Uploaded by pavithra ravi

CompTIA Security+

Section 1: Security Throughout the Information Lifecycle:
1. Importance of Security Across Phases:
- Security considerations should be integrated into every phase of the information lifecycle.
- Avoiding Band-Aid solutions at the end is crucial due to increased costs, time consumption, and
inadequate problem resolution.
2. Consent in Information Lifecycle:
- Consent is a critical aspect of the information lifecycle, covering both the collection of data and
its subsequent use.
- Regulations such as the EU's GDPR require that individuals are clearly informed about what is
collected and why, and, where consent is the lawful basis for processing, that the consent is freely
given, specific, informed, and unambiguous.
3. GDPR and Information Lifecycle Phases:
- GDPR specifies requirements for data collection, storage, processing, sharing, deletion, and
archiving.
- Data subjects in the EU have rights of access, rectification (correction), and erasure of their
personal data, irrespective of where that data is physically stored.
4. Protecting Sensitive Data:
- Personally Identifiable Information (PII) includes elements like social insurance numbers, credit
card details, etc.
- Protected Health Information (PHI) involves sensitive medical data. Laws and regulations aim to
safeguard such data.
5. Anonymization Techniques:
- Anonymization is crucial for privacy: data that can no longer be attributed to an individual falls
outside GDPR and can be used without consent.
- Pseudonymization, tokenization, and data masking reduce exposure while still enabling useful
analysis, but each is reversible by whoever holds the key, the token vault, or the original record,
so GDPR still treats pseudonymized data as personal data.
6. Data Minimization:
- Data minimization involves limiting collected and stored data to what is necessary and legally
permissible.
- PCI DSS is an example: after authorization a merchant may keep only the card data needed for
transaction processing, the PAN must be stored unreadable, and sensitive authentication data (full
track data, card verification code, PIN) must not be stored at all.
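A worked example of the three techniques in item 5 together with the PCI DSS display rule from item 6, added here as an editor's illustration rather than code from the original notes. The sample record, the key, and the token format are constructed for the demonstration. It makes one point the notes do not: pseudonymization must use a keyed hash, because a plain hash of an e-mail address or a short customer identifier is trivially reversed by hashing guesses.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample record (not real data): one customer row as it might sit in
# an order database before a copy is handed to an analytics team.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "postcode": "SW1A 1AA",
}

# Assumed secret held only by the data controller. Whoever holds it can link
# pseudonyms back to people, which is why pseudonymized data is still personal
# data under GDPR; only data that nobody can re-identify is anonymous.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC), not a bare SHA-256: a bare hash of an e-mail address is
    reversed by hashing candidate addresses, a keyed one is not. Same input gives
    the same pseudonym, so records can still be joined during analysis."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: the value is replaced by a random token that carries no
    information about it; the mapping lives only in this separately protected
    store, so a token holder cannot recover the value without the vault."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return self._value_to_token[value]

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def mask_pan(pan: str) -> str:
    """Data masking as PCI DSS allows when a primary account number is displayed:
    at most the first six and last four digits remain, the rest is masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def release_for_analytics(record: dict, vault: TokenVault) -> dict:
    """Data minimization plus the three techniques above, applied before a copy
    leaves the controlled system: the analytics copy keeps only what the analysis
    needs, and nothing in it identifies the customer directly."""
    return {
        "customer_ref": pseudonymize(record["customer_id"]),  # joinable, not reversible
        "contact_token": vault.tokenize(record["email"]),     # reversible only via the vault
        "card_display": mask_pan(record["card_number"]),      # never the full PAN
        "area": record["postcode"].split()[0],                # generalized, e.g. SW1A
    }
```

The truncation of the HMAC to 16 hex characters keeps the pseudonym short for the demo; in production keep the full digest. The vault in this example is an in-memory dictionary standing in for a separately secured service.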
7. Data Sovereignty:
- Data sovereignty considers the physical location of data and its implications for applicable laws
and regulations.
- Azure Cloud example illustrates the importance of knowing where data is stored and replicated.
Business Impact Analysis:
1. RPO and RTO:
- Recovery Point Objective (RPO) defines the maximum tolerable data loss, influencing backup
frequency.
- Recovery Time Objective (RTO) sets the maximum allowable downtime, crucial for critical systems
like e-commerce.
2. Privacy Impact Assessment (PIA):
- A PIA examines how personally identifiable information is collected, used, shared, and retained by
a system, identifies the privacy risks, and documents how they are mitigated to comply with data
protection laws.
3. Privacy Threshold Assessment (PTA):
- A PTA is the initial screening that determines whether a system handles sensitive data at all, what
kind, which laws and regulations apply, and therefore whether a full PIA is required.
Quantitative and Qualitative Risk Assessments:
**1. Qualitative Risk Assessments:**
- Rely on expert judgement rather than hard numbers: threat likelihood and impact are rated on
scales (for example low/medium/high) and combined into a severity rating.
**2. Quantitative Risk Assessments:**
- Put monetary values on risk: Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor
(EF), and Annual Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO). A control is
financially justified when the ALE it removes exceeds its annual cost.
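Added worked example of the quantitative formulas (not from the original notes); the asset value, exposure factors, and control costs are illustrative numbers chosen for the demonstration. It goes one step past the notes by ranking candidate controls by net annual value, which is how the ALE figure is actually used in a budget decision.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the terms used by quantitative assessment."""
    asset_value: float      # AV: what the asset is worth to the business
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


def aro_from_interval(years_between_incidents: float) -> float:
    """'Once every N years' expressed as an annualized rate (once in 4 years -> 0.25)."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost/benefit of a control: the ALE it removes minus what it costs per year.
    A negative result means the control costs more than the risk it reduces."""
    return before.ale() - after.ale() - annual_control_cost


def rank_controls(before: Risk, candidates: dict) -> list:
    """Order candidate controls by net annual value, best first.
    `candidates` maps a control name to (residual Risk, annual cost)."""
    scored = [(name, control_value(before, after, cost))
              for name, (after, cost) in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario (illustrative numbers, not from the notes): an e-commerce
# web tier worth 200,000 that a DDoS takes down about every two years, costing a
# quarter of the asset's value each time (SLE 50,000, ALE 25,000).
WEB_TIER = Risk(asset_value=200_000, exposure_factor=0.25, aro=aro_from_interval(2))

CANDIDATE_CONTROLS = {
    # name: (risk after the control is in place, yearly cost of the control)
    "cloud DDoS scrubbing": (Risk(200_000, 0.05, 0.5), 12_000),
    "extra bandwidth only": (Risk(200_000, 0.20, 0.5), 3_000),
    "do nothing": (WEB_TIER, 0),
}
```

With these inputs the scrubbing service nets 8,000 a year (25,000 - 5,000 - 12,000), the bandwidth upgrade 2,000, and doing nothing 0, so the ranking puts scrubbing first. Change the ARO to once every ten years and the same control becomes a net loss, which is the real lesson of the exercise.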
Security Controls:
**1. Security Control Types:**
- Preventive, detective, corrective, deterrent (e.g., login warning banners), compensating (e.g.,
network isolation for IoT devices that cannot be patched), and directive controls.
**2. Security Control Categories:**
- Managerial/Administrative, Operational, and Technical controls (with Physical listed as a fourth
category in the current exam objectives).
**3. Security Control Implementation:**
- Solutions like malware scanners mitigate threats and can be implemented differently based on
platforms, vendors, or user requirements.
Risk Management Concepts:
- **Risk Types:** Environmental, Person-made (riots, terrorism, sabotage), Internal (malicious
insider, malware), External (DDoS attacks).
### Threat Intelligence:
- Threat intelligence is a crucial aspect of risk management, providing insights into potential threats
and vulnerabilities.
Additional Concepts:
- **Data Classification:**
- Government classification, Standard classification (PII, PHI, Proprietary, Public/Private, Critical,
Financial).
- **Data Sovereignty and Azure Cloud:**
- Understanding the physical location of data and its replication to ensure compliance with laws.
**Note:** The notes cover a broad range of topics, emphasizing the importance of security, consent,
data protection, and risk management across various phases of the information lifecycle.
Data Destruction and Sanitization:
1. Introduction:

The importance of securely decommissioning equipment, including storage media, to
prevent data recovery by unauthorized parties.
2. Physical Destruction of Storage Media:

Various physical forms of data (paper documents, film, magnetic tape) can be destroyed
through methods like burning, pulping, shredding, or pulverizing.

Example: Hard disk shredding device physically destroys disks to prevent data retrieval.
3. Digital Media Sanitization:

For failed devices or end-of-life equipment, digital media sanitization is essential.

Organizations may have policies dictating the fate of decommissioned equipment (reuse,
donation, destruction).
4. Asset Inventory Management:

Updating asset inventory is crucial to reflect changes in the equipment's status, especially
when it reaches end-of-life.
5. Disk Wiping Tools:

Disk wiping tools are employed for both hard disk drives (HDD) and solid-state drives (SSD).

On an HDD these tools overwrite every sector, usually several times with random data, so that
nothing recoverable remains. On an SSD, wear levelling and over-provisioned flash mean the host
cannot address every copy of a block, so overwriting alone is not a reliable wipe; use the drive's
built-in secure erase/sanitize command or cryptographic erasure instead.
6. Degaussing for Hard Disk Drives:

Degaussing applies a strong magnetic field to HDD platters, destroying the recorded data (and the
drive's servo tracks, so the drive is unusable afterwards).

Not applicable to solid-state drives (SSD) or other flash media, which store no magnetic charge.
7. Hard Disk Scrubber Tool:

Demonstrated use of the Hard Disk Scrubber Tool for wiping a USB thumb drive.

Options for different scrubbing methods, including DOD-recommended nine-stage overwrite
for enhanced security.
8. Cryptographic Erasure:

Cryptographic erasure destroys the data encryption key (or the key that wraps it); the ciphertext
left on the media is then unrecoverable by anyone, including the owner, however much of it remains.

Particularly useful for decommissioning storage that was encrypted from the start, such as
self-encrypting drives, and it takes seconds regardless of the size of the media.
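Added example covering items 5 (disk wiping) and 8 (cryptographic erasure) together; it is an illustration written for this page, not the Hard Disk Scrubber tool or any vendor's code. A temporary file stands in for the block device, and a toy HMAC-based stream cipher stands in for the AES-XTS a self-encrypting drive would use; both substitutions are assumptions of the demo. The result shows the difference between the two methods: after an overwrite the data is gone from the media, after a crypto-erase the ciphertext is still physically there but unreadable.

```python
import hashlib
import hmac
import os
import secrets
import tempfile


def overwrite_passes(path: str, random_passes: int = 3, chunk: int = 64 * 1024) -> bool:
    """Multi-pass wipe of a file standing in for a block device: random passes, then
    a final all-zero pass, each fsync'ed. Returns True if a read-back is all zeros.
    Sound for an HDD; on an SSD the controller may keep stale copies in flash the
    host cannot address, so use secure-erase/sanitize or crypto-erase there."""
    size = os.path.getsize(path)

    def fill(f, pattern_source):
        f.seek(0)
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            f.write(pattern_source(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())

    with open(path, "r+b") as f:
        for _ in range(random_passes):
            fill(f, os.urandom)
        fill(f, lambda n: b"\x00" * n)
    with open(path, "rb") as f:
        return f.read() == b"\x00" * size


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher from HMAC-SHA256 so the example runs on the
    standard library alone; a real self-encrypting drive uses AES-XTS."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class SelfEncryptingMedia:
    """Model of a self-encrypting drive: every write is encrypted under a data
    encryption key (DEK) that the media holds and never exports."""

    def __init__(self) -> None:
        self._dek = secrets.token_bytes(32)
        self._flash = b""  # the ciphertext physically present on the media

    def write(self, plaintext: bytes) -> None:
        self._flash = keystream_xor(self._dek, plaintext)

    def read(self) -> bytes:
        if self._dek is None:
            raise RuntimeError("DEK destroyed: media is cryptographically erased")
        return keystream_xor(self._dek, self._flash)

    def crypto_erase(self) -> None:
        # Only the key is destroyed; the ciphertext stays but is useless to everyone.
        self._dek = None

    def raw_flash(self) -> bytes:
        # What a forensic read of the bare flash returns, with or without the key.
        return self._flash


def sanitize_demo() -> dict:
    """Run both methods on constructed sample data and report what survives."""
    secret = b"ACCOUNT 4111111111111111 PIN 1234 " * 100  # constructed, not real data
    marker = secret[:20]

    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
        path = tmp.name
    try:
        wipe_verified = overwrite_passes(path)
        with open(path, "rb") as f:
            residue = f.read()
    finally:
        os.unlink(path)

    media = SelfEncryptingMedia()
    media.write(secret)
    readable_before = media.read() == secret
    media.crypto_erase()
    try:
        media.read()
        readable_after = True
    except RuntimeError:
        readable_after = False

    return {
        "wipe_verified": wipe_verified,
        "secret_survives_wipe": marker in residue,
        "readable_before_crypto_erase": readable_before,
        "readable_after_crypto_erase": readable_after,
        "secret_in_raw_flash": marker in media.raw_flash(),
    }
```

Call `sanitize_demo()` to run it. The file overwrite verifies by reading the media back, which is the check a wiping tool's "verify" option performs; the crypto-erase path has nothing to verify on the media itself, which is why its assurance rests entirely on the key having been destroyed (and never backed up) rather than on what the flash contains.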
9. Importance of Secure Data Destruction:

Emphasizes the critical need to protect data at its end-of-life through physical and digital
destruction methods.

Highlighted methods include shredding, pulverizing, degaussing, multi-pass wipes, and
cryptographic erasure.
10. Considerations for Data Protection:

Acknowledges the importance of considering the ways to protect data at its end-of-life stage.

Encourages the adoption of secure data destruction practices to safeguard sensitive
information.
Conclusion:

Summarizes the various data destruction methods, emphasizing the significance of ensuring
data cannot be recovered when equipment is decommissioned.
Managing Personnel and Organizational Security Policies
1. Standard Operating Procedures (SOP):

Consistent and repeatable ways for personnel to conduct tasks.

Example: Inserting a security card before sending sensitive emails.
2. Personnel Management Policies:

Enforcing policies like mandatory vacations and job role rotation to identify anomalies and
reduce fraud.

Separation of duties to prevent internal fraud, though collusion remains a challenge.
3. Hiring Policies and Background Checks:

Scrutinizing potential employees through social media scraping, internet searches,
background checks, and interviews.

National Security Agency (NSA) example: Detailed checks to avoid potential threats to
national security.
4. Third-Party Background Check Services:

Utilizing services like Hire Right for criminal record searches, credit reports, and employment
verifications.

Integral for risk management in human resources.
5. Onboarding Process:

Non-Disclosure Agreements (NDAs) to ensure confidentiality.

Security awareness training during onboarding.

Issuing security badges and devices, aligning with policies.
6. Clean Desk Policies:

Ensuring sensitive information is not left unattended.

Implementing shredding practices to mitigate dumpster diving.
7. Mobile Device Management (MDM) and BYOD:

MDM for centralized management of mobile devices.

Balancing the benefits and risks of Bring Your Own Device (BYOD) policies.
8. User Training and Awareness:

Periodic, role-specific training.

Computer-based training (CBT), gamification, and phishing simulations.

Lunch and learn sessions to make learning enjoyable.
9. Offboarding Process:

Termination or resignation letters and exit interviews.

Return of equipment and data backup.

Knowledge transfer to successors.

Account disablement and deletion based on organizational security policies.
10. Continuous Risk Management:

Background checks, onboarding, training, and offboarding contribute to a secure IT
ecosystem.

Balancing personnel management and security policies is essential for holistic risk
management.
Conclusion:

Robust personnel management, encompassing hiring, onboarding, training, and offboarding,
is crucial for effective risk management in an organization.

Alignment with security policies ensures a secure and resilient IT environment.
Managing Third-Party Risk in Organizations
1. Introduction to Third-Party Risk Management:

Organizations often outsource certain skill sets or services to third parties.

Third-party risk management involves ensuring the security of outsourced services and
products.
2. Measurement Systems Analysis (MSA) for Third Parties:

Used in quality assurance, especially in industries with robotic equipment.

Ensuring third-party skills, like recalibrating robotic machinery, meet security standards.
3. Risks Related to Outsourced Software and Hardware:

Risks associated with using unsupported or end-of-life hardware and software.

Examples include vulnerabilities arising from outdated operating systems.
4. Cloud Service Providers and Security:

Assessing the security of public cloud providers.

Overview of Amazon Web Services (AWS) security accreditations.

Shared responsibility model: Both cloud provider and consumer share compliance
responsibilities.
5. Supply Chain Security Risks:

Risks involving contractors accessing corporate resources.

Data privacy notices for temporary credentials.

Challenges and security considerations during company mergers.
6. Security in Software Development:

Ensuring developers use trusted components from third parties.

Trustworthiness of third-party components to prevent security vulnerabilities.
7. Encryption and Key Management in Cloud Services:

Demonstrating Microsoft Azure's default encryption for storage accounts.

Enabling customer-managed keys for regulatory compliance.

Overview of using Azure Key Vault for storing encryption keys.
8. Data Loss Prevention (DLP):

Preventing unauthorized data sharing with Data Loss Prevention (DLP).

Implementing policies like watermarking documents and encryption before email
attachment.

Various software DLP solutions for on-premises and cloud environments.
9. Conclusion on Third-Party Risk Management:

Managing third-party risks involves evaluating hardware, software, and services used in the
enterprise.

Addressing vulnerabilities, securing data, and implementing measures to prevent data
exfiltration.
10. Overall Implications for Risk Management:

Comprehensive risk management involves addressing personnel, security, and third-party
risks.

Ongoing assessment and adaptation of security measures ensure a resilient and secure
organizational ecosystem.
Business Agreements and Security Considerations
1. Interconnection Security Agreement (ISA):

Legally binding agreements for connecting networks between organizations or government
agencies.

May require compliance with specific security regulations, encryption standards, and
mandatory training.

Common in data sharing scenarios, business partnerships, and company mergers.
2. Service Level Agreement (SLA):

A contractual document between service providers and consumers, guaranteeing service
uptime.

SLAs include consequences for service unavailability and service credit policies.

Examined a Microsoft Azure SLA for virtual machines to understand terms and uptime
guarantees.
3. Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA):

MOU outlines broad terms of an agreement between two parties.

MOA is more detailed and specifies the terms of a business arrangement.

Used to establish mutual understanding and commitments between parties.
4. Business Partnership Agreement (BPA):

A legal document outlining obligations, investments, and decision-making powers in a
business partnership.

Defines responsibilities and contributions of each party involved in the agreement.
5. Non-Disclosure Agreement (NDA):

Protects sensitive information from being disclosed externally.

Commonly used during user onboarding, security audits, and in scenarios involving trade
secrets.

Examined an example of a penetration testing NDA that stipulates rules of engagement and
responsibilities.
6. Security Considerations in Agreements:

Input from cybersecurity specialists is crucial to ensure the right security controls are
applied.

Technical and business-based agreements require careful consideration of security
implications.

Awareness of various agreements and their applications in different scenarios is essential for
Security+ exam preparation.
7. Conclusion:

Understanding and navigating different types of business agreements is integral to effective
risk management.

Security professionals play a vital role in ensuring the inclusion of appropriate security
measures in agreements.

The Security+ exam assesses knowledge of these agreements and their application in real-world scenarios.
Sample Exam Question: Threat Actor in a DDoS Attack Scenario
Scenario:

A government official announces a new policy on a controversial social issue at a press
conference.

Attackers globally, with differing views from the government, launch a DDoS attack rendering
government websites unreachable.
Question: What type of threat actor is characterized in this scenario?
Options:
1. Hacktivist
2. Script Kiddie
3. State-Sponsored Attacker
4. Criminal Syndicate
Answer:

Hacktivist
Explanation:

Hacktivist: Individuals or groups with a common ideology, often launching attacks to make
their views known or influence public opinion.

Script Kiddie: Inexperienced individuals who use existing tools and tutorials for attacks.

State-Sponsored Attacker: Nation-state involvement in cyber-espionage or cyber-warfare.

Criminal Syndicate: Organized crime groups using IT for illicit activities.
Conclusion:

Understanding threat actor types and their motivations is crucial for analyzing scenarios and
identifying the most appropriate classification.

The Security+ exam may present scenarios requiring the application of knowledge about
threat actors and their characteristics.