From the perspective of the CompTIA Security+ certification exam, Risk Management is a major domain. This article details the objectives of the Risk Management section of the Security+ certification exam. It should not be used as your only review resource, but rather as a brief refresher. For further information and guidance on all sections of the Security+ exam, please refer to the InfoSec Security+ Training Course and the Infosec Security+ Boot Camp, which can be found here and here, respectively.
Risk Management Outline
The following subtopics can be expected to be tested in the Risk Management section of the Security+ exam:
Importance of policies, plans, and procedures related to organizational security
Business impact analysis concepts
Risk management processes and concepts
Scenario-based incident response procedures
Basic concepts of forensics
Disaster recovery and continuity of operation concepts
Compare and contrast various types of controls
Scenario-based data security and privacy practices
Importance of Policies, Plans, and Procedures Related to Organizational Security
The broad scope of this subtopic means it is all-encompassing and will most likely appear throughout the Risk Management domain. Successful candidates will focus on an organization's standard operating procedures, agreement types (such as BPA, SLA, etc.), personnel management, and general security policies (such as social media and personal email policies).
Of these, personnel management is the most in-depth and will probably be covered the most. Candidates should be able to explain mandatory vacation, job rotation, separation of duties, clean desk policy, background checks, exit interviews, and role-based awareness training. Role-based awareness training can include anyone from a basic user to a system administrator.
Business Impact Analysis
Candidates are expected to explain business impact analysis. Those preparing will want to focus on Recovery Time Objective (RTO)/Recovery Point Objective (RPO), Mean Time Between Failures (MTBF), Mean Time to Repair (MTTR), identification of critical systems, mission-essential functions, and privacy impact/threshold assessment. Particular attention should be paid to the impact itself, which can include life, property, safety, financial, and reputation.
Risk Management Process and Concepts
Risk management process and concepts is a core subtopic of this part of the Security+. The three major areas that candidates will have to explain, from heaviest to least weight, are Risk assessment, Threat assessment, and Change management.
Risk assessment covers Single-loss expectancy (SLE), Annual-loss expectancy (ALE), Annual rate of occurrence (ARO), Asset value, Risk register, Supply chain assessment, and Likelihood of occurrence. Also included are Qualitative and Quantitative Risk Assessment as well as Vulnerability and Penetration testing authorization.
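The quantitative terms above fit together as SLE = asset value × exposure factor and ALE = SLE × ARO; a risk register is then just the list of those entries ranked by ALE. The following is an added worked example (not part of the original article) that computes these values for a small constructed set of assets, ranks them into a register, compares ALE before and after a control to decide whether the control pays for itself, and shows a simple qualitative likelihood-times-impact scale alongside. The asset values, exposure factors, AROs, control cost and the qualitative thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskEntry:
    """One row of a risk register (quantitative form)."""
    asset: str
    asset_value: float      # AV: replacement/business value of the asset
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0-1.0)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single-loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual(ized) loss expectancy: expected loss per year."""
        return self.sle() * self.aro


# Constructed sample assets (assumed figures, not real data).
SAMPLE_ENTRIES = [
    RiskEntry("file server",      asset_value=100_000, exposure_factor=0.25, aro=0.5),
    RiskEntry("customer web app", asset_value=200_000, exposure_factor=0.10, aro=2.0),
    RiskEntry("laptop fleet",     asset_value=50_000,  exposure_factor=0.20, aro=3.0),
]


def build_risk_register(entries):
    """Rank entries by ALE, highest first; this is the order a register is usually reviewed in."""
    return sorted(entries, key=lambda e: e.ale(), reverse=True)


def control_value(entry: RiskEntry, annual_control_cost: float, residual_aro: float) -> float:
    """Net annual value of a control that lowers the entry's ARO to residual_aro.

    Positive means the control saves more than it costs; negative means it does not.
    """
    ale_before = entry.ale()
    ale_after = entry.sle() * residual_aro
    return ale_before - ale_after - annual_control_cost


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative assessment on an assumed 1-5 likelihood x 1-5 impact scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    for e in build_risk_register(SAMPLE_ENTRIES):
        print(f"{e.asset:18s} SLE={e.sle():>10,.0f}  ALE={e.ale():>10,.0f}")
    web = SAMPLE_ENTRIES[1]
    # Assumed control: a WAF costing 15,000/yr that cuts the web app ARO from 2.0 to 0.5
    print("WAF net value per year:", control_value(web, 15_000, 0.5))
    print("Qualitative rating (likelihood 4, impact 4):", qualitative_rating(4, 4))
```

Running the script ranks the web app first (ALE 40,000), then the laptop fleet (30,000), then the file server (12,500); the assumed control is worth 15,000 a year net, which is the kind of cost-benefit comparison the exam expects you to reason through.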
Passing candidates will also have to explain Threat assessment. This includes explaining both environmental and man-made threat assessment and the differences between internal and external threat assessment.
Incident Response Procedures
Given a scenario, candidates will have to explain the incident response procedures that are appropriate. This includes both Incident response plans and the Incident response process.
Regarding Incident response plans, you will have to explain documenting an incident (types/category definitions), roles/responsibilities, reporting requirements, and Cyber-incident response teams. The Incident response process includes Preparation, Identification, Eradication, Containment, and Recovery.
Basic Concepts of Forensics
There is considerable overlap between Risk Management and Forensics, so logically it is covered by the Security+ exam. Forensics includes Chain of custody, Legal hold, Order of volatility, data acquisition methods, and Preservation. Data recovery and Strategic intelligence/Counterintelligence gathering will also be covered.
Disaster Recovery and Continuity of Operation Concepts
Organizations highly value a good disaster recovery/continuity of operation plan, and as such the concepts behind carrying out these functions are also tested. Covered Disaster recovery material includes the different types of Recovery sites (Hot, Warm, and Cold sites), Order of restoration, Backup concepts (Differential, Incremental, Full, etc.), and Geographic considerations.
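The backup concepts and order of restoration named above are easiest to see by simulating them. The following is an added example (not from the original article) that models one full backup followed by three days of changes, builds the daily backup sets under an incremental and a differential strategy, and shows both the restore chain each strategy needs and how much data each daily set carries. The files, their versions and the day-by-day change sets are constructed for illustration.

```python
# Constructed baseline captured by the Sunday full backup: file -> version
FULL_BASELINE = {"a.txt": "v0", "b.txt": "v0", "c.txt": "v0"}

# Constructed daily change sets after the full backup (day 1 = Monday, ...)
DAILY_CHANGES = [
    {"a.txt": "v1"},                 # day 1
    {"b.txt": "v1"},                 # day 2
    {"a.txt": "v2", "c.txt": "v1"},  # day 3
]


def make_backups(strategy: str):
    """Return the backup sets: index 0 is the full, index d is the day-d backup.

    incremental: each set holds only what changed since the previous backup.
    differential: each set holds everything changed since the last full.
    """
    sets = [dict(FULL_BASELINE)]
    since_full = {}
    for changes in DAILY_CHANGES:
        if strategy == "incremental":
            sets.append(dict(changes))
        elif strategy == "differential":
            since_full.update(changes)
            sets.append(dict(since_full))
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return sets


def restore_chain(strategy: str, up_to_day: int):
    """Order of restoration: which sets to apply, and in what order, to reach up_to_day."""
    if strategy == "incremental":
        return list(range(0, up_to_day + 1))          # full, then every incremental
    if strategy == "differential":
        return [0] if up_to_day == 0 else [0, up_to_day]  # full, then only the latest differential
    raise ValueError(f"unknown strategy: {strategy}")


def restore(strategy: str, up_to_day: int):
    """Apply the restore chain in order and return the recovered file state."""
    sets = make_backups(strategy)
    state = {}
    for idx in restore_chain(strategy, up_to_day):
        state.update(sets[idx])   # later sets overwrite earlier versions
    return state


def expected_state(up_to_day: int):
    """Ground truth: the live system after up_to_day days of changes."""
    state = dict(FULL_BASELINE)
    for changes in DAILY_CHANGES[:up_to_day]:
        state.update(changes)
    return state


def backup_volume(strategy: str):
    """Number of files stored in each backup set, full first."""
    return [len(s) for s in make_backups(strategy)]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, "chain to day 3:", restore_chain(strategy, 3),
              "volumes:", backup_volume(strategy),
              "restore correct:", restore(strategy, 3) == expected_state(3))
```

The output makes the trade-off concrete: incremental backups are smallest each day but the restore needs the full plus every incremental in sequence, while differential backups grow each day but restore from just the full and the latest differential.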
Continuity of Operation planning concepts will also be tested. These concepts include After-action reports, Failover, Alternate business practices, and Alternate processing sites. Real-world application of this knowledge will also have to be demonstrated with exercises.
Risk Management Controls
Security+ candidates will be required to compare and contrast various types of Risk Management controls. These controls include Deterrent, Preventive, Detective, Corrective, and Administrative just to name a few. Since comparing and contrasting normally does not use much scenario-based knowledge application, I would not expect to see that question type regarding Risk Management controls.
Scenario-Based Data Security and Privacy Practices
Saving the best for last, my personal favorite section of Security+ Risk Management is Scenario-based data security and privacy practices. Given a scenario, candidates will have to carry out the following real-world data security and privacy practices: Data destruction and media sanitization (Burning, Shredding, Purging, Wiping, etc.), Data sensitivity labeling and handling (including private, confidential, PHI, etc.), Data roles, Data retention, and Legal/Compliance. Being a seasoned healthcare IT professional, I can say that these practices are used in healthcare organizations daily and are a great area to test competency.