CompTIA Security+: security policies, regulations, standards, & frameworks

- Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders, users, and each other about security expectations and responsibilities. In some cases, we're setting forth mandatory rules that everyone in the organization must follow, while in other cases, we're simply giving advice. Each of these roles requires communicating a little bit differently. That's where the Security Policy Framework comes into play. Most security professionals recognize a framework consisting of four different types of document: policies, standards, guidelines, and procedures. Security policies are the bedrock documents that provide the foundation for an organization's information security program. They are often developed over a long period of time and are very carefully written to describe an organization's security expectations. Compliance with policies is mandatory and policies are often…


Job rotation: Job rotation helps in managing the work with different people, thus reducing any downtime when one of the employees has quit or is on leave. Further, job rotation gives the employee the opportunity to develop skills in a variety of changing jobs.

NDA: It is important to review the NDA (short for Non-Disclosure Agreement) that Company B has entered into with Company A. B can enter into an NDA with a third party (Company C) only if the NDA between the first and second party permits it. For example, if the NDA rules out sharing data with a third party, then B cannot enter into an NDA with C. It is important to verify whether the third-party provider has relevant experience; however, that is not the first thing to be considered. An NDA with the third party is subject to the NDA already entered into between the first two parties. Similarly, having security policies in place for C is not relevant at this point.

Example 1: A newly hired employee is asked to review the security of the computers within the company premises. What should he do first?

Solution: He needs to go through the security policy first. A company's security policy outlines the security measures to be taken. Implementing the security policy is the first thing that needs to be done.

Example 2: A security manager observed that the incoming inspection of material and the payment for it are done by the same person. He implemented a policy such that one employee does the incoming inspection of material and another employee does the payment processing. This is an example of security enhancement by separation of duties.

Agreement Types:

SLA (Service Level Agreement): A Service Level Agreement is a formal, negotiated document between two parties. It is a legal document that binds both parties during the tenure of the agreement. An SLA usually pertains to performance expectations such as uptime and mean time between failures.

BPA (Business Partners Agreement): It defines the relationship between business partners, including their roles and responsibilities toward the partnership.

MOU (Memorandum of Understanding): A memorandum of understanding (MoU) describes a bilateral or multilateral agreement between two or more parties.

ISA (Interconnection Security Agreement): It specifies requirements for establishing, maintaining, and disconnecting a secure connection between two parties.

In the context of risk management, three control classes are defined. These are Management (or Administrative), Technical, and Operational (or Physical). For each of these classes, there are four types of controls, namely Preventive, Detective, Corrective, and Compensating.

Account recertification: Account recertification refers to several account management principles. First, recertification refers to performing a periodic assessment of a user's responsibilities against their account permissions and rights, confirming the principle of least privilege. Recertification can also verify whether a user has the proper level of skill or knowledge to have access to a certain account type. Finally, recertification of an IT system's account management controls can also occur, validating whether a system adheres to proper levels of account security.

Federated identity: A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

Account maintenance: Account maintenance is the regular or periodic activity of reviewing and assessing the user accounts of an IT environment. Any accounts that are no longer required should be disabled, such as those used by previous employees or related to services that have been uninstalled.

Offboarding: Offboarding refers to the IAM (Identity and Access Management) processes surrounding the removal of an identity for an employee who has left the organization and its network.
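One way to turn the recertification, maintenance and offboarding principles above, together with the separation-of-duties policy from Example 2, into a repeatable review, as an added example that is not course material or any vendor's tool: the role names, the "erp.*" entitlement strings, and the HR and login data are all constructed for illustration.

```python
# Account recertification review over constructed sample data (added example).
from dataclasses import dataclass

# Hypothetical role baseline: entitlements each job role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "inspector": {"erp.receiving"},
    "accounts_payable": {"erp.payments"},
    "it_admin": {"erp.admin"},
}
# Duties one person must not hold together (the Example 2 policy above).
SOD_RULES = [({"erp.receiving", "erp.payments"},
              "incoming inspection and payment processing held by one user")]

@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    employed: bool          # current status from the HR feed
    days_since_login: int   # from authentication logs

def recertify(accounts, max_idle_days=90):
    """Return (user, action, reason) findings for one review cycle."""
    findings = []
    for acct in accounts:
        if not acct.employed:
            findings.append((acct.user, "disable", "owner no longer employed"))
            continue  # offboarding outranks the finer-grained checks
        if acct.days_since_login > max_idle_days:
            findings.append((acct.user, "disable", f"idle {acct.days_since_login} days"))
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
        if excess:  # least privilege: rights beyond what the role needs
            findings.append((acct.user, "revoke", f"beyond role {acct.role}: {sorted(excess)}"))
        for duties, reason in SOD_RULES:
            if duties <= acct.entitlements:  # separation of duties violated
                findings.append((acct.user, "sod", reason))
    return findings

def sample_accounts():
    """Constructed test data; every name and value is made up."""
    return [
        Account("alice", "inspector", {"erp.receiving"}, True, 3),
        Account("bob", "accounts_payable", {"erp.payments", "erp.receiving"}, True, 12),
        Account("carol", "it_admin", {"erp.admin"}, False, 140),
        Account("dave", "inspector", {"erp.receiving"}, True, 200),
    ]

if __name__ == "__main__":
    for user, action, reason in recertify(sample_accounts()):
        print(f"{action:8}{user:7}{reason}")
```

Running it lists carol for disabling (departed), dave for disabling (idle), and bob twice: once to revoke the receiving right his role does not need, and once as a separation-of-duties conflict.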

Roles and responsibilities

Multiple personnel in an organization are associated with the control and administration of data. These data roles include data owners, data controllers, data processors, data custodians/stewards, and users.

Data owners: All data elements in an organization should have defined requirements for security, privacy, retention, and other business functions. It is the responsibility of the designated data owner to define these requirements.

Data Controllers: The data controller is the person responsible for managing how and why data is going to be used by the organization.

Data Processors: The data processor is the entity that processes data given to it by the data controller. Data processors do not own the data, nor do they control it. Their role is the manipulation of the data as part of business processes.

Data custodian/steward: A data custodian or data steward is the role responsible for the day-to-day caretaking of data. The data owner sets the relevant policies, and the steward or custodian ensures they are followed.

Data Protection Officer (DPO): A data protection officer is a role within a company or organization whose responsibility is to ensure that the company or organization is correctly protecting individuals' personal data according to current legislation.

International Organization for Standardization (ISO) 27001/27002/27701/31000:

ISO 27001 is the international standard defining an information security management system (ISMS).
ISO 27001 is one of many related standards in the 27000 family. ISO 27002 is a document that defines security techniques and a code of practice for information security controls.
ISO 27701 is a privacy extension to the 27000 series and adds the requirements to establish and maintain a privacy information management system.

The ISO 31000 series is a set of guidelines, principles, framework, and process for managing risk. ISO 31000 addresses all forms of risk and its management, not just cybersecurity risk.

Payment Card Industry Data Security Standard (PCI-DSS) control objectives include:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an Information Security Policy

General Data Protection Regulation (GDPR): GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Non-compliance could cost companies dearly.

Cyber Security Framework (CSF): The CSF is designed to assist organizations in the early stages of planning their cybersecurity posture.

Center for Internet Security (CIS): CIS is a not-for-profit NGO that develops its own Configuration Policy Benchmarks (CPB).

What is the difference between SY0

CompTIA Security+ (SY0-601) has 35 exam objectives, compared to 37 on SY0-501. The difference is that the exam objectives for SY0-601 include more examples under each objective; the number of examples increased by about 25%. This was intentional, to help you better understand the meaning of each exam objective.

Is security plus 601 hard?

This exam is used to examine the basic level skills or the fundamental knowledge of the field. The CompTIA security+ SY0-601 exam is an entry-level exam, but it is a hard nut to crack. If you are looking for tips and tricks to pass the CompTIA security+ SY0-601 exam, this is the proper place for you.

How many questions is SEC+ 601?

Exam Code
Number of Questions: Maximum of 90 questions
Type of Questions: Multiple choice and performance-based
Length of Test: 90 minutes
Passing Score: 750 (on a scale of 100-900)

Should I take security plus 501 or 601?

Different Priorities: The SY0-601 exam has newer priorities when it comes to domains. The 'Attacks, Threats and Vulnerabilities' domain carries a 24% weighting, compared to 21% in the SY0-501. Also, the 'Architecture and Design' domain in the SY0-601 carries a 21% weighting, compared to 15% in the SY0-501.