Security+ Risk Management Guide

This document summarizes key points from Chapter 1 of the CompTIA Security+ Study Guide. It discusses how risk assessment involves categorizing threats, identifying vulnerabilities, and determining impacts. The key components of risk assessment are risks facing an organization and those needing to be addressed. It also outlines methods for measuring and managing risk, such as risk avoidance, transference, mitigation and acceptance. Cloud computing risks and risks of virtualization are also summarized.

Uploaded by samuel anggara

10/19/2019

CompTIA Security+ Study Guide


(SY0-501)
Chapter 1:
Managing Risk

Chapter 1: Managing Risk
• Explain how resiliency and automation strategies reduce risk
• Explain the importance of policies, plans, and procedures related to organizational security

Threat Assessment
• Threats can be categorized as environmental, manmade, and internal vs. external
• Risk assessment (also called risk analysis)
  – Deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or of the information itself
  – Key components of risk assessment
    • Risks to which the organization is exposed
    • Risks that need addressing
    • Coordination with the business impact analysis (BIA)

Computing Risk Assessment
• Methods of measurement
  – Annualized rate of occurrence (ARO)
    • Likelihood, often derived from historical data, of an event occurring within a year; an event expected once every ten years has an ARO of 0.1
  – ARO is used in conjunction with:
    • Single loss expectancy (SLE): the cost of one occurrence of the event
    • Annual loss expectancy (ALE): the expected cost of the event per year
  – Formula: SLE × ARO = ALE

Computing Risk Assessment (continued)
• Risk assessment can be qualitative or quantitative
  – Qualitative
    • Opinion-based and subjective; risks are ranked on relative scales such as high/medium/low
  – Quantitative
    • Cost-based and objective; risks are expressed in monetary terms using SLE, ARO, and ALE

Risk Measurements
• MTBF: Mean Time Between Failures (average operating time between failures of a repairable system)
• MTTF: Mean Time To Failure (average lifetime of a component that is replaced rather than repaired)
• MTTR: Mean Time To Restore (average time from failure to restored service)
• RTO: Recovery Time Objective (maximum tolerable time to restore service after a disruption)
• RPO: Recovery Point Objective (maximum tolerable data loss, expressed as the age of the most recent usable copy)
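The following is an added illustration (not part of the slide deck) of how the measurements above are derived from operational data: it computes MTTR, MTBF and availability from an outage log and checks an RTO and a backup schedule against an RPO. The outage log, the 2-hour RTO, the 4-hour RPO and the nightly backup interval are constructed sample values.

```python
"""Derive MTBF, MTTR and availability from an outage log, and check RTO and RPO
targets against it. Added illustration for the Risk Measurements slide; the
outage log, RTO, RPO and backup interval below are constructed sample values,
not figures from the study guide."""
from datetime import datetime


# Constructed outage log for one service: (failure detected, service restored).
OUTAGES = [
    (datetime(2019, 1, 14, 3, 0), datetime(2019, 1, 14, 5, 30)),   # 2.5 h outage
    (datetime(2019, 4, 2, 22, 15), datetime(2019, 4, 3, 0, 15)),   # 2.0 h outage
    (datetime(2019, 8, 21, 9, 0), datetime(2019, 8, 21, 9, 45)),   # 0.75 h outage
]
# Observation window the log covers (calendar year 2019, 8760 hours).
WINDOW = (datetime(2019, 1, 1), datetime(2020, 1, 1))


def hours(delta):
    return delta.total_seconds() / 3600.0


def mttr_hours(outages):
    """Mean Time To Restore: average time from failure to restored service."""
    return sum(hours(restored - failed) for failed, restored in outages) / len(outages)


def mtbf_hours(outages, window):
    """Mean Time Between Failures: total uptime in the window divided by the
    number of failures. Uptime excludes the hours spent in outages."""
    start, end = window
    downtime = sum(hours(restored - failed) for failed, restored in outages)
    return (hours(end - start) - downtime) / len(outages)


def availability(outages, window):
    """Fraction of the window the service was up: MTBF / (MTBF + MTTR)."""
    mtbf, mttr = mtbf_hours(outages, window), mttr_hours(outages)
    return mtbf / (mtbf + mttr)


def rto_violations(outages, rto_hours):
    """Outages whose restore time exceeded the Recovery Time Objective."""
    return [(f, r) for f, r in outages if hours(r - f) > rto_hours]


def rpo_met(backup_interval_hours, rpo_hours):
    """The worst-case data loss is one full backup interval, so the interval
    must not exceed the Recovery Point Objective."""
    return backup_interval_hours <= rpo_hours


if __name__ == "__main__":
    print(f"MTTR {mttr_hours(OUTAGES):.2f} h, MTBF {mtbf_hours(OUTAGES, WINDOW):.2f} h, "
          f"availability {availability(OUTAGES, WINDOW):.5f}")
    print("RTO (2 h) violations:", len(rto_violations(OUTAGES, 2.0)))
    print("Nightly backups meet a 4 h RPO:", rpo_met(24, 4))
```

With the constructed log, one outage (2.5 h) breaches a 2 h RTO, and a nightly backup cannot meet a 4 h RPO because up to 24 h of data would be lost; RPO is a statement about data age, not about how fast the service comes back.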

Acting on Your Risk Assessment
• Risk avoidance
  – Identifying a risk and deciding to no longer engage in the actions associated with it
• Risk transference
  – Sharing some of the burden of the risk with someone else, for example through insurance or outsourcing
• Risk mitigation
  – Accomplished any time steps are taken to reduce risk, such as adding a control
• Risk acceptance
  – Often the choice you must make when the cost of implementing any of the other choices exceeds the value of the harm that would occur if the risk came to fruition
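The following is an added illustration (not part of the slide deck) tying the Computing Risk Assessment formula to the acceptance rule above: it computes SLE and ALE for a risk, recomputes ALE with a proposed control in place, and recommends mitigation only when the control's annual cost is below the loss it prevents. The asset values, exposure factors, ARO figures and control costs are constructed sample numbers; SLE = asset value × exposure factor is the standard Security+ definition, which the slide does not spell out.

```python
"""Quantitative risk assessment: SLE x ARO = ALE, then compare the ALE
reduction a control buys against its annual cost to choose between mitigation
and acceptance. Added illustration for the Computing Risk Assessment and Acting
on Your Risk Assessment slides; all numbers below are constructed samples."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset at stake, in currency units
    exposure_factor: float  # fraction of the asset value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence; 0.1 means once in ten years

    def sle(self):
        """Single loss expectancy = asset value x exposure factor
        (standard definition; the slide only gives SLE x ARO = ALE)."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual loss expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float      # yearly cost of running the control
    aro_after: float        # ARO expected once the control is in place
    ef_after: float         # exposure factor expected once the control is in place


def ale_with_control(risk, control):
    """ALE of the same risk after the control changes its likelihood and impact."""
    return risk.asset_value * control.ef_after * control.aro_after


def control_value(risk, control):
    """Annual benefit of a control: ALE reduction minus its annual cost.
    Positive means the control pays for itself; negative means it costs more
    than the loss it prevents."""
    return risk.ale() - ale_with_control(risk, control) - control.annual_cost


def recommend(risk, control):
    """Mitigate when the control has positive value, otherwise accept the risk
    (the slide's rule: accept when the cost of the alternatives exceeds the harm)."""
    return "mitigate" if control_value(risk, control) > 0 else "accept"


# Constructed examples.
RANSOMWARE = Risk("ransomware on file server", asset_value=200_000,
                  exposure_factor=0.5, aro=0.2)                  # SLE 100k, ALE 20k
OFFLINE_BACKUPS = Control("offline backups", annual_cost=8_000,
                          aro_after=0.2, ef_after=0.1)            # ALE after: 4k

FLOOD = Risk("flooding of the data center", asset_value=500_000,
             exposure_factor=1.0, aro=0.01)                      # SLE 500k, ALE 5k
RELOCATE = Control("relocate the data center", annual_cost=40_000,
                   aro_after=0.0, ef_after=0.0)                   # ALE after: 0

if __name__ == "__main__":
    for risk, control in ((RANSOMWARE, OFFLINE_BACKUPS), (FLOOD, RELOCATE)):
        print(f"{risk.name}: SLE {risk.sle():,.0f}, ALE {risk.ale():,.0f}; "
              f"{control.name} value {control_value(risk, control):,.0f} -> "
              f"{recommend(risk, control)}")
```

Transference fits the same model: an insurance policy is a control whose annual cost is the premium and whose exposure factor after the control is the uncovered share of the loss. Note that the rule compares annual figures on both sides; a one-time control cost must be spread over its service life before it is compared with ALE.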

Risks and Cloud Computing
• Cloud computing
  – Using the Internet to host services and data instead of hosting them locally
• Three service models for implementing cloud computing
  1. Platform as a Service (PaaS)
  2. Software as a Service (SaaS)
  3. Infrastructure as a Service (IaaS)

Risks and Cloud Computing (continued)
• Risk-related issues associated with cloud computing
  – Regulatory compliance
  – User privileges
  – Data integration/segregation

Risks Associated with Virtualization
• Breaking out of the virtual machine (a VM escape gives a guest access to the hypervisor or to other guests)
• Network and security controls can intermingle
  – Hypervisor: the virtual machine monitor, the software that allows the virtual machines to exist

Developing Policies,
Standards, and Guidelines
• Implementing policies
– Policies provide people in an
organization with guidance about
their expected behavior
– Well-written policies are clear and
concise and outline the
consequences when they are not
followed

Key Areas of a Good Policy


• Scope statement
– Outlines what the policy intends to accomplish and which
documents, laws, and practices the policy addresses
• Policy overview statement
– Provides goal of the policy, why it’s important, and how to
comply with it
• Policy statement
– Should be as clear and unambiguous as possible
• Accountability statement
– Provides additional information to readers about who to
contact if a problem is discovered
• Exception statement
– Provides specific guidance about the procedure or process
that must be followed in order to deviate from the policy

Chapter 1: Measuring and Weighing Risk
Incorporating standards: five points
1. Scope and purpose
2. Roles and responsibilities
3. Reference documents
4. Performance criteria
5. Maintenance and administrative requirements

Following Guidelines
• Guidelines
– Help an organization implement or maintain
standards by providing information on how to
accomplish policies and maintain standards

Four Minimum Contents of Good Guidelines


1. Scope and purpose
2. Roles and responsibilities
3. Guideline statements
4. Operational considerations

Business Policies: Primary Areas of Concern
• Mandatory vacations
• Job rotation
• Separation of duties
• Clean desk
• Background checks
• Nondisclosure
• Onboarding
• Continuing education
• Exit interviews
• Role-based awareness

Business Policies: Primary Areas of Concern (continued)
• Acceptable use policies (AUP)
• Adverse actions
• General security policies
• Network/application policies

Chapter 1: Measuring and Weighing Risk
• False positives
  – Events that aren't really incidents
• Risk management best practices
  – Business impact analysis (BIA)

Redundant Array of Independent Disks
• Redundant array of independent disks (RAID)
  – A technology that uses multiple disks to provide fault tolerance (and, in some levels, performance)

Several designations for RAID levels
• RAID Level 0: disk striping. Data is split across the disks for speed; there is no redundancy, so the loss of any one disk loses the whole array.
• RAID Level 1: disk mirroring. Each disk holds a full copy of the data; the array survives the loss of one disk in a mirrored pair.
• RAID Level 3: disk striping with a dedicated parity disk.
• RAID Level 5: disk striping with parity distributed across all the disks; the array survives the loss of any one disk.
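The following is an added stripe-level simulation (not part of the slide deck) of the four RAID levels listed above, showing which of them can return the original data after one disk is lost and how a parity level rebuilds the missing chunk. The 4-byte chunk size, disk counts and sample payload are constructed; the XOR parity is the standard scheme.

```python
"""Stripe-level simulation of RAID 0, 1, 3 and 5 showing which layouts survive
the loss of one disk. Added illustration for the RAID slide: the chunk size,
disk counts and sample data are constructed, and the XOR parity is the standard
scheme, not code from the study guide."""

CHUNK = 4  # bytes per chunk per disk (constructed; real arrays use KiB-sized chunks)


def chunks(data, size):
    """Split data into fixed-size chunks, zero-padding the last one."""
    padded = data.ljust(-(-len(data) // size) * size, b"\0")
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def xor(blocks):
    """Byte-wise XOR of equal-length blocks: the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build(data, n, level):
    """Lay data out across n disks. Returns a list of stripes; each stripe is
    (row, parity_index) where row[d] is the chunk on disk d. parity_index is
    None for RAID 0/1, n-1 for RAID 3 (dedicated parity disk) and rotates one
    disk to the left per stripe for RAID 5 (distributed parity)."""
    cs = chunks(data, CHUNK)
    if level == 1:                                   # mirroring: every disk holds every chunk
        return [([c] * n, None) for c in cs]
    width = n if level == 0 else n - 1               # data chunks per stripe
    while len(cs) % width:                           # pad to a whole stripe
        cs.append(b"\0" * CHUNK)
    stripes = []
    for s, i in enumerate(range(0, len(cs), width)):
        row = cs[i:i + width]
        if level == 0:                               # striping only, no parity
            stripes.append((row, None))
            continue
        p_idx = n - 1 if level == 3 else (n - 1 - s % n)
        row.insert(p_idx, xor(row))                  # parity = XOR of the data chunks
        stripes.append((row, p_idx))
    return stripes


def fail_disk(stripes, disk):
    """Return a degraded copy of the array with one disk's chunks gone."""
    return [([None if d == disk else c for d, c in enumerate(row)], p) for row, p in stripes]


def read_back(stripes, level, length):
    """Reassemble the original bytes, rebuilding a missing chunk from parity or a
    mirror where the level allows. Returns None when the data is unrecoverable."""
    out = b""
    for row, p_idx in stripes:
        row = list(row)
        missing = [d for d, c in enumerate(row) if c is None]
        if level == 1:                               # any surviving mirror copy will do
            survivors = [c for c in row if c is not None]
            if not survivors:
                return None
            out += survivors[0]
            continue
        if len(missing) > 1 or (missing and level == 0):
            return None                              # RAID 0 has nothing to rebuild from
        if missing:                                  # single-parity rebuild: XOR of the rest
            m = missing[0]
            row[m] = xor([c for d, c in enumerate(row) if d != m])
        out += b"".join(c for d, c in enumerate(row) if d != p_idx)
    return out[:length]


def survives_single_disk_loss(data, n, level, disk=0):
    """True if the array still returns the original data after losing one disk."""
    degraded = fail_disk(build(data, n, level), disk)
    return read_back(degraded, level, len(data)) == data


SAMPLE = b"Security+ Chapter 1: Managing Risk"          # constructed sample payload

if __name__ == "__main__":
    for level, n in ((0, 4), (1, 2), (3, 4), (5, 4)):
        print(f"RAID {level} on {n} disks survives one disk loss: "
              f"{survives_single_disk_loss(SAMPLE, n, level)}")
```

The same XOR rebuild works for RAID 3 and RAID 5 because both carry exactly one parity chunk per stripe; the difference is only where that chunk sits, which is why RAID 3 concentrates parity writes on one disk while RAID 5 spreads them. A second simultaneous disk loss defeats either level, which is the caveat to keep in mind when RAID is offered as the fault-tolerance answer.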
