Security Governance
Framework of policies, standards, procedures, and guidelines ensuring security aligns with business objectives. Defines roles and responsibilities, accountability structures, and decision-making processes.
Security Policy
High-level document stating management’s intent and direction for security. Mandatory compliance. Examples - Acceptable Use Policy (AUP), Information Security Policy, Password Policy.
Security Standard
Specific mandatory requirements derived from policy. More detailed than policy. Example - passwords must be minimum 12 characters with complexity requirements.
Security Procedure
Step-by-step instructions for implementing a policy or standard. Operational guidance. Example - procedure for onboarding a new employee including account creation steps.
Security Guideline
Recommended (not mandatory) best practices. Provides flexibility. Example - guidelines for working remotely securely.
AUP (Acceptable Use Policy)
Defines how users may use organisational technology resources. Covers internet use, email, software installation, and data handling. Users must acknowledge and sign before access is granted.
Risk Management
The process of identifying, assessing, and responding to risks to minimise their impact on the organisation. Components - risk identification, risk assessment, risk response, risk monitoring.
Risk Identification
Finding and documenting potential risks to the organisation. Sources - threat intelligence, vulnerability scans, business process analysis, historical incidents.
Risk Assessment
Evaluating identified risks by likelihood and impact. Qualitative (high/medium/low) or quantitative (monetary value). Produces risk register.
Risk Register
A document listing identified risks, their likelihood, impact, risk score, owner, and treatment plan. Living document updated as risks change.
Risk Tolerance
The level of risk an organisation is willing to accept. Varies by organisation and data type. Informs risk treatment decisions.
Risk Appetite
The amount and type of risk an organisation is willing to pursue or retain. Broader than tolerance - a strategic stance on risk-taking.
Risk Treatment Strategies
Accept (acknowledge and live with the risk), Transfer (insurance, contract), Avoid (stop the risky activity), Mitigate (implement controls to reduce likelihood or impact).
Risk - Accept
Consciously deciding to accept a risk without additional controls because the cost of mitigation exceeds the potential impact. Must be documented and approved.
Risk - Transfer
Shifting financial impact of a risk to a third party. Cyber insurance transfers financial risk of a breach. Contracts can transfer liability to vendors.
Risk - Avoid
Eliminating the risk by not performing the risky activity. Example - not storing credit card data eliminates PCI DSS compliance risk.
Risk - Mitigate
Implementing controls to reduce the likelihood or impact of a risk to an acceptable level. Most common response. Examples - patches, encryption, access controls.
BIA (Business Impact Analysis)
Identifies critical business functions and the impact of their disruption. Determines recovery priorities, RTO, and RPO for each function. Foundation of BCP and DRP.
Quantitative Risk Analysis
Assigns monetary values to risks. ALE (Annual Loss Expectancy) = ARO × SLE. ARO = Annual Rate of Occurrence. SLE = Single Loss Expectancy (asset value × exposure factor). Objective but requires accurate data.
Qualitative Risk Analysis
Uses descriptive scales (high/medium/low) rather than monetary values. Faster and easier than quantitative. More subjective. Used when data for quantitative analysis is unavailable.
ALE (Annual Loss Expectancy)
Expected monetary loss per year for an asset from a specific risk. ALE = ARO (Annual Rate of Occurrence) × SLE (Single Loss Expectancy). Used in cost-benefit analysis for security controls.
Third-Party Risk Management
Assessing and managing security risks introduced by vendors, suppliers, and partners. Steps - vendor assessment, due diligence, contract requirements, ongoing monitoring.
Vendor Assessment
Evaluating a vendor’s security posture before engagement. Methods - security questionnaires, on-site audits, third-party certifications (SOC 2, ISO 27001), penetration test results.
SOC 2 Report
Auditor assessment of a service organisation’s controls for security, availability, processing integrity, confidentiality, and privacy. Type I - design of controls at a point in time. Type II - operating effectiveness over a period.
Rules of Engagement (RoE)
Formal agreement defining the scope, timing, and methods for a security assessment or penetration test. Protects both the tester and the organisation legally.
MOU (Memorandum of Understanding)
Non-binding agreement between parties outlining mutual expectations and responsibilities. Precursor to a formal contract. Defines intent to cooperate.
SLA (Service Level Agreement)
Contractual commitment to minimum service levels including uptime, response times, and support. Includes penalties for non-compliance.
NDA (Non-Disclosure Agreement)
Legal contract preventing parties from disclosing confidential information. Required before sharing sensitive information with vendors or consultants.
MSA (Master Service Agreement)
Overarching contract governing the relationship between parties for multiple projects. Reduces need to renegotiate terms for each engagement.
Compliance
Adhering to laws, regulations, standards, and contractual obligations. Non-compliance results in fines, legal liability, reputational damage, and loss of business.
GDPR (General Data Protection Regulation)
EU regulation governing personal data collection, processing, and storage. Key requirements - lawful basis for processing, breach notification within 72 hours, right to erasure, data minimisation, privacy by design.
HIPAA (Health Insurance Portability and Accountability Act)
US regulation protecting health information (PHI). Requires administrative, physical, and technical safeguards. Breach notification required.
PCI DSS (Payment Card Industry Data Security Standard)
Security standard for organisations handling payment card data. 12 requirements including network segmentation, encryption, access control, monitoring, and regular testing.
CCPA (California Consumer Privacy Act)
California law giving consumers rights over their personal data - right to know, delete, opt-out of sale. Influenced by GDPR. Applies to businesses serving California residents.
Data Privacy vs Data Security
Privacy - the right to control how personal information is collected and used. Security - protecting data from unauthorised access. Privacy requires security but security does not guarantee privacy.
Security Awareness Training
Educating users about security threats and best practices. Topics - phishing recognition, password security, social engineering, physical security, incident reporting. Reduces human error risk.
Phishing Simulations
Sending simulated phishing emails to employees to test and improve awareness. Employees who click are given immediate training. Measures and tracks improvement over time.
Penetration Testing - Black Box
Tester has no prior knowledge of the target. Simulates an external attacker. Most realistic but most time-consuming. Also called blind testing.
Penetration Testing - White Box
Tester has full knowledge of the target including source code, architecture, and credentials. Most thorough. Also called crystal box or glass box testing.
Penetration Testing - Grey Box
Tester has partial knowledge. Simulates an insider or attacker who has done reconnaissance. Balance between realism and efficiency.
Audit - Internal
Conducted by the organisation’s own staff or internal audit team. Less independent but lower cost and better knowledge of environment. Identifies issues before external auditors.
Audit - External
Conducted by an independent third party. More credible. Required for regulatory compliance (SOC 2, PCI DSS, ISO 27001). More expensive but provides unbiased assessment.
NIST Cybersecurity Framework (CSF)
Voluntary framework providing standards and guidelines for managing cybersecurity risk. Five functions - Identify, Protect, Detect, Respond, Recover. Widely adopted in US.
ISO 27001
International standard for information security management systems (ISMS). Certifiable standard. Provides systematic approach to managing sensitive information. Demonstrates security commitment to customers and partners.
CIS Controls
Prioritised set of cybersecurity best practices developed by the Center for Internet Security. 18 controls ranging from basic (asset inventory) to advanced (penetration testing). Practical implementation guidance.