known, and unknown environment labels refer to the amount of information given to the tester (or pen test team) prior to penetration testing. A known environment, also known as a white box environment, is one in which the penetration tester is given all of the information about the system that they are going to attack.

Partially Known Environment

A partially known environment, also known as a gray box environment, is one in which the penetration tester is given partial information into a system and must use additional resources to procure the other information needed to perform the penetration test.

Unknown Environment

An unknown environment, also known as a black box environment, is one in which a penetration tester is given no information prior to engagement. With an unknown or black box test, the penetration tester must perform all reconnaissance on the system using the same techniques and tactics as an actual attacker.

Reconnaissance

Reconnaissance is the process of collecting information about a target. It can be either passive or active.

Passive

Passive reconnaissance refers to the process of collecting information from sources outside of the target system, such as social media or news reports.

Active

Active reconnaissance refers to the process of collecting information by interacting with the target system directly, such as by port scanning or banner grabbing. Because the target receives these probes, active reconnaissance can be detected and logged, whereas passive reconnaissance leaves no trace on the target.
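The difference between passive and active reconnaissance, shown from the target's side as an added example that is not part of the study guide: a tiny TCP service bound to 127.0.0.1 that records every connecting peer (standing in for the target's logs) and a TCP connect scan with banner grabbing run against it. The service, its banner string and the scanner are all constructed for this illustration and only ever touch the local loopback interface; the point is that the scan shows up in the target's connection log, which is exactly what passive techniques avoid.

```python
"""Active reconnaissance is visible to the target: connect scan vs. the target's log.

Added example. The fake service, its banner and the scanner are constructed for
illustration and communicate only over 127.0.0.1.
"""
import socket
import threading

BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"  # constructed banner; not a real product string


class LoggingService:
    """Accepts TCP connections on an ephemeral loopback port, logs each peer, sends a banner."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)               # lets the accept loop notice the stop flag
        self.port = self.sock.getsockname()[1]
        self.connection_log = []                # plays the role of the target's logs
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            self.connection_log.append(peer)    # logged before the banner is sent
            try:
                conn.sendall(BANNER)
            finally:
                conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: port -> banner text if open, None if closed/filtered."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))             # full handshake: the target sees this
        except OSError:                         # refused, timed out, or unreachable
            s.close()
            results[port] = None
            continue
        try:
            banner = s.recv(128).decode(errors="replace").strip()
        except socket.timeout:
            banner = ""
        finally:
            s.close()
        results[port] = banner
    return results


def demo():
    """Run the scan against the local fake service; return (port, scan results, target log)."""
    svc = LoggingService()
    # A port that was just bound and released, to show a closed-port result.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = connect_scan("127.0.0.1", [svc.port, closed_port])
        log = list(svc.connection_log)
    finally:
        svc.close()
    return svc.port, results, log


if __name__ == "__main__":
    port, results, log = demo()
    print("scan results:", results)
    print("what the target logged:", log)
```

Running it prints the grabbed banner for the open port and, in the target's log, the scanner's source address and port: the evidence a defender would use to detect active reconnaissance. Reading the same banner out of a third-party scan database, a job posting, or a press release would be passive reconnaissance and would produce no such entry.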

Security Awareness Practices

Human error is consistently among the most frequent causes of data breaches. To mitigate this threat, a comprehensive security awareness program can be implemented to provide continuous security training to employees. Given a scenario, you must be able to implement the appropriate security awareness practice.

Phishing

A phishing simulation is a training tool that sends fake phishing messages to employees to elicit a response and gauge the level of phishing awareness and recognition by employees. A simulation may link to a training video if the employee falls for the phishing attempt, or it could provide a reward if the phishing simulation is flagged and reported for review.

Campaigns

A phishing campaign is a training method that provides awareness of phishing types and techniques through a pre-established program. Phishing campaigns may include funny posters depicting phishing techniques or offer rewards for flagging potential phishing emails.

Recognizing a Phishing Attempt

Training employees to identify potential phishing messages is a vital component of phishing campaigns. Employees are taught to recognize suspicious activity commonly used in phishing attacks. This might include a false message that demands urgent action, such as alerting a target to the presence of malware and saying they need to address it immediately using a provided (fake) link. Alternatively, the message may make a request for sensitive information, such as a bank notification that states the target needs to verify their personal information to keep the account active.
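The indicators described above, turned into a check that a mail-handling pipeline or a training exercise could run, as an added example that is not from the study guide: a Python scorer that inspects constructed messages for urgency language, requests for sensitive information, links whose visible text shows one domain while the href points to another, and a Reply-To domain that differs from the From domain. The keyword lists, the message fields, the two-indicator threshold and all three sample messages are assumptions for illustration.

```python
"""Phishing indicator scoring over constructed email messages.

Added example. Keyword lists and the flagging threshold are illustrative
assumptions; real deployments tune them and add sender-reputation checks.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended", "final notice", "action required")
SENSITIVE_TERMS = ("verify your account", "confirm your password", "update your payment", "social security")
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
DOMAIN_LIKE_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
FLAG_THRESHOLD = 2   # assumed: two or more indicators -> treat as suspicious


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Last two labels of a hostname, lowercased (good enough for this illustration)."""
    return ".".join(host.lower().split(".")[-2:])


def url_domain(text):
    if "://" not in text:
        text = "http://" + text
    return base_domain(urlparse(text).hostname or "")


def address_domain(header):
    m = ADDR_RE.search(header or "")
    return base_domain(m.group(1)) if m else ""


def phishing_indicators(msg):
    """Return {'indicators': [...], 'verdict': 'suspicious' | 'not flagged'} for one message."""
    found = []
    plain = (msg["subject"] + " " + re.sub(r"<[^>]+>", " ", msg["html"])).lower()
    if any(t in plain for t in URGENCY_TERMS):
        found.append("urgency-language")
    if any(t in plain for t in SENSITIVE_TERMS):
        found.append("requests-sensitive-info")
    extractor = AnchorExtractor()
    extractor.feed(msg["html"])
    for href, text in extractor.anchors:
        # Only compare when the visible text itself looks like a URL or domain.
        if DOMAIN_LIKE_RE.match(text) and url_domain(text) != url_domain(href):
            found.append("link-text-mismatch")
            break
    from_dom, reply_dom = address_domain(msg.get("from")), address_domain(msg.get("reply_to"))
    if from_dom and reply_dom and from_dom != reply_dom:
        found.append("reply-to-mismatch")
    return {"indicators": found,
            "verdict": "suspicious" if len(found) >= FLAG_THRESHOLD else "not flagged"}


# Constructed sample messages (fictional senders and domains).
SAMPLE_MESSAGES = [
    {"from": "PayBank Alerts <alerts@paybank-login.top>", "reply_to": "support@mail-collect.example",
     "subject": "URGENT: account suspended",
     "html": '<p>Your account will be suspended within 24 hours. Please '
             '<a href="http://paybank-login.top/verify">https://www.paybank.com/secure</a> '
             'to verify your account details.</p>'},
    {"from": "HR <hr@example.com>", "reply_to": "", "subject": "Parking lot closure next Tuesday",
     "html": '<p>Lot B is closed Tuesday for repaving. Details on the '
             '<a href="https://intranet.example.com/facilities">intranet facilities page</a>.</p>'},
    {"from": "IT <it@example.com>", "reply_to": "", "subject": "Action required: password expires in 3 days",
     "html": '<p>Reset it at <a href="https://sso.example.com/reset">sso.example.com</a> before it expires.</p>'},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", phishing_indicators(m))
```

The first message trips all four indicators; the parking notice trips none; the password-expiry reminder contains urgency language but its link text and href agree and its Reply-To is absent, so a single indicator leaves it below the threshold, which is why such heuristics should feed a reporting workflow rather than block mail outright.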

Responding to Reported Suspicious Messages

Training employees to recognize phishing attempts is only one component of effective phishing training and awareness. Responding properly to the phishing attempt is just as important as recognition. The best practice can involve training employees to forward the suspicious message to a predetermined location for further analysis.

Anomalous Behavior Recognition

Anomalous behavior is any behavior that is out of the norm. An effective security awareness training program teaches employees to identify anomalous behavior in their coworkers and environment.

Risky

Risky anomalous behavior is behavior that may pose a potential threat to an organization. For example, if an employee has been promoted to a position that requires memorization of access passcodes, the employee may write the passcodes on a sticky note until they’re memorized, which would be risky anomalous behavior.

Unexpected

Unexpected anomalous behavior is behavior that is unusual or out of the ordinary. For example, if an employee works a Monday to Friday shift every week, the employee being on the premises on a Saturday would be unexpected anomalous behavior.

Unintentional

Unintentional anomalous behavior is an action that may create an unintended consequence of which the individual is unaware. For example, an employee placing a call on speakerphone if their hands are occupied could unintentionally result in an unauthorized entity overhearing the conversation.

User Guidance and Training

To address the vulnerability of the human factor, user training policies are implemented to aid in keeping employees up to date with their security awareness and the risks associated with their environment and roles. User guidance and training methods vary and are designed to elicit the highest retention rates based on the desired outcome.

Policy/Handbooks

Policies and handbooks provide a written resource that can be used to find security procedures and protocols.

Situational Awareness

Situational awareness training is the process by which employees are informed of current threats and the indicators that can be used to recognize them.

Insider Threat

Employees should be trained to identify anomalous behavior from an insider threat, which is one that comes from within the organization, including employees, contractors, and others who have continual access to the organization.

Password Management

Training should be used to inform employees of the organization’s password creation requirements, as well as techniques to protect and manage the security of passwords.

Removable Media and Cables

Training should include education on removable media and cables, including teaching employees that they should never connect unauthorized external devices, drives, or cables to organizational systems or network equipment.

Social Engineering

Continual social engineering training should include all aspects of social engineering, including physical techniques, in-person techniques, and technical social engineering attacks.

Operational Security

Operational security training includes educating employees on how to use and protect data during normal working functions, such as understanding access controls and their importance and not discussing sensitive information around unauthorized entities.

Hybrid/Remote Work Environments

Securing a network in a hybrid or remote work environment includes training employees to connect to a network using a secure method, such as via a virtual private network (VPN), monitoring physical access to business devices, and providing awareness as to hybrid and remote work policies and procedures.

Reporting and Monitoring

Reporting on and monitoring the organization’s security awareness program is vital in ensuring its effectiveness. Training participation, employee feedback, and knowledge assessments can provide insights to stakeholders during the effectiveness evaluations.

Initial

An initial assessment is created prior to beginning security awareness training to establish a baseline that can be used as a point of comparison for later evaluations.

Recurring

Recurring assessments are used to identify the effectiveness of a security awareness training program as well as to identify any areas that may require reevaluation.

Development

When developing a security awareness program, multiple techniques and methods should be used to create a program that is diverse, digestible, informative, and stimulating to elicit the best retention from participants. If the training is static and the same every time, employees may disregard the training and view the threats covered in the training as insignificant. Also, different employees retain information better through different learning techniques, which is another reason why diversification is so important.

Execution

A security awareness training program is only as effective as its execution. Proper execution includes sticking to a set schedule, creating an inclusive and open learning environment, and providing appropriate feedback, both positive and negative, to participants.
