Attestation
The act of verifying or confirming the accuracy of something, such as financial statements or compliance with regulations.
Internal
Related to activities within an organization, including self-assessments and evaluations conducted internally.
Compliance
Adherence to laws, regulations, and standards set by regulatory bodies.
Audit committee
A group responsible for overseeing the auditing process and ensuring its independence and effectiveness.
External
Related to activities outside of an organization, such as independent third-party audits conducted by external entities.
Regulatory
Involving government regulations and requirements that organizations must comply with.
Examinations
Thorough reviews or inspections of an organization's processes, controls, and financial statements.
Assessment
Evaluation or appraisal of something, such as the effectiveness of security measures or the overall control environment.
Penetration testing
Authorized testing of a system's security by attempting to exploit its vulnerabilities the way an attacker would, in order to identify weaknesses and demonstrate their real-world risk.
Physical
Related to the physical aspects of security, such as access control and protection of physical assets.
Offensive
Testing aimed at identifying vulnerabilities and weaknesses in an organization's systems and processes.
Defensive
Testing aimed at evaluating the effectiveness of security measures and the ability to detect and respond to threats.
Integrated
Combining different types of testing approaches, such as offensive and defensive testing, to provide a comprehensive evaluation.
Known environment
Testing in which the tester is given full knowledge of the target beforehand (architecture, source code, configuration, credentials); also called white-box testing. The tester knows the system, not its vulnerabilities, which are what the test is meant to find.
Partially known environment
Testing in which the tester is given partial information about the target, such as a user account or a network diagram but not source code; also called gray-box testing, and a common way to simulate an insider or an attacker who has already gained a foothold.
Unknown environment
Testing in which the tester starts with no prior knowledge of the target and must discover everything through reconnaissance; also called black-box testing, and the closest simulation of an outside attacker.
Reconnaissance
Gathering information about a target system or network to understand its vulnerabilities and potential attack vectors.
Passive reconnaissance
Collecting information without sending any traffic to the target, for example from public DNS records, certificate transparency logs, search engines, job postings, and leaked data; the target cannot detect it, but the information may be stale.
Active reconnaissance
Collecting information by interacting with the target directly, such as port scanning, banner grabbing, or probing web applications; it yields current, detailed results but generates traffic the target can log and alert on.
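The distinction between passive and active reconnaissance is easiest to see side by side. The following is an added example, not content from the original glossary: the "passive" input is a constructed sample of what a certificate transparency search returns (no packet reaches the target), while the "active" step is a TCP connect scan against a throwaway listener the script starts on 127.0.0.1 so it runs offline. The hostnames and record format are assumptions.

```python
"""Passive vs active reconnaissance, contrasted on a local target.

Added example, not from the original page. The passive source is a constructed
certificate-transparency style record set; the active probe scans a listener
this script starts on 127.0.0.1 so it runs offline.
"""
import socket
import threading

# Constructed sample of what a passive source (e.g. a CT log search) returns.
# The target never sees a request: the data was already public.
CT_RECORDS = [
    {"common_name": "www.example.test", "name_value": "www.example.test\nexample.test"},
    {"common_name": "vpn.example.test", "name_value": "vpn.example.test"},
    {"common_name": "dev-api.example.test", "name_value": "dev-api.example.test\nstaging.example.test"},
]


def passive_hostnames(records):
    """Collect hostnames from stored third-party data: nothing is sent to the target."""
    names = set()
    for rec in records:
        for name in rec["name_value"].split("\n"):
            names.add(name.strip().lower())
    return sorted(names)


def active_port_scan(host, ports, timeout=0.5):
    """TCP connect scan: every attempt is a connection the target can log."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the handshake completed
                open_ports.append(port)
    return open_ports


def start_local_listener():
    """Start a throwaway TCP server on a free loopback port as the scan target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:       # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port():
    """Bind and release a port so we have one that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("passive:", passive_hostnames(CT_RECORDS))
    srv, open_port = start_local_listener()
    closed_port = free_closed_port()
    print("active:", active_port_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

The passive step found the internal-looking names (dev-api, staging) without the target ever seeing a packet; the active step confirms which service is actually reachable, at the cost of leaving connection attempts in the target's logs.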
Phishing
A fraudulent attempt to obtain sensitive information, such as passwords or credit card details, by disguising as a trustworthy entity in electronic communication.
Campaigns
A coordinated series of actions aimed at achieving a specific goal. In this context, a phishing campaign is an organized wave of deceptive messages sent by an attacker, or a simulated one sent by the security team to measure how employees respond and to target training where it is needed.
Recognizing a phishing attempt
The ability to identify and differentiate fraudulent emails or messages that aim to deceive individuals into revealing sensitive information or performing malicious actions.
Responding to reported suspicious messages
Taking appropriate action upon receiving reports of suspicious messages, such as investigating the content, verifying the source, and potentially reporting or blocking the sender.
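The indicators described under "Recognizing a phishing attempt" can be checked mechanically when triaging a reported message. The following is an added example, not content from the original glossary: it parses two constructed emails and scores the classic tells (a lookalike sender domain, a Reply-To that differs from From, urgency language, and link text that shows one domain while the href points at another). The organization's domain, the messages, and the indicator list are assumptions for illustration.

```python
"""Heuristic phishing indicators for triaging a reported message.

Added example, not from the original page. The trusted domain, the two sample
messages, and the indicator rules are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.test"}   # assumption: the organization's own domain
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: a credential-harvesting lure.
PHISH = """\
From: "IT Service Desk" <helpdesk@examp1e-support.test>
Reply-To: recover@mailbox-restore.test
To: alice@example.test
Subject: Action required
Content-Type: text/html

<p>Your mailbox will be suspended within 24 hours. Verify your account at
<a href="https://login.mailbox-restore.test/x">https://portal.example.test</a>.</p>
"""

# Constructed sample: an ordinary internal message.
LEGIT = """\
From: "Bob" <bob@example.test>
To: alice@example.test
Subject: Lunch
Content-Type: text/html

<p>See the menu at <a href="https://intranet.example.test/menu">intranet.example.test</a>.</p>
"""


def sender_domain(addr):
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain):
    """Crude typo/homoglyph check: fold common substitutions, look for the brand."""
    if is_trusted(domain):
        return False
    folded = domain.replace("0", "o").replace("1", "l").replace("-", "")
    return any(t.split(".")[0] in folded for t in TRUSTED_DOMAINS)


def phishing_indicators(raw_message):
    """Return the list of indicators found; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    found = []
    from_dom = sender_domain(msg.get("From", ""))
    if is_lookalike(from_dom):
        found.append("lookalike sender domain")
    if msg.get("Reply-To") and sender_domain(msg["Reply-To"]) != from_dom:
        found.append("reply-to domain differs from sender")
    body = msg.get_payload()          # single-part text body in these samples
    if URGENCY.search(body):
        found.append("urgency language")
    for href, text in LINK.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[\w.-]+\.\w+", text)   # domain the reader sees
        if shown and shown.group(0).lower() != href_host:
            found.append(f"link text {shown.group(0)} hides {href_host}")
    return found


if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))
    print("legit:", phishing_indicators(LEGIT))
```

Any hit is a reason to open the report rather than close it; when a message does match, the response described above applies: do not follow the link, keep the original headers for investigation, and block the sender or domain once the source is verified.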
Anomalous behavior recognition
The skill of identifying unusual or unexpected actions or patterns that deviate from normal behavior, which can indicate potential security threats or breaches.
Risky actions
Actions that pose a potential threat to the security of systems or sensitive information, often resulting from negligence, lack of awareness, or non-compliance with security policies.
Unexpected actions
Actions that deviate from the norm or expected behavior, potentially indicating malicious intent or security vulnerabilities that need to be addressed.
Unintentional actions
Actions taken without malicious intent or awareness of the risk, such as emailing a document to the wrong recipient or pasting sensitive data into a public tool, which still cause security incidents through human error or lack of knowledge.
User guidance and training
The provision of instructions, education, and resources to users to enhance their understanding of cybersecurity best practices and promote responsible behavior.
Policy and handbooks
Guidelines, rules, and manuals that outline expected user behavior, security protocols, and procedures to ensure compliance and mitigate risks.
Situational awareness
The state of being cognizant and attentive to the current environment and context, enabling individuals to identify potential threats or vulnerabilities and respond effectively.
Insider threat
The risk posed by individuals within an organization who have authorized access to systems or information but may misuse their privileges or act maliciously.
Password management
The practices and techniques used to create, store, and safeguard passwords, including the use of strong and unique passwords, password managers, and multi-factor authentication.
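Two of the practices listed under password management can be shown concretely: storing passwords with a memory-hard key derivation function rather than a plain hash, and adding a time-based one-time code as a second factor. The following is an added example using only the Python standard library; it is not content from the original glossary. The scrypt parameters are a modest illustrative choice, and the base32 secret is the well-known RFC 6238 test key, not a real credential.

```python
"""Password storage with scrypt and a TOTP second factor (RFC 6238).

Added example, not from the original page. scrypt cost parameters are an
illustrative assumption; the TOTP secret is the RFC 6238 test vector key.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumption: ~16 MiB per guess
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32("12345678901234567890")


def generate_password(nbytes=18):
    """A random, unique password of the kind a password manager would create."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password, salt=None):
    """Derive a salted scrypt hash and pack parameters with it for later verification."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), key.hex())


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    _, n, r, p, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme common authenticator apps use."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32, code, at=None, window=1, step=30):
    """Accept the current code and one step either side to absorb clock drift."""
    now = int(time.time() if at is None else at)
    return any(hmac.compare_digest(totp(secret_b32, now + d * step, step), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    pw = generate_password()
    record = hash_password(pw)
    print("stored:", record)
    print("password ok:", verify_password(pw, record))
    print("code at t=59:", totp(RFC6238_TEST_SECRET, at=59))
```

The stored record carries its own salt and cost parameters, so the work factor can be raised later without breaking existing accounts. The second factor is independent of the password: stealing the hash database does not yield valid TOTP codes.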
Removable media and cables
External devices and connectors that can be attached to a system, such as USB drives and charging or data cables. A found USB drive may carry malware, and a cable can conceal hardware that presents itself as a keyboard or network adapter, so unknown media and cables should not be plugged into corporate systems.
Social engineering
The manipulation of individuals through psychological tactics to deceive or trick them into revealing sensitive information or granting unauthorized access.
Operational security
The practice of identifying which information about an organization's operations an adversary could collect (schedules, staff names, internal project names, system details) and limiting what is disclosed, so that routine activity does not hand an attacker the pieces needed for an attack.
Hybrid and remote work environments
Work settings that combine in-person and remote work arrangements, often requiring additional security considerations to ensure the protection of data and systems.
Reporting and monitoring
The processes of notifying and observing activities for security purposes, including reporting suspicious incidents, monitoring system logs, and analyzing security events.
Initial occurrence
The first or starting instance of an event or action, often used in the context of identifying and addressing security incidents or breaches.
Recurring incidents
Security-related events or actions that happen repeatedly or in a pattern, indicating the need for further investigation, remediation, or preventive measures.
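"Anomalous behavior recognition" above and the "initial occurrence" versus "recurring incidents" distinction here come together in monitoring. The following is an added example, not content from the original glossary: it runs three simple detections over constructed authentication log lines (a success right after a run of failures, a login outside working hours, and a success from a source address not seen before for that user) and tags each finding as the first time it fired for that user or a recurrence. The log format, thresholds, and working hours are assumptions.

```python
"""Detecting anomalous logins in constructed auth-log lines and marking each
finding as an initial occurrence or a recurrence.

Added example, not from the original page. The log format, thresholds and
working-hours window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log; the key=value format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=alice src=10.0.0.5 result=OK
2024-03-04T09:15:40Z user=bob src=10.0.0.9 result=OK
2024-03-04T17:45:02Z user=alice src=10.0.0.5 result=OK
2024-03-05T02:13:55Z user=bob src=203.0.113.7 result=FAIL
2024-03-05T02:13:57Z user=bob src=203.0.113.7 result=FAIL
2024-03-05T02:13:59Z user=bob src=203.0.113.7 result=FAIL
2024-03-05T02:14:01Z user=bob src=203.0.113.7 result=FAIL
2024-03-05T02:14:03Z user=bob src=203.0.113.7 result=OK
2024-03-06T03:30:12Z user=bob src=203.0.113.7 result=OK
"""

FAIL_STREAK = 3            # failures before a success that look like guessing
WORK_HOURS = range(7, 20)  # 07:00-19:59 UTC treated as normal


def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(log_text):
    """Return (timestamp, user, rule, 'initial'|'recurring') tuples."""
    seen_src = defaultdict(set)   # user -> source IPs seen on earlier successes
    fails = defaultdict(int)      # (user, src) -> consecutive failures so far
    hits = defaultdict(int)       # (user, rule) -> how many times it has fired
    alerts = []

    def alert(rec, rule):
        hits[(rec["user"], rule)] += 1
        status = "initial" if hits[(rec["user"], rule)] == 1 else "recurring"
        alerts.append((rec["ts"].isoformat(), rec["user"], rule, status))

    for line in log_text.splitlines():
        rec = parse(line)
        key = (rec["user"], rec["src"])
        if rec["result"] == "FAIL":
            fails[key] += 1
            continue
        # A success after a streak of failures from the same source.
        if fails[key] >= FAIL_STREAK:
            alert(rec, "success after failure streak")
        fails[key] = 0
        # A success outside the hours this user population normally works.
        if rec["ts"].hour not in WORK_HOURS:
            alert(rec, "login outside working hours")
        # A success from an address never seen for this user (first login is baseline).
        if seen_src[rec["user"]] and rec["src"] not in seen_src[rec["user"]]:
            alert(rec, "new source address")
        seen_src[rec["user"]].add(rec["src"])
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(*a)
```

The "recurring" tag is the signal that the first report was not handled: bob's second off-hours login from the same address a day later should escalate from a ticket to an investigation.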
Development
In the context of the awareness program described above, designing the training content: deciding which behaviors it should change, what material and simulations will be used, and how success will be measured.
Execution
Delivering the program as designed: scheduling and running the training and phishing simulations, tracking completion, and measuring results so the content can be adjusted.
Vendor assessment
Evaluation of a vendor's security measures and compliance with relevant standards and regulations.
Penetration testing
Simulated cyber attack, conducted with the vendor's authorization and under agreed rules of engagement, to identify vulnerabilities in the vendor's systems and networks.
Right-to-audit clause
Contractual provision that grants the right to audit a vendor's processes and controls to ensure compliance and security.
Evidence of internal audits
Documentation that demonstrates a vendor's internal audit activities, providing assurance of their adherence to established standards and practices.
Independent assessments
Third-party evaluations conducted to assess a vendor's security controls, ensuring objectivity and unbiased analysis.
Supply chain analysis
Thorough examination of a vendor's supply chain to identify potential risks and vulnerabilities that may impact the overall security of the organization.
Vendor selection
Process of carefully choosing a vendor based on predefined criteria and conducting due diligence to ensure their suitability for a specific purpose or project.
Due diligence
Comprehensive investigation and assessment of a vendor's background, capabilities, and reputation to ensure they meet the required standards and expectations.
Conflict of interest
A situation where personal interests or biases interfere with the objective fulfillment of professional duties and responsibilities.
Agreement types
Different categories of contracts and legal agreements that define the terms, conditions, and obligations between parties involved in a business relationship.
Service-level agreement (SLA)
A contractual agreement that outlines the expected performance levels, quality metrics, and responsibilities of both parties in a service-based relationship.
Memorandum of agreement (MOA)
A formal document that establishes the terms, conditions, and obligations of an agreement between parties, often used for collaborative projects or partnerships.
Memorandum of understanding (MOU)
A non-binding agreement that outlines the intentions, goals, and general understanding between parties involved in a cooperative effort or negotiation.
Master service agreement (MSA)
A comprehensive contract that governs future agreements and relationships between parties, providing a framework for ongoing services and obligations.
Work order (WO)/statement of work (SOW)
A document that specifies the tasks, deliverables, timelines, and other relevant details for a specific project or engagement with a vendor.
Non-disclosure agreement (NDA)
A legally binding contract that protects confidential information shared between parties, restricting its disclosure to unauthorized individuals or entities.
Business partners agreement (BPA)
A contract between business partners that outlines their relationship, roles, responsibilities, and terms for collaboration and mutual benefit.
Vendor monitoring
Ongoing evaluation and oversight of a vendor's performance, adherence to contractual obligations, and compliance with relevant standards and regulations.
Questionnaires
A structured set of questions designed to gather specific information from vendors, aiding in the assessment and evaluation process.
Rules of engagement
Guidelines and protocols that define the boundaries, expectations, and procedures for conducting vendor assessments, engagements, and interactions.
Compliance reporting
The process of reporting adherence to regulations and standards, both within an organization (internal compliance reporting) and to external entities (external compliance reporting). It involves documenting and communicating the extent to which an organization is complying with the required rules and guidelines.
Consequences of non-compliance
The penalties and negative impacts that result from the failure to comply with regulations and standards. Non-compliance can lead to various consequences such as fines, sanctions, reputational damage, loss of license, and contractual impacts.
Fines
Monetary penalties imposed for non-compliance with regulations and standards. Fines serve as a deterrent and punishment for organizations or individuals who fail to meet the required compliance obligations.
Sanctions
Punitive measures imposed for non-compliance with regulations and standards. Sanctions can include restrictions, penalties, or other actions taken against organizations or individuals who violate compliance requirements.
Reputational damage
Harm to the reputation of an individual or organization resulting from non-compliance with regulations and standards. Non-compliance can lead to a loss of trust and credibility, which can have long-lasting negative effects on an entity's reputation.
Loss of license
The revocation of permission or authority to operate due to non-compliance with regulations and standards. Losing a license can have severe consequences for organizations, as it may prevent them from conducting certain activities or providing specific services.
Contractual impacts
Negative effects on contractual agreements resulting from non-compliance with regulations and standards. Non-compliance can lead to breaches of contract, legal disputes, and financial liabilities for organizations involved in contractual relationships.
Compliance monitoring
The process of overseeing and evaluating adherence to regulations and standards. It involves continuous monitoring, assessment, and reporting to ensure that an organization is complying with the required rules and guidelines.
Due diligence/care
Due diligence is the investigation needed to understand obligations and risks (research, risk assessments, reviewing controls); due care is acting reasonably on that knowledge by implementing and maintaining the controls and documenting it. Together they are what a regulator or court expects a prudent organization to have done.
Attestation and acknowledgement
The formal declaration and recognition of compliance with regulations and standards. Attestation and acknowledgement may involve signing documents, providing evidence of compliance, or obtaining certifications to demonstrate adherence to specific requirements.
Automation
The use of technology to streamline compliance monitoring processes. Automation can help organizations efficiently collect, analyze, and report compliance data, reducing manual effort and improving accuracy.
Privacy
The protection of personal information and data. Privacy regulations and standards aim to safeguard individuals' privacy rights and ensure the secure handling and processing of their personal data.
Legal implications
The consequences and effects under the law resulting from non-compliance with privacy regulations and standards. Legal implications can include legal actions, penalties, or other legal remedies for organizations or individuals who violate privacy requirements.
Local/regional privacy
Privacy regulations and standards at a local or regional level. These regulations may vary across different jurisdictions and address specific privacy concerns relevant to a particular locality or region.
National privacy
Privacy regulations and standards at a national level. These regulations are applicable to an entire country and provide a framework for protecting individuals' privacy rights within that nation.
Global privacy
Privacy regulations and standards at a global level. These regulations aim to establish consistent privacy principles and practices across multiple countries or regions, ensuring a harmonized approach to privacy protection.
Data subject
An individual whose personal data is being collected and processed. Data subjects have rights and control over their personal information, including the right to access, rectify, and erase their data.
Controller vs. processor
The roles and responsibilities in relation to the processing of personal data. The controller determines the purposes and means of data processing, while the processor carries out the processing activities on behalf of the controller.
Ownership
The legal right of possession and control over data. Ownership determines who has the authority to make decisions regarding the collection, use, and sharing of data.
Data inventory and retention
The documentation and management of data assets and their storage duration. Data inventory involves identifying and categorizing data, while retention refers to the period for which data should be retained based on legal, regulatory, or business requirements.
Right to be forgotten
An individual's right to have their personal data erased or removed. This right allows individuals to request the deletion of their data when it is no longer necessary, unlawfully processed, or violates their privacy rights.
Acceptable Use Policy (AUP)
A set of guidelines that outline the proper use of IT resources
Information Security Policies
Guidelines that ensure the protection of information assets
Business Continuity Plan
A plan for keeping critical business functions running during a disruption, for example by switching to alternate sites, processes, or suppliers; restoring IT systems is only one part of it.
Disaster Recovery Plan
A plan that outlines the steps to restore IT systems after a major incident
Incident Response Plan
A plan that addresses and mitigates security incidents
Software Development Lifecycle (SDLC)
A process for developing and maintaining software
Change Management Process
A process for controlling changes to IT systems
Password Standards
Requirements for creating and managing secure passwords
Access Control Standards
Requirements for granting and managing system access
Physical Security Standards
Requirements for protecting physical IT assets
Encryption Standards
Requirements for encrypting sensitive data
Change Management Procedures
Step-by-step instructions for requesting and implementing system changes
Onboarding/Offboarding Procedures
Step-by-step instructions for adding or removing users from IT systems
Incident Response Playbooks
Predefined response plans for common security incidents
Regulatory Considerations
Compliance with laws and regulations
Legal Considerations
Compliance with legal requirements and contracts
Industry Considerations
Compliance with industry standards and best practices
Local/Regional Considerations
Compliance with local or regional regulations