Governance, Risk, and Compliance

Governance, Risk, and Compliance

Rating
Average: 3.5 (4 votes)
Cryptography and PKI
Course
Course
Cybersecurity
Subjects
Subjects
Career & Technical Education
Cybersecurity
Grade Levels
Grade Levels
10
11
12
Duration (hours)
Duration (Approx hours)
20
Overview
In this unit, students will implement and summarize risk management best practices
Standards
CompTIA Security+ (SYO-601) Objectives 5.1 – 5.5
Cyber Connections
Threats and Vulnerabilities
Hardware and Software
Cyber Hygiene
Digital Citizenship
Networks and Internet
Section Title
Lessons
Accordion Items
Title
5.1 - Compare and contrast various types of controls
Content
  • Category
    • Managerial
    • Operational
    • Technical
  • Control type
    • Preventative
    • Detective
    • Corrective
    • Deterrent
    • Compensating
    • Physical
Title
5.2 - Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture
Content
  • Regulations, standards, and legislation
    • General Data Protection Regulation (GDPR)
    • National, territory, or state laws
    • Payment Card Industry Data Security Standard (PCI DSS)
  • Key frameworks
    • Center for Internet Security (CIS)
    • National Institute of Standards and Technology (NIST) RMF/CSF
    • International Organization for Standardization (ISO) 27001/27002/27701/31000
    • SSAE SOC 2 Type I/II
    • Cloud security alliance
    • Cloud control matrix
    • Reference architecture
  • Benchmarks /secure configuration guides
    • Platform/vendor-specific guides
    • Web server
    • OS
    • Application server
    • Network infrastructure devices
Title
5.3 – Explain the importance of policies to organizational security
Content
  • Personnel
    • Acceptable use policy
    • Job rotation
    • Mandatory vacation
    • Separation of duties
    • Least privilege
    • Clean desk space
    • Background checks
    • Non-disclosure agreement (NDA)
    • Social media analysis
    • Onboarding
    • Offboarding
    • User training
    • Gamification
    • Capture the flag
    • Phishing campaigns
    • Phishing simulations
    • Computer-based training (CBT)
    • Role-based training
  • Diversity of training techniques
  • Third-party risk management
    • Vendors
    • Supply chain
    • Business partners
    • Service level agreement (SLA)
    • Memorandum of understanding (MOU)
    • Measurement systems analysis (MSA)
    • Business partnership agreement (BPA)
    • End of life (EOL)
    • End of service (EOS)
    • NDA
  • Data
    • Classification
    • Governance
    • Retention
  • Credential policies
    • Personnel
    • Third-party
    • Devices
    • Service accounts
    • Administrator/root accounts
  • Organizational policies
    • Change management
    • Change control
    • Asset management
Title
5.4 – Summarize risk management processes and concepts
Content
  • Risk types
    • External
    • Internal
    • Legacy systems
    • Multiparty
    • IP theft
    • Software  compliance/licensing
  • Risk management strategies
    • Acceptance
    • Avoidance
    • Transference
    • Cybersecurity insurance
    • Mitigation
  • Risk analysis
    • Risk register
    • Risk matrix/heat map
    • Risk control assessment
    • Risk control self-assessment
    • Risk awareness
    • Inherent risk
    • Residual risk
    • Control risk
    • Risk appetite
    • Regulations that affect risk posture
    • Risk assessment types
    • Qualitative
    • Quantitative
    • Likelihood of occurrence
    • Impact
    • Asset value
    • Single loss  expectancy (SLE)
    • Annualized loss expectancy (ALE)
    • Annualized rate of occurrence (ARO)
  • Disasters
    • Environmental
    • Person-made
    • Internal vs. external
  • Business impact analysis
    • Recovery time objective (RTO)
    • Recovery point objective (RPO)
    • Mean time to repair (MTTR)
    • Mean time between failures (MTBF)
    • Functional recovery plans
    • Single point of failure
    • Disaster recovery plan (DRP)
    • Mission essential functions
    • Identification of critical systems
    • Site risk assessment
Title
5.5 – Explain privacy and sensitive data concepts in relation to security
Content
  • Organizational consequences of privacy breaches
    • Reputation damage
    • Identity theft
    • Fines
    • IP theft
  • Notifications of breaches
    • Escalation
    • Public notifications and disclosures
  • Data types
    • Classifications
    • Public
    • Private
    • Sensitive
    • Confidential
    • Critical
    • Proprietary
    • Personally identifiable information (PII)
    • Health information
    • Financial information
    • Government data
    • Customer data
  • Privacy enhancing technologies
    • Data minimization
    • Data masking
    • Tokenization
    • Anonymization
    • Pseudo-anonymization
  • Roles and responsibilities
    • Data owners
    • Data controller
    • Data processor
    • Data custodian/steward
    • Data protection officer (DPO)
  • Information life cycle
  • Impact assessment
  • Terms of agreement
  • Privacy notice