5.0 Governance, Risk, and Compliance

5.1 Compare and contrast various types of controls.

--- Compensating

--- Operational

5.2 Explain the importance of applicable regulations, standards, or framworks that impact organizational security posture.

Benchmarks, standards, and legislation

--- International Organization for Standardization (ISO) _{27001/27002/27701/31000}

--- Cloud control matrix

--- General Data Protection Regulation (GDPR)

--- SSAE SOC ₂ Type I/II

--- Reference architecture

--- National territory or state laws

--- Cloud security alliance

Benchmarks/secure configuration guide

--- Payment Card Industry Data Security Standard (PCI DS)

--- Platform/vendor-specific guides

--- Web server

--- Center for Internet Security (CIS)

--- OS

--- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/ Cybersecurity Framework (CSF)

--- Application server

--- Network infrastructure devices

5.3 Explain the importance of policies to organizational security.

--- Computer-based training (CBT)

--- Acceptable use policy

--- Role-based training

--- Classification

--- Job rotation

Diversity of training techniques

--- Separation of duties

Third-party risk management

--- Least privilege

Credential policies

--- Clean desk space

--- Supply chain

--- Background checks

--- Business partners

--- Third party

--- Non-disclosure agreement (NDA)

--- Service level agreement (SLA)

--- Social media analysis

--- Memorandum of understanding (MOU)

--- Service accounts

--- Measurement systems analysis (MSA)

--- Administrator/root accounts

--- Offboarding

--- Business partnership agreement (BPA)

Organizational policies

--- User training

--- End of life (EOL)

--- Change management

--- Gamification

--- End of service life (EOSL)

--- Change control

--- Capture the flag

--- NDA

--- Asset management

--- Phishing campaigns

--- Phishing simulations

5.4 Summarize risk management processess and concepts.

--- Risk control assessment

--- Risk awareness

--- Environmental

--- Inherent risk

--- Person-made

--- Legacy system

--- Residual risk

--- Internal vs. External

--- Control risk

Business impact analysis

--- Risk appetite

--- Recovery time objective (RTO)

--- Software compliance/licensing

--- Regulations that affect risk posture

--- Recovery point objective (RPO)

Risk management strategies

--- Risk assessment types

--- Mean time to repair (MTTR)

--- Qualitative

--- Mean time between failures (MTBF)

--- Quantitative

--- Functional recovery plans

--- Transference

--- Lilkelihood of occurrence

--- Single point of failure

--- Cybersecurity insurance

--- Disaster recovery plan (DRP)

--- Asset value

--- Mission essential functions

--- Single loss expectancy (SLE)

--- Identification of critical systems

--- Risk register

--- Annualized loss expectancy (ALE)

--- Site risk assessment

--- Risk matrix/heat map

--- Annualized rate of occurrence (ARO)

--- Risk control assessment

5.5 Explain privacy and sensitivity data concepts in relation to security.

Organizational consequences of privacy and data breaches

--- Personally identifiable information (PII)

Information life cycle

--- Reputation damage

--- Health information

Impact assessment

--- Identity theft

--- Financial information

Terms of agreement

--- Government data

--- Consumer data

Notifications of breaches

Privacy enhancing technologies

--- Data minimization

--- Public notifications

--- Data masking

--- Tokenization

--- Classifications

--- Anonymization

--- Public

--- Pseudo-anonymization

--- Private

Roles and responsibilities

--- Sensitive

--- Data owners

--- Confidential

--- Data controller

--- Critical

--- Data processor

--- Proprietary

--- Data custodian/steward

--- Data protection officer (DPO)