Security+ Flashcards: Governance, Risk, Compliance, Frameworks, Security Policies

Understand the processes involved in incident response and the importance of governance, risk, and compliance. This section prepares you to manage cybersecurity incidents effectively.

What is the NIST Cybersecurity Framework and what are its five functions?

The NIST Cybersecurity Framework organizes cybersecurity activities into five core functions: Identify, which involves understanding assets, risks, and governance; Protect, which implements safeguards including access control, training, and data security; Detect, which establishes monitoring and anomaly detection capabilities; Respond, which defines incident response planning and communication; and Recover, which plans for resilience and restoration after incidents. Each function contains categories and subcategories mapping to specific controls.

What is the difference between a risk assessment and a risk analysis?

A risk assessment is the overall process of identifying threats, vulnerabilities, and potential impacts to an organization's assets, resulting in a prioritized list of risks. It answers what can go wrong, how likely it is, and how bad it would be. Risk analysis is a component within the assessment that evaluates the likelihood and impact of identified risks, either qualitatively using ratings like high, medium, and low, or quantitatively using monetary values.

What are the key regulatory compliance frameworks for cybersecurity?

Key regulatory frameworks include HIPAA, which protects healthcare information with administrative, physical, and technical safeguards; PCI DSS, which secures payment card data through 12 requirement categories; SOX, or the Sarbanes-Oxley Act, which requires internal controls over financial reporting; GLBA, or the Gramm-Leach-Bliley Act, which protects financial institution customer data; FERPA, which protects student education records; and GDPR, which protects personal data of EU residents.

What is the principle of least privilege and how is it implemented?

The principle of least privilege grants users, processes, and systems only the minimum access rights needed to perform their specific tasks. It limits the damage from accidents, insider threats, and compromised accounts. Implementation includes role-based access control assigning permissions by job function, just-in-time access granting elevated privileges only when needed, regular access reviews to remove unnecessary permissions, separating administrative accounts from daily user accounts, and application whitelisting restricting which software can run.

What is an acceptable use policy and what should it cover?

An acceptable use policy, or AUP, defines how employees and authorized users may use organizational IT resources including computers, networks, email, internet access, and mobile devices. It should cover permitted and prohibited uses, personal use guidelines, social media conduct, email and messaging standards, software installation restrictions, data handling requirements, monitoring and privacy expectations, password requirements, consequences for violations, and acknowledgment that the user has read and understands the policy.

What is security awareness training and how often should it be conducted?

Security awareness training educates employees about security threats, policies, and best practices to reduce human-caused security incidents. It should cover phishing recognition, password hygiene, social engineering tactics, physical security, data handling, mobile device security, incident reporting procedures, and the organization's specific security policies. Training should occur at onboarding for new employees, annually for all staff, and supplementally through ongoing campaigns like simulated phishing tests, security newsletters, and brief monthly modules.

What is the shared responsibility model in cloud security?

The shared responsibility model defines which security obligations belong to the cloud provider and which belong to the customer, varying by service model. In Infrastructure as a Service, the provider secures the physical infrastructure and hypervisor while the customer secures the operating system, applications, and data. In Platform as a Service, the provider additionally manages the operating system and runtime while the customer secures applications and data.