
CompTIA CASP+ CAS-004 Exam Guide: A-Z of Advanced Cybersecurity Concepts, Mock Exams, Real-world Scenarios with Expert Tips (English Edition)
Ebook, 1,222 pages, 12 hours


About this ebook

CompTIA CASP+ certification evaluates advanced technical security skills, such as security engineering and operations, enterprise-level risk assessments and IT governance, and the implementation of secure systems and network design and controls.

This CASP+ certification guide enables security professionals to become proficient and certified in creating highly resilient enterprise systems and networks that adhere to regulatory requirements. It contains real-world scenarios, practice tests, and numerous troubleshooting tips. Readers are instructed to create and construct security architectures for diverse business requirements. The book teaches how to create robust security methods for traditional, cloud, hybrid, and virtual environments. Readers learn how to set up application vulnerability controls, such as sandboxing, database security, and firmware security, and reduce their risks. Towards the end, readers can investigate various cryptography approaches such as hashing, code signing, SMIME, PKI, and DRM watermarking.

Every chapter of this CASP+ study guide is dedicated to helping the reader develop the practical, performance-based skills necessary to succeed in the exam.
Language: English

Release date: Jun 28, 2022

ISBN: 9789355512703



    CompTIA CASP+ CAS-004 Exam Guide - Dr. Akashdeep Bhardwaj

    CHAPTER 1

    Introduction to CASP

    Introduction

    The CompTIA Advanced Security Practitioner (CASP) certification is a popular security certification. There are several popular vendor-specific certifications in the IT industry, but CASP is a unique, vendor-neutral certification. This certification is a stepping-stone to other specialized, vendor-specific certifications. CASP exam topics are generic and apply to several varied security technologies, irrespective of the vendors. This book has multiple examples of vendor tools, configurations, and technologies. For specific vendor products, training regarding that vendor hardware, device, or software can be found in training specific to that vendor.

    Structure

    In this chapter, we will cover the following topics:

    Objectives of the book and CASP certifications

    Intended audience

    Steps to exam preparation: The process involved in achieving the CASP certification

    Exam details and objectives: These include details and information about the exam, time, questions, recommended experience, and the domain breakup

    Exam topics: Describes the chapters and subtopics that are covered

    Book objectives

    The objective of this book is to help you understand the topics and technologies covered by the CASP blueprint from CompTIA. It will enhance your knowledge and help you reach the goal of passing the CASP exam. To help you understand the CASP certification objectives, the chapters provide the following:

    Opening topics list, which defines all the topics covered in that chapter.

    Key topic icons indicate the important figures, tables, or information. These icons are available throughout the chapters and are also summarized in a table format at the end.

    Memory tables help memorize the important information for the CASP topics.

    Key terms are listed at the end of each chapter; try to learn and understand the definitions of each term and check your understanding of that chapter.

    This book will summarize external and business influences on security, compare organizational security policies and procedures, analyze and perform risk mitigations and controls, integrate network and OS architecture to comply with security requirements, and design and select appropriate security controls.

    Intended audience

    Readers of this book range from those aiming for a specialist or lead role in the IT security domain to those who want to sharpen their technical skills for new project roles, or who need the certification because their organization mandates the new CASP exam. Those planning to acquire further certifications beyond CASP, such as CISSP or CISM, will also find this book useful.

    The book is designed to offer an easy transition to future certifications for experienced security architects, security specialists, technical leads, and security application engineers who want to build on their work experience and grow in their security careers.

    To be successful in this certification, first you will need to bring your work experience: CompTIA recommends a minimum of ten years of general hands-on IT experience, with at least five of those years in hands-on IT security. The expectation is that you build and use a home lab of virtual machines and tools, which gives you an environment in which to build, break, and test your security skills. This covers network security, operating systems, cloud, governance, risk, and a wide range of security tools. Practitioners learn to analyze a real-world scenario involving cloud, virtualization, networks, servers, applications, and end-user systems, select and implement appropriate security controls, and perform assessments and recovery procedures at the enterprise level.

    Steps to exam preparation

    The suggested strategy while preparing for the CASP exam is to read and understand the book chapters and take notes of key topics and concepts in a notebook. It is highly advisable to download the latest CASP exam objectives from the CompTIA certification site at http://certification.comptia.org/examobjectives.aspx.

    Practice exams have been included in this book and you are recommended to attempt the practice exams, find out areas where you lack confidence, and review the specific concepts. After you review those specific areas, re-attempt the practice exams a second time to rate yourself. As you attempt the exams, you will become familiar with the terms, questions, and keywords. After a few attempts, you would feel confident in your understanding and skills. Then, schedule the CompTIA CASP exam from a center near you. Refer to Pearson VUE for any information when planning to register for the exam at www.pearsonvue.com/comptia.

    Exam Details:

    Maximum questions: 90

    Type of questions: Multiple-choice (MCQ) and performance-based

    Test duration: 165 minutes

    Recommended experience:

    Minimum of ten years of general hands-on IT experience, with at least five of those years being broad hands-on IT security experience

    Network+, Security+, CySA+, Cloud+, and PenTest+ or equivalent certifications

    Pass score: Pass/Fail only

    Exam objectives

    Table 1.1 lists the domains measured by this examination and the extent to which they are being represented:

    Table 1.1: Exam domains

    Exam topics description

    The exam chapter descriptions are mentioned in the following section, which lists the chapter names along with the objectives, descriptions, and keyword topics for each chapter.

    Chapter 1: Introduction to CASP+ exam

    Description: This chapter introduces CompTIA Advanced Security Practitioner (CASP+) certification, describing CASP sponsoring bodies, goals, and the value of CASP as a career and business driver. The official objectives covered on the CASP exam and steps to become CASP are explained along with the information on the CompTIA certification exam policies. This book presents the topics with detailed subject contents, including key learnings and essential keywords at the end of each chapter.

    Exam topics covered:

    CASP goals

    Target audience

    Steps to CASP

    Exam topics description

    Chapter 2: Business and Industry Trends, Influences, and Risks

    Description: Security and IT teams don’t operate independently; the work and tasks are highly influenced by the organization’s business objectives, which define the IT roadmap and decisions. However, factors outside the enterprise’s control, like constant attacks, technology changes and upgrades, regulations, and compliance add to the complexity of securing the organization’s security ecosystem. This chapter includes the various security technology and market trends, influences, and global risks affecting IT security.

    Exam topics covered:

    Business and industry influences

    External and internal factors

    New and changing business models/strategies

    Risk management

    Dynamic business models

    New strategies

    Security concerns during integration

    External and internal influence

    De-Perimeterization

    Chapter 3: Organizational Security Policies and Documents

    Description: IT security policy and governance procedures are implemented to secure organizational assets. This chapter presents the creation, implementation, and management of the security policy life cycle. Use of business contracts for service level agreements and project documents to support security are also covered.

    Exam topics covered:

    Organization security policies

    Enterprise security procedures

    Security process life cycle management

    Business documents for security management

    Legal support and compliance

    Research security requirements

    Privacy principles

    Chapter 4: Risk Mitigation Strategies

    Description: Security teams ensure organizations have proper risk mitigation strategies and controls in place. Using risk management frameworks helps identify and implement the appropriate controls. This chapter covers the steps involved in risk mitigation, which include asset identification, CIA triad, determination of threats, the likelihood of attacks, implementing countermeasures, and conducting a risk analysis to determine the security threshold level.

    Exam topics covered:

    Asset classification

    Threat identification

    Risk determination

    Countermeasures and controls

    CIA-impact decisions

    Aggregate score for security controls

    Worst case scenario

    Technical to business risk

    Risk controls

    Business continuity planning

    Chapter 5: Enterprise Risk Measurement and Metrics

    Description: Securing an organization should be assigned the highest priority, yet the business and senior management need to be convinced to allocate budget and resources for ensuring top-notch security. Security heads need to justify implementing security controls or buying new security technologies. After the security controls have been implemented, this chapter presents the review and assessment of the effectiveness of the risk controls by gathering and analyzing the risk metrics. The results are further interpreted for future trends, existing security levels, and trends against industry standards and baselines.

    Exam topics covered:

    Effective security control review

    Create risk metrics

    KPI, RCO, TCO

    Compare security baselines

    Anticipate future needs

    Risk review of controls

    Analyze metrics

    Benchmarks

    Baselines

    Data analysis and interpretation

    Judgmental solutions

    Chapter 6: Components of Network Security

    Description: Any organization seeks to implement a secure architecture for its network infrastructure. A secure design requires an understanding of the organization’s services and delivery components, such as servers and networks, that the design must include. To implement security features, IT teams need to account for users’ ease of use, performance, cost, and security standards and principles. This chapter presents the building blocks for implementing a secure architecture for enterprises and critical infrastructures, including physical, virtual, and network devices.

    Exam topics covered:

    Physical and virtual network devices

    Application-aware technologies

    Secure and complex traffic flow

    Network management

    Critical infrastructure

    Security zones

    Network components

    Complex network security

    Software-defined networks

    Critical systems

    Chapter 7: Securing Host Systems and Devices

    Description: Securing an enterprise does not stop at network traffic monitoring, since cyberattacks exploit servers and user systems (hosts). This chapter presents the various controls for protecting and securing servers and user systems, including the use of a trusted OS, bootloader security, OS hardening, and endpoint security vulnerabilities.

    Exam topics covered:

    Trusted OS

    Bootloader security

    OS hardening process

    Endpoint security

    Hardware & software vulnerabilities

    Application delivery

    Terminal services

    Chapter 8: Secure Storage Controls

    Description: Most organizations implement network security controls and perform audits as security assessments. If every component of the organization is not included, the assessment is incomplete and leaves the organization exposed. This chapter presents a defense-in-depth strategy that should cover physical, virtual, cloud, on-premise, and user devices connecting to the office network, along with the assessment tools for performing security assessments at all levels.

    Exam topics covered:

    Storage controls

    Cloud storage

    Geotagging

    Wearable technologies

    Encrypted and unencrypted communication

    Resource provisioning and de-provisioning

    Data flow security

    Resilience issues

    Data security considerations

    Cloud and on-premise data security

    Chapter 9: Internet of Things

    Description: Disruptive new-age devices and their related technologies have changed how work is done and have created new options for using technology in offices, homes, healthcare, manufacturing, agriculture, and other domains. While such technologies are revolutionary, they are not always secure: security is rarely the primary focus in the rush to bring disruptive technology to market. Organizations and users adopting such cutting-edge ‘things on the internet’ often ride the bleeding edge of the technology.

    Exam topics covered:

    Internet of things

    Insecure IoT deployments

    IoT security challenges and requirements

    Managing IoT security services

    Future IoT security

    Wearable devices

    Chapter 10: Cloud and Virtualization Security

    Description: The primary focus of cloud computing was to ensure resources were available via web-based data centers accessible from any location. Virtualization of servers and network devices became a key to reducing the physical footprint in data centers. This enabled software applications, hardware infrastructure, and computing environments for multi-tenants. It changed the landscape and brought about cloud and virtual server security issues.

    Exam topics covered:

    Cloud architecture and design

    Cloud data security

    Cloud application security

    Virtualization operations

    Technical deployment models

    Virtualization advantages and disadvantages

    Cloud augmented security services

    Host provisioning and De-provisioning

    Chapter 11: Application Vulnerability Controls

    Description: Enterprise security controls and mitigations must be assessed, upgraded, or implemented using the latest security technologies, because technology changes quickly to keep up with new, sophisticated attacks and risks. Applications need to be designed using secure development and coding practices, and trained professionals must understand the new attack trends and the security controls available for applications. This chapter covers the security activities across IT lifecycles, including ongoing best practices to implement application vulnerability controls and mitigate application vulnerabilities.

    Exam topics covered:

    Application security design

    Security issues in applications

    Sandboxing

    Database security

    Firmware security

    Design considerations

    Web application firewalls

    Client-server side

    Encrypted enclaves

    Database monitoring

    OS and firmware vulnerabilities

    Chapter 12: Security Assessments

    Description: Before securing an organization’s infrastructure, its security weaknesses and gaps need to be analyzed. A vulnerability assessment of the current state of the infrastructure reveals the existing weaknesses, and resolving them requires multiple methods and assessment tools. This chapter discusses the different types of assessments and the weakness each is designed to reveal, as well as methods for finding security weaknesses that those tools cannot discover.

    Exam topics covered:

    Reconnaissance

    Fingerprinting

    OSINT

    Social engineering

    Malware sandboxing

    Memory dumping

    Runtime debugging

    Vulnerability scan

    Penetration testing

    Assessment methods and types

    Chapter 13: Selecting Vulnerability Assessment Tools

    Description: Network and OS security typically means implementing hardening and rule sets; however, vulnerability assessment involves a lot more. Proper security cannot be achieved without sufficient network and physical security, so a defense-in-depth strategy with layered security is applied at the network, host, and physical levels. This chapter looks at the vulnerability assessment tools used to perform assessments at each of these levels.

    Exam topics covered:

    Port scanners

    Protocol analyzers

    Application interceptors

    Exploitation frameworks

    Visualization tools

    Log analysis tools

    Physical security tools

    Analysis tools

    Chapter 14: Securing Communication and Collaborative Solutions

    Description: Office staff working from home or remote areas are increasingly relying on new methods of communication and collaborations to work together, even as enterprises are adopting these new technologies in the environments. This change has introduced new security concerns, and there is a high priority focus on implementing controls and mitigating these security issues. This chapter describes these new collaborative technologies and security issues and suggests mitigation methods to secure these new workflow processes.

    Exam topics covered:

    Remote access

    Unified collaboration

    VoIP, Web, and video integration

    Chapter 15: Implementing Cryptographic Techniques

    Description: Cryptography is a crucial factor in protecting data at rest and in transit. Of the CIA triad (confidentiality, integrity, and availability), cryptography provides confidentiality and integrity but does not provide availability; it also provides authentication of a message’s origin. By protecting integrity, it detects fraudulent insertion, modification, or deletion of data, and through digital signatures it provides non-repudiation by giving proof of origin. These concepts are discussed in this chapter.

    Exam topics covered:

    SSL/TLS

    Cryptographic applications

    Hashing

    SMIME/Message authentication

    Code signing

    DRM watermarks

    PKI
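    The distinction drawn above (cryptography gives integrity and authentication, not availability, and proof of origin is what makes non-repudiation possible) is easier to see in code. The following Python script is an added example and is not code from the book: it compares an unkeyed SHA-256 integrity tag, which an attacker can simply recompute after altering a message, with an HMAC, which cannot be forged without the shared key. The message text and the keys are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages for the demonstration (assumption, not data from the book).
ORIGINAL = b"PAY 100.00 TO ACCT 1234"
TAMPERED = b"PAY 999.00 TO ACCT 9999"


def sha256_tag(message: bytes) -> bytes:
    """Unkeyed integrity tag. Anyone, including an attacker, can compute it for any message."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256). Only a holder of `key` can produce a valid one."""
    return hmac.new(key, message, hashlib.sha256).digest()


def tags_match(expected: bytes, presented: bytes) -> bool:
    """Constant-time comparison, so verification time does not leak how many leading bytes matched."""
    return hmac.compare_digest(expected, presented)


def hash_only_scenario() -> dict:
    """Sender transmits (message, sha256(message)); an on-path attacker can rewrite both."""
    sent_tag = sha256_tag(ORIGINAL)
    # Case 1: the message is altered but the tag is left as sent -> mismatch, caught.
    corruption_detected = not tags_match(sha256_tag(TAMPERED), sent_tag)
    # Case 2: the attacker replaces the tag with sha256(TAMPERED) -> the verifier is fooled.
    forged_tag = sha256_tag(TAMPERED)
    forgery_detected = not tags_match(sha256_tag(TAMPERED), forged_tag)
    return {"corruption_detected": corruption_detected, "forgery_detected": forgery_detected}


def hmac_scenario() -> dict:
    """Sender and receiver share a secret key that the attacker does not have."""
    key = secrets.token_bytes(32)
    sent_tag = hmac_tag(key, ORIGINAL)
    genuine_accepted = tags_match(hmac_tag(key, ORIGINAL), sent_tag)
    corruption_detected = not tags_match(hmac_tag(key, TAMPERED), sent_tag)
    # The attacker's best effort without the key: a tag computed under a key of their own.
    attacker_key = secrets.token_bytes(32)
    forged_tag = hmac_tag(attacker_key, TAMPERED)
    forgery_detected = not tags_match(hmac_tag(key, TAMPERED), forged_tag)
    return {
        "genuine_accepted": genuine_accepted,
        "corruption_detected": corruption_detected,
        "forgery_detected": forgery_detected,
    }


if __name__ == "__main__":
    print("hash only:", hash_only_scenario())
    print("hmac     :", hmac_scenario())
```

    Note that an HMAC still does not give non-repudiation: sender and receiver hold the same key, so either of them could have produced the tag. Proof of origin that a third party can check requires a digital signature under a private key, which is where the PKI, code signing, and S/MIME topics above come in. Every comparison goes through hmac.compare_digest so that verification time does not depend on where the first mismatching byte sits.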

    Chapter 16: Identification, Authentication, and Authorization

    Description: Identifying users and devices and determining the actions permitted by a user or device form the foundation of access control models. While this paradigm has not changed since the beginning of network computing, the methods used to perform this important set of functions have changed greatly and continue to evolve. This chapter covers evolving technologies and techniques that relate to authentication and authorization.

    Exam topics covered:

    User identification processes

    User validation and authentication

    Authorization

    Chapter 17: Security Incidents and Response

    Description: To monitor and detect security incidents, and then investigate and respond to them, organizations run in-house or outsourced security operations. The incident response plan is a well-defined document that states the actions to be performed during an attack or breach and serves as the baseline for recovering operations and returning to normal activity. It helps security analysts recognize security incidents or anomalies and gives them a process to respond. Over time, every organization records the attacks it faces and its responses to build a baseline against which it measures the effectiveness of its security operations and incident response.

    Exam topics covered:

    Asset identification

    Security operations

    Data risks and breaches

    Incident response

    Post-incident recovery

    Chapter 18: Integrating Hosts, Networks, Storage, and Applications

    Description: Organizations strive to integrate and secure end-user systems, hosts, networks, applications, and storage. The security practitioner ensures that the appropriate security controls are implemented. This includes secure data flows, security standards, handling the increasing reliance on technologies when integrating enterprise-level systems into networks with data storage, and enabling application integration.

    Exam topics covered:

    Adapt data flow security

    Interoperability issues

    Resilience and heterogeneous components

    Design considerations during M&A

    Security standards

    Chapter 19: Security Activities across Technology Lifecycle

    Description: When managing the security of an enterprise, security practitioners need to consider security across the entire technology life cycle. As the enterprise grows, new devices and technologies are introduced, maintained, or retired. Security practitioners need to ensure that the appropriate security controls are deployed at each stage. Providing security across the technology lifecycle includes understanding both the system development life cycle and secure software development practices.

    Exam topics covered:

    System development lifecycle

    Secure software development

    Asset inventory and control

    Adopting disruptive technologies

    Chapter 20: CASP+ Skill Assessment Exam-I

    Description: This chapter presents 90 exam-preparation practice questions, with answers, in multiple-choice form.

    Exam topics covered:

    MCQs for chapters one to ten with answers

    Chapter 21: CASP+ Skill Assessment Exam-II

    Description: This chapter presents 90 exam-preparation practice questions, with answers, in multiple-choice form.

    Topics Covered:

    MCQs for chapters eleven to nineteen with answers

    Chapter 22: Study Plan

    Description: Time to move from studies and gathering knowledge to action; this section presents a study planner, which includes topics, task dates started and completed, and notes.

    Topics covered:

    Study plan

    Status schedule

    Sample practice questions

    The following are a few exam questions picked verbatim from CompTIA’s portal to give you an idea of the type of questions you may face during the exam.

    Reference: https://www.comptia.org/training/resources/practice-tests/casp-practice-questions

    Question 1: The highest priority security-related concern for BYOD is

    The filtering of sensitive data out of data flows at geographic boundaries

    Removing potential bottlenecks in data transmission paths

    The transfer of corporate data onto the mobile corporate device

    The migration of data into and out of the network in an uncontrolled manner

    Question 2: Your IT Security Head or the CISO is concerned that systems administrators with privileged access may be reading other users’ emails. A review of a tool’s output shows the administrators have used webmail to log into other users’ inboxes. Which of the following tools would show this type of output?

    Log analysis tool

    Password cracker

    Command-line tool

    File integrity monitoring tool

    Question 3: A power outage is caused by a severe thunderstorm and a facility is on generator power. The CISO decides to activate a plan and shut down non-critical systems to reduce power consumption. Which of the following is the CISO activating to identify critical systems and the required steps?

    BIA

    CERT

    IRP

    COOP

    Question 4: A pharmaceutical company is considering moving its technology operations from on-premises to externally hosted to reduce costs while improving security and resiliency. These operations contain data that includes the prescription records, medical doctors’ notes about treatment options, and the success rates of prescribed drugs. The company wants to maintain control over its operations because many custom applications are in use. Which of the following options represent the MOST secure technical deployment options? (Select THREE).

    Single tenancy

    Multi-tenancy

    Community

    Public

    Private

    Hybrid

    SaaS

    IaaS

    PaaS

    Question 5: Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

    NDA

    MOU

    BIA

    SLA

    Question 6: During a security assessment, activities were divided into two phases: internal and external exploitation. The security assessment team set a hard time limit on external activities before moving to a compromised box within the enterprise perimeter. Which of the following methods is the assessment team most likely to employ NEXT?

    Pivoting from the compromised, moving laterally through the enterprise, and trying to exfiltrate data and compromise devices

    Conducting a social engineering attack attempt with the goal of accessing the compromised box physically

    Exfiltrating network scans from the compromised box as a precursor to social media reconnaissance

    Open-source intelligence gathering to identify the network perimeter and scope to enable further system compromises

    Question 7: During the decommissioning phase of a hardware project, a security administrator is tasked with ensuring no sensitive data is released inadvertently. All paper records are scheduled to be shredded in a crosscut shredder, and the waste will be burned. The system drives and removable media have been removed before e-cycling the hardware. Which of the following would ensure no data is recovered from the system drives once they are disposed of?

    Overwriting all HDD blocks with an alternating series of data

    Physically disabling the HDDs by removing the drive head

    Demagnetizing the hard drive using a degausser

    Deleting the UEFI boot loaders from each HDD

    Question 8: A Chief Information Security Officer (CISO) is reviewing the controls in place to support the organization’s vulnerability management program. The CISO finds patching and vulnerability scanning policies and procedures are in place. However, the CISO is concerned the organization is siloed and is not maintaining awareness of new risks to the organization. The CISO determines systems administrators need to participate in industry security events. Which of the following is the CISO looking to improve?

    Vendor diversification

    System hardening standards

    Bounty programs

    Threat awareness

    Vulnerability signatures

    Question 9: While attending a meeting with the human resources department, an organization’s information security officer sees an employee using a username and password written on a memo pad to log into a specific service. When the information security officer inquires further as to why passwords are being written down, the response is that there are too many passwords to remember for all the different services the human resources department is required to use. Additionally, each password has specific complexity requirements and different expiration timeframes. Which of the following would be the BEST solution for the information security officer to recommend?

    Utilizing MFA

    Implementing SSO

    Deploying 802.1X

    Pushing SAML adoption

    Implementing TACACS

    Question 10: A security engineer is managing operational, excess, and available equipment for a customer. Three pieces of expensive leased equipment, which are supporting a highly confidential portion of the customer network, have recently been taken out of operation. The engineer determines the equipment lease runs for another 18 months. Which of the following is the BEST course of action for the engineer to take to decommission the equipment properly?

    Remove any labeling indicating the equipment was used to process confidential data and mark it as available for reuse.

    Return the equipment to the leasing company and seek a refund for the unused time.

    Redeploy the equipment to a less sensitive part of the network until the lease expires.

    Securely wipe all device memory and store the equipment in a secure location until the end of the lease.

    CASP Answers:

    Question 1

    D. The migration of data into and out of the network in an uncontrolled manner

    Question 2

    A. Log analysis tool

    Question 3

    D. COOP (a continuity of operations plan identifies the critical systems and the steps needed to keep them running on reduced resources; a BIA is the analysis that feeds such a plan rather than something that is activated, and an IRP addresses security incidents, not a weather-related outage)

    Question 4

    A. Single tenancy, E. Private, and H. IaaS

    Question 5

    D. SLA

    Question 6

    A. Pivoting from the compromised, moving laterally through the enterprise, and trying to exfiltrate data and compromise devices

    Question 7

    C. Demagnetizing the hard drive using a degausser

    Question 8

    D. Threat awareness

    Question 9

    B. Implementing SSO

    Question 10

    D. Securely wipe all device memory and store the equipment in a secure location until the end of the lease.
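    Question 2 above turns on what a log analysis tool would show. As an added example that is not part of the book, the Python script below parses a constructed webmail audit log in a hypothetical key=value format and flags successful sessions in which a privileged account opens a mailbox that is not its own. The log lines, the account names, and the privileged-account list are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set

# Constructed sample audit lines in a hypothetical key=value webmail format
# (assumption for the demonstration, not any real product's log format).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=jsmith mailbox=jsmith action=login src=10.0.0.5 result=ok
2024-03-04T09:13:44Z user=admin.kd mailbox=admin.kd action=login src=10.0.0.9 result=ok
2024-03-04T09:15:02Z user=admin.kd mailbox=ceo action=login src=10.0.0.9 result=ok
2024-03-04T09:15:40Z user=admin.kd mailbox=ceo action=read_message src=10.0.0.9 result=ok
2024-03-04T09:20:11Z user=helpdesk1 mailbox=jsmith action=login src=10.0.0.22 result=denied
2024-03-04T09:31:27Z user=asmith mailbox=jsmith action=login src=10.0.0.31 result=ok
this line is deliberately malformed and must be skipped rather than crash the parser
"""

# Assumption: in practice the privileged (systems administrator) accounts come from the directory.
PRIVILEGED: Set[str] = {"admin.kd", "helpdesk1"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mailbox=(?P<mailbox>\S+) "
    r"action=(?P<action>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str      # the authenticated account
    mailbox: str   # the mailbox that account acted on
    action: str
    src: str


def parse_events(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def cross_mailbox_access(log_text: str, privileged: Set[str]) -> List[Finding]:
    """Successful events where a privileged account acted on a mailbox that is not its own."""
    findings: List[Finding] = []
    for ev in parse_events(log_text):
        if ev["result"] != "ok":
            continue  # denied attempts are a separate (failed-access) signal
        if ev["user"] == ev["mailbox"]:
            continue  # users reading their own mail is normal
        if ev["user"] not in privileged:
            continue  # non-admin delegate access needs a different policy check
        findings.append(Finding(ev["ts"], ev["user"], ev["mailbox"], ev["action"], ev["src"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Map each flagged admin account to the set of other users' mailboxes it touched."""
    touched: Dict[str, Set[str]] = {}
    for f in findings:
        touched.setdefault(f.user, set()).add(f.mailbox)
    return touched


if __name__ == "__main__":
    hits = cross_mailbox_access(SAMPLE_LOG, PRIVILEGED)
    for f in hits:
        print(f"{f.ts} {f.user} -> {f.mailbox} ({f.action}) from {f.src}")
    print(summarize(hits))
```

    On the sample data the two flagged events are the admin account logging into and reading from the ceo mailbox; the denied helpdesk attempt and the non-privileged delegate access are left out by design. Before a finding like this is escalated it should be correlated with an approved ticket or delegation record, since legitimate mailbox access by administrators does occur.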

    CHAPTER 2

    Business and Industry Trends, Influences, and Risks

    Introduction

    In this chapter, we will learn about the challenges presented by constant yet dynamic business changes. The security and IT departments do not operate in silos: their tasks and aims are influenced by the organization’s business objectives and corporate policies, which guide and alter decisions. The job of security and IT professionals is made more difficult by additional considerations introduced by factors outside the enterprise or outside their control, such as legal regulations, partnerships, and technical concerns. Add the introduction of new, untested, and unfamiliar technologies, and there is a perfect prescription for a security incident waiting to happen.

    This chapter covers the security risks introduced by the dynamic business influences, along with some actions that are taken to minimize the risks.

    Structure

    In this chapter, we will cover the following topics:

    Risk management from new technology partnerships, outsourcing, cloud, acquisition/merger and divestiture/demerger

    Policies, regulations, and geographical trends

    Competitors, auditors/audit findings, regulatory entities

    Internal and external client requirements, and top-level management

    Impact of telecommuting, cloud, mobile, BYOD, and outsourcing

    Ensuring third-party providers have requisite levels of information security

    Objective

    After studying this chapter, you will understand the challenges presented by risks from new products, businesses, and technologies, as well as from new partnerships, outsourcing, and acquisitions and mergers. Security concerns arising from the cloud, from internal and external factors, and from constantly changing edge network boundaries are also discussed in this chapter.

    Risk management of new technologies

    For security experts, the list of new products, technologies, collaborations, and user behaviors is never-ending. It is neither conceivable nor advisable to halt the technological tide, but it is always necessary to manage the associated hazards. Every new technology and behavior must be thoroughly examined as part of a systematic risk management procedure. The most important takeaway from this chapter is that risk management is a circular, never-ending activity. While the approach should result in a risk profile for each activity or technology, keep in mind that the elements that affect risk profiles and technology profiles are continually changing. When a company decides to implement new cutting-edge technology, there are always worries regarding the system’s maintenance and support. This is especially true for software applications; for instance, what would happen if the software provider shuts down or goes out of business? Include a source code escrow provision in the contract to alleviate this worry: a third-party provider holds the source code and, if the vendor goes out of business, is accountable for giving the client the most recent version of it.

    To improve user performance, it is important to stay on top of changes in the tasks that users perform on a daily basis. For example, if an organization’s users are increasingly using chat sessions rather than email to discuss sensitive issues, securing instant messaging communications becomes just as important as securing email systems.

    To stay up to date with the ever-changing work habits of users, security teams should monitor user activity frequently to uncover new threat vectors and to protect the organization as the risk regions expand and change. Figure 2.1 illustrates the new trends in the IT domain. These reveal new performance-enhancing techniques used by office workers, as well as potentially dangerous habits such as writing passwords on sticky notes. Security policies and user awareness training help to reduce, dissuade, and avoid hazards. The aim is to proactively anticipate harmful user behaviors by monitoring emerging mobile trends, such as cloud usage. Refer to Figure 2.1, which illustrates the upcoming technology trends:

    Figure 2.1: Upcoming technology trends

    Changing business models

    The way an organization does business with others is the major cause of change in the risk profile associated with a process or a specific activity. The organization’s security is influenced in some manner as new partnerships and collaborations are created, as assets are added or lost, and as new technologies are introduced as a result of mergers or demergers. Establishing formal or informal connections with other organizations necessitates the interchange of sensitive data and information, which inevitably results in new security concerns. The security procedures that must be followed while managing sensitive data sent between the two parties are spelled out in a third-party connection agreement (TCA). This agreement is used whenever the relationship requires relying on another organization to protect corporate data. Organizational collaborations do not always entail the exchange of sensitive information; they may instead involve the provision of a shared service. These can be created between comparable organizations in the same industry or with third-party affiliates. The TCA defines the parties’ duties for securing data, connections, and sensitive information, regardless of the nature of the partnership. Learners should research and study the following security organizations, which have adjusted their business models in response to the shifting trends:

    Clear Biometrics https://www.clearme.com/

    Onfido https://onfido.com/

    Stanley Security https://www.stanleysecurity.com/

    Telstra https://www.telstra.com.au/

    TSA https://www.tsa.gov/

    Outsourcing and partnerships

    Outsourcing labor to third-party providers introduces liability, which many firms overlook when performing risk assessments. Outsourcing agreements must guarantee that information entrusted to third parties is continuously secured by appropriate security procedures that meet legal and regulatory standards. Figure 2.2 presents the IT outsourcing contract and procurement processes; third-party outsourcing agreements must be codified through such processes. Organizations should establish contract and procurement management processes to guarantee that regulatory and legal obligations are satisfied. Periodic audits confirm that the contracted vendor organizations are adhering to the contract’s terms. Refer to Figure 2.2, which illustrates the IT outsourcing models:

    Figure 2.2: IT outsourcing models

    Outsourcing can become a problem for a corporation when a vendor subcontracts a function to another third party. In that case, the firm that owns the data should immediately cancel the contract with the vendor if the vendor cannot show an agreement with the subcontractor that assures appropriate security for any data the subcontractor handles. When functions are distributed among numerous providers, the risks associated with outsourcing can be exacerbated. The separation of tasks among providers has a negative influence on strategic architecture: vendor management expenses rise, limiting the organization’s ability to respond to changing market conditions; internal IT system expertise dwindles, limiting future platform development; and because security restrictions and upgrades must be implemented across organizational boundaries, they take longer. Finally, when outsourcing crosses national borders, other challenges emerge, since the laws of some countries are more stringent than those of others.

    Cloud computing trends

    The regulations of many countries and regulatory organizations must be addressed when it comes to cloud computing trends and cloud security, particularly regarding where data originates and where it is stored. Because the laws in some nations are less stringent, businesses may be hesitant to do business with providers located there. Regulatory compliance and the security level of the environment, for example restrictions on credit and debit card data handled by shared hosting providers or by providers outside the nation that do not follow PCI DSS, impede the use of the public cloud. Refer to Figure 2.3, which illustrates the cloud computing trends:

    Figure 2.3: Cloud Computing Trends

    Instead, a private cloud hosted on-site within the firm should be explored. Security concerns, cloud benefits, and drawbacks must be outlined for each option, and a path forward should be recommended. Elasticity is a feature of cloud deployments, since virtual resources are commissioned and decommissioned on the fly over a shared resource pool. The hardware platforms used are not disclosed to the organizations. Another risk is that data may be recovered from decommissioned hardware for some time after it was stored on that platform. Hybrid clouds combine public and private environments that are separate but interconnected. For example, an organization’s data might be stored on a private cloud that links to a public cloud-based business intelligence platform, and when demand exceeds the capacity of the private cloud, the organization may use a public cloud provider to access the services. In a community cloud, a third party or a cross-company team serves as the supplier for enterprises that share a common objective. A community cloud may be beneficial to everyone involved because the overall cost is split among the participating organizations.

    Merger and acquisition influences

    Networks are joined, server systems and applications are integrated, and new infrastructures are occasionally created during mergers and acquisitions. Such conditions offer an opportunity to reconsider how the linked infrastructures are safeguarded. However, if one business uses different hardware manufacturers, network designs, or rules and processes from the others, things get difficult. During the integration planning and discussions, all parties must consider security issues. This is known as the due diligence phase, which allows you to analyze and comprehend every area of the other company’s activities. Then, with a thorough understanding of the integrated infrastructure environment obtained ahead of time to assure security, a suitable merger or acquisition is achievable. Penetration testing on both sides is required prior to merging the networks, so that both businesses have a comprehensive grasp of the current and future hazards. An interconnection security agreement (ISA) that includes a full risk analysis of the acquired organization’s whole operating ecosystem is recommended. Systems and equipment that do not meet the requirements for compliance and security must be removed, changed, or rebuilt.

    When a corporation splits off or demerges sections of itself, a spin-off is executed, with the demerger resembling a divorce. The impacted parties or agencies must agree upon which entity’s assets, services, and infrastructure will be used. This normally entails removing all data from systems and reviewing security measures on both sides in preparation for the upgraded architecture. When components of an organization are sold to another firm, the parent company should verify that only the necessary data is transmitted to the acquiring company and nothing else. The hazard of integrated networks during the transition phase is the greatest risk faced by an organization selling a unit to another firm or acquiring a unit from another company. It is vital to identify the data flows between the companies involved, and any data flow that is not required should be avoided. To achieve secure mergers or demergers, a due diligence team made up of professionals from both firms must be formed. This group is in charge of establishing a strategy for assessing current security measures as well as monitoring the process at each stage. The team also looks for security overlaps and gaps between the two integrating units. A risk profile should be built for each identified risk, including the risks of transferring data, and the remediation procedures prioritized to identify those that require immediate attention. Auditors and compliance teams must ensure that security procedures and frameworks are in sync.

    Data ownership

    A changing business model has an impact on data ownership. Management must make judgments about data ownership based on the business model being used. Security experts must assess whether data will remain under independent ownership or be integrated as part of a corporate purchase or merger. If a data merge is to take place, a strategy detailing the actions involved in the merge should be created. Management must select which organization will control the data in a corporate sale or demerger. To guarantee that the required data is collected effectively, detailed plans and processes must be created.

    Data reclassification

    Security professionals need to examine the data classification model when an acquisition/merger or divestiture/demerger occurs. In the case of an acquisition/merger, the security professionals must decide whether to keep the data separate or merge the data into a single entity. In the case of a divestiture/demerger, security professionals must ensure that legally protected data is not given to an entity that is not covered under the same laws, regulations, or standards. The laws, regulations, and standards governing the two organizations must be considered. It may be necessary for the organization to carefully design the new data classification model and define the procedures for data reclassification. Whether data is being integrated, kept distinct, or split based on ownership, enterprises must make sure data security is a top concern. Assume a healthcare organization has decided to sell an application it has built. Management must collaborate with security experts to guarantee that all application data, source code, development plans, and marketing and sales data are supplied to the acquiring business. Management must also guarantee that no confidential healthcare data is accidentally included in the data that will be transferred as part of the divestiture.

    Security concerns of integrating industries

    In many situations nowadays, businesses are combining business models that are vastly different from one another. Organizations are sometimes venturing into new domains with vastly diverse cultures, geographic locations, and regulatory regimes. This can lead to new business opportunities, but it can also lead to security flaws. The following sections provide an overview of some of the concerns that must be examined. When it comes to merging different industries, the challenge is to strike a balance in terms of rules. While uniformity across all aspects of a company is a noble objective, imposing an unfamiliar set of regulations on one element of the company may result in resistance and morale issues.

    A long-standing culture in one unit may be one of trusting users to administer their computers, which may include local administrator powers, but another unit may be hostile to allowing users such access. While standardizing regulations throughout a company may become necessary, it should not be done without first assessing the advantages and downsides. The advantages should be weighed against any opposition that may arise, as well as any potential productivity losses. However, due to localized concerns, it may be essential to have a few alternative regulations. This decision should be made by top management in collaboration with the security specialists.

    Because policies are less likely to prescribe precise answers, they may be easier to standardize than rules or regulations. Many rules use ambiguous terminology, such as "the utmost feasible data protection must be provided for data believed to be secret". This terminology gives each department the freedom to decide what is and is not a secret. However, when a business acquires or merges, its rules should be thoroughly examined to ensure that they are current, offer adequate security precautions, and are not unduly onerous to any unit within the firm. Government bodies (such as the DHS, FCC, and DOT) frequently adopt regulations to guarantee that specific areas of the sector are controlled. When corporations from heavily regulated sectors are joined with companies from less heavily regulated industries, the degrees of regulation within each business unit will be vastly different. In many circumstances, this scenario should be recognized as normal, rather than being viewed as a lack of standards.

    Export controls

    The laws and regulations that govern the transfer or transmission of commodities from one nation to another are known as export controls. This includes the disclosure of technical data to individuals outside the nation. Exports are governed by rules and regulations in both the United States and the European Union (EU). Concerns about exports emerge for three main reasons: the item’s qualities, the item’s intended destination, and the item’s probable final use. Export controls are in place to safeguard national security, carry out foreign policy, and retain military and economic advantage. Governing organizations, such as those in the United States and the EU, publish lists of restricted items. Entity lists, debarred parties, denied persons, and embargoed states are common. While the export rules include exceptions, firms should consult with legal counsel before exporting any items. Failure to follow export control laws can result in criminal charges, monetary penalties, damage to one’s reputation, and the loss of export control licenses. Organizations with questions about export controls in the United States should contact Northwestern University’s Office for Export Controls Compliance.

    Legal requirements

    Any organization’s security approach must include legal compliance. Organizations must understand the regulations that apply to their business to achieve legal compliance. Financial, healthcare, and industrial production are examples of industries with numerous federal, state, and municipal rules to consider. The following sections highlight a few of the laws and rules that organizations must consider. You do not need to remember the rules and regulations presented in these sections; nonetheless, you should have a broad understanding of how they influence businesses in order to analyze the scenarios you may experience on the CASP test.

    Sarbanes-Oxley (SOX) Act

    The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, impacts any company that is publicly traded in the United States. It governs the accounting practices and financial reporting for businesses, as well as imposing penalties and even jail time on senior officials. It requires significant modifications to the existing securities legislation as well as harsh new punishments for violators. This legislation was enacted in reaction to the financial crises involving publicly listed corporations such as Enron Corporation, Tyco International plc, and WorldCom in the early 2000s.

    Health Insurance Portability and Accountability Act (HIPAA)

    The Kennedy-Kassebaum Act, often known as HIPAA, applies to all healthcare institutions, health insurance companies, and healthcare clearinghouses. The Office of Civil Rights of the Department of Health and Human Services is in charge of enforcing it. It establishes rules and processes for the storage, use, and transmission of medical and healthcare data. Unless the state laws are tougher, HIPAA takes precedence. All covered businesses must perform the following to comply with the HIPAA security rule:

    Ensure the confidentiality, integrity, and availability of all electronically protected health information

    Detect and protect against any risks to the information’s security

    Protect against anticipated impermissible uses or disclosures

    Certify compliance by their workforce

    Gramm-Leach-Bliley Act (GLBA)

    All financial institutions are affected by the Gramm-Leach-Bliley Act (GLBA), including banks, lending firms, insurance companies, investment organizations, and credit card companies. It establishes security requirements for all financial data and forbids the sharing of financial data with third parties. This legislation has a direct impact on the protection of personally identifiable information (PII).

    Personal Information Protection and Electronic Documents Act (PIPEDA)

    The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how the private-sector businesses in Canada gather, use, and disclose personal data in the course of doing business. The legislation was enacted in response to EU concerns regarding the security of personal information (PII) in Canada. The legislation requires companies to acquire consent before collecting, using, or disclosing personal information, as well as to establish clear, intelligible, and easily accessible personal information policies.

    Payment Card Industry Data Security Standard (PCI DSS)

    The Payment Card Industry Data Security Standard (PCI DSS) applies to all businesses that handle cardholder data for the main credit card issuers. PCI DSS Version 3.2 is the most recent. An organization’s compliance with the standard must be verified at least once a year. Despite the fact that the PCI DSS is not a law, it has influenced the implementation of various state legislation. Refer to Figure 2.4 that illustrates the PCI DSS framework:

    Figure 2.4: PCI DSS Framework

    Federal Information Security Management Act (FISMA)

    Every federal agency, as well as its suppliers and service providers, is affected by the Federal Information Security Management Act of 2002. It mandates that each federal agency establish, publish, and implement an information security program for the whole organization. FISMA mandates that federal entities create an effective risk management program for information security. The National Institute of Standards and Technology (NIST) provides detailed recommendations for compliance with FISMA. This guidance helps agencies meet their cyber security standards while emphasizing a risk-based approach, which builds a program that is fit for purpose based on the circumstances while putting a special emphasis on cost-effective protection.

    USA PATRIOT Act

    The USA PATRIOT Act of 2001 has an impact on US law enforcement and intelligence institutions. Its goal is to improve law enforcement’s investigative capabilities, including access to email communications, phone records, Internet communications, medical records, and financial information. The Foreign Intelligence Surveillance Act and the Electronic Communications Privacy Act were both altered by this statute when it was passed. Although the USA PATRIOT Act does not prohibit private citizens from using investigative tools, there are some exceptions: for example, if a private citizen is acting as a government agent (even if not formally employed), if the private citizen conducts a search that would require law enforcement to obtain a warrant, if the government is aware of the private citizen’s search, or if the private citizen is performing a search to assist the government.

    The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include:

    To strengthen U.S. measures to prevent, detect, and prosecute international money laundering and financing of terrorism

    To subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts that are susceptible to criminal abuse

    To require all appropriate elements of the financial services industry to report potential money laundering

    To strengthen measures to prevent the use of the U.S. financial system for personal gain by corrupt foreign officials and facilitate the repatriation of stolen assets to the citizens of countries to whom such assets belong

    EU laws and regulations

    Several laws and regulations affecting security and privacy have been established by the EU. The EU Privacy Principles contain strong provisions to protect personal data. The EU’s Data Protection Directive outlines how to comply with the requirements contained in the principles. The Safe Harbor Privacy Principles were designed by the EU to assist U.S. firms in complying with the EU Privacy Principles. Some of the guidelines include the following:

    Data should be collected following the law.

    Information collected about an individual cannot be shared with other organizations unless the individual gives explicit permission for such sharing.

    The information transferred to other organizations can be transferred only if the sharing organization has adequate security in place.

    Data should be used only for the purpose for which it was collected.

    Data should be used only for a reasonable period.

    A safe harbor, according to the EU, is an entity that complies with all of the EU Privacy Principles. A data haven is a jurisdiction that does not legally safeguard personal data, with the primary goal of attracting data-gathering firms. Electronic signature principles are defined in the EU Electronic Security Directive. According to this guideline, a signature must be uniquely connected to the signer and to the data to which it refers, so that any subsequent modification of the data can be detected. The signature must also be capable of identifying the signer.

    Geography

    Geographical differences have a significant influence in ensuring that a merger or demerger goes as smoothly as feasible. Aside from any language obstacles that may exist, the kind of technology accessible in different regions of the world might vary dramatically. While an organization may have rules in place requiring the
