sy0-601-01v1.0.pptx

Comparing Security Roles and Security Controls

Lesson 1

This lesson aims to establish the context for the security role and introduce the concepts of security controls and frameworks.

Topics:

Compare and contrast information security roles.

Compare and contrast security control and framework types.


Compare and Contrast Information Security Roles

Topic 1A

CompTIA Security+ Lesson 1 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org


This topic introduces the concept of the CIA triad and discusses roles and responsibilities in typical information security teams. This topic does not align to specific objectives, but it does cover some terminology from the acronyms list. You can skip this topic if students are familiar with these basic concepts and terminology and you would prefer to move quickly to covering syllabus content.


CIA Triad

Confidentiality

Information should only be known to certain people

Integrity

Data is stored and transferred as intended, and any modification is authorized

Availability

Information is accessible to those authorized to view or modify it

Non-repudiation

Subjects cannot deny creating or modifying data

Information Security


Make sure that students can differentiate the goals of providing confidentiality, integrity, and availability (and non-repudiation). Note that the property of availability should not be overlooked.

An alternative acronym is PAIN (Privacy, Authentication, Integrity, Non-repudiation). We will discuss security versus privacy later in the course.

Cybersecurity Framework


Use these functions to give students an overview of typical cybersecurity operations.

Make sure students are familiar with the work of NIST. Note also that links in the course will often include sites and white papers with considerable amounts of additional detail. This detail is not necessary to learn for the exam.

Start to develop the idea that cybersecurity is adversarial in nature, with threat actors continually seeking new advantages over defensive systems.

Information Security Competencies

Risk assessments and testing

Specifying, sourcing, installing, and configuring secure devices and software

Access control and user privileges

Auditing logs and events

Incident reporting and response

Business continuity and disaster recovery

Security training and education programs


If appropriate, ask students what security-relevant duties they have in their current employment.

Information Security Roles and Responsibilities

Overall responsibility

Chief Security Officer (CSO)

Chief Information Security Officer (CISO)

Managerial

Technical

Information Systems Security Officer (ISSO)

Non-technical

Due care/liability

Image credit: Shannon Fagan © 123rf.com.


Discuss how responsibility for security might need to be clarified when there is a specialist security function combining with the responsibilities of different department managers.

Information Security Business Units

Security Operations Center (SOC)

DevSecOps

Development, security, and operations

Incident response

Cyber incident response team (CIRT)

Computer security incident response team (CSIRT)

Computer emergency response team (CERT)

Image credit: John Mattern/Feature Photo Service for IBM


Students should learn this terminology, drawn from the acronym list. Note the advice in the syllabus document: "Candidates are encouraged to review the complete list and attain a working knowledge of all listed acronyms as part of a comprehensive exam preparation program."

If appropriate, discuss how the security function is represented in the students' workplaces. Do any students currently work in a SOC or participate in DevSecOps projects?


Information Security Roles


Review Activity

You can either complete the review questions in class with the students or simply make them aware of them as resources to use as they review the course material before the exam. Students can also review additional practice questions from the Practice tab for the course on the CompTIA Learning Center (https://www.learn.comptia.org). Note that the exam itself features multiple-choice questions. A multiple-choice practice test featuring questions and domain weightings similar to the actual exam is also available on the CompTIA Learning Center.


Assisted Labs

Exploring the Lab Environment


Lab Activity

If you are using the CompTIA Labs activities option, these slides show the suggested point at which to use each activity. Each activity may be completed independently and skipped or designated as self-study as you see fit.

The lab series comprises two different types of activity with different rules for scoring:

Assisted labs confirm knowledge and guide students through the steps to achieve a given configuration. In an assisted lab, students may repeat scored items and achieve the correct answer. Students do not need a correct answer to move forward through the lab.

Applied labs challenge students' ability to configure given settings and display knowledge of concepts, tools, and options without detailed step instructions. In an applied lab, the student may not repeat a question or change their answer. The student does not need a correct answer to move forward through the lab.

The type of activity—assisted or applied—is indicated in the lab title.


Compare and Contrast Security Control and Framework Types

Topic 1B


This is an important subject—students need to be able to distinguish between types of security controls. They will also often have to work within the compliance requirements of legislation, regulation, and frameworks.


Syllabus Objectives Covered

5.1 Compare and contrast various types of controls

5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture


Security Control Categories

Technical

Controls implemented in operating systems, software, and security appliances

Operational

Controls that depend on a person for implementation

Managerial

Controls that give oversight of the system


Explain that a control category describes how it is implemented. For example, a document access policy is managerial, checking that permissions are applied according to the policy is operational, and the file system permissions are technical in nature. As with all classification systems, there is some degree of overlap, but the classification process is designed to help assess capabilities compared to frameworks and best practice guides.
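The worked example in the notes above (policy is managerial, the permissions check is operational, the file system permissions are technical) can be made concrete with a small audit script. The following is an added illustration, not CompTIA course material: it compares observed POSIX permission modes against a constructed document access policy and reports every file whose bits exceed what the policy allows, every policy entry with no matching file, and every file present that the policy does not mention. The policy, paths and modes are all constructed sample data; `collect_modes` is a hypothetical helper that gathers live modes with `os.stat` so the same check can be run against a real host.

```python
import os
import stat

# Constructed sample policy (the managerial control): path -> the maximum
# permission bits the document access policy allows for that file.
POLICY = {
    "/srv/docs/hr/salaries.xlsx": 0o640,      # owner rw, group r
    "/srv/docs/public/handbook.pdf": 0o644,   # world-readable is acceptable
    "/etc/app/secrets.conf": 0o600,           # owner only
}

# Constructed sample of observed st_mode values, as os.stat() would report
# them (file type bits included), standing in for a real filesystem walk.
OBSERVED = {
    "/srv/docs/hr/salaries.xlsx": 0o100666,    # world-writable: violates policy
    "/srv/docs/public/handbook.pdf": 0o100644, # compliant
    "/etc/app/secrets.conf": 0o100644,         # group/world read: violates policy
    "/srv/docs/hr/unlisted.docx": 0o100640,    # not covered by the policy at all
}


def excess_bits(observed_mode, allowed_bits):
    """Return the permission bits set on the file that the policy does not allow."""
    perm = stat.S_IMODE(observed_mode)  # strip file-type bits, keep rwx/suid/sgid/sticky
    return perm & ~allowed_bits


def audit(policy, observed):
    """Operational check: compare observed modes with the policy.

    Returns a list of (path, finding, detail) tuples where finding is one of
    'excess' (bits beyond the policy; detail is the offending bits),
    'missing' (policy entry with no observed file) or
    'unlisted' (observed file the policy does not cover).
    """
    findings = []
    for path, allowed in policy.items():
        if path not in observed:
            findings.append((path, "missing", None))
            continue
        extra = excess_bits(observed[path], allowed)
        if extra:
            findings.append((path, "excess", extra))
    for path in observed:
        if path not in policy:
            findings.append((path, "unlisted", None))
    return findings


def collect_modes(paths):
    """Hypothetical helper: gather live st_mode values for the given paths.

    Paths that do not exist are simply omitted, so audit() reports them
    as 'missing'.
    """
    modes = {}
    for path in paths:
        try:
            modes[path] = os.stat(path).st_mode
        except FileNotFoundError:
            pass
    return modes


def format_findings(findings):
    """Render findings as human-readable lines (uses stat.filemode for the bits)."""
    lines = []
    for path, finding, detail in findings:
        if finding == "excess":
            lines.append(f"{path}: permission bits beyond policy: {stat.filemode(detail)[1:]}")
        else:
            lines.append(f"{path}: {finding}")
    return lines


if __name__ == "__main__":
    # Run against the constructed sample; swap in collect_modes(POLICY) for a live host.
    for line in format_findings(audit(POLICY, OBSERVED)):
        print(line)
```

Separating the three pieces this way mirrors the categories on the slide: the `POLICY` table is the managerial statement of intent, `audit` is the operational act of checking it, and the mode bits themselves are the technical control that the operating system enforces.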


Security Control Functional Types (1)

Preventive

Physically or logically restricts unauthorized access

Operates before an attack

Detective

May not prevent or deter access, but it will identify and record any attempted or successful intrusion

Operates during an attack

Corrective

Responds to and fixes an incident and may also prevent its reoccurrence

Operates after an attack


Images © 123rf.com.

Where the category describes the implementation type, a functional type describes what the control is deployed to do.

Get the students to nominate examples of different types of controls:

Preventive—permissions policy, encryption, firewall, barriers, locks

Detective—alarms, monitoring, file verification

Corrective—incident response policies, data backup, patch management


Security Control Functional Types (2)

Physical

Controls such as alarms, gateways, and locks that deter access to premises and hardware

Deterrent

May not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion

Compensating

Substitutes for a principal control


NIST Cybersecurity Framework

Importance of frameworks

Objective statement of current capabilities

Measure progress towards a target capability

Verifiable statement for regulatory compliance reporting

National Institute of Standards and Technology (NIST)

Cybersecurity Framework (CSF)

Risk Management Framework (RMF)

Federal Information Processing Standards (FIPS)

Special Publications


Businesses might be framework-oriented or they might need to use a framework because of a legal or regulatory requirement.

Note that we have already looked at the five functions of the CSF. Risk management is covered later in the course.

ISO and Cloud Frameworks

International Organization for Standardization (ISO)

21K information security standards

31K enterprise risk management (ERM)

Cloud Security Alliance

Security guidance for cloud service providers (CSPs)

Enterprise reference architecture

Cloud controls matrix

Statements on Standards for Attestation Engagements (SSAE) Service Organization Control (SOC)

SOC2 evaluates the service provider's controls

Type I report assesses system design

Type II report assesses ongoing effectiveness

SOC3 public compliance report


There is a lot of detail to take in here. Try not to spend too long in class, but students will need to be able to match the organizations and frameworks to typical industries and uses.

Benchmarks and Secure Configuration Guides

Center for Internet Security (CIS)

The 20 CIS Controls

CIS-RAM (Risk Assessment Method)

OS/network platform/vendor-specific guides and benchmarks

Vendor guides and templates

CIS benchmarks

Department of Defense Cyber Exchange

NIST National Checklist Program (NCP)

Application servers and web server applications

Client/server

Multi-tier—front-end, middleware (business logic), and back-end (data)

Open Web Application Security Project (OWASP)


Explain the difference between a framework and benchmark. Note the use of benchmarks for both host/network appliance deployment (operations) and coding projects (development).

Regulations, Standards, and Legislation

Due diligence

Sarbanes-Oxley Act (SOX)

Computer Security Act (1987)

Federal Information Security Management Act (FISMA)

General Data Protection Regulation (GDPR)

National, territory, or state laws

Gramm–Leach–Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

California Consumer Privacy Act (CCPA)

Payment Card Industry Data Security Standard (PCI DSS)


The syllabus does not list specific examples of legislation, so these are illustrative rather than comprehensive. Students should focus on the fact that there can be many different sources of compliance requirements. Note the difference between vertical (sector-specific) and horizontal (consumer-specific, cross-sector) legislation.

Security Control and Framework Types


Review Activity

Summary

Lesson 1


Check that students are confident about the content that has been covered. If there is time, revisit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.

Optionally, discuss with students how the concepts from this lesson could be used within their own workplaces, or how these principles are already being put into practice.
