Operate with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance

Operate with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance Detailed Explanation

This topic covers how to ensure an organization's security strategies comply with laws, regulations, and corporate governance frameworks while effectively managing risks. Understanding these principles is crucial for maintaining legal compliance and building a strong security foundation.

Core Concepts

1. Common Regulations

Organizations must comply with various international, regional, or industry-specific regulations to avoid legal consequences and build trust with customers.

General Data Protection Regulation (GDPR) – European Union
- Purpose: Protect the personal data and privacy of EU citizens.
- Key Points:
  - Organizations must obtain clear consent to process personal data.
  - Customers have the right to access, modify, and delete their data ("right to be forgotten").
  - Violations can result in fines of up to €20 million or 4% of annual global revenue.
- Example: Encrypting all customer data to avoid unauthorized access.
California Consumer Privacy Act (CCPA) – United States
- Purpose: Enhance privacy rights for California residents.
- Key Points:
  - Consumers have the right to know what personal data is collected and how it's used.
  - They can request deletion of their data and opt out of data sales.
  - Businesses must provide a "Do Not Sell My Information" link.
- Example: Implementing clear privacy notices on websites.
Health Insurance Portability and Accountability Act (HIPAA) – United States
- Purpose: Protect sensitive healthcare information.
- Key Points:
  - Safeguards must ensure the confidentiality, integrity, and availability of electronic health records (EHR).
  - Breach notifications are required if patient data is compromised.
- Example: Using secure communication channels for sharing patient information.
Sarbanes-Oxley Act (SOX) – Global
- Purpose: Ensure accuracy and transparency in financial reporting for public companies.
- Key Points:
  - Mandates internal controls for financial systems to detect and prevent fraud.
  - IT systems must track and log financial transactions.
- Example: Regular audits of financial systems to verify compliance.

2. Corporate Governance Principles

Corporate governance focuses on ensuring security strategies align with business objectives while safeguarding organizational assets. Effective governance requires a structured approach using industry standards and frameworks.

Frameworks for Security Governance:
- COBIT (Control Objectives for Information and Related Technologies):
  - Focus: Align IT goals with business goals while ensuring security.
  - Example: Establishing clear responsibilities for IT teams to implement secure systems.
- ISO 27001 (Information Security Management):
  - Focus: Provide a systematic approach to managing sensitive information securely.
  - Example: Developing an Information Security Management System (ISMS) that includes policies for data encryption, access control, and incident response.
Key Corporate Governance Activities:
- Policy Development:
  - Create policies to define acceptable behavior, access control, and data protection requirements.
  - Example: An "Acceptable Use Policy" for employee devices.
- Auditing and Monitoring:
  - Conduct regular audits to ensure compliance with policies and frameworks.
  - Example: Checking if employees follow the organization's password policies.
Governance Outcomes:
- Clear accountability for IT and security teams.
- Continuous improvement in security practices.
- A structured response to emerging threats and changes in regulations.

3. Risk Management

Risk management is the process of identifying, analyzing, and addressing potential threats to the organization’s assets, reputation, and operations.

Risk Assessment
- Definition: Evaluating the likelihood and impact of potential threats.
- Steps:
  - Identify risks: List all possible internal and external threats.
    - Example: Insider threats, phishing attacks, natural disasters.
  - Analyze risks: Use tools like risk matrices to assess:
    - Likelihood: How likely is the risk to occur? (Low, Medium, High).
    - Impact: How severe would the consequences be? (Minimal, Moderate, Severe).
  - Example: A phishing attack might have a high likelihood and a moderate impact.
Risk Mitigation
- Definition: Implement measures to reduce the likelihood or impact of risks.
- Common Measures:
  - Preventive controls: Actions to stop risks from occurring.
    - Example: Deploying firewalls and anti-malware software.
  - Detective controls: Systems to identify and alert you about risks.
    - Example: Monitoring systems using a SIEM tool to detect abnormal activity.
  - Corrective controls: Measures to recover from incidents.
    - Example: Data backups and disaster recovery plans.
Risk Documentation
- Maintain a Risk Register:
  - A document tracking all identified risks, their assessments, mitigation strategies, and statuses.
- Example Entry:
  
  Risk Likelihood Impact Mitigation Plan Owner
  
  Phishing attack High Medium Conduct employee training IT Security

Risk	Likelihood	Impact	Mitigation Plan	Owner
Phishing attack	High	Medium	Conduct employee training	IT Security

Why This is Important

Legal Compliance:
- Failing to comply with regulations like GDPR or HIPAA can result in severe fines and reputational damage.
Structured Risk Management:
- Identifying and addressing risks ensures business continuity and protects against financial losses.
Aligning IT with Business Goals:
- Governance frameworks like COBIT and ISO 27001 help align security strategies with organizational objectives.

Operate with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance (Additional Content)

1. Data Owner vs. Data Custodian – Role and Responsibility Clarification

Understanding the distinct roles in data governance is crucial for both compliance and security operations. The Security+ exam often asks about these two roles in terms of who does what.

Data Owner

Who they are: Usually a senior-level business manager or department head.
Responsibilities:
- Classify data based on sensitivity (e.g., public, internal, confidential)
- Define access control policies (who can access what)
- Approve data handling procedures
Example: The head of HR determines that employee records are “confidential” and decides only HR personnel should have access.

Data Custodian

Who they are: Typically an IT administrator or security operations team member.
Responsibilities:
- Implement access controls and enforce policies set by the data owner
- Perform data backups and restore operations
- Maintain data integrity and security infrastructure
Example: The IT team ensures employee records are stored securely, access is logged, and regular backups are completed.

Exam Tip:

Data owners make decisions, while data custodians carry them out.

2. Due Diligence vs. Due Care

These are legal and ethical concepts often tested in governance and risk contexts. The Security+ exam may ask you to distinguish between the two.

Due Diligence – Investigate and Identify

Definition: The effort to identify risks through proper investigation and analysis.
Example Activities:
- Performing a formal risk assessment
- Reviewing vendor security practices before signing a contract
- Auditing existing systems to find vulnerabilities

Due Care – Act Responsibly

Definition: Taking appropriate action based on what was discovered.
Example Activities:
- Applying software patches
- Implementing access controls
- Disabling outdated protocols

Simple Analogy:

Due Diligence = Think before you act.
Due Care = Do the right thing after you know.

3. Data Retention and Disposal Policies

Proper handling of data throughout its lifecycle is not just good practice — it’s often a legal requirement.

Data Retention Policies

Define how long data should be kept.
Must comply with:
- Legal requirements (e.g., tax, health records)
- Industry standards (e.g., PCI DSS, HIPAA)
- Business needs (e.g., historical analysis)
Example: Keep transaction records for 7 years.

Data Disposal Policies

Define how to safely dispose of data that is no longer needed.
Include physical and digital media:
- Shredding paper records
- Using tools like DBAN for digital erasure
- Wiping SSDs using secure delete protocols
Must ensure that no residual data is left that could be exploited

GDPR Emphasis:

Requires that organizations do not retain data longer than necessary
The “right to be forgotten” mandates secure and complete deletion upon user request

4. Risk Treatment Strategies – Adding Transference

While you already cover Preventive, Detective, and Corrective controls well, Security+ also expects you to know the four types of risk response strategies:

Strategy	Description	Example
Avoidance	Eliminating the risk altogether	Not launching a high-risk web service
Mitigation	Reducing likelihood or impact of the risk	Applying patches, network segmentation
Transference	Shifting the risk to a third party	Purchasing cyber insurance, outsourcing DDoS protection
Acceptance	Acknowledging the risk but choosing not to act	Leaving a low-priority system unpatched because risk is minimal

Why Transference Matters:

It’s a frequent distractor option in Security+ exam questions.
Candidates must recognize that transference does not eliminate the risk — it shifts responsibility or cost to another entity.

Where to Integrate These Enhancements

Concept	Suggested Integration Point
Data Owner vs. Custodian	In the Governance section, under role-based access and accountability
Due Diligence vs. Due Care	In the Risk Management section before or after risk assessment
Retention & Disposal Policies	In the Regulations section, when covering GDPR, HIPAA, etc.
Risk Transference	In the Risk Mitigation section, alongside preventive/detective/corrective

Shopping cart

Subtotal:

SY0-701 Operate with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance