Visit www.kodekloud.com to learn more.

Hi, and welcome to the final section of our CompTIA Security Plus Preparation Course. In this section, we'll discuss Security
Program Management and Oversight.
In this section, we'll discuss Security Program Management and Oversight. In the process, we'll cover topics such as
Security Governance, Managing Risk, Compliance, Audits and Assessments, and then we'll wrap up with Security Awareness
Practices. These are very important topics when managing security of any organization for any size, and especially for
anyone taking the Security Plus Certification Exam. As you can see, we have a lot to cover in this section, so if you're ready,
let's begin.
Before we get too deep into our discussion of Security Governance, let's summarize some of the key elements of Security
Governance. This will help us later determine if we're doing it correctly and whether we're missing any of the elements
that are needed.
What is Security Governance? Well, as CISA, the Cybersecurity Infrastructure Security Agency defines it, Security
Governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the
interruption of activities due to cyber threats or attacks. I know that's a lot to remember, but keep this in mind. The end
goal of any governance is to manage the security risk to an organization.
Now, we'll talk more about what risks are later, but for now, understand that many components and tools are involved in
accomplishing this goal, including guidelines, policies, standards, procedures, external considerations, such as vendor
management.
Also, you must regularly monitor and revise anything you put in place because the threats are ever-changing. This also
includes your governance structures, such as any boards, committees, and government agencies that oversee your industry
or your activities.
It's also important to understand the systems and data roles and responsibilities that apply to how you collect, process,
and store personal data.
Now, when it comes to guidelines, policies, procedures, and standards, keep in mind the various categories of controls we
discussed in our earlier section.
What are management controls? Well, management controls are one of the tools you have for security governance. These
are the controls that management puts in place and the employees are required to follow. As you've seen, humans are one
of the biggest concerns when it comes to security because we can all make mistakes or be unknowingly compromised, and
that can open attack vectors that can later be exploited. So, many of the policies that are handed down and enforced by
management are actually designed to help manage human behavior and guide employees to become better stewards of
security.
These can include requiring all employees and sometimes even customers to review and agree to an acceptable use policy
that outlines what is allowed and what is not allowed when using applications and system resources. It also includes
requiring business continuity and disaster recovery planning, and more importantly, testing to validate that the company is
prepared for these. Repeat. It also includes requiring business continuity and disaster recovery planning, and more
importantly, testing to validate that the company is prepared. Repeat. It also includes requiring business continuity and
disaster recovery planning, and more importantly, disaster recovery testing to validate that the company is prepared in
11

case a situation occurs. Repeat. It also includes requiring business continuity and disaster recovery planning,
and more importantly, disaster recovery testing to validate that the business is prepared in the event of an
unexpected situation that could affect availability.
Many times, these are the types of activities that could be overlooked until you need them the most. It should make sure
disaster recovery exercises are scheduled, the results are reviewed, and improvements are made if needed. It's also
important to take the time to define your critical metrics, such as the RTO or the recovery time objective, which is the
maximum amount of time it should take to restore the systems. Also, your RPO, which is the recovery point objective, or
how much data loss is acceptable, and then put those things in place that will allow the business to meet those key
objectives.
12

This may also require committing resources to make sure all of this gets done, and that is exactly why
management involvement is key to effective security governance. It should also include adhering to a
software development lifecycle.
Okay, let's pause here, because you may be wondering what the SDLC has to do with cybersecurity. Well, think about all of
those application threats we discussed earlier, like SQL injection attacks, buffer overflows, exploiting outdated code, etc.
Well, many of those can and actually should be mitigated during the software development process with things such as
peer reviews, the inclusion of input validation, etc., while the software is being written rather than afterwards. So, creating
an SDLC, repeat, the inclusion of input validation, repeat, I'm going to repeat that whole paragraph, it should also include
adhering to a software development lifecycle.
Using playbooks that have been prepared for certain types of incidents can help to make sure the responses are consistent
and that nothing important is missed.
Following onboarding and offboarding procedures can help prevent the issues that can occur when managing permissions
and access for large numbers of employees.
Management can also ensure that employees are following standards that have been reviewed and adopted for things
such as creating passwords, including password complexity and password length requirements, which can make it more
difficult to crack someone's passwords if they are able to obtain the hash.
Standards surrounding access control can help to enforce the principle of least privilege and reduce privilege creep, which
is the accumulation of a lot of permissions over time, especially for employees that have been around for a long time or
have had multiple job titles and roles.
Another important area is enforcing physical security. Examples of this could include requiring key cards to enter certain
locations and not allowing piggybacking or tailgating through doors and turnstiles. It also includes the use of encryption,
including when encryption is required, which algorithms can be used, how keys are managed, etc. These can take a lot of
the inconsistency and guesswork out of the equation in all of these various areas. With the involvement of management,
these are not only best practices, but can be required as part of the employee's jobs. And it can also make the employee's
jobs easier at the same time. Many of the human errors that can lead to issues can be addressed in these standards,
19

policies, and procedures.

Security Governance also involves considering external factors and organizations. Certain industries are regulated and
must adhere to specific security requirements.
For example, hospitals and companies in the healthcare industry must adhere to HIPAA requirements to protect patient
health information.
Other regulated industries include energy, banking, and telecommunications among others. And even if you aren't in a
regulated industry, you may still be required to adhere to certain regulations as part of doing business. For example, PCI or
Payment Card Industry regulations must be adhered to protect credit card information provided by cardholders and
transmitted over the internet, and this applies to any retailer that accepts credit card payments.
The regulatory environment may be local, regional, national, or even global. An example of global regulation includes the
GDPR or General Data Protection Regulation, which is a European Union law that covers the way private customer data is
used, processed, and stored. But it doesn't only cover companies based in the European Union. It covers any company that
has customers in the European Union and data for any citizen of the EU.
There are also data sovereignty rules in some jurisdictions around the world that cover where data can and cannot be
stored and under what conditions. Thanks to the internet, many companies have a global reach for their goods and services
now. But along with this tremendous benefit comes the requirement to be aware of any laws and regulations that you
must follow when doing business in certain areas. This is another key part of security governance.
And the last part of effective security governance will cover is systems and data roles and responsibilities.
Data privacy is an extremely important area of security governance, not only because of the impact it can have on someone
whose data is compromised, but also because it's an area that is covered by several regulations, and not complying with
these rules can result in severe penalties, fines, sanctions, or loss of reputation for an organization. For example, we
mentioned the GDPR earlier, which specifically covers data privacy for EU citizens and companies that handle their data.
From a security governance standpoint, to understand data privacy requirements, it's important to understand the various
roles and what each of these roles are responsible for. The relevant roles are data owners, data controllers, data
processors, and finally, the custodians or stewards of the data. Let's start with the data controllers and processors. Legally,
the data controller can be a person or an organization. The important thing to remember about data controllers is that
they are the ones who are ultimately held accountable for the data and making sure data privacy laws and regulations are
adhered to.
Their duties include compliance to all data laws and regulations, obtaining consent to collect and store the data,
implementing policies and procedures to protect the data, and providing privacy notices, among other things. If anything
goes wrong, the authorities usually go to the data controller first. The data controllers have a special relationship with the
data processors. It's the data processors that actually do most of the work with the data, but at the request of the data
controller.
The data processor must only do what they are legally authorized to do and what the data controllers ask them to do. They
don't make any independent decisions when it comes to the data. That's the job of the data controllers. They only process
the data in the way they are asked to do so by the controller, but they do have some responsibilities. The data processor is
responsible for implementing security measures, ensuring data confidentiality and integrity, and keeping records of all
data processing activities. Data processors can be internal within the same company as the data controller, or they can be
an external entity. Their responsibilities are the same either way.
Examples of data processors can include cloud service providers and payroll companies, for example. Data custodians and
data stewards are similar, but with some unique differences. Data custodians provide the technical environment in which
data is stored and transmitted. Data stewards are more focused on the data itself or the contents of the data, for example,
the quality of that data, what the data is being used for in the business, and things like that. To help us review the different
roles, just use the following scenario.
One of the common examples used to describe the various data roles involves a payroll system. Let's say your company
collects employee data that must be used for payroll. This can include employee address information to mail the checks,
bank information for transfers and deposits, and other personal information. The entity that uses the data is the data
controller and would be held accountable for the use or misuse of the data. So they are ultimately responsible. In this
scenario, it could be your company, HR department, or payroll department. The data controller will also determine how the
data will be processed. In this case, they may hire a third-party company to process payroll every two weeks. This third-
34

party company would be the data processor and must use the data in exactly the way the HR department
directs them to do so.
Without putting in their own measures to protect the data, the custodian will be the company IT department that provides
the servers and resources where the data is stored, along with any data at rest or data in transit encryption where the data
is stored or transmitted to the third-party company for processing. And the data steward may be someone in the payroll
department that verifies the salary, paydates, timesheets, etc. Okay, you may have noticed that we haven't talked about
the data owners yet, and we saved that one for last for a reason. In some ways, the concept of data ownership is the most
tricky part of them all. In many cases, people often confuse data subjects with the data owners. To keep them straight, just
35

remember this. If it is your personal data that's being handled, then you are the data subject.
That is important to remember because many laws, such as the GDPR, puts the emphasis on the data subject or protecting
the privacy rights of the data subject and providing additional rights, such as the right to be forgotten or to have your data
removed permanently upon request. These laws are usually focused heavily on making sure the data subjects retain
control and protection over their personal data, and companies that use their data are transparent about what they do
with it. Okay, then who owns the data once the data subject provides it to the company? Well, usually the person or
department that oversees the use of the data will be the data owner.
Okay, that was a lot of information about the elements of effective security governance. We went over policies,
procedures, standards, external considerations, and the various data roles and responsibilities. Please join me in the next
section where we'll discuss risk management.
Hi and welcome back, Next we will delve into the critical aspects of effective security governance, focusing on monitoring
and revision, as well as the various types of governance structures. Effective security governance is essential for ensuring
that security measures align with organizational objectives and adapt to evolving threats. We will discuss the importance
of monitoring and revision in maintaining robust security governance and explore different governance structures,
including boards, committees, government entities, and centralized/decentralized models. By the end of this lecture, you
will have a comprehensive understanding of these key elements and their roles in security governance.
So let’s start with
Monitoring and Revision
Monitoring and revision refer to the ongoing processes of evaluating security measures, assessing their effectiveness, and
making necessary adjustments to address emerging threats and changes in the organizational environment.
40

This is Important for several reasons including (list then description)

•Continuous Improvement: Ensures that security measures remain effective and up-to-date.
•Threat Adaptation: Allows for the identification and mitigation of new and evolving threats.
•Compliance: Helps maintain compliance with regulatory requirements and industry standards.
•Accountability: Ensures that security responsibilities are being met and documented.
Key Monitoring and Revision Activities include regular audits and assessments, continuous monitoring, and policy
and procedure revisions.
1. Regular Audits and Assessments
Audits and assessments involve systematic evaluations of security policies, procedures, and controls to ensure they are
effective and compliant with regulations.
41

They are Important to (list then descriptions)

•Identify Gaps: Helps identify weaknesses and areas for improvement.
•Verify Compliance: Ensures adherence to laws, regulations, and standards.
2. Continuous Monitoring
Continuous monitoring involves the real-time tracking of security events and system performance to detect and respond to
potential threats.
This provides (list then description)
42

•Early Detection: Identifies security incidents promptly, allowing for quick response.
•Ongoing Visibility: Provides continuous visibility into the security posture of the organization.
An Example would be
Implementing a Security Information and Event Management (SIEM) system to monitor network traffic and
detect anomalies.
3. Policy and Procedure Revisions
Revising policies and procedures involves updating security policies and operational procedures to reflect changes in the
threat landscape and organizational environment.
This helps to (list then descriptions)
43

•Stay Current: Ensures that policies remain relevant and effective.

•Adapt to Changes: Allows for adjustments in response to new technologies, threats, and business processes.
A good Example would be
Updating the incident response policy to include procedures for handling ransomware attacks, reflecting the
increase in such threats.
Ok next let’s cover the Types of Governance Structures
Starting with 1. Boards
Boards are formal bodies, such as boards of directors or advisory boards, responsible for overseeing and guiding an
organization's security strategy and policies.
Boards provide (list then descriptions)
45

•Strategic Oversight: Provides high-level oversight and strategic direction.

•Accountability: Holds the organization accountable for its security practices.
2. Continuous Monitoring
Continuous monitoring involves the real-time tracking of security events and system performance to detect and respond to
potential threats.
This provides (list then description)
46

•Early Detection: Identifies security incidents promptly, allowing for quick response.
•Ongoing Visibility: Provides continuous visibility into the security posture of the organization.
An Example would be
Implementing a Security Information and Event Management (SIEM) system to monitor network traffic and
detect anomalies.
The next term is committees. Committees are specialized groups within an organization that focus on specific aspects of
security governance, such as risk management or compliance. They are important because they provide focused expertise
and detailed oversight. They leverage specialized knowledge and expertise in specific areas and provide detailed oversight
as well as management of specific security functions.
The next type of structure is 3. Government Entities
Government entities are public sector organizations responsible for setting security regulations, standards, and guidelines that
organizations must follow.
They are especially Important in terms of (list then descriptions)
48

•Regulatory Compliance: Ensures that organizations comply with laws and regulations.
•Standardization: Provides standardized frameworks and best practices for security governance.
An Example would be
The National Institute of Standards and Technology (NIST) providing cybersecurity frameworks and guidelines
for organizations to follow.
So what about 4. Centralized/Decentralized Governance

Centralized Governance
Centralized governance involves a single, central authority responsible for managing and overseeing all security functions
within an organization.
The main benefits of this structure are (list then descriptions)
•Consistency: Ensures consistent application of security policies and procedures across the organization.
•Efficiency: Streamlines decision-making and resource allocation.
An Example would be
50

A central security team responsible for all cybersecurity initiatives and reporting to the Chief Information Security
Officer (CISO).
On the other hand there is Decentralized Governance
Decentralized governance involves distributing security responsibilities across various departments or units within the
organization.
The benefits of this type of structure include (list then descriptions)
•Flexibility: Allows for tailored security measures to meet the specific needs of different departments.
•Responsiveness: Enables quicker response to security issues at the departmental level.
An Example would be
52

Each department having its own security officer who reports to a central security committee.
So Conclusion
Effective security governance requires ongoing monitoring and revision to ensure that security measures remain effective and
up-to-date. Different governance structures, including boards, committees, government entities, and centralized/decentralized
models, play crucial roles in guiding and overseeing security initiatives. By implementing robust monitoring and revision
processes and adopting appropriate governance structures, organizations can enhance their security posture, manage risks
effectively, and ensure compliance with regulatory requirements.
Okay, now let's turn our attention to risk management.
When it comes to security governance, one of the most basic elements to understand is risk. So what is risk?
Risk is the potential for breach or loss to your organization. In simple terms, risk is basically the possibility that something
bad or something that we don't want to happen may happen.
We've already spent a lot of time covering many of the things that can happen and what can cause them. But no matter
what we do, there will remain a possibility that something we didn't think of could still happen. So we must always address
or manage our security risks.
The first parts of risk management that we'll cover are risk identification and risk assessment Risk can come in many
different forms and identifying those risks as the first part of addressing and managing them We've talked about the
various security risks throughout discourse,
and they can include a wide range of things such as insider threats, phishing, malware, application threats, equipment
that is not supported,
and even nontechnical things such as the lack of policies when granting access permissions, or ineffective user training,
for example Some or all of these may apply to your company, or you may have some unique risks due to your applications
or the way you do business
So how can you identify your risks?
There are several tools and methods such as performing vulnerability assessments, security audits, penetration testing,
participating in bug bounties, and more Any process that helps you point out problems in your system can be beneficial
When it comes to risk identification,
you also have formal risk assessment processes, which are structured and involve evaluating data that is collected using
any of the risk identification methods I just mentioned During the risk assessment process, you review all of the risks that
have been identified and determine how they can affect your organization These risk assessments can be done ad hoc,
which means after an incident has already occurred or as needed, for example, maybe a new threat has been identified
or some new malware is in the news and you wanna make sure your company is not exposed You may decide to do an ad
hoc risk assessment at that time The frequency can be one time, like after a new rollout or major project, for example, or
64

it can be continuous through the use of real time software and threat intelligence or a risk assessment can
be scheduled at regular intervals
Risk assessments also involve using what you've learned to prioritize the risks based on their potential impact and the
likelihood of them occurring It's not uncommon to uncover multiple risks during an assessment So this last part is
extremely important Which of the risks will you focus on addressing?
First, well, understanding which of them can cause the most damage and are most likely to occur can help you manage
your resources in addressing them
For example, a single computer being infected by malware may have a relatively small impact and could have a high
likelihood of occurring
But what if the malware infections spreads or becomes a ransomware attack? Then the severity is greatly increased and
could potentially bring your entire enterprise down if you aren't able to get to any of your files or pay the ransom
So even something that starts as a low risk should never be ignored because it could still grow into a major problem with
high impact
Risk analysis, however, are more formal processes and can be done in either a quantitative or qualitative manner.
Quantitive risk analysis involve putting a dollar amount on the risk. In other words, how much could this cost me or what
will be the financial impact if the risk were to occur?
Factors used in a quantitative risk analysis include the Single Loss Expectancy or SLE which is the amount of loss from a
single event. Annualized Rate of Occurrence which is how many times we expect this event to happen in a year. And once
you have the cost of a single event , the SLE, and the number of times it could occur in a year, the ARO, we can calculate
the Annualized Loss Expectancy which is the total cost of the risk that occurs over a year.
This dollar figure can help us determine whether certain mitigation options are viable. For example, if we calculate that a
certain risk will cost us $1million per year in loss but the cost to upgrade our systems will cost us $500 thousand dollars,
well then, the cost may be well justified.
A qualitative risk analysis is different because it doesn't use dollar figures but instead assigns a high, med, and low value to
our risks and is usually displayed using graphs and color charts to visually depict the severity of risks. It's more subjective
and oftentimes used when an organization doesn't have the time of dollar figures or metrics needed to perform a
quantitative risk analysis.
Hi and welcome back, next we will discuss the critical processes involved in risk management.
Effective risk management is essential for identifying, assessing, and mitigating risks that could impact an organization's
objectives and operations. Specifically, we will focus on the use of a risk register, key risk indicators, risk owners,
risk thresholds, and the concepts of risk tolerance and risk appetite. By the end of this lecture, you will have a better
understanding of these processes and how they contribute to a robust risk management strategy.
Let’ s start with
1. Risk Register
A risk register is a tool used to document and track risks, their potential impacts, and the actions taken to mitigate them.
It’ s Important for (list then description)
79

•Centralized Documentation: Provides a comprehensive view of all identified risks and their statuses.
•Accountability: Assigns responsibility for managing each risk.
•Monitoring: Facilitates the ongoing monitoring and review of risks.
The Key Components of a risk register are key risk indicators, risk owners, and the risk threshold.
a. Key Risk Indicators (KRIs)
Key Risk Indicators (KRIs) are metrics used to monitor the level of risk exposure and provide early warning signals of potential
issues.
They provide (list then descriptions)
•Early Detection: Helps identify emerging risks before they escalate.
•Quantifiable Metrics: Provides measurable indicators to assess risk levels.
Then we have b. Risk Owners
Risk owners are individuals or teams responsible for managing and mitigating specific risks.
Risk Owners provide (list then descriptions)
•Accountability: Ensures that each risk is actively managed and monitored.
•Responsibility: Clearly defines who is responsible for taking action on each risk.
An Example would be
84

Assigning the Chief Information Security Officer (CISO) as the risk owner for cybersecurity risks.
And the third component is the c. Risk Threshold
Risk threshold is the level of risk that an organization is willing to accept before taking action to mitigate it.
This is Important for (list then description)
•Decision-Making: Guides decision-making processes regarding when to escalate and address risks.
•Prioritization: Helps prioritize risks based on their potential impact.
Next let’s talk about 2. Risk Tolerance
Risk tolerance is the degree of variability in outcomes that an organization is willing to withstand in pursuit of its objectives.
Knowing the risk tolerance give us (list then descriptions)
•Flexibility: Defines the acceptable level of risk for different activities and decisions.
87

•Guidance: Provides guidance on how much risk can be taken in various scenarios.
For Example
An organization with high risk tolerance might invest in high-risk, high-reward ventures, while one with low risk
tolerance might prefer safer, more stable investments.
On the other hand we have 3. Risk Appetite
Risk appetite is the amount and type of risk an organization is willing to pursue or retain to achieve its strategic objectives.
This is Important for (list then descriptions)
•Strategic Alignment: Ensures that risk-taking aligns with the organization's strategic goals.
88

•Resource Allocation: Guides the allocation of resources to various risk management activities.
There are 3 Categories of risk appetite, expansionary, conservative, and neutral
a. Expansionary
Expansionary risk appetite is a high willingness to take on risk to achieve aggressive growth and expansion goals.
It’s Characteristics are (list then descriptions)
•High Growth: Pursues high-risk, high-reward opportunities.
•Innovative: Embraces new technologies and market ventures.
An Example would be
91

A tech startup investing heavily in R&D to develop groundbreaking products despite significant financial risks.
The next category is b. Conservative
Conservative risk appetite is a low willingness to take on risk, prioritizing stability and preservation of capital.
It’s Characteristics are (list then description)
•Low Risk: Focuses on maintaining stability and avoiding significant losses.
•Cautious: Prefers proven strategies and incremental growth.
An Example of this would be
93

A traditional manufacturing company focusing on steady, incremental improvements and cost-saving measures.
And the final category is c. Neutral
Definition
Neutral risk appetite balances risk and reward, aiming for steady growth while managing risks effectively.
Characteristics of this type are (list then descriptions)
•Balanced Approach: Weighs potential risks against rewards.
•Moderate Growth: Pursues opportunities with a balanced risk-reward profile.
A good Example would be
95

A mid-sized business expanding into new markets while maintaining a strong focus on risk management and
compliance.
It’s also possible to Integrating Risk Management Processes for example you could (list then descriptions)
1.Establish a Risk Register: Document all identified risks, including KRIs, risk owners, and risk thresholds.
2.Define Risk Tolerance and Appetite: Clearly articulate the organization's risk tolerance and appetite to guide decision-
making.
96

3. Assign Risk Owners: Designate individuals responsible for managing and mitigating each risk.
4.Monitor and Review: Continuously monitor risks using KRIs and review the risk register regularly.
5.Adjust Strategies: Update risk management strategies based on changing conditions and risk assessments.
Here’s an Example Scenario
Consider an organization assessing the risk of a major data breach:
6.Risk Register: Document the risk of a data breach, including potential impacts and mitigation strategies.
7.Key Risk Indicator (KRI): Number of attempted unauthorized access incidents per month.
97

8. Risk Owner: Chief Information Security Officer (CISO).

9.Risk Threshold: No more than 5 attempted unauthorized access incidents per month.
10.Risk Tolerance: Medium – willing to accept some level of risk but requires strong mitigation measures.
11.Risk Appetite: Neutral – balancing the need for security with the need for operational efficiency.
So in Conclusion
Effective risk management involves understanding and integrating key processes such as maintaining a risk register, defining
risk tolerance and appetite, and assigning risk owners. By implementing these processes, organizations can identify, assess,
and mitigate risks effectively, ensuring alignment with strategic goals and maintaining resilience in the face of uncertainties.
And finally we have Risk Management Strategies which are ways to address the risks we've identified. The 4 Risk
Management Strategies are transfer, accept, avoid, and mitigate.
An example of risk transfer would be insurance. For example some companies purchase ransomware insurance to help pay
the cost of a ransom if an attack were to happen.
In doing so they are transferring the risk to a third party, in this case the insurance company who will pay if an attack
happens.
Sometimes a company may decide to accept a risk, this can sometimes happen if the cost to mitigate the risk is deemed
too costly or if the system or application related to the specific risk isn't considered mission critical.
Risks can also be avoided by not using the technology, system, or process that could be exploited and finally we could take
steps to mitigate or address the risk.
For example, maybe we add a Web Application Firewall to identify and mitigate SQL injection attacks along with other
steps such as input validation and code reviews. This is intended to reduce the likelihood or prevent the risk from
happening.
To further illustrate how Risk Management works let's imagine a scenario where you are in a car, dressed in your best suit
or dress and heading to an important event where you will be the guest of honor or receiving a very prestigious award
where they will be taking a lot of pictures of you.
But you have to make a quick stop to the store to pick something up before you arrive at the event. Now imagine a heavy
rainstorm suddenly starts before you get out of the car to walk up to the store.
Getting out in this rain will get you wet and may ruin your appearance.
You know that if you get out of the car in the middle of this rainstorm you will get wet and it may ruin
your appearance. That is the risk. Now let's go through our options. You could Avoid the risk by not going into the store
and foregoing whatever it is we were going to buy. You could Accept the risk and get out of the car anyway knowing that
you will get wet and your clothes and hair possibly ruined before your big event. You could mitigate the risk by using an
umbrella or if you don't have one possibly something else to protect you from the rain. and what about Risk transfer? How
would you transfer the risk? Well maybe there is another person in the car that volunteers to go into the store for you and
109

get wet from the rain instead. In that case they would take on the possibility of getting wet and you transfer
the risk to them instead.
Okay, now let's review another important process called the Business Impact Analysis or BIA. The Business Impact Analysis
helps companies understand the potential impact of disruptions to their business.
Remember the CIA triad and remember what the A stands for?
That's right, availability, and this is By doing a BIA, a company can develop plans for recovering from certain types of events
and therefore minimize the impact when they do occur. For example, if a DDoS attack were to occur or if the company
were to experience an outage on their internet connection, how would they recover? Well, maybe they prepared for this by
proactively implementing failover or highly available systems that can quickly restore functionality. the area the Business
Impact Analysis is focused on. The BIA involves several important terms that we must know. Some of these we discussed in
other sections, but let's briefly cover them again.
The first term, the first term is the Recovery Point Objective or RPO. This is the maximum amount of data your
organization can lose and still function.
To better understand the RPO, think of it in terms of your backups. In other words, if your organization were to be
impacted by a ransomware attack right now or lose all of your data right now, how could you recover from your backups?
Could you recover from your backups? How often do you do your backups?
If you say every day, well, that means you could lose up to one day of your data during the event because the earliest
backup you could recover from is yesterday's backup. If you do backups once a week, then you'll lose a week's worth of
data and so on. So how much data loss can your organization tolerate? Well, that's your RPO, and that's how often you
should be doing your backups.
The next term is RTO, which stands for Recovery Time Objective. That's the maximum amount of time it will take to restore
an application or system from an interruption. This shouldn't be confused with the RTTR, which is the average time it takes
you to recover from a failure.
The RTO is the maximum time that is tolerable, just like the RPO is the maximum amount of data that's tolerable. Repeat.
The RTO is the maximum downtime that is tolerable, just like the RPO is the maximum amount of data loss that's tolerable
to your business.
And finally, we have the MTBF, which is the mean time between failures, which is the average amount of time your system
stays up between failures.
Comprehensive security governance should not only include a full evaluation of your own company's systems, but also of
your vendors.
There have already been several well-known examples of bad actors gaining access to a company's systems or data by
compromising one of their vendors first and then using that access to enter their primary target company.
After all, doing business with your vendors usually involves setting up connectivity to them and then trusting them with
access to exchange information. So, assessing your vendors must be included in security governance, and in some
industries is a requirement.
So, how do you assess your vendors' systems and networks when you don't own them?
Well, there are several methods and techniques that we'll discuss here. The first is through penetration testing. You can
either perform penetration testing or request evidence from your vendor that they have had penetration testing
conducted on their own. These tests can identify potential vulnerabilities before bad actors discover and exploit them.
Oftentimes, penetration testing will involve the same types of tests that are performed in the early reconnaissance phases
of a real attack. So, they're really valuable in showing what an outsider would see. This can also help prove whether a
vendor's security controls are effective or not.
The next thing we'll cover is the right to audit clause that can be included in your vendor agreements. This legally gives
your company the authority to conduct audits and assessments on that particular vendor. These are intended to help you
evaluate whether a vendor is in compliance with any regulations or requirements that they've agreed to adhere to. In the
same way that federal agencies will often audit companies to validate that they are in compliance,
you can also audit your vendors either yourself or through the use of third-party independent auditors working on your
behalf.
Evidence of internal audits is another important component of due diligence, as are independent assessments that have
been completed by third parties. And finally, a thorough supply chain analysis can be conducted to include an end-to-end
review of all the interconnected systems and networks that are involved in making, distributing, and delivering goods or
services. A supply chain analysis should include all of the vendors that are part of the product ecosystem, including
suppliers, manufacturers, transporters, retailers, and more. This will help to identify any weak links or potential security
issues in the supply chain.
Hi and welcome back, next we will discuss the essential processes associated with third-party risk assessment and
management. With organizations increasingly relying on third-party vendors for various services and products, managing
the risks associated with these relationships is crucial. We will focus on three key processes: vendor monitoring,
questionnaires, and rules of engagement.
So let’s start with
1. Vendor Monitoring
Definition
Vendor monitoring is the ongoing process of assessing and evaluating a vendor’s performance, security practices, and
133

compliance with contractual obligations.

This provides (list then description)
•Continuous Assurance: Ensures that vendors continue to meet the organization’s security and performance
standards over time.
•Early Detection: Identifies potential issues early, allowing for timely intervention.
•Accountability: Holds vendors accountable for maintaining agreed-upon standards.
Key Activities in Vendor Monitoring include performance reviews, security audits, and continuous monitoring

a. Performance Reviews
Means Regularly reviewing the vendor’s performance against predefined metrics and service level agreements (SLAs).
134

These are Important to (list then descriptions)

•Ensure Quality: Ensures that the vendor consistently delivers high-quality services.
•Identify Gaps: Identifies any deviations from expected performance and addresses them promptly.
An Example would be
Conducting quarterly performance reviews with a cloud service provider to assess uptime, response times, and
support quality.
a. Performance Reviews
Means Regularly reviewing the vendor’s performance against predefined metrics and service level agreements (SLAs).
These are Important to (list then descriptions)
•Ensure Quality: Ensures that the vendor consistently delivers high-quality services.
135

•Identify Gaps: Identifies any deviations from expected performance and addresses them promptly.
An Example would be
Conducting quarterly performance reviews with a cloud service provider to assess uptime, response times, and
support quality.
b. Security Audits
Definition
This involves Conducting regular security audits to evaluate the vendor’s security controls and practices.
Doing regular security audits helps (list then description)
136

•Ensure Security: Ensures that the vendor maintains robust security measures to protect sensitive data.
•Compliance: Verifies compliance with regulatory and contractual security requirements.
A good Example would be
Performing an annual security audit of a vendor handling sensitive customer data to ensure compliance with data
protection regulations.
And we should also include
c. Continuous Monitoring
Which means Using tools and technologies to continuously monitor the vendor’s security posture and performance.
This will provide (list then description)
137

•Real-Time Awareness: Provides real-time visibility into the vendor’s security status and performance.
•Proactive Management: Allows for proactive management of potential risks.
An Example would be
Implementing a continuous monitoring solution to track a vendor’s network security, detecting any anomalies or
vulnerabilities.
Next let’s talk about 2. Questionnaires
Questionnaires are structured sets of questions sent to vendors to gather information about their security practices, policies, and
compliance with relevant standards.
They provide (list then description)
138

•Detailed Insight: Provides detailed insights into the vendor’s security posture and risk management practices.
•Standardized Assessment: Offers a standardized method for assessing multiple vendors.
The Key Components to keep in mind for questionnaires are around security practice, compliance, and risk management,
a. Security Practices
are Questions related to the vendor’s security policies, procedures, and controls.
They are important because the help us
•Understand Security Posture: Helps assess the robustness of the vendor’s security measures.
140

For Example
You could Include questions about data encryption, access controls, and incident response procedures in the
questionnaire.
Questions about b. Compliance also important
These are Questions related to the vendor’s compliance with relevant laws, regulations, and standards.
Ther are important to
•Ensure Compliance: Ensures that the vendor complies with applicable legal and regulatory requirements.
141

An Example would be
Including questions about GDPR compliance, industry-specific standards, and certification status.
And then there is also c. Risk Management
Questions related to the vendor’s risk management practices and policies.
These help us to
•Assess Risk Management: Assesses the vendor’s ability to identify, assess, and mitigate risks.
142

A good Example would be

Including questions about risk assessment processes, risk mitigation strategies, and incident history.
The next third party process we’ll talk about are called 3. Rules of Engagement
Rules of engagement are the formal guidelines and protocols that govern the interactions and expectations between the
organization and its vendors.
They are Important because they provide (list then descriptions)
143

•Clear Expectations: Sets clear expectations for both parties.

•Structured Interaction: Provides a structured approach for managing vendor relationships.
•Risk Management: Helps manage risks by defining acceptable behaviors and actions.
The Key Elements of the Rules of Engagement are contract obligations, communication protocols, and security
requirements
a. Contractual Obligations
are Clearly defined contractual obligations that the vendor must adhere to.
They are Important for (line by line)
•Legal Protection: Provides legal protection for the organization.
145

•Accountability: Ensures that the vendor is accountable for fulfilling their obligations.
An Example would be
Including clauses in the contract that specify data protection requirements, service levels, and penalties for non-
compliance.
b. Communication Protocols
Protocols for communication between the organization and the vendor.
They allow for (line by line)
•Effective Communication: Ensures effective communication and collaboration.
146

•Issue Resolution: Facilitates timely resolution of issues and concerns.

For Example you could
Establish regular meetings and reporting requirements to ensure ongoing communication and issue resolution.
And you should also include c. Security Requirements
Specific security requirements that the vendor must meet.
This
• Helps mitigate security risks by ensuring the vendor meets specified security standards.
147

For Example you could

Require the vendor to implement multi-factor authentication, conduct regular security training, and maintain up-to-
date security certifications.
So in Conclusion
Effective third-party risk assessment and management are crucial for ensuring that external vendors and service providers meet
the organization’s security and performance standards. By implementing robust processes for vendor monitoring, utilizing
detailed questionnaires, and establishing clear rules of engagement, organizations can mitigate risks, ensure compliance, and
foster successful vendor relationships.
148

Thank you
Okay, next we'll talk about security compliance.
Compliance involves determining whether an organization is adhering to regulations, standards, and best practices that
are aimed at protecting sensitive information, minimizing risk, and guaranteeing the confidentiality, integrity, and
availability of data.
Effective compliance means establishing and enforcing security policies, procedures, controls, and using technology that
can help the organization to successfully align with the mandates stipulated by regulatory authorities and to meet their
legal responsibilities. So what could happen if a company does not comply with or is found to be non-compliant? Well,
failure to comply with the appropriate laws and regulations could lead to significant repercussions for the organization.
The consequences can be different depending on the jurisdiction and which specific regulation was breached.
Some of the typical outcomes of non-compliance could include legal penalties such as fines, they could be found liable by a
court of law, they can experience damage to their reputation, and an erosion of customer trust. Sanctions are one of the
measures that can be reinforced by regulatory bodies or authorities in response to violations of laws or regulations. They
can include hefty fines imposed by regulatory agencies, which could reach into the millions or billions of dollars, depending
on the severity of the breach. There could also be legal actions initiated by other organizations or individuals or potentially
data subjects that could result in expensive lawsuits and settlements. A company's reputation could also be damaged as a
152

result of non-compliance and could lead to lost business opportunities and affect future earnings.
In addition, non-compliant organizations could face increased regulatory scrutiny such as investigations, more frequent
audits, or mandatory corrective actions. To avoid these risks, organizations must be sure to prioritize compliance with any
applicable regulations, implement strong security measures, conduct regular risk assessments, and stay informed about
any evolving legal requirements in their industry.
Hi and welcome back, in this lesson we will explore the critical topic of privacy, focusing on its legal implications and key
concepts. In an era where data is an invaluable asset, understanding privacy and its associated legal requirements is
essential for both individuals and organizations. We will discuss legal implications at local, national, and global levels, and
delve into important concepts such as the data subject, controller vs. processor, ownership, data inventory and retention,
and the right to be forgotten. By the end of this lecture, you will have an understanding of privacy and how to manage it
effectively.
So let’s start with the Legal Implications of privacy
Starting with 1. Local/Regional
Local or regional privacy laws are regulations enacted by state or regional authorities to protect the personal data of residents
within their jurisdictions.
(descriptions only)
•Compliance: Organizations must comply with local laws to avoid legal penalties.
•Tailored Protection: Addresses specific privacy concerns and needs of local populations.
An Example would be
158

The California Consumer Privacy Act (CCPA) which is a regional privacy law that grants residents in the state of
California specific rights regarding their personal data.
2. National
National privacy laws are regulations enacted by a country to protect the personal data of its citizens..
They provide (descriptions only)
•Uniform Standards: Provides a consistent framework for data protection across the country.
•Legal Compliance: Organizations operating within the country must adhere to these laws.
An Example is
160

The General Data Protection Regulation (GDPR) is a comprehensive privacy law in the European Union that applies
to all member states.
And there are also 3. Global privacy laws
Global privacy regulations encompass international agreements and standards that aim to protect personal data across multiple
countries.
They’re Important in the areas of (list then descriptions)
•Cross-Border Data Transfers: Facilitates the protection of personal data in international contexts.
•Global Compliance: Multinational organizations must comply with various international standards.
An Example is
162

The Privacy Shield Framework between the EU and the US facilitates compliant data transfers between these
regions.
Next let cover some Key Concepts in Privacy
Starting with 1. Data Subjects
A data subject is an individual whose personal data is collected, stored, or processed by an organization.
Knowing the data subject is Important to ensure (descriptions only)
•Rights Protection: Ensuring the rights and privacy of individuals are protected.
•Consent and Control: Empowering individuals to control how their data is used.
For Example
165

An employee whose personal information is stored in an HR database is a data subject.

So what about the 2. Controller vs. Processor
Controller
A data controller determines the purposes and means of processing personal data.
Processor
166

A data processor processes data on behalf of the controller.

•Different legal obligations apply to controllers and processors.
For Example
A company (controller) that collects customer data and uses a third-party service (processor) to analyze that data.
Next let’s talk about 3. Ownership
Ownership in the context of data refers to the legal rights and control over personal data.
It’s Important because it (descriptions only)
•Control: Determines who has the authority to make decisions about data usage.
•Accountability: Establishes accountability for data protection and management.
For Example
168

A user owns the data they generate on a social media platform and can control its visibility and usage.
Next we have 4. Data Inventory and Retention
Data Inventory
A comprehensive record of all personal data assets within an organization.
Data Retention
169

Policies and practices for how long personal data is stored and when it is deleted.
They help us with (list then descriptions)
•Data Management: Ensures accurate and up-to-date records of data assets.
•Compliance: Helps comply with legal and regulatory requirements for data retention and disposal.
An Example would be
170

Maintaining an inventory of customer data and setting a retention period of five years after the last transaction.
And the last term is the 5. Right to Be Forgotten
Definition
The right to be forgotten, or the right to erasure, allows individuals to request the deletion of their personal data.
This is Important for (list then descriptions)
•Privacy Control: Empowers individuals to have their data removed from databases and systems.
•Legal Compliance: Organizations must comply with requests unless there are overriding legal grounds to retain the data.
An Example would be
172

A former customer requests the deletion of their personal data from a company’s database.
So in Conclusion
Understanding and managing privacy is crucial for organizations in the digital age. Legal implications at local, national, and global
levels must be considered, and key concepts such as the data subject, controller vs. processor, ownership, data inventory and
retention, and the right to be forgotten must be thoroughly understood. By implementing effective privacy practices, organizations
can protect individual rights, comply with legal requirements, and maintain trust with their customers and stakeholders.
173

Thank you
And next we come to external audits. As we said before, audits are related to compliance to regulations.
Regulatory authorities conduct evaluations to verify whether a company is adhering to particular laws and regulations.
They can typically include inspections, reviews of procedures, practices, and most importantly, a thorough review of
security controls to confirm compliance, identify areas for improvement, and enforce regulatory responsibilities. They're
crucial for safeguarding public interest and protecting consumers.
In regulated sectors, they also mitigate risk, promote fair competition, and improve transparency and accountability. Just
as an internal audit involves assessments, so do external audits, and for the same reasons.
Assessments are a great tool for evaluating technology and processes against a set of metrics and measurements to
identify areas needed for improvement. In addition to a review of security controls, external audits can also involve
evaluating the accuracy and reliability of an organization's financial statements and processes.
Their purpose is to verify the accuracy of information and ensure compliance with any relevant laws, regulations, or
industry norms. These external audits are usually performed by independent third-party auditors.
Third-party audits that are conducted independently offer impartial and unbiased evaluations of an organization's systems,
controls, processes, and their adherence to regulations. They provide an unbiased external viewpoint.
When done correctly, they build trust among stakeholders, including the company's customers, business partners,
regulatory authorities, and investors by confirming that an organization is dedicated to quality, compliance, and effective
governance.
They also enable organizations to showcase their transparency, accountability, and alignment with industry standards and
regulations.
Penetration testing falls into the area of assessments and can be of various types, including unknown, known, and partially
known.
Unknown penetration test is when you give the tester full documentation of your environment or application and ask them to
identify any vulnerabilities. A known penetration test is when they perform the assessment without you providing any
documentation beforehand, and partially known involves providing some information, as the name implies.
Penetration testing is different from the vulnerability tests we talked about earlier in that they involve actually trying to exploit a
vulnerability to see if an attack is possible. For example, a vulnerability test may reveal that a server has outdated software
patches, but a penetration test may try to execute a buffer overflow attack to see if it's possible to compromise the server.
Penetration testing is very similar to the type of reconnaissance the bad actors perform in an early stage of an attack. It's
designed to gather information about your systems so that they know which types of attacks they may be open to.
Reconnaissance can be done in an active or passive manner. Active reconnaissance is intrusive and involves sending traffic
to a target system. Examples of active reconnaissance methods include port scanning, enumeration, which means to interact
with the services running on a host to gather information such as software versions and configuration details, and even
website crawling, among other things.
Reconnaissance can be done in an active or passive manner. Active reconnaissance is intrusive and involves sending traffic
to a target system. Examples of active reconnaissance methods include port scanning, enumeration, which means to interact
with the services running on a host to gather information such as software versions and configuration details, and even
website crawling, among other things.
Passive reconnaissance, on the other hand, can be done without engaging in the target systems directly. They usually involve
more research using tools and information, such as using open source intelligence or OSINT to collect publicly available
information, such as searching the web, who is database, to find out who owns a particular domain, for example. It can also
involve passively monitoring network traffic to identify IP addresses and ports, or even social media account monitoring and
social engineering.
As we've covered earlier, social engineering or hacking a human is one of the main attack vectors available today.
You can install all of the patches and implement all of the latest security equipment and a breach will still be possible
because of the humans that work for and with your organizations. So how do we address this issue?
When it comes to preparing and educating people about emerging security threats, user awareness training is the solution.
Using a diverse set of training techniques can help to improve retention and engagement from your employees.
These could include one-time workshops, events, mentoring, both group and individual training, and making resources
available online. Since user awareness training can include many important elements, let's cover some of them here. Users
should know where to find security-related policies and handbooks.
We said earlier that part of security governance involves creating policies such as the Acceptable Use Policy to help protect
the organization, and it's just as important that users readily know where to find them so they can adhere to the policies.
Repeat. We said earlier that part of security governance involves creating policies such as the Acceptable Use Policy to help
protect the organization, and it's just as important that users readily know where to find them so they can adhere to the
policies.
Situational awareness training emphasizes the importance of being vigilant, observing surroundings, and promptly
reporting any unusual or problematic incidents. This type of training can help to improve your users' ability to recognize
and respond to potential security threats early.
Insider threats are another important area to cover. Training employees to recognize signs of insider threats and to be
aware of the potential risks can be very effective and is often the best way to address them. Since passwords are
susceptible to compromise, they can sometimes be the weak line of defense.
Password management training can guide users on creating strong, unique passwords and implementing best practices for
securing and safeguarding passwords. It can also educate them on the importance of regularly updating passwords and
using multi-factor authentication. Using removable media can provide convenience for many users, but it also comes with
significant security risks. Therefore, removable media training should be included in security awareness training to educate
users about some of the risks, such as the potential for loss or theft that could lead to data breaches, as well as malicious
charging cables that are designed to provide unauthorized device access, among other things.
Social engineering training helps to raise awareness about common social engineering tactics employed by attackers, such
as phishing, pretexting, or baiting. It can be very effective at helping employees recognize and avoid falling victim to these
manipulations. Many of the well-known techniques repeat. It can be very effective at helping individuals recognize and
avoid falling victim to these manipulative and well-known techniques.
Rather than being seen as a one-time event or something done infrequently, security best practices should be
incorporated into day-to-day activities and remain consistent. Operational training is one way to focus on these types of
practices and could include things like physical security, securing workstations, classifying data, and securing
communications at all times.
And finally, we talk about remote access. Many companies provide remote or hybrid working for their employees. This also
comes with some inherent risks that can be reduced by including this topic in your user awareness training and discussing
things such as Wi-Fi security and maintaining data security when working remotely.
After developing and executing the training program, it's then important to evaluate its effectiveness both initially and
over time. Initial effectiveness involves evaluating the immediate influence the security awareness training had on its
participants.
You're basically looking for observable changes in behavior immediately following the completion of training. Evaluation
methods may include pre- and post-assessments, quizzes, and surveys designed to gauge participants' understanding of
security concepts before and after the training session. This can tell you how well the participants observed the training
content and whether they have integrated it into their behavior.
Recurring effectiveness, on the other hand, evaluates the long-term impact and sustainability of the security awareness
training. It examines whether participants have retained and are still applying the knowledge and skills they learned over
an extended period.
Both initial and recurring effectiveness...repeat...both initial and recurring assessments are important for evaluating the
impact of security awareness training comprehensively, while initial effectiveness measures...repeat...both initial and
recurring effectiveness assessments are important for evaluating the impact of security awareness training
comprehensively. While initial effectiveness measurements capture immediate outcomes and knowledge uptake, recurring
effectiveness evaluations ensure that the training contributes to enduring improvements in security practices and a
sustained culture of security awareness.
In addition to the pre- and post-training quizzes and exams, the evaluation can also include tracking incident-reported
metrics to look for any trends or patterns, conducting phishing simulations and campaigns.
As discussed earlier, observations and feedback from managers and supervisors about employees' security practices and
behaviors, metrics and performance indicators, such as tracking the number of reported incidents, the number of
password-related changes, and employee compliance with security policies. And then we can also track training
completion rates. And finally, we can also track training completion rates.
Visit www.kodekloud.com to learn more.