ITPro.TV: CompTIA Security+ (SY0-601)

CompTIA Security+ Exam Cram

Today I’ll be reading Chapter 33 of the Security+ Exam Cram, “Organizational Security Policies”.

Policy Framework

Parts of a framework:

The policy → procedure flow above transforms descriptive statements into prescriptive ones.

Human Resource Management Policies

Policies should be reviewed by both legal and HR.

Background Checks

The Exam Cram lumps everything from reference checks to more traditional background checks and drug testing here.

Onboarding and Offboarding

The Exam Cram recommends that employees sign formal ethics statements.

Mandatory Vacations

The Exam Cram recommends mandatory vacations (to check for operational gaps) and regular rotation of duties (for cross-training purposes).

Separation of Duties

The Exam Cram emphasizes making sure that no one individual controls a process or transaction. Not sure how to reconcile this with the concept of a “single wringable neck” (perhaps by not allowing the person responsible for a process to actually perform the process?).

Job Rotation

The Exam Cram also positions job rotation and mandatory vacations as a way of having admins check each other’s work.

Clean Desk Policies

Basically, keeping work areas free of any information is a simple way to make sure that they do not contain unattended sensitive information.

Role-Based Awareness and Training

User types:

Typically, system administrators work under data and system owners (who may be the same person, or may head up parallel teams).

Executives and data/system owners are the people who should be designing and pushing policies, standards, and procedures (I’d expect the latter to be delegated to system admins sometimes).

Acceptable Use Policy / Rules of Behavior

Ah, codes of conduct.

Exam Cram suggests that all users get notifications about network/computer use being monitored on logon.

Disciplinary and Adverse Actions

Exam Cram notes that all policy documents should include jurisdictional information in case they become subject to a legal dispute or part of a criminal action.

Interoperability Agreements

Types of third-party IT/security agreements:

Exam Cram notes that only an ISA actually spells out security requirements.

ITPro.TV: CompTIA Security+ (SY0-601)

Organizational Security Policies — Personnel

Policies that help detect/prevent malicious behavior:

Adam Gordon makes an interesting point: Separation of duties implies that roles like “backup administrator” should actually be split into “backup administrator” and “restore administrator”. It does seem like perhaps these duties should be rotated, though?

Permission = The ability to do something

Right = The authorization to do something

Privilege = Permissions + Rights
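The backup/restore split and the Permission + Right = Privilege definitions above map cleanly onto a small access-control model. The following is an added illustration, not code from the Exam Cram or ITPro.TV; the role names, permission sets and the mutually-exclusive role pair are constructed for this example. It enforces separation of duties at assignment time and also audits an existing set of principals for conflicts, which is the check you would run against a real directory.

```python
"""Minimal role model with a separation-of-duties (SoD) constraint.

Added example (not from the Security+ material). All roles, permissions,
rights and the conflicting-role pair are constructed for illustration.
"""
from dataclasses import dataclass, field

# Permission = the ability to do something (what the role can technically do).
ROLE_PERMISSIONS = {
    "backup_admin": {"read_volume", "write_backup_store"},
    "restore_admin": {"read_backup_store", "write_volume"},
    "auditor": {"read_backup_log"},
}

# Right = the authorization to do something (what the role is allowed to do).
ROLE_RIGHTS = {
    "backup_admin": {"backup"},
    "restore_admin": {"restore"},
    "auditor": {"audit"},
}

# Role pairs that no single principal may hold at once (constructed policy).
MUTUALLY_EXCLUSIVE = {frozenset({"backup_admin", "restore_admin"})}


class SeparationOfDutiesViolation(Exception):
    """Raised when an assignment would give one person a conflicting role pair."""


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


def conflicting_roles(roles):
    """Return the mutually-exclusive pairs fully contained in `roles`."""
    return [pair for pair in MUTUALLY_EXCLUSIVE if pair <= set(roles)]


def assign_role(principal, role):
    """Grant `role`, refusing it if it would complete a conflicting pair."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if conflicting_roles(principal.roles | {role}):
        raise SeparationOfDutiesViolation(
            f"{principal.name} may not hold {role} alongside "
            f"{sorted(principal.roles)}"
        )
    principal.roles.add(role)


def effective_privileges(principal):
    """Privilege = Permissions + Rights, unioned over the principal's roles."""
    permissions = set().union(*(ROLE_PERMISSIONS[r] for r in principal.roles))
    rights = set().union(*(ROLE_RIGHTS[r] for r in principal.roles))
    return permissions, rights


def find_sod_violations(principals):
    """Audit existing assignments; return names of principals in conflict."""
    return sorted(p.name for p in principals if conflicting_roles(p.roles))


if __name__ == "__main__":
    alice = Principal("alice")
    assign_role(alice, "backup_admin")
    try:
        assign_role(alice, "restore_admin")
    except SeparationOfDutiesViolation as exc:
        print("blocked:", exc)
    print(effective_privileges(alice))
    # A principal whose roles were granted outside this check is still caught:
    legacy = Principal("bob", {"backup_admin", "restore_admin"})
    print("violations:", find_sod_violations([alice, legacy]))
```

`assign_role` is the preventive control; `find_sod_violations` is the detective one, useful for accounts that were provisioned before the policy existed.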

Policies related to employee/vendor lifecycle:

Policies related to security awareness and training:

Organizational Security Policies — 3rd Party Risk

Elements that go into understanding the structure of third-party risk:

Contractual vehicles that bind supply chains together:

Adam Gordon notes that BPAs basically formalize MOUs into full business relationships.

A new term: Measurement Systems Analysis (MSA). This is the process of determining how much variation occurs in the act of measuring a thing, and how this contributes to our understanding of process variability. Components:

(It’s not clear what the difference between “repeatability” and “reproducibility” is here…)

Software/Hardware lifecycle components:

Note that EOS (when security patches are no longer available) comes after EOL (when the system is no longer sold or actively supported). Increasingly EOL = EOS (for example, with Chrome OS devices), but this is not always true (Windows…).

PPRR risk management model for third-party & supply chain risk:

Nathan Acks
April 27, 2022