CompTIA Security+ Study Notes
Home
Buy Me A Coffee
Discord
Quizlet
Search…
About
Donors
CompTIA Security+
Acronyms
Common Ports
Domain 1 - Threats, Attacks, & Vulnerabilities
Domain 2 - Technologies & Tools
Domain 3 - Architecture & Design
Domain 4 - Identity & Access Management
Domain 5 - Risk Management
Personnel Policies
Business Impact Analysis
Risk Assessment
Incident Response
Forensics
Disaster Recovery & Business Continuity Plans
Controls
Data Privacy
Domain 6 - Cryptography & PKI
Powered By
GitBook
Personnel Policies
Policies
Policies form the foundation of any security program.
Policies define:
How IT will approach security.
How users approach security.
How certain situations will be handled.
Policy Document Types
Policies - General management rules.
Standards - Specific mandatory controls (based on a given policy).
Guidelines - Recommendation or good practices.
Procedures - Instructions on how to implement a policy or standard.
Policy Elements
Overview
Purpose
Scope
Target Audience
Definitions
Version
Implementation Date
Compliance / Exceptions
Policy Statements
Common Policies
Acceptable Use Policy (AUP)
Access Policy
Authentication Policy
Backup & Recovery Policy
Data Classification Policy
Email/Messaging Policy
Social Media Policy
Physical Security Policy
Physical Security Policy
Incident Response Policy
Mobile Device Policy
Network Security Policy
Wireless Policy
Remote Access Policy
Policies should be short.
Standard Operating Procedure (SOP)
Standard set of instructions for workers to carry out routine operations.
Aim to achieve efficiency and consistent output.
Agreement Types
Non-Disclosure Agreement (NDA)
Protects against sensitive information disclosure.
Business Partner Agreements (BPAs)
Specifies partner financial and fiduciary responsibilities (profit sharing).
Service-Level Agreements (SLAs)
Specifies nature and level of service by a provider (uptime).
Memorandum of Understanding (MOU)
and
Memorandum of Agreement (MOA)
Outlines the terms and details of an agreement.
An agreement between two or more parties where the parties cannot create a legally enforceable agreement.
​
https://csrc.nist.gov/publications/detail/sp/800-47/final
​
Interconnection Security Agreement (ISA)
Personnel Management
Mandatory Vacations
Job Rotation
Separation of Duties
Clean Desk
Role-based awareness training based on job responsibilities.
Continuing Education
Separation of Duties
When user accounts are created by one employee and user permissions are configured by another employee.
An admin who is responsible for creating user account should not have the authorization to configure the permissions associated with the account.
Requires more than one individual to accomplish a critical task.
Ensures that no individual can compromise a system.
Considered valuable in deterring fraud.
Can be static or dynamic.
Static: refers tot eh assignment of individuals to roles and the allocation of transactions to roles.
An individual can be either an initiator of the transaction or the authorizor of a transaction.
Dynamic: An individual can initiate as well as authorize transactions.
Change Management
Change management stipulates that multiple changes to a computer system should not be made at the same time.
This makes tracking any problems that can occur much simpler.
Change management includes the following rules:
Distinguish between your system types.
Document your change process.
Develop your changes based on the current configuration.
Always test your changes.
Do not make more than one change at a time.
Document your fallback plan.
Assign a person whoi is responsible for change management.
Regularly report on the status of change management.
CompTIA Security+ - Previous
Domain 5 - Risk Management
Next
Business Impact Analysis
Last modified
1yr ago
Copy link
On this page
Policies
Policy Document Types
Policy Elements
Common Policies
Standard Operating Procedure (SOP)
Agreement Types
Personnel Management
Separation of Duties
Change Management