For Section 5 of the Security+ SY-601 exam – Governance, Risk, and Compliance – we will cover topics such as regulations and frameworks, risk management, and organizational policies.
1. Risk Management
In Section 1 of the CompTIA certification course, we read about risk and how it relates to threats and vulnerabilities. Basically, an attacker can use different attack vectors to take advantage of a vulnerability in a system; that possibility is a threat to its security and creates an element of risk for all users of that system. Just as a system can have multiple vulnerabilities posing threats of different severity (critical, medium, or low), risks must be rated in a similar way before their impact is declared. Another factor in determining the associated risk is its source, such as internal, external, or legacy software.
- Risk Assessment – Risk assessment helps in categorizing risks based on their likelihood of occurrence and their impact on the system. This assessment is vital, as it helps security experts decide whether a risk is High, Medium, or Low. This type of risk assessment is termed Qualitative Risk Assessment. For better judgment, we can also perform the data-oriented Quantitative Risk Assessment. For this, we can use the factors below and compute an actual cost associated with the risk:
- Asset Value (AV) – Cost of the asset in the current market, calculated either via the Asset Depreciation method or the Asset Replacement method
- Exposure Factor (EF) (%) – Damage incurred to our asset, expressed as a percentage of its value, in case the risk actually materializes
- Single-Loss Expectancy (SLE) – Calculated by multiplying Asset Value and Exposure Factor, to estimate the actual loss to the company if the risk materializes once.
- Annualized Rate of Occurrence (ARO) – A risk is not limited to a single occurrence, hence we use ARO to capture the number of times a risk can occur in a year.
- Annualized Loss Expectancy (ALE) – Multiplying the SLE and ARO values gives the estimated loss an organization incurs annually due to a risk.
- Mean Time to Failure (MTTF) – Average time before a non-repairable asset fails
- Mean Time Between Failures (MTBF) – Average time before a repairable asset fails
- Mean Time to Repair (MTTR) – Average time taken to repair a repairable asset
- Risk Addressing – Once a risk is identified along with its likelihood and impact, we need to address it. We have four options to address any risk:
- Risk Avoidance – Risk Avoidance implies a situation where an identified risk cannot be fixed, hence an avoidance strategy is needed to remove the risk. One example of risk avoidance is migrating your data center because the current location is prone to natural disasters (external risk).
- Risk Transference – Risk Transference implies a situation where the impact of an identified risk is transferred from one organization to another. One example of risk transference is buying insurance for your hardware, or hiring managed service professionals who carry the liability of payment in case of failure.
- Risk Mitigation – Risk Mitigation implies a situation where an organization actually designs and installs solutions to mitigate a risk instead of avoiding or transferring it. One example of risk mitigation is installing EDR solutions or buying DDoS protection to mitigate risks arising from malware and security attacks.
- Risk Acceptance – Not every risk can be avoided, transferred, or mitigated. Those risks are discussed thoroughly and accepted as they are. It means the organization doesn't plan or implement any solution to fix the risk and is ready to bear the loss if the risk actually impacts the business.
- Risk Register – A risk register is a record of all the risks associated with a system, along with their causes, impact, likelihood, and a score based on different criteria. This helps in keeping a common record of all the risks, supporting their evaluation and later mitigation planning. The risk register can be populated using sources like audits, threat intelligence, open-source intelligence, etc.
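A worked quantitative risk assessment using the AV, EF, SLE, ARO and ALE formulas above, plus a simple likelihood x impact rating of the kind recorded in a risk register. This is an added example, not part of the course notes; the two scenarios, the control costs and the High/Medium/Low thresholds are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: asset cost (replacement or depreciated value)
    exposure_factor: float  # EF: fraction of AV lost if the risk materializes once
    aro: float              # ARO: expected occurrences per year (0.1 = once a decade)

    def sle(self) -> float:
        """Single-Loss Expectancy: SLE = AV * EF, the loss from one occurrence."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def control_net_benefit(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Yearly value of a mitigating control: ALE reduction minus the control's cost.
    A negative result means the control costs more than the loss it prevents, the
    usual signal that acceptance, avoidance or transference beats mitigation."""
    return before.ale() - after.ale() - annual_control_cost


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Bucket a 1-5 likelihood x 1-5 impact score for a risk register (thresholds assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    score = likelihood * impact
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"


# Constructed scenario: ransomware on a file server, mitigated with EDR and tested backups.
RANSOMWARE = Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.6, aro=0.5)
RANSOMWARE_WITH_EDR = Risk("ransomware (EDR + tested backups)", 200_000, 0.1, 0.5)
EDR_ANNUAL_COST = 25_000

# Constructed scenario: flooding at the current data centre (external risk).
FLOOD = Risk("data centre flood", asset_value=1_000_000, exposure_factor=0.8, aro=0.02)
FLOOD_WITH_BARRIER = Risk("flood (barrier installed)", 1_000_000, 0.2, 0.02)
BARRIER_ANNUAL_COST = 30_000

if __name__ == "__main__":
    for r in (RANSOMWARE, FLOOD):
        print(f"{r.name}: SLE={r.sle():,.0f} ALE={r.ale():,.0f}")
    print("EDR net benefit:", control_net_benefit(RANSOMWARE, RANSOMWARE_WITH_EDR, EDR_ANNUAL_COST))
    print("Barrier net benefit:", control_net_benefit(FLOOD, FLOOD_WITH_BARRIER, BARRIER_ANNUAL_COST))
```

In the flood scenario the barrier's net benefit is negative, which is the quantitative argument for avoidance (migrating the data center, as in the Risk Avoidance example) or acceptance rather than mitigation.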
2. Security Controls
For each risk associated with the security of a system, we have to apply proper security controls. These controls are based on risk profiles categorized as Inherent Risk (one which does not yet have any mitigation plan), Control Risk (one which has a mitigation plan in place), and Residual Risk (what is left over after the mitigation plan is applied, and is placed under the acceptance plan). For security control, professionals recommend multilayer security, termed Defense-In-Depth. The various types of security controls available to security professionals are:
- Preventive Controls – Preventive controls are designed to prevent a security-related issue from happening in the first place. For example, a firewall blocks access from unwanted IP addresses right away, before they can send malicious traffic.
- Detective Controls – Detective controls detect a potential security risk and call for further investigation. For example, an IDS detects the presence of unwanted activity on the end system only after it has already taken place.
- Corrective Controls – Corrective controls work towards the recovery of the system once an issue has already happened. For example, recovering a system to its RPO from backup.
- Deterrent Controls – Deterrent controls are responsible for deterring (loosely, scaring off) an attacker from attempting an attack. For example, putting a barbed-wire fence around buildings.
We can also have different types of security controls based on who is the owner of implementing them, like Managerial Controls, Technological Controls, and Operational Controls.
3. Security Policies and Frameworks
Security policies are written by security professionals to ensure everyone in the organization has a reference to follow. Security policies must be written in generic language to keep them relevant for a longer duration. These policies must include details of the standards which should be followed for various aspects like data encryption, supply chain audits, approval processes, etc. Additionally, policies may include optional guidelines as well, like advisories on best security practices in the industry.
Various security frameworks are also used for different aspects of the security program. A few of them are discussed here:
- Risk Management Frameworks – NIST provides a predefined and solid risk management framework, which can be reused and referred to by any organization in its cyber security journey. This framework mainly has seven stages, briefly described below:
- Input Gathering – All existing system designs, architecture documents, and the organization's mission, vision, strategies, and goals are gathered for reference and consideration.
- Categorize – Based on the information gathered, systems are assessed and categorized according to the risk they face.
- Select – Security controls are selected based on the categorization done in the previous step.
- Implement – This step involves the actual implementation of the security controls for a system.
- Assessment – Assessment of the implemented security controls is important to determine whether any changes or updates to the plan are required.
- Authorize – This step determines whether each residual risk is authorized to remain as it is, or whether further solutions are required to mitigate it.
- Monitor – Post authorization, security controls are monitored, and if they are found insufficient the cycle begins again from the input gathering phase to improve risk management.
- Control Frameworks – Control frameworks have been used in industry at various levels for decades. A few of them are discussed here:
- Control Objectives for IT (COBIT) – The COBIT framework helps organizations decide on the management of information and technology (IT) systems in a holistic way to improve monitoring, performance, and governance.
- ISO – ISO provides multiple standards addressing the different needs of an organization. ISO 27001 covers cybersecurity control objectives, ISO 27002 covers cybersecurity control implementation, ISO 27701 covers privacy controls, and ISO 31000 covers risk management programs.
- Data Security Framework – The security of the data stored on various end devices is important for any organization. For the data security framework, the organization must follow written security policies for both data storage and data disposal. Additional data protection is required if the stored information is either Personally Identifiable Information (PII), like a person's name and Social Security number, or Protected Health Information (PHI), like a person's health records. Data must be classified based on access rights with tags like Confidential, Top Secret, Unclassified, and Sensitive. Besides data classification, it's important to clearly define:
- data owners (who have overall responsibility for the data and usually are C-level executives of the organization)
- data stewards (who report to data owners and are responsible for the day-to-day governance of data)
- data custodians (who actually store the data on end devices and are responsible for maintaining the systems on which data is stored, including encryption and backups of the data)
4. Supply Chain Policies
An organization cannot build all of its tools, hardware, and applications in-house, hence it needs to buy services, software, or physical infrastructure from one or more vendors. This may lead to security risks if the vendor selected to deliver a product doesn't follow the same standard of security frameworks and privacy controls. These scenarios can be overcome if the purchasing organization follows pre-defined and mutually agreed supply chain policies. These policies must be applied from the moment vendor selection begins for a product and carried through until delivery of the product.
- Stage 1 – In Stage 1, the vendor for a product is selected after formally reviewing RFPs (Requests for Proposal) and evaluating both the vendor's and the product's security based on the risk assessment. Post selection, the product is onboarded in the customer's environment and all acceptance tests are conducted, covering criteria like performance, security, availability, etc. The formal documents signed during this stage include Non-Disclosure Agreements (NDA), Service Level Agreements (SLA), Memorandums of Understanding (MoU), and Statements of Work (SOW).
- Stage 2 – Post onboarding, actual data or user traffic is transferred to the new application, and the customer continues to monitor performance and conduct security scans and audits. This is important to ensure that data stored on the application remains under the ownership of the customer and that the vendor has no right to reuse or repurpose that information. Audits must be conducted by a third-party auditor to ensure the report is free of discrepancies.
- Stage 3 – Offboarding, or termination of the contract, means the customer is either migrating to a new vendor or stopping use of the existing application. This stage completes only when all the customer's data has been cleaned from the vendor's systems and the design documents and architecture information have been handed over to the customer.
This ends Section 5 of the CompTIA Security+ SY-601 exam. We have now covered all sections of the CompTIA Security+ SY-601 exam. Hopefully, you can revise all your concepts when going through these notes and clear the exam on the first attempt.