CASP+ Domain #4: Governance, Risk & Compliance [2022 update]

By Greg Belding, March 10, 2022

Are you an advanced-level security architect or senior security engineer who wants to verify your high level of cyber security skill? Do you want to prove to hiring organizations that you have the knowledge needed to lead and improve your organization’s cyber security readiness? If so, the CompTIA Advanced Security Practitioner, or CASP+, may be the certification for you. To earn the cert, you will first have to pass the certification exam, which covers four domains of knowledge.

Earn your CASP+, guaranteed!


Enroll in a CompTIA CASP+ boot camp and earn one of the industry’s most respected certifications — guaranteed.

What is CASP+?

CASP+ is an advanced-level cyber security certification that is intended for cyber security practitioners. Successful certification candidates will have the knowledge and skill required to:

  • Architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise
  • Use monitoring, detection, incident response, and automation to proactively support ongoing security operations in an enterprise environment
  • Apply security practices to cloud, on-premises, endpoint, and mobile infrastructure, while considering cryptographic technologies and techniques
  • Consider the impact of governance, risk, and compliance requirements throughout the enterprise

What has changed since the last CASP+ exam version?

The latest CASP+ exam version is CAS-004, and much has changed since CAS-003. The exam has dropped one Domain (down to four), and every Domain name and its percentage of exam material has changed. Below is a comparison:

CAS-004 Exam Domains                                  CAS-003 Exam Domains

1.0 Security Architecture (29%)                       1.0 Risk Management (19%)
2.0 Security Operations (30%)                         2.0 Enterprise Security Architecture (25%)
3.0 Security Engineering and Cryptography (26%)       3.0 Enterprise Security Operations (20%)
4.0 Governance, Risk and Compliance (15%)             4.0 Technical Integration of Enterprise Security (23%)
                                                      5.0 Research, Development, and Collaboration (13%)

CASP+ Domain 4: Governance, Risk and Compliance

4.1 Given a set of requirements, apply the appropriate risk strategies

1. Risk assessment

  • Likelihood
  • Impact
  • Qualitative vs quantitative
  • Exposure factor
  • Asset Value
  • Total cost of ownership (TCO)
  • Return on investment (ROI)
  • Mean time to recovery (MTTR)
  • Mean time between failure (MTBF)
  • Annualized loss expectancy (ALE)
  • Annualized rate of occurrence (ARO)
  • Single loss expectancy (SLE)
  • Gap analysis

2. Risk handling techniques

  • Transfer
  • Accept
  • Avoid
  • Mitigate

3. Risk types

  • Inherent
  • Residual
  • Exceptions

4. Risk management life cycle

  • Identify
  • Assess
  • Control
    • People
    • Process
    • Technology
    • Protect
    • Detect
    • Respond
    • Restore
  • Review
  • Frameworks

5. Risk tracking

  • Risk register
  • Key performance indicators
    • Scalability
    • Reliability
    • Availability
  • Key risk indicators

6. Risk appetite vs. risk tolerance

  • Tradeoff analysis
  • Usability vs. security requirements

7. Policies and security practices

  • Separation of duties
  • Job rotation
  • Mandatory vacation
  • Least privilege
  • Employment and termination procedures
  • Training and awareness for users
  • Auditing requirements and frequency

4.2 Explain the importance of managing and mitigating vendor risk

1. Shared responsibility model (roles/responsibilities)

  • Cloud service provider (CSP)
    • Geographic location
    • Infrastructure
    • Compute
    • Storage
    • Networking
    • Services
  • Client
    • Encryption
    • Operating systems
    • Applications
    • Data

2. Vendor lock-in and vendor lockout

3. Vendor viability

  • Financial risk
  • Merger or acquisition risk

4. Meeting client requirements

  • Legal
  • Change management
  • Staff turnover
  • Device and technical configurations

5. Support availability

6. Geographical considerations

7. Supply chain visibility

8. Incident reporting requirements

9. Source code escrows

10. Ongoing vendor assessment tools

11. Third-party dependencies

  • Code
  • Hardware
  • Modules

12. Technical considerations

  • Technical testing
  • Network segmentation
  • Transmission control
  • Shared credentials

4.3 Explain compliance frameworks and legal considerations, and their organizational impact

1. Security concerns of integrating diverse industries

2. Data considerations

  • Data sovereignty
  • Data ownership
  • Data classifications
  • Data retention
  • Data types
    • Health
    • Financial
    • Intellectual Property
    • Personally identifiable information (PII)
  • Data removal, destruction, and sanitization

3. Geographic considerations

  • Location of data
  • Location of data subject
  • Location of cloud provider

4. Third-party attestation of compliance

5. Regulations, accreditations, and standards

  • Payment Card Industry Data Security Standard (PCI DSS)
  • General Data Protection Regulation (GDPR)
  • International Organization for Standardization (ISO)
  • Capability Maturity Model Integration (CMMI)
  • National Institute of Standards and Technology (NIST)
  • Children’s Online Privacy Protection Act (COPPA)
  • Common Criteria
  • Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)

6. Legal considerations

  • Due diligence
  • Due care
  • Export controls
  • Legal holds
  • E-discovery

7. Contract and agreement types

  • Service-level agreement (SLA)
  • Master service agreement (MSA)
  • Non-disclosure agreement (NDA)
  • Memorandum of understanding (MOU)
  • Interconnection security agreement (ISA)
  • Operational-level agreement
  • Privacy-level agreement

4.4 Explain the importance of business continuity and disaster recovery concepts

1. Business impact analysis

  • Recovery point objective
  • Recovery time objective
  • Recovery service level
  • Mission essential functions

2. Privacy impact assessment

3. Disaster recovery plan (DRP)/business continuity plan (BCP)

  • Cold site
  • Warm site
  • Hot site
  • Mobile site

4. Incident response plan

  • Roles/responsibilities
  • After-action reports

5. Testing plans

  • Checklist
  • Walk-through
  • Tabletop exercises
  • Full interruption test
  • Parallel test/simulation test


CASP+ Domain #4

CASP+ is an advanced-level cybersecurity certification aimed at security architects and senior security engineers. To earn this cert, you will have to pass the CASP+ certification exam, which covers four Domains of knowledge. Use this article to map out your study outline for Domain 4, and you will be one step closer to earning the CASP+ cert for yourself.

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.