SY0 601 Session 2

The document discusses the benefits of virtualization in IT, highlighting increased agility, flexibility, and cost savings. It covers various aspects of information security, including roles, controls, policies, and frameworks such as NIST and ISO standards. Additionally, it emphasizes the importance of collaboration in IT operations and the establishment of security operations centers to protect critical information assets.

Uploaded by Essam

Virtualization can increase IT agility, flexibility, and scalability while creating significant cost savings. Greater workload mobility, increased performance and availability of resources, and automated operations are all benefits of virtualization that make IT simpler to manage and less costly to own and operate.
Software
• VMware
• VirtualBox

1. Lesson 1: Comparing Security Roles and Security Controls

• Compare and Contrast Information Security Roles
• Compare and Contrast Security Control and Framework Types
Information security (or infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage. Data may be vulnerable because of the way it is stored, the way it is transferred, or the way it is processed. The systems used to store, transmit, and process data must demonstrate the properties of security.
Secure information has three properties, often referred to as the CIA triad:
• Confidentiality means that certain information should only be known to certain people.
• Integrity means that the data is stored and transferred as intended and that any modification is authorized.
• Availability means that information is accessible to those authorized to view or modify it.

Some security models and researchers identify other properties that secure systems should exhibit. The most important of these is non-repudiation. Non-repudiation means that a subject cannot deny doing something, such as creating, modifying, or sending a resource. For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.
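To make the difference between integrity and non-repudiation concrete, here is an added example (not part of the original session notes) in Python using only the standard library. It assumes a sender and a receiver that share one secret key; the key value and the messages are constructed for illustration. An HMAC lets the receiver detect any modification of a message, which is integrity. But because the receiver holds the same key, it could have produced the tag itself, so the tag proves nothing to a third party and the sender can still deny having sent the message. Non-repudiation needs a digital signature made with a private key that only the signer holds, which this stdlib-only example deliberately does not implement.

```python
"""Integrity via HMAC, and why a shared-key MAC does not give non-repudiation.
Added example; not code from the original notes."""
import hashlib
import hmac

# Constructed sample key (assumption): known to BOTH sender and receiver.
SHARED_KEY = b"example-shared-key-not-for-production"


def tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Compute an HMAC-SHA256 tag over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    """Integrity check: recompute the tag and compare in constant time.
    False means the message (or the tag) was altered after it was tagged."""
    return hmac.compare_digest(tag(message, key), received_tag)


def receiver_can_forge(message: bytes) -> bool:
    """Non-repudiation is NOT provided by an HMAC: the receiver holds the same key,
    so it can produce a tag that verifies for a message the sender never sent.
    A valid tag therefore cannot prove to anyone else who authored the message."""
    forged_tag = tag(message)          # receiver uses the shared key
    return verify(message, forged_tag)  # verifies, although the sender never sent it


def demo():
    """Return (integrity_ok, tamper_detected_as_invalid, forgery_verifies)."""
    original = b"transfer 100 to account 42"
    t = tag(original)
    integrity_ok = verify(original, t)                           # True
    altered_ok = verify(b"transfer 1000 to account 42", t)       # False: modification detected
    forgery_ok = receiver_can_forge(b"transfer 9999 to account 99")  # True: no non-repudiation
    return integrity_ok, altered_ok, forgery_ok


if __name__ == "__main__":
    print(demo())
```

The HMAC answers "was this changed?" but not "who produced it?", which is exactly the gap non-repudiation fills; for that, the tag must be something only the originator could have created.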
IT professionals working in a role with security responsibilities must be competent in a wide range of disciplines, from network and application design to procurement and human resources (HR). The following activities might be typical of such a role:
• Participate in risk assessments and testing of security systems and make recommendations.
• Specify, source, install, and configure secure devices and software.
• Set up and maintain document access control and user privilege profiles.
• Monitor audit logs, review user privileges, and document access controls.
• Manage security-related incident response and reporting.
• Create and test business continuity and disaster recovery plans and procedures.
• Participate in security training and education programs.
A security policy is a formalized statement that defines how security will be implemented within an organization. It describes the means the organization will take to protect the confidentiality, integrity, and availability of sensitive data and resources. It often consists of multiple individual policies. The implementation of a security policy to support the goals of the CIA triad might be very different for a school, a multinational accountancy firm, or a machine tool manufacturer. However, each of these organizations, or any other organization (in any sector of the economy, whether profit-making or non-profit-making), should have the same interest in ensuring that its employees, equipment, and data are secure against attack or damage.

As part of the process of adopting an effective organizational security posture, employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical:

• Overall internal responsibility for security might be allocated to a dedicated department, run by a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). Historically, responsibility for security might have been allocated to an existing business unit, such as Information and Communications Technology (ICT) or accounting. However, the goals of a network manager are not always well-aligned with the goals of security; network management focuses on availability over confidentiality. Consequently, security is increasingly thought of as a dedicated function or business unit with its own management structure.

• Managers may have responsibility for a domain, such as building control, ICT, or accounting.

• Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. One such job title is Information Systems Security Officer (ISSO).

• Non-technical staff have the responsibility of complying with policy and with any relevant legislation.

• External responsibility for security (due care or liability) lies mainly with directors or owners, though again it is important to note that all employees share some measure of responsibility.
A security operations center (SOC) is a location where security professionals monitor and protect critical information assets across other business functions, such as finance, operations, sales/marketing, and so on. Because SOCs can be difficult to establish, maintain, and finance, they are usually employed by larger organizations, such as a government agency or a healthcare company.


Network operations and use of cloud computing make ever-increasing use of automation through software code. Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos, where each team does not work effectively with the other.

DevOps is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. By creating a highly orchestrated environment, IT personnel and developers can build, test, and release software faster and more reliably. Many consider a DevOps approach to administration as the only way organizations can take full advantage of the potential benefits offered by cloud service providers.


A dedicated cyber incident response team (CIRT), computer security incident response team (CSIRT), or computer emergency response team (CERT) acts as a single point of contact for the notification of security incidents. This function might be handled by the SOC or it might be established as an independent business unit.


Information and cybersecurity assurance is usually considered to take place within an overall process of business risk management. Implementation of cybersecurity functions is often the responsibility of the IT department. There are many different ways of thinking about how IT services should be governed to fulfill overall business needs. Some organizations have developed IT service frameworks to provide best practice guides to implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that should ideally be in place. Collectively, these procedures, activities, and tools can be referred to as security controls.

A security control is something designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation. Controls can be divided into three broad categories, representing the way the control is implemented:

• Technical—the control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.

• Operational—the control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.

• Managerial—the control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
Security controls can also be classified in types according to the goal or function they perform:

• Preventative—the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Intrusion prevention systems (IPS) and access control lists (ACLs) configured on firewalls and file system objects are preventative-type controls. Anti-malware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.

• Detective—the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs and intrusion detection systems (IDS) provide some of the best examples of detective-type controls.

• Corrective—the control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.

While most controls can be classed functionally as preventative, detective, or corrective, a few other types can be used to define other cases:

• Physical—controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware are often classed separately.
• Deterrent—the control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
• Compensating—the control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
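The preventative versus detective distinction, as an added example (not from the original notes) in Python. The ACL table and the sshd-style log lines are constructed for illustration, using documentation IP ranges; the five-failures-per-minute threshold is an assumption a practitioner would tune. `acl_allows` is a preventative control: it answers before the access happens and denies by default, so an unlisted principal or right never gets through. `detect_brute_force` is a detective control: it blocks nothing and only identifies and records what the log shows, flagging a source that fails repeatedly inside the window and any successful login from that source afterwards (the case that should page someone).

```python
"""Preventative versus detective controls. Added example; not code from the original notes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Preventative control: an access control list consulted BEFORE the operation runs.
# Constructed table (assumption): path -> principal -> set of rights; "*" means everyone.
ACL = {
    "/finance/payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "/public/notice.txt": {"*": {"read"}},
}


def acl_allows(acl, principal, path, right):
    """Deny by default: grant only a right explicitly listed for the principal or for everyone."""
    entries = acl.get(path, {})
    granted = entries.get(principal, set()) | entries.get("*", set())
    return right in granted


# Detective control: review of authentication logs. Lines are constructed samples in an
# sshd-like format (assumption); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5012
2024-05-01T10:00:03 sshd[102]: Failed password for root from 203.0.113.5 port 5014
2024-05-01T10:00:04 sshd[103]: Failed password for root from 203.0.113.5 port 5016
2024-05-01T10:00:06 sshd[104]: Failed password for root from 203.0.113.5 port 5018
2024-05-01T10:00:07 sshd[105]: Failed password for root from 203.0.113.5 port 5020
2024-05-01T10:00:09 sshd[106]: Accepted password for root from 203.0.113.5 port 5022
2024-05-01T10:05:00 sshd[107]: Failed password for carol from 198.51.100.7 port 6001
2024-05-01T10:30:00 sshd[108]: Failed password for carol from 198.51.100.7 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return (ip, finding) pairs: a source with >= threshold failures inside `window`,
    and any later successful login from a source already flagged (possible compromise).
    This control records what happened; it does not block anything."""
    failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not parse are skipped; in production, count them too
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        recent = [t for t in failures[ip] if ts - t <= window]  # slide the window forward
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append((ip, f"brute-force: {len(recent)} failures within {window}"))
        elif ip in flagged:
            findings.append((ip, f"successful login for {m['user']} after brute-force"))
        failures[ip] = recent
    return findings


if __name__ == "__main__":
    print(acl_allows(ACL, "bob", "/finance/payroll.xlsx", "write"))  # prevented: False
    for ip, finding in detect_brute_force(SAMPLE_LOG):
        print(ip, finding)  # detected and recorded after the fact
```

Note the asymmetry: the ACL decision happens at the moment of access, while the log review only sees the attack once the entries exist, which is why the two belong to different functional classes even though both are technical controls.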
NIST Cybersecurity Framework
A cybersecurity framework (CSF) is a list of activities and objectives undertaken to mitigate risks. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. This is valuable for giving a structure to internal risk management procedures and provides an externally verifiable statement of regulatory compliance. Frameworks are also important because they save an organization from building its security program in a vacuum, or from building the program on a foundation that fails to account for important security concepts.
There are many different frameworks, each of which categorizes cybersecurity activities and controls in slightly different ways. These frameworks are non-regulatory in the sense that they do not attempt to address the specific regulations of a specific industry but represent "best practice" in IT security governance generally. Most organizations will have historically chosen a particular framework; some may use multiple frameworks in conjunction.
Most frameworks are developed for an international audience; others are focused on a domestic national audience. Most of the frameworks are associated with certification programs to show that staff and consultants can apply the methodologies successfully.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a relatively new addition to the IT governance space and distinct from other frameworks by focusing exclusively on IT security, rather than IT service provision more generally (nist.gov/cyberframework). It is developed for a US audience and focuses somewhat on US government, but its recommendations can be adapted for other countries and types of organizations.

NIST's Risk Management Framework (RMF) pre-dates the CSF. Where the CSF focuses on practical cybersecurity for businesses, the RMF is more prescriptive and principally intended for use by federal agencies (csrc.nist.gov/projects/risk-management/rmf-overview).
As well as its cybersecurity and risk frameworks, NIST is responsible for issuing the Federal Information Processing Standards (FIPS) plus advisory guides called Special Publications (csrc.nist.gov/publications/sp). Many of the standards and technologies covered in CompTIA Security+ are discussed in these documents.

International Organization for Standardization (ISO) 27K

The International Organization for Standardization (ISO) has produced a cybersecurity framework in conjunction with the International Electrotechnical Commission (IEC). The framework was established in 2005 and revised in 2013 (a further revision, ISO/IEC 27001:2022, has since been published). Unlike the NIST framework, the ISO 27001 Information Security Management standard must be purchased (iso.org/standard/54534.html). ISO 27001 is part of an overall 27000 series of information security standards, also known as 27K. Of these, 27002 classifies security controls, 27017 and 27018 reference cloud security, and 27701 focuses on personal data and privacy.
ISO 31K
Where ISO 27K is a cybersecurity framework, ISO 31K (iso.org/iso-31000-risk-management.html) is an overall framework for enterprise risk management (ERM). ERM considers risks and opportunities beyond cybersecurity by including financial, customer service, competition, and legal liability factors. ISO 31K establishes best practices for performing risk assessments.

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSPs) in setting up and delivering secure cloud platforms. These resources can also be useful for cloud consumers in evaluating and selecting cloud services.
• Security Guidance (cloudsecurityalliance.org/research/guidance)—a best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.
• Enterprise reference architecture (ea.cloudsecurityalliance.org)—best practice methodology and tools for CSPs to use in architecting cloud solutions. The solutions are divided across a number of domains, such as risk management and infrastructure, application, and presentation services.
• Cloud controls matrix (cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix)—lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.
