Security+: Governance, Risk, and Compliance Competency (Intermediate Level)

Topics covered

• compare different roles and responsibilities, as in data owners, controllers, processors, custodians, and stewards
• compare risk types, such as internal, external, and multiparty
• define data policies, like data classification, governance, and retention
• define regulations, standards, and legislation, such as PCI-DSS, GDPR, and various national, territory, or state laws
• define risk analysis terms, as in risk register, inherent risk, residual risk, and control risk
• define various data type classifications, like public, sensitive, and critical
• describe business impact analysis concepts, like recovery time vs. recovery point objectives, mean time to repair, and mean time between failures, and outline a disaster recovery plan
• describe credential policies, including service accounts, administrator, and root accounts
• describe personnel policies, like AUP, job rotation, mandatory vacations, separation of duties, least privilege, clean desk space, background checks, and non-disclosure agreements (NDAs)
• describe privacy-enhancing technologies, such as tokenization, data minimization and masking, and anonymization
• describe risk management strategies, like acceptance, avoidance, transference, and mitigation
• describe the purpose of various AWS cloud computing services, such as CloudWatch, CloudTrail, and AWS Config
• examine common Windows logs, like security, application, and system logs
• examine key frameworks like CIS, NIST, RMF/CSF, ISO 27001/27002/27701/31000, SSAE SOC 2 type II/III, and Cloud Security Alliance (CSA)
• explore privacy concepts, like information's life cycle, impact assessment, terms of agreement, and privacy notices
• explore the consequences of breaches, such as fines and identity theft
• identify lessons learned and their relationship to AARs
• list disasters and classify their types, such as environmental, human-made, and external
• outline how to use Linux logging utilities, such as systemd and auditd
• outline how to work with Wireshark's output
• recognize the importance of log aggregation and collection tools
• summarize the best practices and guidelines for dealing with visibility and reporting
• survey third-party risks concepts, such as vendors, supply chains, business partners, SLA, MOU, MSA, BPA, EOL, EOS, and NDA
• survey various benchmarks and secure configuration guides, as in platform/vendor-specific guides for web servers, OS, application servers, and network infrastructure devices
• survey various organizational polices, such as change management , change control, and asset management