Security+ Domain #2: Compliance and Operational Security (SY0-401) [DECOMMISSIONED ARTICLE]

By Fakhar Imam, October 21, 2017

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


Compliance and operational security is the second domain of CompTIA’s Security+ exam (SY0-401) and contributes 18% of the exam objectives. To pass the Security+ exam and learn how to implement security, candidates must understand the basic concepts and terminology of compliance and operational security discussed below.

Explain the Importance of Risk-Related Concepts

Risk management—Using risk management, security professionals identify the factors that could disclose or damage data. They then recommend and implement cost-effective solutions to mitigate those risks.

False negatives and false positives—A false negative takes place when an alert or alarm isn’t triggered by abnormal or malicious events. A false positive takes place when an alert or alarm is caused by normal or benign events.

Privacy policy and security policy—A privacy policy is aimed at protecting the confidentiality of personally identifiable information (PII). A security policy is a procedural document whose provisions executives and employees in the organization must comply with while performing any activity.

MTTR, MTTF, and MTBF—Hardware ages over time and eventually needs repair or replacement. Some best practices help in managing the hardware life cycle; they include knowing the mean time to repair/restore (MTTR), the mean time to failure (MTTF), and the mean time between failures (MTBF).

Recovery time objective (RTO) and recovery point objective (RPO)—RTO is the amount of time within which a function must be recovered after a disruption occurs in the organization. RPO is a measure of how much data loss the company can accept in the event of a disaster.
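To make the metrics above concrete, here is an added example (not from the article) that derives MTTR, MTTF and MTBF from a constructed failure/restore log for one device and then checks a single outage against an RTO and an RPO; the log, the objectives and the function names are all assumptions for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2017, 1, 1)  # constructed: date the device entered service

# Constructed failure log: (time the device failed, time it was restored to service).
FAILURE_LOG = [
    (T0 + timedelta(hours=100), T0 + timedelta(hours=102)),  # up 100 h, repair 2 h
    (T0 + timedelta(hours=302), T0 + timedelta(hours=306)),  # up 200 h, repair 4 h
    (T0 + timedelta(hours=606), T0 + timedelta(hours=612)),  # up 300 h, repair 6 h
]
RTO = timedelta(hours=8)  # assumed objective: function back within 8 h
RPO = timedelta(hours=1)  # assumed objective: lose at most 1 h of data


def hours(delta):
    return delta.total_seconds() / 3600.0


def hardware_metrics(log, service_start):
    """Return (MTTR, MTTF, MTBF) in hours from a failure/restore log.

    MTTR: mean downtime per failure (failed -> restored).
    MTTF: mean uptime before a failure (in service -> next failure).
    MTBF: mean time from one failure to the next, which equals MTTF + MTTR.
    """
    repair_times = [hours(restored - failed) for failed, restored in log]
    uptimes, last_restored = [], service_start
    for failed, restored in log:
        uptimes.append(hours(failed - last_restored))
        last_restored = restored
    mttr = sum(repair_times) / len(log)
    mttf = sum(uptimes) / len(log)
    return mttr, mttf, mttf + mttr


def meets_objectives(outage_start, restored_at, last_backup, rto, rpo):
    """Check one outage against the RTO and RPO.

    RTO is met if the function was restored within `rto` of the disruption.
    RPO is met if the data that must be re-created (time since the last
    good backup) is within `rpo`.  Returns (rto_met, rpo_met).
    """
    return restored_at - outage_start <= rto, outage_start - last_backup <= rpo


if __name__ == "__main__":
    mttr, mttf, mtbf = hardware_metrics(FAILURE_LOG, T0)
    print(f"MTTR={mttr:.1f}h MTTF={mttf:.1f}h MTBF={mtbf:.1f}h")  # MTTR=4.0h MTTF=200.0h MTBF=204.0h
    failed, restored = FAILURE_LOG[1]  # second outage, last good backup taken 2 h earlier
    print(meets_objectives(failed, restored, failed - timedelta(hours=2), RTO, RPO))  # (True, False)
```

The second outage meets the 8 h RTO (4 h of downtime) but misses the 1 h RPO, since the last backup was 2 h old: the backup interval, not the repair speed, is what needs to change.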

Security Implications of Integrating Systems and Data with Third Parties

Whenever systems and data are integrated with third parties, there is a huge risk of data loss, compromise, or leakage. Therefore, the security professionals must consider the security implications of integrating systems and data with third parties before implementation.

On-boarding/off-boarding—On-boarding is the process of hiring new employees. Identity and access management (IAM) is the system that holds members’ records. Off-boarding is the process of removing employees from IAM once they are terminated or retire.

Service-level agreement (SLA) and business partners agreement (BPA)—An SLA contract is an agreement between a customer and a supplier. On the other hand, a BPA contract is an agreement between two entities that determines their business relationship.

Memorandum of understanding (MOU)—An MOU is the nonbinding agreement between two parties outlining the details and terms of understanding, including the requirements and responsibilities of each party.

Implement Appropriate Risk Mitigation Strategies

Once a risk assessment has been carried out, the security professionals must select and implement the mitigation, assignment, avoidance, or acceptance solutions. The various aspects of risk mitigation include the following strategies.

Change management—Change management ensures that changes don’t compromise the security of the IT infrastructure. Change to an organization’s secure IT environment can introduce overlaps, loopholes, oversights, and missing objects that can lead to new vulnerabilities and threats. To manage change, the security professionals maintain security through extensive planning, logging, testing, auditing, and monitoring the activities with regard to security controls.

The principle of least privilege—This principle is a rule of thumb suggesting that the user should be granted only the level of access which is necessary to perform a particular assigned task and should not be given unlimited access.

Data loss prevention (DLP)—DLP involves hardware and software tools used to detect and prevent unauthorized access to sensitive data.

Implement Basic Forensic Procedures

Forensics is the acquisition, protection, and analysis of digital evidence from the scene of a crime to present the facts in the courtroom. To make the evidence admissible in court proceedings, forensic analysts must ensure that the “chain of custody” was not broken and that the evidence is collected and preserved properly.

Chain of custody—A chain of custody is a document that contains every detail about evidence across its life cycle, such as when and where the evidence was collected, who collected it, who preserved it, who transported it, and who examined it.

Evidence preservation—The evidence must be protected from change, damage, corruption, and alteration throughout its life cycle.
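The chain of custody and evidence preservation items above can be tied together in code. The following is an added example, not from the article: a small custody record (hypothetical class and names) that hashes the evidence at collection, records every hand-off, and flags custody as broken if a hand-off comes from someone other than the recorded custodian or if the evidence no longer matches its acquisition hash.

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence image, taken at collection and re-checked at every hand-off."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only custody record for one evidence item (hypothetical helper, not from the article)."""

    def __init__(self, item_id, data, collected_by, where, when):
        self.item_id = item_id
        self.acquisition_hash = fingerprint(data)  # reference hash for evidence preservation
        self.custodian = collected_by
        self.broken = False
        self.entries = [(when, "collected at " + where, collected_by, self.acquisition_hash)]

    def transfer(self, data, from_person, to_person, purpose, when):
        """Record a hand-off. Custody stays unbroken only if the sender is the current
        custodian (no undocumented gap) and the receiver's hash matches the original."""
        current_hash = fingerprint(data)
        unbroken = from_person == self.custodian and current_hash == self.acquisition_hash
        self.entries.append((when, purpose, f"{from_person} -> {to_person}", current_hash))
        self.custodian = to_person
        self.broken = self.broken or not unbroken
        return unbroken

    def is_admissible(self, data):
        """True only if custody was never broken and the evidence is still byte-identical."""
        return not self.broken and fingerprint(data) == self.acquisition_hash


# Constructed sample: a stand-in for an acquired disk image.
EVIDENCE = b"constructed sample: disk image of workstation-17"

if __name__ == "__main__":
    chain = ChainOfCustody("EV-001", EVIDENCE, "A. Collector", "server room 2", "2017-10-01T09:00")
    print(chain.transfer(EVIDENCE, "A. Collector", "B. Transporter", "transport to lab", "2017-10-01T11:00"))  # True
    print(chain.transfer(EVIDENCE, "B. Transporter", "C. Examiner", "forensic analysis", "2017-10-01T14:00"))  # True
    print(chain.is_admissible(EVIDENCE))            # True
    print(chain.is_admissible(EVIDENCE + b"\x00"))  # False: evidence altered after collection
    for entry in chain.entries:
        print(entry)
```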

Big data analysis—Analyzing large volumes of evidence requires high-performance analytics running on massively distributed or parallel processing systems.

Common Incident Response Procedure

Whenever a security breach occurs, a common incident response procedure must be followed. Its steps are discussed below.

Incident identification—The first thing that the specialist should do is to detect and identify the incident and then document all the details.

Escalation and notification—The incident responders cannot publicly reveal the information about the security breach. Only those in particular positions of authority are privy to this information and they should be notified about the breach.

Recovery/reconstitution procedures—Recovery/reconstitution is a process of removing any damaged element from the system and replacing it with a new one, and then altering its configuration settings and adding new security features.

First responders—First responders constitute a team of security specialists who initiate the incident response when a violation is detected.

Importance of Security-Related Awareness and Training

Users must be aware of security to carry out their day-to-day tasks. Security training is essential for this purpose and should be part of every company’s security policy. The following techniques are used for awareness and training purposes.

User awareness—Each user must be aware of his/her company’s security policy. The security management should play a crucial role in this regard. Security awareness can easily thwart social-engineering attacks.

Security education—Security education is imparted to the users to guide them in how to perform their everyday tasks securely.

Compliance with laws, best practices, and standards—Compliance checking or compliance testing is a technique that ensures that all essential elements of security solutions are properly deployed. For an efficient security deployment, users must comply with laws, policies, guidelines, best practices, and standards.

Threat awareness—Threats are dynamic in nature and are being created every day. Users must do daily research about newly emerging threats, especially phishing attacks and viruses.

Social networking and peer-to-peer (P2P) services—Social networks and P2P (torrent) file sharing can be risky activities. Social networking is merely a waste of resources in the organization. Besides, viruses can spread quickly through P2P file sharing. Hence, P2P should be blocked altogether.

Compare and Contrast Physical Security and Environment Controls

Physical security is a prerequisite for overall security in an organization. Hence, physical security controls should be implemented in the same manner as security controls are deployed for the IT infrastructure.

Environmental controls—The humidity level should be kept between 40% and 60%. Fire detection and suppression are also essential. If an incident occurs, fire detection and suppression not only save human lives but also minimize damage to the facility and equipment. Another important environmental control is shielded cabling, which prevents electromagnetic disturbances in the cables. Moreover, hot and cold aisles are used to maintain the temperature in the room where large servers operate.

Physical security—A very important consideration for physical security is the use of physical access controls to manage and control entrance into an organization. A mantrap is a high-security barrier entrance device used to control entrance into a location. Besides, physical IDSs (intrusion detection systems), also known as burglar alarms, detect unauthorized activities and notify the security management.

Control types—Control types ensure that only those who need access to resources are authorized to have it. Control types include detective, preventive, recovery, deterrent, and corrective.

Risk Management Best Practices

Business continuity planning (BCP)—BCP involves the assessment of various risks to organizational processes and creating plans, procedures, and policies to mitigate the impact of those risks.

Succession planning—This helps in selecting people for leadership positions.

Fault tolerance—A fault-tolerant system can withstand a fault, failure, or problem and keep operating. Fault tolerance ensures the continuity of a system: it prevents the breakdown of the whole system by avoiding any single point of failure (hardware or software) within the system.

Disaster recovery—Disaster recovery is necessary to continue business operations, and it is carried out when a primary site breaks down. There should be offsite storage to prevent data loss in the event of a catastrophe. Periodic backups of valuable data are also helpful.

Select the Appropriate Control to Meet the Goals of Security

Confidentiality, integrity, availability (CIA)—Confidentiality ensures that valuable data is not available to unauthorized users. Integrity assures that the information or data isn’t altered. Availability protects the use of resources in an efficient and timely manner.

Where Should You Focus Your Study Time?

Taking quizzes and mock exams is the best way to assess your understanding of this subject and your preparation before taking the Security+ exam. Taking notes and working through the test questions on the CD can also be helpful in this regard.

Moreover, studying the right material is very important. Some official books recommended by CompTIA for the Security+ exam, SY0-401, include:

  • Cert-SY0-401, written by David L. Prowse
  • CompTIA Security+ All-in-One Exam Guide: Fourth Edition, published by McGraw Hill
  • CompTIA Security+ Certification Study Guide, published by McGraw Hill

How Is This Information Useful in the Real World?

Digital literacy is an essential survival skill in a digital world. Your Security+ certification proves that you have the skills and knowledge to solve security problems in any business environment. Also, more than 25 million IT professionals worldwide are Security+ certified. Security+ certification is proof of your professional achievement; it increases your marketability, provides an opportunity for advancement, and fulfills training requirements.

Today, business communities worldwide are looking for Security+ certified professionals to implement compliance and security operations that protect them from internal and external security threats. According to a report issued by Osterman Research after analyzing the most significant business continuity incidents that occurred in 2016, nearly 50 percent of companies had to deal with ransomware attacks. This demonstrates that disaster recovery (backups and offsite backups) is an important part of business planning.

InfoSec Security+ Boot Camp

The InfoSec Institute offers a Security+ Boot Camp that teaches you information theory and reinforces the theory with hands-on exercises that help you learn by doing.

InfoSec also offers thousands of articles on all manner of security topics.

Fakhar Imam

Fakhar Imam is a professional writer who holds a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP, and various other IT-related subjects.