Presentation is loading. Please wait.

Presentation is loading. Please wait.

CompTIA Security+ Study Guide (SY0-501)

Published byJonathan Bridges Modified over 6 years ago

Similar presentations

Presentation on theme: "CompTIA Security+ Study Guide (SY0-501)"— Presentation transcript:

1 CompTIA Security+ Study Guide (SY0-501)
Chapter 1: Managing Risk

2 Chapter 1: Managing Risk
Explain how resiliency and automation strategies reduce risk Explain the importance of policies, plans, and procedures related to organizational security

3 Threat Assessment Threats can be categorized as environmental, manmade, and internal vs. external Risk assessment (risk analysis) Risk assessment Deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or information itself Key components of risk assessment Risks to which the organization is exposed Risks that need addressing Coordination with BIA

4 Computing Risk Assessment
Methods of measurement Annualized rate of occurrence (ARO) Likelihood, often from historical data, of an event occurring within a year ARO can be used in conjunction with: Single loss expectancy (SLE) Annual loss expectancy (ALE) Formula: SLE x ARO = ALE

5 Computing Risk Assessment Continued
Risk assessment can be qualitative or quantitative Qualitative Opinion-based and subjective Quantitative Cost-based and objective

6 Risk Measurements MTBF: Mean Time Between Failures
MTTF: Mean Time To Failure MTTR: Mean Time To Restore RTO: Recovery Time Objective RPO: Recovery Point Objective

7 Acting on Your Risk Assessment
Risk avoidance Involves identifying a risk and making the decision to no longer engage in actions associated with that risk Risk transference Sharing some of the burden of the risk with someone else Risk mitigation Accomplished anytime steps are taken to reduce risk

8 Acting on Your Risk Assessment
Risk acceptance Often the choice you must make when the cost of implementing any of the other choices exceeds the value of the harm that would occur if the risk came to fruition

9 Risks and Cloud Computing
Using the Internet to host services and data instead of hosting it locally Three ways to implement cloud computing Platform as a Service Software as a Service Infrastructure as a Service

10 Risks and Cloud Computing
Risk-related issues associated with cloud computing Regulatory compliance User privileges Data integration/segregation

11 Risks Associated with Virtualization
Breaking out of the virtual machine Network and security controls can intermingle Hypervisor: the virtual machine monitoring the software that allows the virtual machines to exist

12 Developing Policies, Standards, and Guidelines
Implementing policies Policies provide people in an organization with guidance about their expected behavior Well-written policies are clear and concise and outline the consequences when they are not followed

13 Key Areas of a Good Policy
Scope statement Outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses Policy overview statement Provides goal of the policy, why it’s important, and how to comply with it Policy statement Should be as clear and unambiguous as possible Accountability statement Provides additional information to readers about who to contact if a problem is discovered Exception statement Provides specific guidance about the procedure or process that must be followed in order to deviate from the policy

14 Chapter 1: Measuring and Weighing Risk
Incorporating standards: five points Scope and purpose Roles and responsibilities Reference documents Performance criteria Maintenance and administrative requirements

15 Following Guidelines Guidelines
Help an organization implement or maintain standards by providing information on how to accomplish policies and maintain standards Four Minimum Contents of Good Guidelines Scope and purpose Roles and responsibilities Guideline statements Operational considerations

16 Business Policies Primary Areas of Concern
Mandatory vacations Job rotation Separation of duties Clean desk Background checks Nondisclosure Onboarding Continuing education Exit interviews Role-based awareness

17 Business Policies Primary Areas of Concern Continued
Acceptable use policies (AUP) Adverse actions General security policies Network/application policies

18 Chapter 1: Measuring and Weighing Risk
False positives Events that aren’t really incidents Risk management best practices Business impact analysis (BIA)

19 Redundant Array of Independent Disks
Redundant array of independent disks (RAID) A technology that uses multiple disks to provide fault tolerance Several designations for RAID levels RAID Level 0 RAID 0 is disk striping. RAID Level 1 RAID 1 is disk mirroring. RAID Level 3 RAID 3 is disk striping with a parity disk. RAID Level 5 RAID 5 is disk striping with parity

Download ppt "CompTIA Security+ Study Guide (SY0-501)"

Similar presentations

1 Documentation Legal Framework Air Navigation Orders Guidelines ATS Manual Airport Manual Safety Management Manual ICAO Annexes Licenses / Certificates.

1 Documentation Legal Framework Air Navigation Orders Guidelines ATS Manual Airport Manual Safety Management Manual ICAO Annexes Licenses / Certificates.
1 Regulation. 2 Organisational separation 3 Functional Separation.

1 Regulation. 2 Organisational separation 3 Functional Separation.
1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov.

1 IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1,
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Information Systems Security Information Security & Risk Management.

Information Systems Security Information Security & Risk Management.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO GENERAL RISK MANAGEMENT 2.

Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO GENERAL RISK MANAGEMENT 2.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google