Guidelines
Non-mandatory documentation that provides best practices and recommendations for completing tasks effectively and helping individuals comply with relevant policies.
Policies
Strictly enforceable rules that determine how tasks must be completed.
Acceptable Use Policy (AUP)
A policy that outlines the proper use of an organization's information technology resources.
Information security policies
Documents detailing requirements for protecting technology and information assets from threats and misuse.
Business continuity policies
Documents ensuring an organization maintains its critical operations during and after an adverse event.
Disaster recovery policies
Documentation detailing steps to restore operations to normal after an adverse event.
Incident response policies
Policies defining the structured approach followed after a security incident, including steps for detecting, containing, eradicating, and recovering from it.
Software Development Lifecycle (SDLC) policies
Policies governing the planning, analysis, design, implementation, and maintenance of software development.
Change management policies
Policies outlining how changes to IT systems and software are requested, reviewed, approved, and implemented.
Standards
The expected outcome or state of a task performed in accordance with policies and procedures; standards can be defined internally or measured against external frameworks.
Password standards
Standards for creating and managing secure passwords, including length, complexity, reuse, and secure storage and transmission requirements.
Access control standards
Standards outlining authorized uses for systems/data and access control models.
Physical security standards
Standards for the physical protection of IT assets, including surveillance and visitor management.
Encryption standards
Standards defining methods and protocols for securing data through encryption techniques.
Procedures
Documents that provide step-by-step instructions and checklists for ensuring tasks are completed in ways that comply with organizational policies.
Onboarding/offboarding procedures
Procedures defining how accounts, access, and equipment are provisioned when individuals join an organization and revoked when they leave.
Playbooks
Documents giving step-by-step actions for handling a specific scenario, such as a particular type of security incident.
Regulations
Legal rules and guidelines formulated to safeguard digital information and systems.
Legal requirements
Legal obligations an organization must meet, such as reporting illegal activity and breaches to the appropriate authorities and complying with data retention and storage rules.
Industry requirements
Security requirements specific to a particular industry (e.g., PCI DSS for organizations handling payment card data).
Local/regional security requirements
Regulations requiring security measures to safeguard sensitive data within a specific state or region (e.g., CCPA in California).
National security requirements
Regulations for security implementation at a national level.
Global security requirements
Regulations for security implementation on a multinational level (e.g., GDPR).
Monitoring and revision
The process of regularly evaluating and updating security procedures.
Governance boards
Groups of senior executives responsible for setting strategy and ensuring compliance.
Governance committees
Leaders responsible for defining policies and standards within a domain.
Government entities
Organizations that create and enforce regulations impacting cybersecurity practices.
Centralized security governance
A model where security is managed by a single authority for consistency.
Decentralized security governance
A model in which individual business units develop and manage their own security policies and controls.
Owner (data governance)
A senior role responsible for maintaining data confidentiality, integrity, and availability.
Controller (data governance)
An entity that determines the purposes and means of processing personal data.
Processor (data governance)
An entity that stores or processes personal data on behalf of, and under the instructions of, the controller.
Custodian/steward (data governance)
Individuals responsible for managing systems storing data assets and enforcing security measures.