Sy0 601 01

The document discusses information security roles, responsibilities, and controls. It compares categories of security controls and frameworks. It outlines roles like the CSO and CISO and business units like the SOC. It also covers frameworks from NIST, ISO, and CSA and benchmarks from CIS.

Lesson 1

Comparing Security Roles and Security Controls


Topic 1A
Compare and Contrast Information Security Roles

CompTIA Security+ Lesson 1 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Information Security

• CIA Triad
  • Confidentiality
    • Information should only be known to certain people
  • Integrity
    • Data is stored and transferred as intended, and any modification is authorized
  • Availability
    • Information is accessible to those authorized to view or modify it
• Non-repudiation
  • Subjects cannot deny creating or modifying data

Cybersecurity Framework
• A cybersecurity framework provides a common language and set of standards for security leaders across countries and industries to understand their security postures and those of their vendors. With a framework in place it becomes much easier to define the processes and procedures that your organization must take to assess, monitor, and mitigate cybersecurity risk.
• Examples of frameworks and regulations:
  • NIST Cybersecurity Framework
  • ISO 27001 and ISO 27002
  • SOC2
  • NERC-CIP
  • HIPAA
  • GDPR
  • FISMA
Information Security Competencies

• Risk assessments and testing
• Specifying, sourcing, installing, and configuring secure devices and software
• Access control and user privileges
• Auditing logs and events
• Incident reporting and response
• Business continuity and disaster recovery
• Security training and education programs
Information Security Roles and Responsibilities

• Overall responsibility
  • Chief Security Officer (CSO)
  • Chief Information Security Officer (CISO)
• Managerial
• Technical
  • Information Systems Security Officer (ISSO)
• Non-technical
  • Due care/liability
Information Security Business Units

• Security Operations Center (SOC)
• DevSecOps
  • Development, security, and operations
• Incident response
  • Cyber incident response team (CIRT)
  • Computer security incident response team (CSIRT)
  • Computer emergency response team (CERT)
Activities

1. What are the properties of a secure information processing system?
2. What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
3. A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
4. A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?

Topic 1B
Compare and Contrast Security Control and Framework Types
Syllabus Objectives Covered

• 5.1 Compare and contrast various types of controls
• 5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture
Security Control Categories

• Technical
  • Controls implemented in operating systems, software, and security appliances
• Operational
  • Controls that depend on a person for implementation
• Managerial
  • Controls that give oversight of the system
Security Control Functional Types (1)

• Preventive
  • Physically or logically restricts unauthorized access
  • Operates before an attack
• Detective
  • May not prevent or deter access, but it will identify and record any attempted or successful intrusion
  • Operates during an attack
• Corrective
  • Responds to and fixes an incident and may also prevent its reoccurrence
  • Operates after an attack
Security Control Functional Types (2)

• Physical
  • Controls such as alarms, gateways, and locks that deter access to premises and hardware
• Deterrent
  • May not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion
• Compensating
  • Substitutes for a principal control

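The preventive, detective and corrective functional types are easiest to tell apart when you see them operating at different points in time on the same traffic. The following is an added example written for this page, not code from the CompTIA course: a toy packet filter in which a pre-configured port policy is the preventive control, an audit log is the detective control, and an automatic ACL update after a violation is the corrective control. The packet format, the permitted ports and the addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed sample data.

```python
"""Toy packet filter illustrating preventive, detective and corrective
controls. Added example, not part of the CompTIA slides; all packets,
rules and addresses are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address (constructed)
    dst_port: int   # destination TCP port (constructed)


@dataclass
class PacketFilter:
    # Preventive control: the policy exists before any packet arrives and
    # restricts what traffic can reach the host at all.
    allowed_ports: frozenset = frozenset({80, 443})
    # Corrective control state: sources added to the deny ACL after a
    # violation so the same source cannot repeat the attempt.
    acl_deny: set = field(default_factory=set)
    # Detective control: an append-only record of every decision, so
    # attempted and successful intrusions can be identified later.
    audit_log: list = field(default_factory=list)

    def process(self, pkt: Packet) -> str:
        """Return the verdict ("accept" or "drop") for one packet."""
        if pkt.src in self.acl_deny:
            # Earlier corrective action now blocks this source outright.
            self._record("drop", pkt, "source on ACL deny list")
            return "drop"
        if pkt.dst_port not in self.allowed_ports:
            # Preventive control fires: policy violation, packet dropped.
            self._record("drop", pkt, "port not permitted by policy")
            # Corrective control: fix the exposure going forward by
            # blocking the offending source entirely.
            self.acl_deny.add(pkt.src)
            self._record("acl-update", pkt, f"blocked {pkt.src}")
            return "drop"
        self._record("accept", pkt, "permitted")
        return "accept"

    def _record(self, action: str, pkt: Packet, reason: str) -> None:
        self.audit_log.append(
            f"{action} src={pkt.src} dport={pkt.dst_port} reason={reason}"
        )


def violations(log: list) -> list:
    """Detective view: pull the policy violations out of the audit log."""
    return [entry for entry in log if entry.startswith("drop ")]


def run_sample() -> dict:
    """Feed a constructed packet stream through the filter."""
    pf = PacketFilter()
    stream = [
        Packet("203.0.113.7", 443),   # permitted HTTPS
        Packet("203.0.113.7", 23),    # telnet: violates policy
        Packet("203.0.113.7", 443),   # would be permitted, but source is now on the ACL
        Packet("198.51.100.4", 80),   # unrelated permitted HTTP
    ]
    verdicts = [pf.process(p) for p in stream]
    return {
        "verdicts": verdicts,
        "acl_deny": sorted(pf.acl_deny),
        "log": pf.audit_log,
        "violations": violations(pf.audit_log),
    }


if __name__ == "__main__":
    for line in run_sample()["log"]:
        print(line)
```

Note that the third packet is dropped even though port 443 is permitted: the corrective control changed the filter's state after the violation, which is exactly the "operates after an attack" distinction the slide draws. The audit log by itself stops nothing; it is what lets an analyst find the two drops afterwards.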
NIST Cybersecurity Framework

• Importance of frameworks
  • Objective statement of current capabilities
  • Measure progress towards a target capability
  • Verifiable statement for regulatory compliance reporting
• National Institute of Standards and Technology (NIST)
  • Cybersecurity Framework (CSF)
  • Risk Management Framework (RMF)
  • Federal Information Processing Standards (FIPS)
  • Special Publications
ISO and Cloud Frameworks

• International Organization for Standardization (ISO)
  • 27K information security standards
  • 31K enterprise risk management (ERM)
• Cloud Security Alliance
  • Security guidance for cloud service providers (CSPs)
  • Enterprise reference architecture
  • Cloud controls matrix
• Statements on Standards for Attestation Engagements (SSAE) Service Organization Control (SOC)
  • SOC2 evaluates service provider
    • Type I report assesses system design
    • Type II report assesses ongoing effectiveness
  • SOC3 public compliance report
Benchmarks and Secure Configuration Guides

• Center for Internet Security (CIS)
  • The 20 CIS Controls
  • CIS-RAM (Risk Assessment Method)
• OS/network platform/vendor-specific guides and benchmarks
  • Vendor guides and templates
  • CIS benchmarks
  • Department of Defense Cyber Exchange
  • NIST National Checklist Program (NCP)
• Application servers and web server applications
  • Client/server
  • Multi-tier: front-end, middleware (business logic), and back-end (data)
  • Open Web Application Security Project (OWASP)
Regulations, Standards, and Legislation

• Due diligence
• Sarbanes-Oxley Act (SOX)
• Computer Security Act (1987)
• Federal Information Security Management Act (FISMA)
• General Data Protection Regulation (GDPR)
• National, territory, or state laws
• Gramm–Leach–Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• California Consumer Privacy Act (CCPA)
• Payment Card Industry Data Security Standard (PCI DSS)

Activities

1. You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
2. A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
3. A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?
4. If a security control is described as operational and compensating, what can you determine about its nature and function?
Lesson 1
Summary
