CompTIA Security+ Risk Management Concepts

CompTIA Security+ SY0-701 — Domain 15

🧮 Risk Management Process

  • Identify Assets: Hardware, software, personnel, and data that are valuable to the organization.
  • Identify Vulnerabilities: Weaknesses in systems, policies, or procedures (e.g., unpatched software).
  • Identify Threats: Adversarial (hackers), accidental (mistakes), environmental (floods).
  • Safeguards: Measures like firewalls, backups, and training to reduce exposure.
  • Acceptable Risk: Determining what level of risk is tolerable to the business.
  • Risk Types: Includes insider threats, third-party exposure, aging tech, and more.

🛡 Risk Control Strategies

  • Mitigation: Apply controls to reduce risk (e.g., MFA, encryption).
  • Avoidance: Discontinue risky activities altogether.
  • Transference: Outsource risk (e.g., insurance, MSPs).
  • Acceptance: Choose to live with low-probability risks.
  • Residual Risk: What remains after all mitigations are in place.

💥 Business Impact Analysis (BIA)

  • MEF (Mission Essential Functions): Core operations that must continue.
  • MTD (Maximum Tolerable Downtime): Max time before severe impact.
  • RTO (Recovery Time Objective): Target time to restore function.
  • RPO (Recovery Point Objective): Acceptable data loss window.
  • WRT (Work Recovery Time): Time after recovery to restore full operation.
  • Single Point of Failure: A weak link that can halt operations entirely.

🤝 Third-Party Risk & Legal Agreements

  • Vendors vs. Business Partners: Evaluate different trust levels and controls.
  • EOL/EOSL: End-of-life or end-of-support products lack updates and are high-risk.
  • NDA (Non-Disclosure Agreement): Legal contract protecting sensitive information.
  • SLA (Service Level Agreement): Ensures uptime, response time, and penalties.
  • MOU/BPA: Clarify shared expectations or ongoing responsibilities.

✅ Auditing & Assurance

  • Examination: Reviewing policies, user access, and logs for gaps.
  • Testing: Conducting simulated attacks, social engineering, or red team ops.
  • Audit Types: Internal, compliance, IT controls, financial.
  • Assurance: Ensures controls are functioning and aligns with business goals.

🧪 Penetration Testing Lifecycle

  • Reconnaissance: Passive and active data gathering on the target.
  • Exploitation: Use of discovered weaknesses to gain access.
  • Privilege Escalation: Moving from user to admin-level access.
  • Lateral Movement: Moving across systems to expand access.
  • Pivoting: Using one compromised machine to reach others.
  • Cleanup: Remove tools and logs to cover tracks.
  • Reporting: Document findings and remediation steps.