Security+ (SY0-601) Cram Notes


2. Compliance and Operational Security

2.1 Explain risk related concepts

Security controls: Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity, and availability (C.I.A.) of the information system. Security controls fall into three classes, covering the following control families:

  • Access Control (for example, firewalls)
  • Audit and Accountability
  • Identification and Authentication
  • System and Communications Protection

  • Certification, Accreditation, and Security Assessments
  • Planning
  • Risk Assessment
  • System and Services Acquisition

  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • System and Information Integrity

False positives: A false positive occurs when the system reads a legitimate event as an attack or other error, or when a system authenticates a user who should not be allowed access to the system. For example, an IDS/IPS blocks legitimate traffic from passing on to the network.

Privacy policy: This policy is used to secure user identities and other information related to the user. If an internet-based application provided by an organization requires users to register with their name and email ID, the information provided by the user should be kept secure and not shared with any third party without the user's knowledge. The privacy policy should state what information is stored and who will access it; it should also state whether information will be shared with third parties.

Acceptable use: This policy restricts how a computer network and other devices and systems may be used. It states what users can and cannot do with the technology infrastructure of an organization. It is signed by employees before they begin working on any systems, which protects the organization from employees misusing the systems or network. The policy may put limits on personal use of resources and on resource access times.

Security policy: A company's security policy outlines the security measures to be taken. Implementing the security policy is the first thing that needs to be done. Some issues that need to be taken care of while planning security policies are:

  • Due care: acting responsibly and doing the right thing.

  • Privacy: letting the employees and administrators know of the privacy issues.

  • Separation of duties: ensures that vital activities are divided among several individuals, so that one or two individuals cannot commit a fraud on their own.

  • Need to know: providing employees only the information required to perform their role or duties.

  • Password management: auditing the passwords.

  • Disposal and destruction.

  • Human rights policies.

  • Incident response: should take care of the response to an act.

  • Least privilege principle: a user should be given only the minimum privileges required to do his/her work accurately and completely.

  • The security policy should clearly state that no one is ever allowed to share his/her password with anyone else. Secondly, the security policy should state that the help desk can only change or assign a new password after positive identification of the individual requesting it.

Risk Management: Risk management can be defined as the identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks.

  • Risk transference: The purpose of this action is to take a specific risk, which is detailed in the insurance contract, and pass it from a party who does not wish to have the risk (the insured) to a party who is willing to take on the risk for a fee, or premium (the insurer). Example: an organization purchases insurance for a group of servers in a data center. The organization still takes on the risk of losing data in the case of server failure, theft, or disaster, but transfers the risk of losing the money those servers are worth if they are lost.

  • Risk avoidance: Not carrying out a proposed plan because the risk factor is too great. Example: an organization decides not to implement a new website based on its calculation that too many attackers would attempt to hack it.

  • Risk acceptance: Also known as risk retention. Most organizations are willing to accept a certain amount of risk. Sometimes, vulnerabilities that would otherwise be mitigated by the implementation of expensive solutions are instead dealt with when and if they are exploited.

  • Risk reduction: This is the main aim of risk management: to reduce the risk to an acceptable level.


Copyright © Anand Software and Training Private Limited.