Comparing Security Roles and Security Controls
Lesson 1
This lesson aims to establish the context for the security role and introduce the concepts of security controls and frameworks.
Topics:
Compare and contrast information security roles.
Compare and contrast security control and framework types.
Compare and Contrast Information Security Roles
Topic 1A
CompTIA Security+ Lesson 1 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
This topic introduces the concept of the CIA triad and discusses roles and responsibilities in typical information security teams. This topic does not align to specific objectives, but it does cover some terminology from the acronyms list. You can skip this topic if students are familiar with these basic concepts and terminology and you would prefer to move quickly to covering syllabus content.
CIA Triad
Confidentiality
Information should only be known to certain people
Integrity
Data is stored and transferred as intended and that any modification is authorized
Availability
Information is accessible to those authorized to view or modify it
Non-repudiation
Subjects cannot deny creating or modifying data
Information Security
Make sure that students can differentiate the goals of providing confidentiality, integrity, and availability (and non-repudiation). Note that the property of availability should not be overlooked.
An alternative acronym is PAIN (Privacy, Authentication, Integrity, Non-repudiation). We will discuss security versus privacy later in the course.
Cybersecurity Framework
Use these functions to give students an overview of typical cybersecurity operations.
Make sure students are familiar with the work of NIST. Note also that links in the course will often include sites and white papers with considerable amounts of additional detail. This detail is not necessary to learn for the exam.
Start to develop the idea that cybersecurity is adversarial in nature, with threat actors continually seeking new advantages over defensive systems.
Information Security Competencies
Risk assessments and testing
Specifying, sourcing, installing, and configuring secure devices and software
Access control and user privileges
Auditing logs and events
Incident reporting and response
Business continuity and disaster recovery
Security training and education programs
If appropriate, ask students what security-relevant duties they have in their current employment.
Information Security Roles and Responsibilities
Overall responsibility
Chief Security Officer (CSO)
Chief Information Security Officer (CISO)
Managerial
Technical
Information Systems Security Officer (ISSO)
Non-technical
Due care/liability
Discuss how responsibility for security might need to be clarified when there is a specialist security function combining with the responsibilities of different department managers.
Information Security Business Units
Security Operations Center (SOC)
DevSecOps
Development, security, and operations
Incident response
Cyber incident response team (CIRT)
Computer security incident response team (CSIRT)
Computer emergency response team (CERT)
Students should learn this terminology, drawn from the acronym list. Note the advice in the syllabus document: "Candidates are encouraged to review the complete list and attain a working knowledge of all listed acronyms as part of a comprehensive exam preparation program."
If appropriate, discuss how the security function is represented in the students' workplaces. Do any students currently work in a SOC or participate in DevSecOps projects?
Information Security Roles
Review Activity
You can either complete the review questions in class with the students or simply make them aware of them as resources to use as they review the course material before the exam. Students can also review additional practice questions from the Practice tab for the course on the CompTIA Learning Center (https://www.learn.comptia.org). Note that the exam itself features multiple-choice questions. A multiple-choice practice test featuring questions and domain weightings similar to the actual exam is also available on the CompTIA Learning Center.
Assisted Labs
Exploring the Lab Environment
Lab Activity
If you are using the CompTIA Labs activities option, these slides show the suggested point at which to use each activity. Each activity may be completed independently and skipped or designated as self-study as you see fit.
The lab series comprises two different types of activity with different rules for scoring:
Assisted labs confirm knowledge and guide students through the steps to achieve a given configuration. In an assisted lab, students may repeat scored items and achieve the correct answer. Students do not need a correct answer to move forward through the lab.
Applied labs challenge students' ability to configure given settings and display knowledge of concepts, tools, and options without detailed step instructions. In an applied lab, the student may not repeat a question or change their answer. The student does not need a correct answer to move forward through the lab.
The type of activity—assisted or applied—is indicated in the lab title.
Compare and Contrast Security Control and Framework Types
Topic 1B
This is an important subject—students need to be able to distinguish between types of security controls. They will also often have to work within the compliance requirements of legislation, regulation, and frameworks.
Syllabus Objectives Covered
5.1 Compare and contrast various types of controls
5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture
Security Control Categories
Technical
Controls implemented in operating systems, software, and security appliances
Operational
Controls that depend on a person for implementation
Managerial
Controls that give oversight of the system
Explain that a control category describes how it is implemented. For example, a document access policy is managerial, checking that permissions are applied according to the policy is operational, and the file system permissions are technical in nature. As with all classification systems, there is some degree of overlap, but the classification process is designed to help assess capabilities compared to frameworks and best practice guides.
Security Control Functional Types (1)
Preventive
Physically or logically restricts unauthorized access
Operates before an attack
Detective
May not prevent or deter access, but it will identify and record any attempted or successful intrusion
Operates during an attack
Corrective
Responds to and fixes an incident and may also prevent its reoccurrence
Operates after an attack
Where the category describes the implementation type, a functional type describes what the control is deployed to do.
Get the students to nominate examples of different types of controls:
Preventive—permissions policy, encryption, firewall, barriers, locks
Detective—alarms, monitoring, file verification
Corrective—incident response policies, data backup, patch management
Security Control Functional Types (2)
Physical
Controls such as alarms, gateways, and locks that deter access to premises and hardware
Deterrent
May not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion
Compensating
Substitutes for a principal control
NIST Cybersecurity Framework
Importance of frameworks
Objective statement of current capabilities
Measure progress towards a target capability
Verifiable statement for regulatory compliance reporting
National Institute of Standards and Technology (NIST)
Cybersecurity Framework (CSF)
Risk Management Framework (RMF)
Federal Information Processing Standards (FIPS)
Special Publications
Businesses might be framework-oriented or they might need to use a framework because of a legal or regulatory requirement.
Note that we have already looked at the five functions of the CSF. Risk management is covered later in the course.
ISO and Cloud Frameworks
International Organization for Standardization (ISO)
ISO/IEC 27000 series (27K): information security management standards
ISO 31000 series (31K): enterprise risk management (ERM)
Cloud Security Alliance
Security guidance for cloud service providers (CSPs)
Enterprise reference architecture
Cloud controls matrix
Statements on Standards for Attestation Engagements (SSAE) Service Organization Control (SOC)
SOC 2 report evaluates a service provider's security controls
Type I report assesses the design of the controls at a point in time
Type II report assesses the ongoing operating effectiveness of the controls
SOC 3 is a publicly distributed compliance report
There is a lot of detail to take in here. Try not to spend too long in class, but students will need to be able to match the organizations and frameworks to typical industries and uses.
Benchmarks and Secure Configuration Guides
Center for Internet Security (CIS)
The 20 CIS Controls
CIS-RAM (Risk Assessment Method)
OS/network platform/vendor-specific guides and benchmarks
Vendor guides and templates
CIS benchmarks
Department of Defense Cyber Exchange
NIST National Checklist Program (NCP)
Application servers and web server applications
Client/server
Multi-tier—front-end, middleware (business logic), and back-end (data)
Open Web Application Security Project (OWASP)
Explain the difference between a framework and benchmark. Note the use of benchmarks for both host/network appliance deployment (operations) and coding projects (development).
Regulations, Standards, and Legislation
Due diligence
Sarbanes-Oxley Act (SOX)
Computer Security Act (1987)
Federal Information Security Management Act (FISMA)
General Data Protection Regulation (GDPR)
National, territory, or state laws
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
California Consumer Privacy Act (CCPA)
Payment Card Industry Data Security Standard (PCI DSS)
The syllabus does not list specific examples of legislation, so these are illustrative rather than comprehensive. Students should focus on the fact that there can be many different sources of compliance requirements. Note the difference between vertical (sector-specific) and horizontal (consumer-specific, cross-sector) legislation.
Security Control and Framework Types
Review Activity
Summary
Lesson 1
Check that students are confident about the content that has been covered. If there is time, revisit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.
Optionally, discuss with students how the concepts from this lesson could be used within their own workplaces, or how these principles are already being put into practice.