5.1 - CompTIA Security+

Guidelines

  • Guidelines: Documentation that provides best practices and suggestions on completing tasks effectively and helping individuals comply with relevant policies.

Policies

  • Policies: Strictly enforceable rules that determine how tasks should be completed.

Acceptable use policy (AUP)

  • Acceptable use policy (AUP): A policy that outlines the proper use of an organization's information technology resources (e.g., workstations and Internet access).

Information security policies

  • Information security policies: A document or series of documents that detail requirements for protecting technology and information assets from threats/misuse.

Business continuity

  • Business continuity/COOP policies: Documents that enable an organization to maintain normal business operations during/after an adverse event (e.g., a natural disaster/cyberattack).

Disaster recovery

  • Disaster recovery policies: Documentation that details the steps required to restore operations to normal after an adverse event (e.g., natural disaster/cyberattack).

Incident response

  • Incident response policies: A structured approach to follow after a security breach or cyberattack occurs, detailing the steps for identifying, controlling and mitigating incidents.

Software development lifecycle (SDLC)

  • Software development lifecycle (SDLC) policies: Policies that determine the planning, analysis, design, implementation, and maintenance that often govern software and systems development.

Change management

  • Change management policies: Policies that outline how changes to IT systems and software are requested, reviewed, approved, and implemented, including all documentation requirements.

Standards

  • Standards: The expected outcome or state of a task performed in accordance with policies and procedures; can be defined internally or measured against external frameworks.

Password

  • Password standards: Standards that describe the requirements for creating and managing secure passwords, including hashing, salting, secure transmission, length/complexity requirements, and password managers.

Access control

  • Access control standards: Standards that outline the authorized uses of systems and data for users. They include access control models (RBAC, DAC, MAC, etc.), user identity verification, and privilege management.

Physical security

  • Physical security standards: Security standards that outline the physical protection of IT assets, including CCTV surveillance, datacenter/server room security, and visitor management.

Encryption

  • Encryption standards: Standards that define the methods and protocols for securing data through encryption techniques, including encryption algorithms, key length, and key management.

Procedures

  • Procedures: Documents that provide step-by-step instructions and checklists for ensuring tasks are completed in ways that comply with organizational policies.

Change management

Onboarding/offboarding

  • Onboarding/offboarding procedures: Procedures that determine how an individual is introduced into (onboarding) or leaves an organization (offboarding). May involve account management and retrieval of company assets.

Playbooks

  • Playbooks: Documents that outline how security protocols and procedures should be implemented, ensuring consistency and compliance across the organization.

External considerations

Regulatory

  • Regulations: Cybersecurity regulations are legal rules and guidelines formulated by governments and regulatory bodies to safeguard digital information and systems from cyber threats.

Legal

  • Legal requirements: A set of formal processes and procedures that enable the IT team to report any illegal activities, including legal holds for preserving electronically stored information (ESI) and legal guidelines on data storage/retention.

Industry

  • Industry requirements: Formal processes for managing security in different industries - e.g., public utilities may require some systems to be air-gapped to protect critical infrastructure from cyber-attacks, while healthcare organizations must comply with HIPAA regulations regarding patient data privacy and security.

Local/regional

  • Local/regional security requirements: Regulations for how security measures must be implemented to safeguard sensitive data and infrastructure in a smaller area (e.g., state/municipality).

National

  • National security requirements: Regulations for security implementation at a national level, including inter-state communication and increased data protection/encryption.

Global

  • Global security requirements: Regulations for security implementation at a multinational level, including continental requirements (e.g., GDPR).

Monitoring and revision

  • Monitoring/revision: The process of regularly surveying, evaluating, and updating security procedures to ensure they match the security landscape.

Types of governance structures

Boards

  • Governance boards: Senior executives and external stakeholders with responsibility for setting strategy and ensuring compliance.

Committees

  • Governance committees: Leaders and subject matter experts with responsibility for defining policies, procedures, and standards within a particular domain or scope.

Government entities

  • Government entities: Organizations at the federal, state, and local levels that create and enforce regulations impacting cybersecurity practices.

Centralized/decentralized

  • Centralized security governance: Security governance model where security is directed and managed by a single authority or core team, ensuring consistency across all departments.

  • Decentralized security governance: Security governance model that allows individual units to develop their own protocols, fostering flexibility, but may introduce variability in security controls.

Roles and responsibilities for systems and data

Owners

  • Owner (data governance): A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

Controllers

  • Controller (data governance): The entity that determines why and how personal data is collected, stored, and used.

Processors

  • Processor (data governance): The entity entrusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

Custodians/stewards

  • Custodians/stewards (data governance): Individuals who are responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.