CompTIA Security+ Study Guide (SY0-401) Chapter 11: Security Administration
Chapter 11: Security Administration
Objectives:
Summarize the security implications of integrating systems and data with third parties.
Explain the importance of security-related awareness and training.
Given a scenario, select the appropriate control to meet the goals of security.
Summarize mobile security concepts and technologies.
Compare and contrast alternative methods to mitigate security risks in static environments.
Third-Party Integration
Transitioning
Ongoing Operations
Providing Education and Training
An organization's training and educational programs need to be tailored for at least three different audiences:
The organization as a whole (the so-called rank-and-file employees)
Management
Technical staff
Training Topics
Clean Desk Policy
Compliance with Laws, Best Practices, and Standards
Data Handling
Dealing with Personally Owned Devices
Personally Identifiable Information
Preventing Tailgating
Safe Internet Habits
Smart Computing Habits
Social Networking Dangers
The Need for All Computing to Be Safe
The Value of Strong Passwords
Understanding Data Labeling and Handling
What to Do When Disposing of Old Media
Responding to Hoaxes
Classifying Information
Three primary categories of information:
Public Use
Internal Use
Restricted Use
Private Information is information intended only for use within the organization. It is divided into two levels:
Internal Information includes personnel records, financial working documents, ledgers, customer lists, and virtually any other information needed to run the business.
Restricted Information could seriously damage the organization if disclosed. It includes proprietary processes, trade secrets, strategic information, and marketing plans, and it is shared only on a need-to-know basis.
Information Access Controls
Access control defines the methods used to ensure that users of your network can access only what they are authorized to access. Three principles underpin it:
Implicit deny: any access that is not explicitly permitted is denied by default.
Least privilege: users and processes receive only the access their job requires, and nothing more.
Job rotation: staff move between roles so that no single person retains unchecked control of a function, which also makes irregularities more likely to be noticed.
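The following is an added example, not code from the study guide, showing what implicit deny and least privilege look like when written as an authorization check. The role, resource and action names, and the sample requests, are hypothetical and constructed for the illustration. It contrasts a default-deny allowlist with a default-allow denylist: a resource that nobody thought to write a rule for is blocked by the first and silently permitted by the second.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request: who (by role), what, and which action."""
    role: str
    resource: str
    action: str


# Hypothetical least-privilege allow rules: each role is granted only the
# actions its job needs. Anything not listed here is implicitly denied.
ALLOW_RULES = {
    ("clerk", "ledger", "read"),
    ("clerk", "customer_list", "read"),
    ("accountant", "ledger", "read"),
    ("accountant", "ledger", "write"),
    ("hr", "personnel_records", "read"),
    ("hr", "personnel_records", "write"),
}

# Hypothetical denylist for comparison: a default-allow design in which only
# the combinations someone remembered to forbid are blocked.
DENY_RULES = {
    ("clerk", "personnel_records", "read"),
    ("clerk", "ledger", "write"),
}


def is_allowed_implicit_deny(req: Request) -> bool:
    """Allow only when an explicit allow rule matches (default deny)."""
    return (req.role, req.resource, req.action) in ALLOW_RULES


def is_allowed_default_allow(req: Request) -> bool:
    """Allow unless an explicit deny rule matches (default allow; shown
    only to illustrate the weaker model, not as a recommendation)."""
    return (req.role, req.resource, req.action) not in DENY_RULES


def compare(requests):
    """Evaluate each request under both models; returns
    [(request, implicit_deny_result, default_allow_result), ...]."""
    return [
        (r, is_allowed_implicit_deny(r), is_allowed_default_allow(r))
        for r in requests
    ]


# Constructed sample requests. The last one targets a resource that was added
# after the rules were written, so no rule of either kind mentions it.
SAMPLE_REQUESTS = [
    Request("clerk", "ledger", "read"),
    Request("clerk", "ledger", "write"),
    Request("clerk", "personnel_records", "read"),
    Request("accountant", "ledger", "write"),
    Request("clerk", "trade_secrets", "read"),
]


def unanticipated_leaks(requests):
    """Requests that the default-allow model permits but the
    implicit-deny model blocks: the gap a denylist leaves open."""
    return [r for r, strict, loose in compare(requests) if loose and not strict]


if __name__ == "__main__":
    print(f"{'request':45} implicit-deny  default-allow")
    for req, strict, loose in compare(SAMPLE_REQUESTS):
        label = f"{req.role}:{req.action}:{req.resource}"
        print(f"{label:45} {str(strict):13}  {loose}")
    print("leaked by default-allow only:",
          [f"{r.role}:{r.action}:{r.resource}" for r in unanticipated_leaks(SAMPLE_REQUESTS)])
```

The `trade_secrets` request is the point of the comparison: the denylist was written before that resource existed, so default-allow grants the clerk access, while the allowlist denies it without anyone having to update a rule. Least privilege shows up in the shape of `ALLOW_RULES` itself, where a clerk can read the ledger but only the accountant role can write it.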
Complying with Privacy and Security Regulations
Regulatory and governmental requirements are key inputs to a security management policy. As a security professional, you must stay current with these laws because you are one of the primary agents responsible for ensuring compliance.
Regulations
Health Insurance Portability and Accountability Act (HIPAA): mandates national standards and procedures for the storage, use, and transmission of personal medical information.
Gramm-Leach-Bliley Act (GLBA): also known as the Financial Modernization Act of 1999; requires financial institutions to develop privacy notices and to notify customers of their privacy rights.
Computer Fraud and Abuse Act (CFAA): makes unauthorized access to protected computers a federal crime and gives federal authorities, primarily the FBI, the jurisdiction to investigate and prosecute hackers, spammers, and similar offenders.
Family Educational Rights and Privacy Act (FERPA): dictates that educational institutions may not release student information to unauthorized parties without the express permission of the student or, in the case of a minor, the student's parents.
Computer Security Act of 1987: requires federal agencies to identify and protect computer systems that contain sensitive information.
Cyberspace Electronic Security Act (CESA): a 1999 bill, proposed but never enacted, that would have given law enforcement the right to gain access to encryption keys and cryptographic methods.
Cyber Security Enhancement Act of 2002: gives federal agencies relatively easy access to ISPs and other data-transmission facilities to monitor the communications of individuals suspected of committing computer crimes over the Internet.
USA PATRIOT Act: gives the U.S. government broad latitude, including expanded surveillance and records-access powers, in pursuing those suspected of terrorist acts.
Mobile Devices
BYOD Issues
Alternative Methods to Mitigate Security Risks
Control redundancy and diversity
SCADA (Supervisory Control and Data Acquisition)