This section covers Exam Objective 5 of the CompTIA Security+ SY0-701 exam. It focuses on the organizational side of security: managing risk, adhering to laws and regulations, and establishing effective policies.
⚖️ Risk Assessment
Risk management is the process of identifying, assessing, and prioritizing risks to minimize their impact.
- ▸ Qualitative vs. Quantitative: Qualitative assessment uses subjective scales (High/Medium/Low), while quantitative assessment uses numerical values such as SLE (single loss expectancy), ALE (annualized loss expectancy), and ROI.
- ▸ Risk Register: A central repository for all identified risks, their severity, and mitigation plans.
- ▸ Risk Treatment: Strategies to handle risk: Avoid, Transfer (Insurance), Mitigate (Controls), or Accept.
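The following is an added worked example for this section; it is not part of the study guide. It implements the standard quantitative formulas (SLE = AV × EF, ALE = SLE × ARO, and control value = (ALE before − ALE after) − annual control cost) alongside a simple High/Medium/Low qualitative score, and fills a small risk register with a treatment recommendation. The treatment decision rule and every asset value, exposure factor, and rate of occurrence are constructed for illustration only.

```python
"""Quantitative risk calculation and treatment selection for a small risk register.

Added example for the Risk Assessment section; not code from the study guide.
Formulas used (standard Security+ material):
    SLE = AV * EF                     (single loss expectancy)
    ALE = SLE * ARO                   (annualized loss expectancy)
    control value = (ALE before - ALE after) - annual cost of the control
All figures in the sample register are constructed, not from a real assessment.
"""
from dataclasses import dataclass

# Qualitative scale used when hard numbers are not available.
QUALITATIVE_SCALE = {"Low": 1, "Medium": 2, "High": 3}


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: money lost in one occurrence of the event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of the asset value, 0..1")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: expected yearly loss for a given annual rate of occurrence."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(single_loss * aro, 2)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost-benefit of a control: positive means the control saves more than it costs."""
    return round((ale_before - ale_after) - annual_control_cost, 2)


def qualitative_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..3 scale, giving 1..9 for ranking risks without numbers."""
    return QUALITATIVE_SCALE[likelihood] * QUALITATIVE_SCALE[impact]


@dataclass
class Risk:
    """One row of the risk register. residual_ef and residual_aro describe the risk
    after the proposed control; annual_control_cost is that control's yearly cost."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float
    likelihood: str
    impact: str
    residual_ef: float
    residual_aro: float
    annual_control_cost: float

    def ale_before(self) -> float:
        return ale(sle(self.asset_value, self.exposure_factor), self.aro)

    def ale_after(self) -> float:
        return ale(sle(self.asset_value, self.residual_ef), self.residual_aro)


def recommend_treatment(risk: Risk, accept_threshold: float) -> str:
    """Illustrative decision rule (hypothetical, not an exam-mandated one): mitigate when
    the control pays for itself, otherwise accept small risks and transfer (insure) the rest."""
    value = control_value(risk.ale_before(), risk.ale_after(), risk.annual_control_cost)
    if value > 0:
        return "Mitigate"
    if risk.ale_before() <= accept_threshold:
        return "Accept"
    return "Transfer"


def build_sample_register() -> list[Risk]:
    """Constructed sample rows; every number here is invented for the example."""
    return [
        Risk("Ransomware on file server", 200_000, 0.5, 0.2, "Medium", "High", 0.1, 0.2, 5_000),
        Risk("Credential phishing", 50_000, 0.2, 1.5, "High", "Medium", 0.2, 0.3, 4_000),
        Risk("Data center flood", 1_000_000, 0.8, 0.01, "Low", "High", 0.0, 0.0, 50_000),
        Risk("Website defacement", 10_000, 0.3, 0.5, "Medium", "Low", 0.1, 0.5, 2_000),
    ]


def assess(register: list[Risk], accept_threshold: float = 5_000) -> list[dict]:
    """Build the register rows: quantitative figures, qualitative rank and treatment,
    sorted with the highest annual loss first as a review meeting would see them."""
    rows = []
    for r in register:
        rows.append({
            "risk": r.name,
            "sle": sle(r.asset_value, r.exposure_factor),
            "ale": r.ale_before(),
            "residual_ale": r.ale_after(),
            "control_value": control_value(r.ale_before(), r.ale_after(), r.annual_control_cost),
            "qualitative": qualitative_score(r.likelihood, r.impact),
            "treatment": recommend_treatment(r, accept_threshold),
        })
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


if __name__ == "__main__":
    for row in assess(build_sample_register()):
        print(f"{row['risk']:<28} SLE={row['sle']:>10,.2f} ALE={row['ale']:>10,.2f} "
              f"residual={row['residual_ale']:>9,.2f} value={row['control_value']:>10,.2f} "
              f"qual={row['qualitative']} -> {row['treatment']}")
```

Running the module prints the register ranked by ALE. With the sample figures, the ransomware and phishing controls have positive value and are mitigated, the flood control costs far more than the loss it prevents so the risk is transferred to insurance, and the defacement risk falls under the acceptance threshold and is accepted.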
📋 Compliance Frameworks
Organizations must adhere to various standards and regulations depending on their industry and location.
- ▸ GDPR & CCPA: Regulations focused on data privacy and user rights for EU and California residents.
- ▸ HIPAA: US standard for protecting sensitive patient health information.
- ▸ PCI-DSS: Security standards for organizations that handle branded credit cards.
- ▸ NIST & ISO: Frameworks (like NIST CSF or ISO 27001) providing best practices for information security management.
📜 Security Policies
Policies are high-level statements of management intent. They guide the behavior of employees and the configuration of systems.
- ▸ AUP (Acceptable Use Policy): Defines proper use of company assets and networks.
- ▸ NDA (Non-Disclosure Agreement): Legal contract defining the confidential material the parties may share with each other but must not disclose to anyone else.
- ▸ Personnel Policies: Mandatory vacations, separation of duties, and background checks to reduce insider threats.
🔒 Data Privacy
Protecting sensitive data is a core component of GRC. This involves classification, handling, and retention.
Data Types
- ▸ PII: Personally Identifiable Information (Name, SSN).
- ▸ PHI: Protected Health Information (Medical records).
- ▸ IP: Intellectual Property (Trade secrets).
Controls
- ▸ Classification: Labeling data (Public, Confidential, Restricted).
- ▸ DLP: Data Loss Prevention tools to stop unauthorized exfiltration.
- ▸ Sovereignty: Data is subject to the laws and regulations of the country in which it is physically stored, so storage location carries legal obligations.