Security+ SY0-601 Domains
The new Security+ SY0-601 version contains 5 domains:
Domain 1.0: Attacks, Threats, and Vulnerabilities (24%)
Domain 2.0: Architecture and Design (21%)
Domain 3.0: Implementation (25%)
Domain 4.0: Operations and Incident Response (16%)
Domain 5.0: Governance, Risk, and Compliance (14%)
This blog will discuss Domain 5.0: Governance, Risk, and Compliance.
Governance, Risk and Compliance
In Security+ (SY0-501), the corresponding domain covered only risk management. The latest Security+ (SY0-601) Domain 5, however, introduces a broader concept: Governance, Risk, and Compliance.
GRC (Governance, Risk, and Compliance) is the process of aligning and integrating IT and business objectives so that risks are managed successfully and business operations comply with all applicable industry laws and regulations. This domain accounts for 14% of the exam weighting.
Below are the topics covered by this domain:
Compare and contrast different types of controls
Explain the importance of any applicable regulations, standards, and frameworks that affect the organization’s security posture
Explain the importance of policies for organizational security
Summarize risk management concepts and processes
Explain privacy and sensitive data concepts in connection to security
1. Compare and contrast different types of controls. This part tests candidates' ability to compare and analyze various security controls. The subdomain covers the following categories of controls: operational, managerial, and technical. You will also learn to identify the types of control by function: preventive, detective, corrective, deterrent, and compensating.
2. Explain the importance of regulations, standards, and frameworks that affect organizational security posture. In this subdomain you will learn about various regulations, standards, and legislation. This section includes the General Data Protection Regulation (GDPR), national and territory laws, and the Payment Card Industry Data Security Standard (PCI DSS).
This section also explains the fundamental security frameworks. It covers the following:
Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and Risk Management Framework (RMF)
International Organization for Standardization (ISO) 27001/27002/27701/31000
SSAE SOC 2, Type I/II
Cloud Security Alliance (CSA)
Cloud Controls Matrix (CCM)
This part also includes benchmarks and secure configuration guidelines, platform/vendor-specific guides, web server and OS hardening guides, application server guides, and network infrastructure device guides.
3. Explain the importance of policies for organizational security. In this subdomain you will learn about personnel management controls, third-party risk management, data policies, credential policies, and organizational policies. Topics include acceptable use policy, mandatory vacation, separation of duties, clean desk space, background checks, social media analysis, onboarding and offboarding, gamification, phishing campaigns and phishing simulations, and computer-based training.
Third-party risk management focuses on two types of agreements: the SLA (service level agreement) and the BPA (business partnership arrangement). This section also covers topics such as the supply chain, the memorandum of understanding (MOU), and end of service life.
4. Summarize risk management concepts and processes. This subdomain summarizes the concepts of risk management. It discusses the different types of risk, such as external risk and internal risk.