CompTIA SecurityX

Risk management Obj 1.0

Risk Assesment

Risk management lifecycle

• Identification
• Assessment
• Control

• Review of risks

• Quantitative Analysis

  • Uses numerical data and statistical methods to measure risk
• Qualitative Analysis
  • Uses subjective, non-numerical criteria and experience of analysts
• Risk Appetite
  • Amount of risk an organization is willing to accept
• Risk Tolerance
  • Specific level of acceptable risk
• Risk Prioritization
  • Ranking of risks based on their potential impact and likelihood
• Risk Response
  • Implementation of controls to mitigate identifed risk
    • Validation
    • Severity impact
    • Remediation

---

Risk assesment frameworks

• NIST RMF (National Instiute of standards and technology) Risk management Framework. (DOD and healthcare)
• ISO (International organization of standardization/internation electrotechnical commission) (Information security and risk in general)
• COSO ERM (Committee os sponsoring organizations of the Treadway commission enterprise risk management) (Corporate statedgy)
• OCTAVE (Operationally critical threat, asset, and vulnerability evaluation) (IT infrastructures)
• FAIR (Risk threat framework (financial))

---

Impact Analysis

• Evaulating the potential consequences of identified risks on organizational operations, assets, and objectives.
• Identify and analyze events
• evaluate impact
• develop scenarios
• assess the outcomes
• implement mitigation strategies

---

Third party risk management

• Vendors
• Sub Processors (out sources services)
• Supply chain risks

---

Compliance Obj 1.2

Industry compliance

Requires organizations meet established laws, regulations, guidelines, and specifications to protect sensitive data, maintain customer trust, and avoid regulatory pentalties.

Compliance requirements (Frameworks)

• Government

  • NIST RMF (National institute of standards and technology risk management framework) Provides a method for managing risk, including categorizing information systems, selecting security control and monitoring effectivness.
  • FISMA (Federal information security management act) Requires federal agencies to develop and implement robust security programs to protect information.
  • CMMC (Cyberseurity maturity model certification) 5 levels of certification:
    • Level 1 . Basic cybersecurity hygiene
    • Level 2. Intermediate practices
    • Level 3. Full implementation of NIST SP 800-171 guidelines
    • Level 4. Proactive security
    • Level 5. Optimized defenses

  Essential for government contractors to safeguard Controlled Unclassified Information (CUI) CUI is sensitve information that isn't gov-classified but till requires protection.

• Healthcare

  • HIPAA (health insurance portability and accountability act) Focuses on protecting patient's sensitive health information and privacy
  • HITECH (Health information technology for economic and clinical health act) Builds on HIPAA by encouraging healthcare providers to adopt electronic health records

• Financial

  • GLBA (Gramm-Leach-Bliley Act) Targets data privacy and protection in financial sector Ensure that banks and financial institutions protect customer's personal financial information
  • SOX (Sabanes-Oxley Act) Focus on integrity of financial reporting in public companies Focus on making sure public companies maintain accurate financial records and implement control to prevent fraud
  • PCI-DSS (Payment card industry data security standard) Applies to any business handling credit card transactions Enforces 6 key security goals
  • 1. Maintain a secure network
  • 1. Manage vulnerabilities
    2. 1. Continuously monitor systems
    3. 1. Encrypt cardholder data
    4. 1. Enforce strict access controls
    5. 1. Have a robust information security policy

• Utilites

  • NERC-CIP (North american electric reliability corporation critical infrastructure protection) Ensures power companies have strong security practices in place
  • FERC (Federal energy regulatory commission) Oversees and enforces compliance in the energy industry

---

Industry standards Obj 1.3

Established guidelines and practices that organizations within a specific industry are expected to follow.

PCI-DSS payment card industry, keep CC data safe.

ISO-IEC 27K series NOT LEGALLY ENFORCED - 27001: Focuses on establishing, implementing, maintaining and continual improving and organizations information security management system (ISMS) - 27002: Focuses on security controls defined in 27001 - 27005: Information security risk management offering guidance on identifying and assessing risks to better protect sensitive information. - 27017: Cloud security - 27018: Protecting personal data in the cloud

DMA controls for "Gatekeepers" Regulating large tech companies Companies that control key digital services like online search engines, social networking, and app stories - FANG companies (Facebook/Meta, Amazon, Google, TikTok, Apple) - prevents companies to hold a monopoly - Anti-monopoly laws

---

Security Frameworks

• Foundational best practices Key frameworks and standards that help organizations protect data, manager risks, and stay secure across different industries. e.g, ISO-IEC, NIST, COBIT, PCI-DSS, COSO, GDPR, ITIL, CMMC,HIPAA
• Benchmarks
• Measureable standards Baselines, use a benchmark to compare to industry standards.
• CIS (Center for internet security benchmarks) Set of globally recognized, best practice securiyt configurations that help organizations secure thier systems and data against cyber threats. * Step by step guidelines.*

---

SOC2 (Security Or# CompTIA SecurityX

Risk management Obj 1.0

Risk Assesment

Risk management lifecycle

• Identification
• Assessment
• Control

• Review of risks

• Quantitative Analysis

  • Uses numerical data and statistical methods to measure risk
• Qualitative Analysis
  • Uses subjective, non-numerical criteria and experience of analysts
• Risk Appetite
  • Amount of risk an organization is willing to accept
• Risk Tolerance
  • Specific level of acceptable risk
• Risk Prioritization
  • Ranking of risks based on their potential impact and likelihood
• Risk Response
  • Implementation of controls to mitigate identifed risk
    • Validation
    • Severity impact
    • Remediation

---

Risk assesment frameworks

• NIST RMF (National Instiute of standards and technology) Risk management Framework. (DOD and healthcare)
• ISO (International organization of standardization/internation electrotechnical commission) (Information security and risk in general)
• COSO ERM (Committee os sponsoring organizations of the Treadway commission enterprise risk management) (Corporate statedgy)
• OCTAVE (Operationally critical threat, asset, and vulnerability evaluation) (IT infrastructures)
• FAIR (Risk threat framework (financial))

---

Impact Analysis

• Evaulating the potential consequences of identified risks on organizational operations, assets, and objectives.
• Identify and analyze events
• evaluate impact
• develop scenarios
• assess the outcomes
• implement mitigation strategies

---

Third party risk management

• Vendors
• Sub Processors (out sources services)
• Supply chain risks

---

Compliance Obj 1.2

Industry compliance

Requires organizations meet established laws, regulations, guidelines, and specifications to protect sensitive data, maintain customer trust, and avoid regulatory pentalties.

Compliance requirements (Frameworks)

• Government

  • NIST RMF (National institute of standards and technology risk management framework) Provides a method for managing risk, including categorizing information systems, selecting security control and monitoring effectivness.
  • FISMA (Federal information security management act) Requires federal agencies to develop and implement robust security programs to protect information.
  • CMMC (Cyberseurity maturity model certification) 5 levels of certification:
    • Level 1 . Basic cybersecurity hygiene
    • Level 2. Intermediate practices
    • Level 3. Full implementation of NIST SP 800-171 guidelines
    • Level 4. Proactive security
    • Level 5. Optimized defenses

  Essential for government contractors to safeguard Controlled Unclassified Information (CUI) CUI is sensitve information that isn't gov-classified but till requires protection.

• Healthcare

  • HIPAA (health insurance portability and accountability act) Focuses on protecting patient's sensitive health information and privacy
  • HITECH (Health information technology for economic and clinical health act) Builds on HIPAA by encouraging healthcare providers to adopt electronic health records

• Financial

  • GLBA (Gramm-Leach-Bliley Act) Targets data privacy and protection in financial sector Ensure that banks and financial institutions protect customer's personal financial information
  • SOX (Sabanes-Oxley Act) Focus on integrity of financial reporting in public companies Focus on making sure public companies maintain accurate financial records and implement control to prevent fraud
  • PCI-DSS (Payment card industry data security standard) Applies to any business handling credit card transactions Enforces 6 key security goals
  • 1. Maintain a secure network
  • 1. Manage vulnerabilities
    2. 1. Continuously monitor systems
    3. 1. Encrypt cardholder data
    4. 1. Enforce strict access controls
    5. 1. Have a robust information security policy

• Utilites

  • NERC-CIP (North american electric reliability corporation critical infrastructure protection) Ensures power companies have strong security practices in place
  • FERC (Federal energy regulatory commission) Oversees and enforces compliance in the energy industry

---

Industry standards Obj 1.3

Established guidelines and practices that organizations within a specific industry are expected to follow.

PCI-DSS payment card industry, keep CC data safe.

ISO-IEC 27K series NOT LEGALLY ENFORCED - 27001: Focuses on establishing, implementing, maintaining and continual improving and organizations information security management system (ISMS) - 27002: Focuses on security controls defined in 27001 - 27005: Information security risk management offering guidance on identifying and assessing risks to better protect sensitive information. - 27017: Cloud security - 27018: Protecting personal data in the cloud

DMA controls for "Gatekeepers" Regulating large tech companies Companies that control key digital services like online search engines, social networking, and app stories - FANG companies (Facebook/Meta, Amazon, Google, TikTok, Apple) - prevents companies to hold a monopoly - Anti-monopoly laws

---

Security Frameworks

• Foundational best practices Key frameworks and standards that help organizations protect data, manager risks, and stay secure across different industries. e.g, ISO-IEC, NIST, COBIT, PCI-DSS, COSO, GDPR, ITIL, CMMC,HIPAA
• Benchmarks
• Measureable standards Baselines, use a benchmark to compare to industry standards.
• CIS (Center for internet security benchmarks) Set of globally recognized, best practice securiyt configurations that help organizations secure thier systems and data against cyber threats. * Step by step guidelines.*

---

SOC2 (Security Organization Control Type 2)

Designed to ensure that companies, especially those offering cloud-based services handle customer data securely Created by CFA (Accountants) Audit in process that evaluates an organization's ability to manage and protect data across five key areas. Based on 5 principles 1. Availability 2. confidentiality 3. Process Integrity 4. Privacy 5. Security

SOC3 report is the public facing SOC2 report

TYPES: SOC2 TYPE 1: Assesses the design of an organization's controls for managing sensitive customer data at a specific point in time.

SOC2 TYPE 2: Evaluates not only design of the controls but also their operational effectiveness over a period of time, usually 6 to 12 months.

SOC3 Reports: Simplified public version of the more detailed SOC 2 report, designed for organizations that want to show that they have a strong security and data protection practices in place.

---

NIST (CSF) cyber security framework

Designed to be flexible across diffrent industries Five core functions 1. Identify: Asset management software such as , SolarWinds or Lansweeper is used to map out critical systems, hardware, and data. 2. Protect: Organization's rely on firewalls, encryption and access management solutions to control access and safeguard sensitive data. 3. Detect: Intrusion detection systems and security information and event management (SIEM) solutions to continuously monitor their networks for suspicious activity or potential threats. (splunk, snort) 4. Respond: IBM resilient , crowdstrike are used to contain security incidents, investigate root causes and notify the right personnel to handle the situation effectively. 5. Recover: Organizations rely on backup and recovery tools such as Veeam or Acronis to restore lost data and services after a security incident.

---

CSA (Cloud Security Alliance) framework

Set of guidelines and best practices designed to help organizations secure cloud computing environments Provides a way to manage and mitigate risks associated with cloud services. CSA STAR (Security, Trust , Assurance, and Risk) provides various certifications. Areas: Certificate for cloud service providers. 1. Data protection 2. Security management 3. Compliance

Two levels or certification: 1. Self Audit 2. Requires third-party audior

---

Privacy regulations

• COPPA (Children's online privacy act) in the US Requirements for website operators and online servcies for children under the age of 13
• LGDP (General data protection law) in Brazil
• CCPA (California consumer privacy act) In California US
• GDPR (General Data Protection Regulation) In the EUganization Control Type 2) Designed to ensure that companies, especially those offering cloud-based services handle customer data securely Created by CFA (Accountants) Audit in process that evaluates an organization's ability to manage and protect data across five key areas. Based on 5 principles
• Availability
• confidentiality
• Process Integrity
• Privacy
• Security

SOC3 report is the public facing SOC2 report

TYPES: SOC2 TYPE 1: Assesses the design of an organization's controls for managing sensitive customer data at a specific point in time.

SOC2 TYPE 2: Evaluates not only design of the controls but also their operational effectiveness over a period of time, usually 6 to 12 months.

SOC3 Reports: Simplified public version of the more detailed SOC 2 report, designed for organizations that want to show that they have a strong security and data protection practices in place.

---

NIST (CSF) cyber security framework

Designed to be flexible across diffrent industries Five core functions 1. Identify: Asset management software such as , SolarWinds or Lansweeper is used to map out critical systems, hardware, and data. 2. Protect: Organization's rely on firewalls, encryption and access management solutions to control access and safeguard sensitive data. 3. Detect: Intrusion detection systems and security information and event management (SIEM) solutions to continuously monitor their networks for suspicious activity or potential threats. (splunk, snort) 4. Respond: IBM resilient , crowdstrike are used to contain security incidents, investigate root causes and notify the right personnel to handle the situation effectively. 5. Recover: Organizations rely on backup and recovery tools such as Veeam or Acronis to restore lost data and services after a security incident.

---

CSA (Cloud Security Alliance) framework

Set of guidelines and best practices designed to help organizations secure cloud computing environments Provides a way to manage and mitigate risks associated with cloud services. CSA STAR (Security, Trust , Assurance, and Risk) provides various certifications. Areas: Certificate for cloud service providers. 1. Data protection 2. Security management 3. Compliance

Two levels or certification: 1. Self Audit 2. Requires third-party audior

---

Privacy regulations

• COPPA (Children's online privacy act) in the US Requirements for website operators and online servcies for children under the age of 13
• LGDP (General data protection law) in Brazil
• CCPA (California consumer privacy act) In California US
• GDPR (General Data Protection Regulation) In the EU