Security+ Week 2


CompTIA Security+

SY0-701

Attention Attendees:
Remember to type your messages to all panellists and attendees
Course Structure

Week / Module 1
Introduction & Security Fundamentals

Week / Module 2
Compliance & Operational Security

Week / Module 3
Threats & Vulnerabilities

Week / Module 4
Application, Data & Host Security

Compliance & Operational Security
Security Governance Concepts
Policies
• Vital in establishing effective governance and ensuring organizational compliance
• Form the framework for operations, decision-making, and behaviour, and set the rules for a compliant and
ethical corporate culture
• Align the organization around common goals, prevent misconduct, and remove inefficiencies
• Common Policies
• Acceptable Use Policy (AUP)
• Information Security Policies
• Business Continuity & Continuity of Operations Plans (COOP)
• Disaster Recovery
• Incident Response
• Software Development Life Cycle (SDLC) Policy
• Change Management

Policies (cont’d)
Guidelines:
• Recommendations that steer actions in a particular job role or department
• More flexible than policies: they recommend rather than mandate, so teams have latitude in how they
implement them

Procedures
• Define step-by-step instructions and checklists
• Ensure a task is completed in a compliant and repeatable way
• Playbooks
• Collection of critical actions for a specific scenario, generally associated with the Security Operations Center (SOC)
• Examples
• Onboarding/Offboarding
• Background Checks
• Service/Software Provisioning
• Desktop Deployment
• Patching and updating
• “Go-Live” actions
• After hours support
• Ticket management

Standards
• Define a set of best practices and include specific, measurable details
• Often associated with regulations and policies
• Regulations and policies use standards to offload the details
• A standard can change often while the policy that references it remains the same
• Standards can be managed by subject matter experts
• Industry Standards
• ISO 27k series, NIST 800 series Special Publications, PCI-DSS, FIPS, many others…
• Internal Standards
• Encryption, coding Practices, audit, many others…

Legal Environment
• Governance committees ensure their organizations abide by all applicable cybersecurity laws and
regulations to protect them from legal liability
• Frameworks, benchmarks, and configuration guides may be used to demonstrate compliance with
legal/regulatory requirements
• Global Law
• National Law
• State/Local Law
• Industry Regulations
• Privacy Legislation

Legal Environment (cont’d)
• Privacy
• GDPR
• CCPA
• Many others
• Energy
• North American Electric Reliability Corporation (NERC) (United States and Canada)
• Education & Children
• Family Educational Rights and Privacy Act (FERPA) (United States)
• Children's Internet Protection Act (CIPA) (United States)
• Children's Online Privacy Protection Act (COPPA) (United States)
• Healthcare
• Health Insurance Portability and Accountability Act (HIPAA) (United States)
• Financial Services
• Gramm-Leach-Bliley Act (GLBA) (United States)
• Payment Card Industry Data Security Standard (PCI DSS) (Contractual obligation)
• Government
• Federal Information Security Modernization Act (FISMA) (United States)
• Criminal Justice Information Services Security Policy (CJIS) (United States)
• The Government Security Classifications (GSC) (United Kingdom)

Compliance & Operational Security
Change Management
Change Management Programs

• Systematic approach that manages all changes made to a product or system
• Ensures that methods and procedures are used to handle changes efficiently and effectively
• Helps minimize risks associated with changes
• Ensures changes do not negatively impact security, availability, or performance

Change Management Programs (cont’d)

• Stakeholder Input
• Change Review Board
• Impact Analysis
• Test Results
• Rollout Plans
• Backout Plans
• Maintenance Windows
• Standard Operating Procedures (SOPs)

Allowed & Blocked Changes

• Allow lists and deny lists play a role in change management practices
• Allow lists help streamline change management by reducing the time and effort required for
trusted, pre-approved changes
• Deny lists include blocked software, hardware, and specific change types
• Allow and deny lists also refer to technical controls that exist in different contexts such as access
controls, firewall rules, and software restriction mechanisms
• An allow list fails closed (anything not listed is blocked); a deny list fails open (anything not listed
is permitted), so an allow list is the stronger default for execution and change control
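The fail-closed versus fail-open difference is easier to see in code. The following is an added example, not material from the course slides: it evaluates the same "binary" under a hash-based software allow list and under a deny list. The file contents and hashes are constructed for the example and stand in for approved and unapproved executables.

```python
"""Allow list vs deny list as a technical control for software execution.

Added example (not from the course slides). An allow list fails closed:
an unknown binary is blocked. A deny list fails open: an unknown binary
runs. All file contents below are constructed and stand in for real
executables; the hashes are derived from them, not from real software.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    """Hash the binary image. A real allow list keys on a strong hash (or a
    code-signing identity), never on a file name, which an attacker controls."""
    return hashlib.sha256(data).hexdigest()


# Constructed binaries: one reviewed and approved through change management,
# one that was never submitted for review.
APPROVED_BUILD = b"approved-patch-installer-v2.1"
UNREVIEWED_TOOL = b"unreviewed-admin-tool"

# The allow list contains only what has been reviewed and approved.
ALLOW_LIST: Set[str] = {sha256_hex(APPROVED_BUILD)}
# The deny list can only contain what has already been identified as bad.
DENY_LIST: Set[str] = {sha256_hex(b"known-bad-binary")}


def allowlist_decision(image: bytes, allow: Set[str]) -> Decision:
    """Default deny: anything not explicitly approved is blocked."""
    digest = sha256_hex(image)
    if digest in allow:
        return Decision(True, f"hash {digest[:12]} is on the allow list")
    return Decision(False, f"hash {digest[:12]} is not on the allow list (default deny)")


def denylist_decision(image: bytes, deny: Set[str]) -> Decision:
    """Default allow: only items explicitly blocked are stopped."""
    digest = sha256_hex(image)
    if digest in deny:
        return Decision(False, f"hash {digest[:12]} is on the deny list")
    return Decision(True, f"hash {digest[:12]} is not on the deny list (default allow)")


def compare(image: bytes) -> Dict[str, bool]:
    """Return both models' verdicts for one image so the difference is explicit."""
    return {
        "allow_list": allowlist_decision(image, ALLOW_LIST).allowed,
        "deny_list": denylist_decision(image, DENY_LIST).allowed,
    }


if __name__ == "__main__":
    for name, image in [("approved build", APPROVED_BUILD),
                        ("unreviewed tool", UNREVIEWED_TOOL)]:
        print(name, compare(image))
```

The unreviewed tool is blocked by the allow list but waved through by the deny list, which is exactly the gap an attacker exploits with a renamed or freshly compiled binary: renaming does not change the hash, so the allow list verdict does not change either.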

Restarts, Dependencies & Downtime

• Typically have a direct impact on business operations
• Dependencies complicate changes because a service restart in one area may
significantly impact another
• Primary goal of change management is to minimize these disruptions
• Processes include communication requirements designed to inform/update
stakeholders
• Legacy Systems and Applications
• Often critical to business operations and difficult to manage
• Legacy features often have compatibility issues when implementing changes

Documentation & Version Control

• Assessing how a change impacts existing policies, procedures,
documentation and diagrams is essential, and change management
plans should include provisions requiring updates to these documents
as part of the implementation
• Version control
• Tracking and controlling changes to documents, diagrams, code, or other
important data
• Historical record of changes: who changed what, when, and why, which also
supports rollback to a known-good version

Compliance & Operational Security
Automation & Orchestration
Automation & Scripting

• Critical tools in modern IT operations
• Streamline processes
• Enhance security
• Improve efficiency
• Enforce security policies
• Reduce the risk of human error
• Reduce implementation time
• Provide clear audit trails

Automation & Orchestration Implementation

• Enhance efficiency by enabling repetitive tasks to be performed quickly and
consistently
• Mitigate operator fatigue
• Orchestration enhances the impact of automation by coordinating automated
tasks across different systems and software tools

Compliance & Operational Security
Data Classification & Compliance
Data Types

• Categorizing or classifying data based on its inherent characteristics, structure, and intended use
• Regulated Data
• Trade Secrets
• Intellectual Property
• Legal and Financial Data
• Many Others

Data Classifications

• Identifying the importance of different types of data and the protections
required for each
• Typically defined in 3 levels, for example public, internal (private), and
confidential (restricted), with handling rules that tighten at each level

Data Sovereignty and Geographical Considerations

• Data Sovereignty
• The principle that data is subject to the laws of the jurisdiction in which it is
collected or stored; such laws may prohibit processing or storing the data on
systems that do not physically reside within that jurisdiction
• Geographical Considerations
• Organizations must ensure data remains within a designated boundary
• Access controls that validate a user's geographic location before granting access

Privacy

• Personally identifiable or sensitive information associated with an
individual's personal, financial, or social identity
• Data that could infringe upon an individual's privacy rights if exposed or
mishandled
• Data protection and privacy laws safeguard both data types
• Rapidly evolving legal environment
• Privacy data is closely associated with the rights of individuals to control the
use and disclosure of their personal information
• Individuals have the right to access, correct, and request the deletion of their
privacy data

Privacy (cont’d)

• Legal Implications
• Protecting privacy data carries significant local, national, and global legal implications
• Many countries have specific privacy laws and regulations that dictate how personal data should
be handled within their jurisdiction
• The General Data Protection Regulation (GDPR) in the European Union has had a substantial
impact globally by setting high privacy and data protection standards
• GDPR applies to organizations that process the personal data of EU residents, regardless of their
physical location
• Roles and Responsibilities
• Data Controller and Data Processor
• The controller determines the purposes and means of processing; the processor processes personal
data on the controller's behalf
• Both roles are responsible for ensuring personal data protection in compliance with data protection laws
and regulations
• Data Subject: the identified or identifiable individual the personal data relates to

Privacy (cont’d)

• Right to Be Forgotten
• Fundamental principle outlined in the General Data Protection Regulation (GDPR)
• Grants data subjects the right to request the deletion of their personal data under certain
circumstances
• Ownership of Privacy Data
• It is not easy to attribute traditional notions of ownership to privacy data
• Many data protection laws place the emphasis on protecting the data subject
• Data Inventories and Retention
• Detailed record of personal data being collected, processed, and stored
• Retain personal data only for as long as necessary to fulfill the intended purpose or as required by
law

Privacy Breaches and Data Breaches

• When information is read, modified, or deleted without authorization
• Organizational Consequences
• Reputation damage
• Identity theft
• Fines
• Intellectual Property (IP) theft
• Breach Notification
• Requirements for different types of breach are established in laws and in regulations
• Public Notification and Disclosure

Compliance

• Security compliance refers to an organization's adherence to applicable
security standards, regulations, policy and best practices
• Compliance Issues
• Legal & Regulatory Noncompliance
• Software Licensing
• Contractual Noncompliance

Monitoring & Reporting

• Systematically assessing, evaluating, and reporting an organization's adherence to
laws, regulations, contracts, and industry standards
• Internal and External Compliance Reporting
• Compliance Monitoring
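Automation (the Automation & Scripting slides above) and compliance monitoring meet in scripts like the one below: it checks a configuration against an internal standard and writes a structured audit record for every run. This is an added example, not course material. The sshd_config excerpt is constructed, and the benchmark values are assumptions standing in for whatever an organization's own SSH hardening standard requires.

```python
"""Automated compliance check of an SSH server configuration against an
internal standard, with a JSON audit trail.

Added example (not from the course slides). The configuration text and the
benchmark are constructed; the required values are assumptions standing in
for the organization's hardening standard.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sshd_config excerpt. Two settings deviate from the standard and
# one required directive is missing entirely.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 4
X11Forwarding no
"""

# Assumed internal standard: directive -> acceptable values.
BENCHMARK: Dict[str, Set[str]] = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "MaxAuthTries": {"3", "4"},
    "X11Forwarding": {"no"},
    "ClientAliveInterval": {"300"},  # absent from the sample: reported as missing
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value. Comments and blank lines are skipped, keywords are
    matched case-insensitively, and the first occurrence of a keyword wins, which
    is how sshd itself treats repeated directives."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if match:
            settings.setdefault(match.group(1).lower(), match.group(2))
    return settings


def evaluate(settings: Dict[str, str], benchmark: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Compare parsed settings to the benchmark; every deviation becomes a finding."""
    findings: List[Dict[str, object]] = []
    for directive, allowed in benchmark.items():
        actual = settings.get(directive.lower())
        if actual is None:
            findings.append({"directive": directive, "expected": sorted(allowed),
                             "actual": None, "status": "missing"})
        elif actual not in allowed:
            findings.append({"directive": directive, "expected": sorted(allowed),
                             "actual": actual, "status": "noncompliant"})
    return findings


def audit_record(host: str, findings: List[Dict[str, object]]) -> str:
    """One JSON line per run: what was checked, when, and the outcome, so the
    script leaves the audit trail the slides describe."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "host": host,
        "control": "ssh-hardening-standard",  # assumed control identifier
        "compliant": not findings,
        "finding_count": len(findings),
        "findings": findings,
    }
    return json.dumps(record, sort_keys=True)


def run_check(host: str, config_text: str) -> List[Dict[str, object]]:
    """Parse, evaluate, emit the audit line, and return the findings."""
    findings = evaluate(parse_sshd_config(config_text), BENCHMARK)
    print(audit_record(host, findings))
    return findings


if __name__ == "__main__":
    run_check("constructed-host-01", SAMPLE_SSHD_CONFIG)
```

Because the script only reads configuration and never changes it, it can be scheduled against every host without a change ticket; the audit lines it emits are what an internal or external compliance report is built from.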

Data Protection and Data Loss Prevention

• Data requires different protection methods for each state
• Data at rest (storage: encryption, access controls)
• Data in motion (transit: TLS, VPN)
• Data in use (processing: memory and endpoint protections)
• Data Loss Prevention
• Automates the discovery and classification of data types and enforces
rules so that data is not viewed or transferred without proper authorization
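A content-aware DLP rule does two things the bullets above describe: it discovers and classifies regulated data in the content, then enforces a transfer rule on the result. The block below is an added example, not course material or any vendor's DLP engine. The messages are constructed; the card-style number passes the Luhn check used by payment card numbers but is a standard test pattern, not a real account; the three classification levels and the transfer policy are assumptions.

```python
"""Content-aware DLP check: discover regulated data, classify the content,
and decide whether a transfer is allowed.

Added example (not from the course slides). Sample messages are constructed;
the classification levels and policy are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

LEVELS = ["public", "internal", "confidential"]  # assumed three-level scheme


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. It rejects most random digit
    runs (order numbers, tracking IDs), which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so DLP logs do not leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


# (detector name, pattern, validator, classification the hit implies)
DETECTORS: List[Tuple[str, "re.Pattern[str]", Callable[[str], bool], str]] = [
    ("payment_card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
     lambda s: luhn_valid(re.sub(r"\D", "", s)), "confidential"),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True, "confidential"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda s: True, "internal"),
]


def scan(text: str) -> List[Dict[str, str]]:
    """Discovery: return every validated hit with the data type and a masked value."""
    hits = []
    for name, pattern, validate, level in DETECTORS:
        for m in pattern.finditer(text):
            if validate(m.group(0)):
                hits.append({"type": name, "masked": mask(m.group(0)), "level": level})
    return hits


def classify(hits: List[Dict[str, str]]) -> str:
    """Classification: the content takes the highest level any hit implies."""
    if not hits:
        return "public"
    return max((h["level"] for h in hits), key=LEVELS.index)


def transfer_allowed(text: str, destination_external: bool) -> Tuple[bool, str, List[Dict[str, str]]]:
    """Enforcement. Assumed policy: confidential data never transfers through this
    channel; internal data may only go to internal destinations; public is free."""
    hits = scan(text)
    level = classify(hits)
    if level == "confidential":
        return False, level, hits
    if level == "internal" and destination_external:
        return False, level, hits
    return True, level, hits


if __name__ == "__main__":
    samples = [  # constructed messages
        ("Quarterly newsletter draft: see attached.", True),
        ("Customer refund: card 4111 1111 1111 1111, expires 12/27", False),
        ("Tracking number 1234 5678 9012 3456 shipped today", True),
        ("Contact jane.doe@example.com for the internal roadmap", True),
    ]
    for text, external in samples:
        allowed, level, hits = transfer_allowed(text, external)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {level:12} {hits}")
```

The tracking-number message shows why the validator matters: the digit run matches the card pattern but fails Luhn, so it is not treated as a card and the shipment notice is not blocked. Real DLP products add many more detectors (document fingerprints, keyword dictionaries, file-type rules), but the discover, classify, enforce pipeline is the same.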

Questions

• Next week's Lab – ParrotSec:
• If you also want to complete the Lab you can get the install here: Parrot
Security
