Concise Guide to CompTIA Security +

Organization Security and Compliance

1 1.01- Risk Related Concepts

Risk Assessment

Asset Identification

Risk Analysis

Risk Likelihood and Impact

Solutions and Countermeasures

Risk Management Options

Using Organizational Policy to Reduce Risk

Security Policies

Physical Access Security Policies

Access Control Policy

Network Security Policies

Acceptable Use Policy

Due Care, Diligence & Process

Privacy Policy

Human Resources Policies

Objective 1.02 – Implementing Appropriate Risk Mitigation Strategies

Objective 1.03 – Integrate with Third Parties

Interoperability Agreements

Service Level Agreements

Business Partners Agreements (BPA)

Interconnection Security Agreements

Privacy Considerations

Risk Awareness

Unauthorized Data Sharing

Data Ownership

Data Backup

Verification of Adherence

Security Training and Incident Response

Objective 2.01 – Social Engineering

Threat Awareness

Security Metrics

Data and Documentation

Standards and Guidelines

IT documentation

Best Practices

Clean desk policy

Personally Owned Devices

Data Handling

Instant messaging

P2P Applications

Social Network/Media

Regulatory Compliance

Objective 2.02 - Execute Appropriate Incident Response

Incident Identification

First Responders

Incident Isolation

Damage and loss control

Data Breaches

Escalation Policy

Reporting and Notification

Mitigation and Recovery

Objective 2.03 – Implement Basic Forensic Procedures

Collection and Preservation of Evidence

Order of Volatility

Capture a System Image

Network and System Logs

Time Offset

Use Hashing to protect Evidence Integrity

Chain of Custody

Interview Witnesses

Track Resources

Big Data Analysis

Business Continuity and Disaster Recovery

Objective 3.01 – Compare and contrast aspects of business continuity

Risk Analysis

Disaster Recovery and IT Contingency Plans

Objective 3.02 Execute Disaster Recovery Plans and Procedures

Service Levels

Redundant Servers

Data Backup Planning

Objective 3.03 – Select the Appropriate control to meet security needs

Objective 3.04 – Explain the Impact and Proper Use of Environmental Controls

Location Planning

Cryptography and Encryption Basics

Objective 4.01 - Utilize the concepts of cryptography

Information Assurance

Objective 4.02 – Use and Apply Appropriate Cryptographic Tools and Products

Asymmetric Encryption Algorithms

Public Key Infrastructure

Objective 5.01 – Explain the core concepts of Public Key Infrastructure

Digital Certificates

Objective 5.02 – Management and Associated Components

Access Control

Objective 6.01 – Explain the fundamental concepts and best practices related to authentication, authorization and access control

Users and Resources

Objective 6.02 – Implementing Appropriate Security Controls When Performing Account Management

Authentication And Authorization

Objective 7.01 - Authentication and Identity Management

Network Security

Objective 8.0.1 – Implementing security functionality on network devices and other technologies

Firewalls

Objectives 8.02 – Compounds

Secure Network Administration

Objective 9.01 – Understand the OSI model

Objective 9.03 – Identify Commonly Used Default Network Ports

Objective 9.04 - Analyze and Differentiate Among Types of Network Attack

Objective 9.05 - Apply and Implement Secure Network Administration Principles

Securing Wireless Networks

Objective 10.01 – Implementing wireless networks in a secure manner

Objective 10.02 – Analyze and Differentiate Among Types of Wireless Attacks

Objective 11.01 – Analyze and differentiate among type of malware

Objective 11.02 – Carry Out Appropriate Procedures to Establish Host Security

Objective 11.03 – Understanding Mobile Security Concepts and Technologies

Security Management

Objective 12.01

Objective 12.02 – Explain the Importance of application security

Objective 12.03 – Explain the Importance of Data security

Monitoring for Security Threats

13.01 – Analyze and differentiate among types of mitigation and deterrent techniques

Security Posture

Objective 14.02 – Within the realm of Vulnerability assessment, explain the proper use of penetration testing versus vulnerability scanning.

Organization Security and Compliance

Today companies are responsible for implementing reasonable security measures to protect their customers and their own data. This is a sea change from previous common practice, where the business considered security to be an offshoot of IT and a discipline that they needed to define and support. IT would then apply to the best of their ability and knowledge sufficient security and control methods to protect the network and the corporate data. However, some major security breaches in large corporate networks changed that approach and the business leaders such as the CEO and CFO can now be held responsible for any noncompliance and willful neglect of reasonable security measures. For that reason businesses must be diligent in designing security policies that govern how the organization uses the computer networks, protects and distributes its data and offers secure services to customers. These policies will include rules on company internet use, customer data privacy, company structure and human resources hiring and termination procedures. It is the responsibility of the business to ensure due diligence when constructing and implementing sufficient security controls and policy via risk assessment and mitigation strategies. The company is also responsible for disseminating that information throughout the company by way of security awareness training.

1 1.01- Risk Related Concepts

Risk management is the act of identifying, assessing and mitigating the risk of potential security issues that may affect the company's operations and assets. There are several risk related concepts that a security practitioner should be aware.

Risk Assessment – is used to assess current risks, their probability and potential impact the aim being to discover and implement controls to mitigate the risk

Risk Management Options – the potential optional available to manage risk are, avoidance, transference, acceptance, mitigation and deterrence

Risk Control Types – the categories of risk are, management, operational and technical each control type is a separate but cooperative layer in the overall risk management strategy

Organizational policy – These are the best practices that should include physical access controls, environmental controls, network and system security, secure application design and identity and access management of entities.

With regards risk control types; management risk control is concerned with high-level risk management, assessment and mitigation plans that define the overall organizational security of the company. Technical risk controls are the actual technical measures deployed to deal with the operational and management security risks. Operational risk deals with the security of the day-to-day organizational business activity.

Operational risk controls