Security Plus Exam Cram Series 2024 - Domain 5: Security Program Management and Oversight

Jul 13, 2024

5.1 Effective Security Governance

  • Security governance: Establishes the guidelines, policies, standards, and procedures that direct and oversee the security program.

    • Guidelines: Recommendations and best practices (optional).
    • Policies: High-level directives and objectives (mandatory).
      • Types: Acceptable Use Policy, Information Security Policy, Incident Response, Software Development Life Cycle.
    • Standards: Specific technical requirements (mandatory).
      • Examples: Password complexity, access control, physical security, encryption standards.
    • Procedures: Step-by-step instructions (how to implement the standards).
      • Examples: Incident response, change management, onboarding/offboarding, playbooks.
  • Roles & Responsibilities:

    • Data roles: Data Owner, Data Custodian.
    • GDPR roles: Data Processor, Data Controller, Data Subject, Data Steward.
  • External considerations: Regulatory compliance, legal obligations, industry best practices.

  • Monitoring & Revision: Continuous process involving audits, reviews, and updates.

  • Governance structures: Board, committee, government entities (centralized vs. decentralized).

5.2 Risk Management

  • Risk Management Process:
    • Risk Identification: Identify threats and vulnerabilities.
    • Risk Assessment: Broader process including identification, analysis, evaluation, and prioritization.
      • Types: Ad hoc, recurring, one-time, continuous.
    • Risk Analysis: Qualitative (subjective scoring) vs Quantitative (numeric values, cost impact).
      • Key Formulas: Exposure Factor, Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), Annualized Loss Expectancy (ALE).
    • Risk Register: Tracks identified risks and their status, prioritized visually (e.g., heat maps).
    • Risk Appetite & Tolerance: Levels of risk acceptance.
    • Risk Management Strategies: Acceptance, mitigation, transference, avoidance.
    • Reporting: Produces actionable guidance for mitigation.
    • Business Impact Analysis (BIA): Identifies critical functions, systems, maximum downtime, potential losses.
      • Key Metrics: Recovery Point Objective (RPO), Recovery Time Objective (RTO), Mean Time Between Failures (MTBF), Mean Time To Repair (MTTR).
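The Risk Analysis formulas and the BIA metrics above, worked through as an added Python example (not part of the original cram notes); the asset value, exposure factors, ARO, control cost and MTBF/MTTR figures are constructed sample numbers:

```python
# Quantitative risk analysis helpers for the Domain 5 formulas.
# Added example, not part of the original cram notes; all figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset to the business
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0-1.0)
    aro: float              # ARO: expected number of incidents per year


def sle(r: Risk) -> float:
    """Single Loss Expectancy: SLE = AV * EF (cost of one incident)."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized Loss Expectancy: ALE = SLE * ARO (expected cost per year)."""
    return sle(r) * r.aro


def control_benefit(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net yearly benefit of a mitigation: (ALE before - ALE after) - control cost.

    Positive means the control pays for itself; negative suggests weighing the
    other strategies (accept, transfer, avoid) instead.
    """
    return ale(before) - ale(after) - annual_control_cost


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Expected availability from the BIA metrics: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


# Constructed scenario: ransomware on a file server the business values at $200,000.
UNMITIGATED = Risk("ransomware, no backups", 200_000, 0.50, 2.0)
# Tested offline backups shrink the loss per incident (EF) but not its frequency (ARO).
MITIGATED = Risk("ransomware, offline backups", 200_000, 0.10, 2.0)
BACKUP_COST_PER_YEAR = 30_000

if __name__ == "__main__":
    print(f"ALE before: {ale(UNMITIGATED):,.0f}  ALE after: {ale(MITIGATED):,.0f}")
    print(f"Net benefit of backups: {control_benefit(UNMITIGATED, MITIGATED, BACKUP_COST_PER_YEAR):,.0f}")
    print(f"Availability (MTBF 2000h, MTTR 4h): {availability(2000, 4):.4%}")
```

Swap in your own asset values and incident rates; a negative net benefit is the signal that the control costs more than the risk it removes, which is exactly the acceptance/transference decision the strategies list above describes.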

5.3 Third-Party Risk Assessment

  • Vendor Assessment:

    • Methodologies: Penetration testing, internal audits, right-to-audit clauses, independent assessments, supply chain analysis.
    • Tools: Audit reports (e.g., SOC 2 Type 2), viability assessments, compliance reviews.
    • Conflict of Interest: Financial interests, ownership, kickbacks, information sharing, professional relationships.
  • Agreement Types:

    • Service Level Agreements (SLA)
    • Memorandum of Understanding (MOU) vs. Memorandum of Agreement (MOA)
    • Master Service Agreement (MSA)
    • Statements of Work (SOW)
    • Non-Disclosure Agreements (NDA)
    • Business Partners Agreement (BPA)
  • Vendor Monitoring: Continuous process, periodic questionnaires, rules of engagement.

5.4 Security Compliance

  • Compliance Reporting: Internal (transparency) vs. External (regulatory).
  • Non-Compliance Consequences: Reputation loss, sanctions, contractual impacts, fines, loss of license.
  • Compliance Monitoring: Due diligence vs. Due care, attestation, audits.
  • Privacy: GDPR, U.S. regulations, data subject rights, controller vs. processor.
  • Confidentiality vs. Privacy: Privacy focuses on individual rights, confidentiality on data protection.

5.5 Audits & Assessments

  • Difference Between Audit & Assessment:
    • Audit: Compliance check (formal).
    • Assessment: Risk identification and mitigation (broader).
  • Internal: Compliance audits, self-assessments.
  • External: Regulatory audits, independent examinations.
  • Penetration Testing: Physical, offensive, defensive, and integrated types.
    • Environments: Known (white-box), unknown (black-box), partially known (gray-box).
    • Reconnaissance: Passive (indirect interaction) vs. Active (direct probing).

5.6 Security Awareness Practices

  • Key Principles of Social Engineering: Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency.
  • Phishing Awareness: Simulated phishing campaigns, recognizing red flags, reporting procedures.
  • Anomalous Behavior: Recognizing risky/unexpected/unintentional actions.
  • User Guidance & Training Topics: Security policy, situational awareness, insider threats, password management, removable media, social engineering, operational security, remote work.
  • Training Execution: Engaging materials, various methods (online, in-person).
  • Reporting and Monitoring: Initial assessment, recurring training, effectiveness tracking, frequent updates.