Security+ concepts: Risk Management [updated 2021]
Risk management is a major part of the CompTIA Security+ certification exam, so a refresher on the topic is worthwhile. For further information and guidance on all sections of the Security+ exam, refer to the Infosec Security+ training course and the Infosec Security+ Boot Camp.
Risk management outline
The following subtopics can be expected to be tested in the risk management section of the Security+ exam:
- Importance of policies, plans and procedures related to organizational security
- Business impact analysis concepts
- Risk management processes and concepts
- Scenario-based incident response procedures
- Basic concepts of forensics
- Disaster recovery and continuity of operation concepts
- Compare and contrast various types of controls
- Scenario-based data security and privacy practices
Importance of policies, plans and procedures related to organizational security
This subtopic is deliberately broad, so expect it to surface throughout the risk management domain rather than in one isolated set of questions. Successful candidates will focus on an organization's standard operating procedures, agreement types (such as a business partnership agreement (BPA), service-level agreement (SLA), interconnection security agreement (ISA) and memorandum of understanding (MOU)), personnel management and general security policies (such as social media and personal email policies).
Of these, personnel management is the most in-depth and will probably be covered the most. Candidates should be able to explain mandatory vacation, job rotation, separation of duties, clean desk policy, background checks, exit interviews and role-based awareness training. Role-based awareness training can include anyone from a basic user to a system administrator.
Business impact analysis
Candidates are expected to explain business impact analysis. Those preparing will want to focus on recovery time objective (RTO), recovery point objective (RPO), mean time between failures (MTBF), mean time to repair (MTTR), identification of critical systems, mission-essential functions and privacy impact/threshold assessments. Pay particular attention to the impact itself, which can be to life, property, safety, finances or reputation.
Risk management process and concepts
Risk management process and concepts is a core subtopic of this part of Security+. The three major areas that candidates will have to explain, in descending order of exam weight, are risk assessment, threat assessment and change management.
Risk assessment covers single-loss expectancy (SLE), annual-loss expectancy (ALE), annual rate of occurrence (ARO), asset value, risk register, supply chain assessment and the likelihood of occurrence. Also included are qualitative and quantitative risk assessments as well as vulnerability and penetration testing authorization.
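The formulas behind the business impact analysis and quantitative risk assessment subtopics above (SLE = AV x EF, ALE = SLE x ARO, availability from MTBF and MTTR) are the kind of thing the exam asks you to calculate. The following is an added example, not code from the article or its cited guides: it ranks a small risk register by ALE and works out whether a proposed control is worth its annual cost. The asset values, exposure factors and rates in SAMPLE_REGISTER are constructed for illustration, as is the assumed control cost in the demo.

```python
"""Quantitative risk assessment and BIA metrics (added example; figures are made up)."""

from dataclasses import dataclass, replace
from typing import List


@dataclass
class Risk:
    name: str
    asset_value: float       # AV: value of the asset to the business
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 - 1.0)
    aro: float               # ARO: expected incidents per year (0.1 = once per decade)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: cost of one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected cost per year (SLE x ARO)."""
        return self.sle() * self.aro


def rank_register(register: List[Risk]) -> List[Risk]:
    """Order a risk register by ALE, highest first, to prioritise treatment."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost-benefit of a control: (ALE before - ALE after) - annual cost of the control.

    Positive means the control saves more than it costs; negative means the
    organisation should accept the risk or look for a cheaper control."""
    return (before.ale() - after.ale()) - annual_control_cost


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Fraction of time a component is expected to be in service: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


# Constructed sample register (hypothetical values, not from the article).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2),
    Risk("Stolen unencrypted laptop", asset_value=2_000, exposure_factor=1.0, aro=4.0),
    Risk("Flood in data centre", asset_value=1_000_000, exposure_factor=0.3, aro=0.01),
]


if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.name:28} SLE={r.sle():>10,.0f}  ALE={r.ale():>8,.0f}")
    # Assumed control: offline backups cut the ransomware exposure factor from 0.5 to 0.1
    # and cost 10,000 per year to operate.
    ransomware = SAMPLE_REGISTER[0]
    with_backups = replace(ransomware, exposure_factor=0.1)
    print("Net annual value of offline backups:",
          control_value(ransomware, with_backups, annual_control_cost=10_000))
    print(f"Availability at MTBF 10,000 h / MTTR 4 h: {availability(10_000, 4):.4%}")
```

The register ranks ransomware first even though a single flood would cost far more, because ALE weights the loss by how often it is expected to happen; that is the distinction between SLE and ALE the exam tests. The control calculation is the same arithmetic used to justify (or reject) a safeguard in a quantitative assessment.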
Passing candidates will also have to explain threat assessment, including the difference between environmental and man-made threats and between internal and external threats.
Incident response procedures
Given a scenario, candidates will have to explain the incident response procedures that are appropriate. This includes both incident response plans and the incident response process.
Regarding incident response plans, you will have to explain documenting an incident (types/category definitions), roles/responsibilities, reporting requirements and cyber incident response teams. The incident response process consists of six phases in order: preparation, identification, containment, eradication, recovery and lessons learned. Note that containment comes before eradication: you stop the incident from spreading before you remove its cause.
Basic concepts of forensics
There is considerable overlap between risk management and forensics, so forensics is logically covered by the Security+ exam. Forensics includes the chain of custody, legal hold, order of volatility, data acquisition methods and preservation. Data recovery and strategic intelligence/counterintelligence gathering will also be covered.
Disaster recovery and continuity of operation concepts
Organizations value a good disaster recovery/continuity of operation plan, and as such, the concepts behind carrying out these functions are also tested. Covered disaster recovery material includes the different types of recovery sites (hot, warm and cold sites), order of restoration, backup concepts (differential, incremental, full etc.) and geographic considerations.
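The backup concepts and order of restoration mentioned above are easiest to see with a concrete schedule. The following is an added example, not code from the article: it models a weekly full backup followed by daily differential or incremental backups as sets of changed files, shows what each daily backup captures, and lists which sets must be restored, and in what order, to get back to a given day. The file names and daily change sets are constructed for illustration.

```python
"""Differential vs incremental backups and the restore order each one requires (added example)."""

from typing import Dict, List, Set


def plan_backups(strategy: str, full_state: Dict[str, str],
                 daily_changes: List[Set[str]]) -> List[Dict[str, str]]:
    """Return one backup per day after the full: a mapping of captured file -> version.

    A differential backup captures every file changed since the last full;
    an incremental backup captures only files changed since the previous backup."""
    if strategy not in ("differential", "incremental"):
        raise ValueError(f"unknown strategy: {strategy}")
    backups: List[Dict[str, str]] = []
    live = dict(full_state)        # what the file system looks like on each day
    changed_since_full: Set[str] = set()
    for day, changed_today in enumerate(daily_changes, start=1):
        for f in changed_today:
            live[f] = f"{f}@day{day}"   # constructed version label for the new contents
        changed_since_full |= changed_today
        to_capture = changed_since_full if strategy == "differential" else changed_today
        backups.append({f: live[f] for f in to_capture})
    return backups


def restore_order(strategy: str, day: int) -> List[str]:
    """Ordered list of backup sets needed to restore to `day` (day 0 is the full itself)."""
    if day < 0:
        raise ValueError("day must be 0 or later")
    order = ["full"]
    if day == 0:
        return order
    if strategy == "differential":
        order.append(f"differential day {day}")          # only the latest differential
    elif strategy == "incremental":
        order.extend(f"incremental day {d}" for d in range(1, day + 1))  # every one, in order
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return order


def restore(strategy: str, full_state: Dict[str, str],
            backups: List[Dict[str, str]], day: int) -> Dict[str, str]:
    """Rebuild the file system as of `day` by applying the sets from restore_order()."""
    state = dict(full_state)
    for label in restore_order(strategy, day)[1:]:
        d = int(label.rsplit(" ", 1)[1])
        state.update(backups[d - 1])   # later sets overwrite earlier versions
    return state


def total_entries(backups: List[Dict[str, str]]) -> int:
    """Rough storage cost: how many file copies the week's daily backups hold in total."""
    return sum(len(b) for b in backups)


# Constructed sample: three files in the Sunday full, then three days of changes.
FULL_STATE = {"a": "a@day0", "b": "b@day0", "c": "c@day0"}
DAILY_CHANGES = [{"a"}, {"b"}, {"a", "c"}]


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        backups = plan_backups(strategy, FULL_STATE, DAILY_CHANGES)
        print(f"{strategy}: captures per day {[sorted(b) for b in backups]}, "
              f"{total_entries(backups)} entries stored, "
              f"restore to day 3 needs {restore_order(strategy, 3)}")
        print("  restored state:", restore(strategy, FULL_STATE, backups, 3))
```

Both strategies rebuild the same state for day 3, which is the point: differential backups cost more storage each day but need only the full plus the latest differential to restore, while incremental backups are smaller but must be restored one after another in the order they were taken, and losing any one of them breaks the chain.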
Continuity of operation planning concepts will also be tested. These concepts include after-action reports, failover, alternate business practices and alternate processing sites. Real-world application of this knowledge will also have to be demonstrated with exercises.
Risk management controls
Security+ candidates will be required to compare and contrast various types of risk management controls. Controls are classified by what they do (deterrent, preventive, detective, corrective and compensating) and by how they are implemented (technical, administrative and physical), and a single control often fits more than one category. Since comparing and contrasting does not lend itself to scenario-based questions, I would not expect to see that question type for risk management controls.
Scenario-based data security and privacy practices
Saving the best for last, my favorite section of Security+ risk management is scenario-based data security and privacy practices. Given a scenario, candidates will have to carry out the following real-world data security and privacy practices: data destruction and media sanitization (burning, shredding, purging, wiping etc.), data sensitivity labeling and handling (including private, confidential, PHI etc.), data roles, data retention and legal/compliance requirements. Being a seasoned healthcare IT professional, I can say that these practices are used in healthcare organizations daily and are a great area in which to test competency.