You're reading from CompTIA Security+ SY0-701 Certification Guide - Third Edition

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781835461532
Edition: 3rd Edition

Author: Ian Neil

Ian Neil is one of the world's top trainers of Security+. He is able to break down information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds (not just IT professionals), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner that has worked with high-end training providers over the past 23 years and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest Office in 2006.

Introduction

This chapter covers the first objective in Domain 5.0, Security Program Management and Oversight, of the CompTIA Security+ exam.

In this first chapter, we will examine the policies required to maintain effective governance. We’ll first consider guidelines and how they differ from policies, before carrying out a detailed study of the relevant policies needed for effective governance. This review of various governance standards will be followed by an exploration of procedure and governance structures as well as a breakdown of data roles and their responsibilities.

This chapter will give you an overview of why companies rely on these processes to keep their environments safe and ensure you are prepared to successfully answer all exam questions related to these concepts for your certification.

Note

A full breakdown of Exam Objective 5.1 will be provided at the end of the chapter.

Guidelines

Guidelines provide structured recommendations and principles that serve as a framework for guiding decision-making and behavior. Unlike policies, which will be discussed in the next section, they are not rigid rules that look at operations in a granular fashion. Instead, guidelines are adaptable and informed suggestions. These suggestions help individuals or groups to achieve specific objectives or meet certain standards while allowing for adjustments based on situational factors. In essence, guidelines serve as a valuable source of best practices and recommendations to assist in the efficient and effective completion of tasks.

Policies

While guidelines are top-level suggestions that are designed to meet a certain goal, policies create a rigid prescriptive framework of what needs to be done to ensure guidelines are met. Policies set the rules and procedures that define how different aspects of operations, from resource utilization to data security and business continuity, are managed. Some of the most common data and security policies are the following:

  • Acceptable Use Policy (AUP): An AUP sets the ground rules for how employees and stakeholders can utilize an organization’s resources. It outlines acceptable and unacceptable behaviors, such as appropriate use of email, internet access, and social media, while emphasizing the importance of responsible and ethical use.
  • Information security policies: Information security policies are policies that define the procedures and controls that protect sensitive information from unauthorized access, data breaches, and cyber threats. They encompass...

Software Development Life Cycle

Choosing the right software methodology is crucial to creating new software successfully. There are two prominent approaches. The first is the Waterfall methodology, a traditional and linear approach to software development in which each new stage may only commence once the previous stage has been successfully completed.

The other main methodology is Agile, which is more flexible and can lead to rapid deployment. Agile breaks up a project into short, iterative cycles known as sprints that can be completed in any order, thus allowing for frequent adaptation and improvement. Agile allows for quicker delivery, reducing the time to market.

The SDLC consists of four stages, as illustrated in Figure 23.1:

Figure 23.1: Software Development Life Cycle (SDLC)

Let’s now look at each of these in turn.

As shown in the diagram, the first stage is software development. It is important to use the most...

Standards

Standards provide a common framework for security practices to ensure consistency and alignment with industry best practices and regulatory requirements. Adhering to these standards promotes a security-conscious environment and establishes a foundation for measuring and enhancing security posture. This section covers each of the organizations and standards you will need to be familiar with for your exam.

The International Organization for Standardization (ISO) has produced the following:

  • ISO 27001 Security: This is a comprehensive and internationally recognized framework for Information Security Management Systems (ISMSs) that has seen global acceptance, making it a valuable credential for organizations operating on a global scale. It takes a holistic view of security, considering organizational and human factors in addition to technical aspects, and places a strong emphasis on risk assessment and management, allowing organizations to tailor security controls to...

Procedures

Procedures are a set of documented steps or guidelines designed to standardize and streamline processes within an organization. They provide clarity and consistency in how tasks are performed, decisions are made, and changes are implemented. Let’s look at procedures for change management, onboarding, offboarding, and playbooks:

  • Change management: Change management procedures outline the steps and protocols for initiating, evaluating, implementing, and monitoring changes within an organization. They ensure that transitions (whether in technology, processes, or policies) are authorized and executed smoothly, minimizing disruptions and optimizing outcomes.
  • Onboarding: Onboarding is the process of integrating new team members into an organization’s culture and workflows. Onboarding procedures create a structured path for introducing newcomers, including orientation, training, and the provisioning of necessary resources, such as phones and laptops. These...

External Considerations

External considerations shape an organization’s compliance, operations, and strategic decisions. They ensure adherence to laws, industry standards, and global trends, and may influence an organization’s success, risk mitigation, and ethical conduct in an interconnected world. These considerations include several factors, described in the following list:

  • Regulatory: Governments and regulatory bodies enact laws and regulations to ensure fair practices, protect consumers, and maintain industry standards. Staying compliant with these regulations is essential to avoiding legal consequences and maintaining public trust. Whether it’s data privacy, financial reporting, or environmental standards, organizations must navigate the intricate web of regulations that apply to their industry and jurisdiction.
  • Legal: Legal factors encompass not only regulatory compliance but also broader legal issues that organizations face, such as contracts...

Monitoring and Revision

Cybersecurity governance demands vigilance. Organizations are responsible for monitoring and evaluating their cybersecurity policies, procedures, and standards on an ongoing basis. This involves a multi-faceted approach that spans across different aspects:

  • Regular audits and assessments: Routine audits, inspections, and assessments are conducted to gauge compliance levels and identify potential vulnerabilities. These evaluations help organizations stay ahead of threats by ensuring that their existing controls align with current requirements.
  • Policy and procedure revisions: The results of compliance reports, technological advancements, changes in business processes, newly identified risks, or evolving legal requirements can necessitate revisions to cybersecurity policies and procedures. Organizations must ensure they know the latest standards and frameworks and revise their policies accordingly as these revisions are essential to address emerging...

Types of Governance Structures

Governance structures guide organizations, institutions, and governments through management and decision-making. There are several such structures, each with its own unique characteristics and roles that contribute to the overall effectiveness of governance. These governance structures are described in the following list:

  • Boards: Boards of directors or governing boards are fundamental to governance in numerous organizations, including corporations, non-profits, and educational institutions. These boards are entrusted with setting the strategic direction, overseeing management, and safeguarding stakeholders’ interests. Boards ensure accountability through governance, oversight, transparency, and ethical leadership.
  • Committees: Committees are internal task forces within larger governance structures that focus on specific functions or tasks. They play a critical role in breaking down complex governance responsibilities into manageable...

Roles and Responsibilities for Systems and Data

Within data management, defining clear roles and responsibilities is paramount to ensuring the integrity, security, and compliant use of valuable digital assets. These roles include the following:

  • Data owner: Data owners are responsible for safeguarding data and for overseeing the enforcement of the policies that govern its proper usage, ensuring that the data is protected and handled responsibly.
  • Data controller: The data controller writes the policies that relate to data collection and processing. They are legally responsible for ensuring compliance with the up-to-date regulations for each type of data and ensuring that data subjects are acknowledged, their permission to use the data is granted, and all necessary procedures related to privacy notices are correctly implemented in their policies, promoting transparency and data protection.
  • Data processor: The data processor must handle and process the data on behalf of data...

Summary

This chapter summarized the elements of effective security governance, reviewing the policies and standards it requires. This was followed by change management, onboarding/offboarding, and playbooks, as well as governance structures, such as boards, committees, and governmental entities, and the roles of these in protecting our data.

The knowledge gained in this chapter will prepare you to answer any questions relating to Exam Objective 5.1 in your CompTIA Security+ certification exam.

The next chapter of the book is Chapter 24, Explain elements of the risk management process.

Exam Objectives 5.1

Summarize elements of effective security governance.

  • Guidelines: Informed suggestions for task completion
  • Policies: Organizational rules for specific areas:
    • AUP: Guidelines for acceptable system usage
    • Information security policies: Rules for protecting data and systems
    • Business continuity: Strategies for operational sustainability
    • Disaster recovery: Plans to restore operations post-disaster
    • Incident response: Protocols for addressing security incidents
    • SDLC: Framework for software development processes
    • Change management: Managing changes in a structured manner
  • Standards: Established criteria for consistency and quality:
    • Password: Requirements for secure password management
    • Access control: Control access to systems
    • Physical security: Physical methods to protect assets and premises
    • Encryption: Cryptographic techniques used to secure data
  • Procedures: Established methods for task completion:
    • Change management: Structured approach to change implementation
    • Onboarding...

Chapter Review Questions

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

  1. As a compliance officer in a healthcare organization, you are tasked with ensuring adherence to industry regulations and standards. Which type of governance structure would be most concerned with ensuring compliance with external regulatory requirements?
    1. Boards
    2. Centralized governance
    3. Committees
    4. Government entities
  2. You are the Chief Financial Officer (CFO) of an e-commerce company that processes credit card transactions. To ensure the secure handling of cardholder data and maintain compliance, which of the following regulations should your organization adhere to?
    1. ISO 27001
    2. ISO/IEC 27017...