CompTIA SecurityX
Risk management Obj 1.0
Risk Assessment
Risk management lifecycle
- Identification
- Assessment
- Control
- Review of risks
- Quantitative Analysis
  - Uses numerical data and statistical methods to measure risk
- Qualitative Analysis
  - Uses subjective, non-numerical criteria and the experience of analysts
- Risk Appetite
  - Amount of risk an organization is willing to accept
- Risk Tolerance
  - Specific level of acceptable risk
- Risk Prioritization
  - Ranking of risks based on their potential impact and likelihood
- Risk Response
  - Implementation of controls to mitigate identified risk
- Validation
  - Severity impact
- Remediation
  - Implementation of controls to mitigate identified risk
Risk assessment frameworks
- NIST RMF (National Institute of Standards and Technology Risk Management Framework) (DoD and healthcare)
- ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) (information security and risk in general)
- COSO ERM (Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management) (corporate strategy)
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) (IT infrastructures)
- FAIR (risk and threat framework; financial)
Impact Analysis
- Evaluating the potential consequences of identified risks on organizational operations, assets, and objectives.
  - Identify and analyze events
  - Evaluate impact
  - Develop scenarios
  - Assess the outcomes
  - Implement mitigation strategies
Third party risk management
- Vendors
- Subprocessors (outsourced services)
- Supply chain risks
Compliance Obj 1.2
Industry compliance
Requires that organizations meet established laws, regulations, guidelines, and specifications to protect sensitive data, maintain customer trust, and avoid regulatory penalties.
Compliance requirements (Frameworks)
Government
- NIST RMF (National Institute of Standards and Technology Risk Management Framework): Provides a method for managing risk, including categorizing information systems, selecting security controls and monitoring effectiveness.
- FISMA (Federal Information Security Management Act): Requires federal agencies to develop and implement robust security programs to protect information.
- CMMC (Cybersecurity Maturity Model Certification)
  5 levels of certification:
  - Level 1: Basic cybersecurity hygiene
  - Level 2: Intermediate practices
  - Level 3: Full implementation of NIST SP 800-171 guidelines
  - Level 4: Proactive security
  - Level 5: Optimized defenses
  Essential for government contractors to safeguard Controlled Unclassified Information (CUI). CUI is sensitive information that isn't government-classified but still requires protection.
Healthcare
- HIPAA (Health Insurance Portability and Accountability Act): Focuses on protecting patients' sensitive health information and privacy
- HITECH (Health Information Technology for Economic and Clinical Health Act): Builds on HIPAA by encouraging healthcare providers to adopt electronic health records
Financial
- GLBA (Gramm-Leach-Bliley Act): Targets data privacy and protection in the financial sector. Ensures that banks and financial institutions protect customers' personal financial information.
- SOX (Sarbanes-Oxley Act): Focuses on the integrity of financial reporting in public companies. Makes sure public companies maintain accurate financial records and implement controls to prevent fraud.
- PCI-DSS (Payment Card Industry Data Security Standard): Applies to any business handling credit card transactions. Enforces 6 key security goals:
  - Maintain a secure network
  - Manage vulnerabilities
  - Continuously monitor systems
  - Encrypt cardholder data
  - Enforce strict access controls
  - Have a robust information security policy
Utilities
- NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection): Ensures power companies have strong security practices in place
- FERC (Federal Energy Regulatory Commission): Oversees and enforces compliance in the energy industry
Industry standards Obj 1.3
Established guidelines and practices that organizations within a specific industry are expected to follow.
- PCI-DSS: payment card industry; keeps credit card data safe.
- ISO/IEC 27K series (NOT LEGALLY ENFORCED)
  - 27001: Focuses on establishing, implementing, maintaining and continually improving an organization's information security management system (ISMS)
  - 27002: Focuses on the security controls defined in 27001
  - 27005: Information security risk management, offering guidance on identifying and assessing risks to better protect sensitive information
  - 27017: Cloud security
  - 27018: Protecting personal data in the cloud
- DMA controls for "Gatekeepers": Regulates large tech companies, i.e. companies that control key digital services like online search engines, social networking, and app stores
  - FANG companies (Facebook/Meta, Amazon, Google, TikTok, Apple)
  - Prevents companies from holding a monopoly (anti-monopoly laws)
Security Frameworks
- Foundational best practices: Key frameworks and standards that help organizations protect data, manage risks, and stay secure across different industries, e.g. ISO/IEC, NIST, COBIT, PCI-DSS, COSO, GDPR, ITIL, CMMC, HIPAA
- Benchmarks
  - Measurable standards: Baselines; use a benchmark to compare against industry standards.
  - CIS (Center for Internet Security) benchmarks: Set of globally recognized, best-practice security configurations that help organizations secure their systems and data against cyber threats. *Step-by-step guidelines.*
SOC2 (Security Organization Control Type 2)
Designed to ensure that companies, especially those offering cloud-based services, handle customer data securely. Created by CFA (accountants). An audit process that evaluates an organization's ability to manage and protect data across five key areas. Based on 5 principles:
1. Availability
2. Confidentiality
3. Process Integrity
4. Privacy
5. Security
A SOC3 report is the public-facing version of the SOC2 report.
TYPES:
- SOC2 TYPE 1: Assesses the design of an organization's controls for managing sensitive customer data at a specific point in time.
- SOC2 TYPE 2: Evaluates not only the design of the controls but also their operational effectiveness over a period of time, usually 6 to 12 months.
- SOC3 Reports: Simplified public version of the more detailed SOC2 report, designed for organizations that want to show that they have strong security and data protection practices in place.
NIST CSF (Cybersecurity Framework)
Designed to be flexible across different industries. Five core functions:
1. Identify: Asset management software such as SolarWinds or Lansweeper is used to map out critical systems, hardware, and data.
2. Protect: Organizations rely on firewalls, encryption and access management solutions to control access and safeguard sensitive data.
3. Detect: Intrusion detection systems and security information and event management (SIEM) solutions continuously monitor networks for suspicious activity or potential threats (Splunk, Snort).
4. Respond: Tools such as IBM Resilient or CrowdStrike are used to contain security incidents, investigate root causes and notify the right personnel to handle the situation effectively.
5. Recover: Organizations rely on backup and recovery tools such as Veeam or Acronis to restore lost data and services after a security incident.
CSA (Cloud Security Alliance) framework
Set of guidelines and best practices designed to help organizations secure cloud computing environments. Provides a way to manage and mitigate risks associated with cloud services. CSA STAR (Security, Trust, Assurance, and Risk) provides various certifications for cloud service providers. Areas:
1. Data protection
2. Security management
3. Compliance
Two levels of certification:
1. Self audit
2. Requires a third-party auditor
Privacy regulations
- COPPA (Children's Online Privacy Act) in the US: Requirements for website operators and online services directed at children under the age of 13
- LGPD (General Data Protection Law) in Brazil
- CCPA (California Consumer Privacy Act) in California, US
- GDPR (General Data Protection Regulation) in the EU