CompTIA Security+ (SY0-701): Security Program Management and Oversight Literacy (Beginner Level)

Topics covered

• compare types of governance structures like boards, committees, government entities, and centralized/decentralized structures
• compare various agreement types including the non-disclosure agreement (NDA), memorandum of agreement (MOA), memorandum of understanding (MOU), service-level agreement (SLA), master service agreement (MSA), work order (WO), statement of work (SOW), and business partners agreement (BPA)
• define external audit and attestation with regulatory, examinations, assessment, and independent third-party audits
• define risk management
• define risk registers and ledgers, key risk indicators, risk owners, and risk thresholds
• define roles and responsibilities such as owners, controllers, processors, custodians, stewards, and officers
• define security governance
• define standards such as password, access control, and encryption; and policies like acceptable use policy (AUP), Information security, business continuity, and change management
• describe external governance considerations like regulatory, legal, industry, local/regional, national, and global
• describe internal and external compliance reporting
• describe risk identification and assessment, including ad hoc, recurring, one-time, and continuous
• describe risk reporting techniques
• describe risk treatment and handling methods such as transfer, accept, and exemption, and risk appetite approaches like expansionary, conservative, and neutral
• describe security governance procedures, including playbooks, monitoring, and revision
• describe vendor assessment and selection using penetration testing, the right-to-audit clause, supply chain analysis, due diligence, conflict of interest, and rules of engagement
• explain security training monitoring and reporting techniques
• identify how to recognize a phishing attempt and respond to reported suspicious messages
• identify the consequences of non-compliance
• outline privacy considerations like legal implications, data subjects, ownership, and the right to be forgotten
• provide an overview of business impact analysis, including concepts like Recovery Time Objective (RTO), Recovery Point Objective (RPO), mean time to repair (MTTR), and mean time between failures (MTBF)
• provide an overview of compliance monitoring, including concepts such as due diligence/care, attestation, acknowledgment, and compliance automation
• provide an overview of internal audit and attestation, including compliance, audit committee, and self-assessments
• provide an overview of penetration testing, including known environment, partially known environment, unknown environment, physical, offensive, defensive, integrated, passive, and active reconnaissance
• provide an overview of risk analysis, including concepts like qualitative and quantitative risk analysis, probability/likelihood, and impact/magnitude
• provide an overview of user guidance and training involving policy/handbooks, situational awareness, insider threats, password management, removable media and cables, social engineering, operational security, anomalous behavior recognition, and hybrid/remote work environments best practices
• provide an overview of various organizations that specialize in security guidelines, standards, and best practices