Lesson 1
Comparing Security Roles and Security Controls

Topic 1A
Compare and Contrast Information Security Roles

CompTIA Security+ Lesson 1 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Information Security

• CIA Triad
  • Confidentiality
    • Information should only be known to certain people
  • Integrity
    • Data is stored and transferred as intended, and any modification is authorized
  • Availability
    • Information is accessible to those authorized to view or modify it
• Non-repudiation
  • Subjects cannot deny creating or modifying data

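The integrity and non-repudiation bullets above are easiest to see side by side in code. The following Go program is an added example, not part of the CompTIA slides; it uses an HMAC over a shared key for an integrity check and an Ed25519 signature for non-repudiation, with a constructed log record and constructed keys. The point it shows that the slide does not: a shared-key tag lets the receiver detect tampering, but because the receiver could have computed the same tag itself, it cannot prove who created the record, so HMAC gives integrity without non-repudiation; a signature made with a private key that only the author holds gives both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hmacTag computes an integrity tag over data with a key shared by sender and
// receiver. Any change to data changes the tag, so tampering is detectable.
func hmacTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// hmacVerify recomputes the tag and compares it in constant time.
func hmacVerify(key, data, tag []byte) bool {
	return hmac.Equal(hmacTag(key, data), tag)
}

// newSigner creates an Ed25519 key pair. Only the private key can sign; the
// public key can be handed to anyone who needs to verify.
func newSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// sign produces a signature that only the private-key holder could have made.
func sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// verifySig checks the signature against the public key.
func verifySig(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	// Constructed sample record and shared key (not from any real system).
	record := []byte("2020-01-01T12:00:00Z alice approved change #42")
	tampered := []byte("2020-01-01T12:00:00Z alice approved change #43")
	sharedKey := []byte("constructed-shared-secret")

	// Integrity: the receiver detects the modified record.
	tag := hmacTag(sharedKey, record)
	fmt.Println("original verifies:", hmacVerify(sharedKey, record, tag))   // true
	fmt.Println("tampered verifies:", hmacVerify(sharedKey, tampered, tag)) // false

	// Non-repudiation: the receiver holds the same HMAC key, so it could have
	// produced a valid tag for the tampered record itself. Alice can therefore
	// deny having created it; the tag proves integrity, not origin.
	forged := hmacTag(sharedKey, tampered)
	fmt.Println("receiver-forged tag verifies:", hmacVerify(sharedKey, tampered, forged)) // true

	// A digital signature closes that gap: the receiver has only the public key.
	pub, priv, err := newSigner()
	if err != nil {
		panic(err)
	}
	sig := sign(priv, record)
	fmt.Println("signature verifies:", verifySig(pub, record, sig))           // true
	fmt.Println("signature on tampered record:", verifySig(pub, tampered, sig)) // false

	// A holder of a different key pair cannot produce a signature that
	// verifies under Alice's public key.
	_, otherPriv, _ := newSigner()
	fmt.Println("other key's signature verifies:", verifySig(pub, record, sign(otherPriv, record))) // false
}
```

Run it with `go run` on a single file. The design choice worth noting is the key distribution: the HMAC key must be shared with every verifier, which is exactly what makes the tag deniable, whereas the Ed25519 private key never leaves the signer.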
Cybersecurity Framework

Information Security Competencies

• Risk assessments and testing
• Specifying, sourcing, installing, and configuring secure devices and software
• Access control and user privileges
• Auditing logs and events
• Incident reporting and response
• Business continuity and disaster recovery
• Security training and education programs

Information Security Roles and Responsibilities

• Overall responsibility
  • Chief Security Officer (CSO)
  • Chief Information Security Officer (CISO)
• Managerial
• Technical
  • Information Systems Security Officer (ISSO)
• Non-technical
  • Due care/liability

Image credit: Shannon Fagan © 123rf.com.

Information Security Business Units

• Security Operations Center (SOC)
• DevSecOps
  • Development, security, and operations
• Incident response
  • Cyber incident response team (CIRT)
  • Computer security incident response team (CSIRT)
  • Computer emergency response team (CERT)

Image credit: John Mattern/Feature Photo Service for IBM

Topic 1B
Compare and Contrast Security Control and Framework Types

Syllabus Objectives Covered

• 5.1 Compare and contrast various types of controls
• 5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture

Security Control Categories

• Technical
  • Controls implemented in operating systems, software, and security appliances
• Operational
  • Controls that depend on a person for implementation
• Managerial
  • Controls that give oversight of the system

Security Control Functional Types (1)

• Preventive
  • Physically or logically restricts unauthorized access
  • Operates before an attack
• Detective
  • May not prevent or deter access, but it will identify and record any attempted or successful intrusion
  • Operates during an attack
• Corrective
  • Responds to and fixes an incident and may also prevent its reoccurrence
  • Operates after an attack

Images © 123rf.com.

Security Control Functional Types (2)

• Physical
  • Controls such as alarms, gateways, and locks that deter access to premises and hardware
• Deterrent
  • May not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion
• Compensating
  • Substitutes for a principal control

NIST Cybersecurity Framework

• Importance of frameworks
  • Objective statement of current capabilities
  • Measure progress towards a target capability
  • Verifiable statement for regulatory compliance reporting
• National Institute of Standards and Technology (NIST)
  • Cybersecurity Framework (CSF)
  • Risk Management Framework (RMF)
  • Federal Information Processing Standards (FIPS)
  • Special Publications

ISO and Cloud Frameworks

• International Organization for Standardization (ISO)
  • 27K information security standards
  • 31K enterprise risk management (ERM)
• Cloud Security Alliance
  • Security guidance for cloud service providers (CSPs)
  • Enterprise reference architecture
  • Cloud controls matrix
• Statements on Standards for Attestation Engagements (SSAE)
  • Service Organization Control (SOC)
    • SOC2 evaluates service provider
      • Type I report assesses system design
      • Type II report assesses ongoing effectiveness
    • SOC3 public compliance report

Benchmarks and Secure Configuration Guides

• Center for Internet Security (CIS)
  • The 20 CIS Controls
  • CIS-RAM (Risk Assessment Method)
• OS/network platform/vendor-specific guides and benchmarks
  • Vendor guides and templates
  • CIS benchmarks
  • Department of Defense Cyber Exchange
  • NIST National Checklist Program (NCP)
• Application servers and web server applications
  • Client/server
  • Multi-tier—front-end, middleware (business logic), and back-end (data)
  • Open Web Application Security Project (OWASP)

Regulations, Standards, and Legislation

• Due diligence
  • Sarbanes-Oxley Act (SOX)
  • Computer Security Act (1987)
  • Federal Information Security Management Act (FISMA)
  • General Data Protection Regulation (GDPR)
• National, territory, or state laws
  • Gramm–Leach–Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • California Consumer Privacy Act (CCPA)
• Payment Card Industry Data Security Standard (PCI DSS)

Lesson 1
Summary