Organizational Security
Chapter 1 Chapter 2 Chapter 3 Organizational Security and Compliance Security Training and Incident Response Business Continuity and Disaster Recovery

Explain risk-related concepts Carry out appropriate risk mitigation strategies

As part of an overall company strategy, security should be officially recognized as a critical business objective just like any other important business objective. In

the past, the IT department had to define security and access controls for the company network and data. In today’s Internet world, corporate management adapts the

legalities of the business world to computer networks by ensuring that electronic transfer of information is secure to protect both the company and their customers. To

protect their assets, employees, and customers from security risks, organizations must analyze their security practices to identify the threats to their operations and

protect themselves in the most cost-efficient way. Risks to your organization must be assessed based on their probability and impact (both quantitative and

qualitative), and then security measures are implemented based on this risk analysis. To ensure security across the organization, and to assure customers that the

company can be trusted, overall security policies must be implemented to include several component policies and procedures that govern how the organization uses

computer networks, protects and distributes data, and offers services to customers. Each component of the security policy defines specific security best practices for

a particular topic, such as a password policy. These policies and procedures include rules on company Internet use, customer data privacy, company structure, and human

resources hiring and termination practices. Many companies, such as those in the financial and health care sector, must now comply with several government regulations

for the protection and privacy of customer data in their industry. Organizations must be diligent in crafting their policies to adhere to these regulations, and they

must employ risk mitigation techniques to avoid violating these strict standards. For a company’s security policies to be effective, they must be communicated properly

to the employees to ensure companywide knowledge and compliance. Rules won’t be followed if nobody knows they exist. Many companies make use of consultants to create

and draft security policies and procedures, but these policies often aren’t communicated to the user community and aren’t used. Employees need to be aware of security

issues and procedures to protect not only themselves but also the company’s services and data. This chapter describes general risk assessment and mitigation

strategies, and organizational policies that should be in place to protect an organization, its networks and data, its employees, and its customers.

CHAPTER 1 Organizational Security and Compliance

5

Objective 1.01
CompTIA Security+ Objective 2.1

Explain Risk-Related Concepts

R

isk management is the act of identifying, assessing, and reducing the risk of security issues that can impact your organization’s operations and assets. The following

sections describe these risk-related concepts:

• • • •

Risk Control Types Risk control types can be separated into three logical divisions: management, operational, and technical. Each risk control type is a separate but

cooperative layer in your overall risk management strategy. Risk Assessment Use risk assessments to understand your current risks, their probability and impact, and

the solutions to prevent them. Risk Management Options Depending on the type of risk, you have several options based on the nature and probability of the risk, and the

cost of the solution: avoidance, transference, acceptance, mitigation, and deterrence. Using Organizational Policies to Reduce Risk Your organizational security is

critical for ensuring that your company’s risk management plan is properly detailed, communicated, and adhered to by your employees in all its activities through the

use of policies.

Risk Control Types
Risk control types can be separated into three basic functions: management, technical, and operational.

Management
Risk management is an ongoing high-level function within your organization. Risk management begins with the risk assessment and analysis to identify the risk of

security breaches against company assets, assessing the probability of a risk and estimating its impact, and defining the steps to reduce the level of that risk. The

solutions to these risks must be properly analyzed and budgeted to ensure that the probability and impact of the risk are properly factored into a cost-effective

solution.

6

MIKE MEYERS’ COMPTIA SECURITY+ CERTIFICATION PASSPORT

Technical
Technical risk control describes the actual technical measures used to prevent security risks in your organization. From physical access controls (perimeter fencing,

security passes, surveillance) to environmental controls (fire suppression, temperature controls), and deep-level network and system security (firewalls, antivirus

scanning, content filters, and other network security devices), these controls perform the risk mitigation and deterrence that have been defined in your organization

risk analysis.

Operational
Finally, there is an overall operational risk control that must be created and implemented throughout your company. This risk control strategy is concerned with how

you conduct your daily organizational business to minimize the security risk to your organization and its business activities. These include company-wide policies that

must be created, distributed, and used to educate your employees on how to conduct their day-to-day activities while being vigilant about organization security.

Operational risk management also includes user education and vigilant monitoring and testing to make sure your plans are being adhered to by your organization and its

activities are constantly analyzed to protect against new threats.

Exam Tip
Management risk controls the high-level risk management, assessment, and mitigations plans that define your overall organization security. Technical risk controls are

the technical measures deployed to prevent security risks. Operation risk controls deal with security for your day-to-day organizational business activities.

Risk Assessment
Risk assessment and mitigation deals with identifying, assessing, and reducing the risk of security breaches against company assets. By assessing the probability of a

risk and estimating the amount of damage that could be caused as a result, you can take steps to reduce the level of that risk. Suppose, for example, that your company

file server contains confidential company data. The file server asset is considered extremely valuable to the company, its clients, and its competitors. A considerable

amount of financial damage would be incurred by the company in the event of loss, damage, or theft of the server. The risks and threats posed to the server could be

physical—such as damage caused by a natural disaster or a hardware malfunction—or nonphysi-

CHAPTER 1 Organizational Security and Compliance

7

cal—such as viruses, network hacker attacks, and data theft if the server is easily accessible through a network. The costs associated with reducing these risks are

mitigated by the potential costs of losing data on the file server. To help reduce these risks, you can take several actions:

• • • • •

Use multiple hard drives and power supplies for fault tolerance. Implement a good backup scheme. Protect the server through physical security such as door access

controls. Install antivirus software. Disable unused network services and ports to prevent network attacks.

To identify the risks that pose a security threat to your company, you can perform a risk analysis on all parts of the company’s resources and activities. By

identifying risks and the amount of damage that could be caused by exploiting a system vulnerability, you can choose the most efficient methods for securing the system

from those risks. Risk analysis and assessment can identify where too little or even too much security exists, and where the cost of security is more than the cost of

the loss because of compromise. Ultimately, risk analysis and assessment is a cost/benefit analysis of your security infrastructure. Risk analysis and assessment

involves three main phases:

• • • •

Asset identification Risk analysis and threats.

Identify and quantify the company’s assets.

Identify and assess the possible security vulnerabilities

Risk likelihood and impact Rate your various risks according to how likely they are to occur and their impact. Cost of solutions Identify a cost-effective solution to

protect assets.

Asset Identification
Company assets can include physical items such as computer and networking equipment, and nonphysical items such as valuable data. Asset identification involves

identifying both types of assets and evaluating their worth. Asset values must be established beyond the mere capital costs—acquisition costs, maintenance, the value

of the asset to the company, the value of the asset to a competitor, what clients would pay for the asset or service, the cost of replacement, and the cost if the

asset were compromised should also be considered. For example, a list of a company’s clients can be easily re-created from backup if the original is lost or destroyed,

but if the list finds its way into the hands of a competitor, the resulting financial damage could be devastating. Ultimately, the value of the assets you’re trying to

protect drives the costs involved in securing that asset.

8

MIKE MEYERS’ COMPTIA SECURITY+ CERTIFICATION PASSPORT

Risk Analysis
Risk analysis deals with identifying, assessing, and reducing the risk of security breaches against company assets. By assessing the probability of a risk and

estimating the amount of damage that could be caused as a result, you can take steps to reduce the level of that risk. To identify the risks that pose a security

threat to your company, you can perform a risk analysis on all parts of the company’s resources and activities. Quantitative risk analysis is a strict dollar-amount

calculation of the exact cost of the loss or a specific company asset because of a disaster. This is a straightforward method that can be applied for simple

situations. For example, if a hard drive in a RAID (redundant array of inexpensive disks) system fails, it is simply replaced with a new hard drive. There is no loss

of data because the information is rebuilt from the rest of the array. Qualitative risk analysis must take into account tangible and several other, intangible factors

in determining costs. Consider a denial-of-service network attack on your company’s web store server that causes four hours of downtime and corrupted data on a back-

end transactional database. You are not only faced with the monetary loss from your web site being down and customers not being able to order products for many hours,

but the time it takes to perform countermeasures against the attack, get your web server back into operation, recover any lost data from your database, and also take

into account data that cannot be recovered. The costs in this scenario include the manpower hours in recovering from the attack, the loss of orders from the web store

during the downtime, monetary loss from corrupted data that cannot be restored, and even potential loss of future business from disgruntled customers.

Exam Tip
Quantitative risk analysis is a dollar-amount calculation of the exact cost of the loss due to a disaster. Qualitative risk analysis includes intangible factors, such

as loss of potential business, in determining costs. There are additional risks often ignored in a risk analysis in regard to virtualization technology and cloud

computing. Using virtualization technology, a computer can host multiple instances of an operating system environment all running from the same computer on the same

hardware. The consolidation of many different types of services on the same hardware creates a security risk that if that system is hacked or fails, it will take down

every virtualized server that runs on the system.

CHAPTER 1 Organizational Security and Compliance

9

The risk of a single point of failure for cloud computing is very similar. Cloud computing aggregates services in a virtual environment where all aspects of the cloud,

from the platform, to the software, to the entire infrastructure, are based on a distributed web service. If the cloud service fails, you may lose all access to your

services and data until the cloud service is restored.

Travel Assistance
See Chapter 8 for more detailed information on virtualization and cloud computing. Overall, your risk assessment must be wide in scope to use both quantitative and

qualitative analysis to determine your risk factors from all aspects of your company’s operations.

Risk Likelihood and Impact
As part of your risk assessment and mitigation strategy, you will need to rate your various risks according to how likely they are to occur and their impact. The risks

more likely to occur and their calculated impact are ranked toward the top of the list to indicate where solution efforts should be most concentrated. For example,

within a company that already practices strict physical security and access control methods, the priority of risk scenarios could be geared toward nonphysical threats,

such as viruses and network hackers, because this would have a greater impact on their ability to operate. The likelihood and impact of a risk has a strong measure on

your cost analysis for budgeting funds for risk countermeasures and mitigation. A calculation used to determine this factor is annual loss expectancy (ALE). You must

calculate the chance of a risk occurring, sometimes called the annual rate of occurrence (ARO), and the potential loss of revenue based on a specific period of

downtime, which is called the single loss expectancy (SLE). By multiplying these factors together, you arrive at the ALE. This is how much money you expect to lose on

an annual basis because of the impact from an occurrence of a specific risk. Using the ALE, you can properly budget the security measures to help protect against that

particular risk from occurring. For example, if a file server is at 25 percent risk of being infected by a virus, its ARO is 0.25. During the time the file server is

down and data is being recovered, none of your employees can work. For a downtime of two hours, you calculate $8000 of lost time and productivity. By multiplying these

two factors (0.25 and $8000), you get an ALE value of $2000. You can use this amount to budget for additional antivirus software protection to help lower this risk and

save money in your next annual budget.

10

MIKE MEYERS’ COMPTIA SECURITY+ CERTIFICATION PASSPORT

Exam Tip
The Annual Loss Expectancy (ALE) is calculated by multiplying the annual rate of occurrence (ARO) and the single loss expectancy (SLE).

Solutions and Countermeasures
After you’ve assessed and defined risk and management procedures, you’ll have collected the following information:

• • • •

Asset identification A list of your assets, including physical assets such as server hardware and hard disks, and nonphysical assets such as the valuable customer data

stored on the hard drives. Threat profiles A list of every possible threat against your assets. Risks An evaluation of the potential risk of each threat—such as the

risk of a malicious hacker being able to compromise a database server. If the server itself is compromised, but the valuable and confidential data on the database

server is leaked by the hacker, the risk is far greater for this asset. Impact The potential loss in the event your assets are attacked or compromised by threats,

including the asset’s capital value (such as hardware cost), plus how much it will cost to replace that asset, especially lost customer data. A failed hard drive can

be a relatively low cost to recoup, but if you have no backup of customer data that was stored on that hard drive, you might have lost tens of thousands of dollars’

worth of data. Probability The risks more likely to occur are ranked toward the top of the list to indicate where solution efforts should be most concentrated. For

example, within a company that already practices strict physical security and access control methods, the priority of risk scenarios could be geared toward nonphysical

threats, such as viruses and network hackers.

•

Once this process is complete, a list of solutions and countermeasures to protect against each threat should be reviewed and documented. Examine your solutions with

respect to what current security measures are in place and what needs to be done to make them more effective. Ensure that the functionality and effectiveness of the

solution is sufficient to reduce the risk of compromise. Purchasing a fire extinguisher for the server room could seem like a fire-prevention solution, for example,

but only an automatic fire detection and suppression system can fully protect a room full of servers from a large, out-of-control fire that

CHAPTER 1 Organizational Security and Compliance

11

occurs in the middle of the night. Similarly, buying a firewall to protect your servers from outside Internet traffic is a great idea for network security, but if the

network administrator hasn’t been trained to configure it properly, the firewall might not be effective at all. Any solutions must be cost-effective to ensure that the

benefits of the solution are in line with the actual value of the assets. For example, there’s no point in spending $100,000 on a security solution to protect data

that’s worth only $40,000 to the company if it’s lost or damaged. Ongoing maintenance also needs to be factored into the final calculations. Although a large initial

cost is incurred for a tape backup solution, costs of purchasing new tapes as they’re needed will be ongoing, and you’ll pay for offsite storage of used tapes.

Exam Tip
The cost of the risk management solution shouldn’t exceed the value of the asset if it’s lost. For example, if a file server and its data are valued at $35,000 and the

proposed security solution to protect it costs $150,000, then it doesn’t make sense to implement the proposed solution.

Risk Management Options
When you have completed your risk analysis, and depending on your operations and budgets, you have several options for dealing with each risk:

•

Avoidance Depending on the type of risk, you can opt to avoid the risk altogether. This option is typically used when the cost to mitigate a threat, especially if it

is unlikely or has little impact, means it is not worth implementing. This can also mean you take certain steps to avoid a risk altogether, such as disabling a rarely

used feature in a web application because the benefits aren’t worth the great security risk it causes. Transference The organization can also transfer or “pass on” the

risk to a third party, for example, an insurance company who will pay out your damages in the event a certain risk occurs, or trusting a third-party provider to store

your offsite backup media. Acceptance In most cases in information security, there is a level of risk that must be accepted with any type of information system

network. For example, your organization may want to sell its products directly from their web site, and the potential revenues greatly outweigh the potential network

security risks involved. On the other hand, if the risk is deemed too great in comparison to the benefit, the service may not be offered, or additional mitigation

techniques required.

• •

12

MIKE MEYERS’ COMPTIA SECURITY+ CERTIFICATION PASSPORT

• •

Mitigation Based on your risk analysis, there are specific risks that must be mitigated using countermeasures—for example, implementing a network firewall for network

security, installing desktop and server antivirus protection, and implementing fault-tolerant systems to mitigate the impact of failed hardware. Deterrence Risk

deterrence is an extension of mitigation in which more active levels of control are used to deter security threats. On the network level, this can include intrusion

detection systems and threat prevention devices that proactively monitor and deter network and system attacks. This can also include honeypot devices that attract

network attacks to specific “false” devices and services to ward away attacks from vital networking and service infrastructure.

False Positives and Negatives
A false positive is a legitimate action that is perceived as a risk or threat. A false positive is a term often used in e-mail security scanning to indicate a

legitimate message that was classified as a security issue such as spam, content violation, or poor reputation check. False positives can be applied to almost any type

of security scenario where security controls block what is essentially a legitimate action. For example, an intrusion detection system may send out constant alarms

even though the traffic it’s detecting is legitimate traffic. The administrator becomes lax in responding to alarms because he knows they are more likely than not

false positives. This can allow other more serious intrusions to be ignored. Occasional false positives are a fact of life when it comes to strict security controls,

but too many can become difficult to manage and put a lot of burden on both the administrators and the end users to manage. Excessive false positives in your

environment means that your security controls are too aggressive and need to be reconfigured. Most security systems can be fine-tuned to allow future attempts from the

legitimate action, as long as you can verify it is being performed by an authorized user or process in a secure way. In the example of legitimate e-mail messages being

blocked, end users can create lists of trusted known senders so that future messages from the same sender can bypass certain types of scanning such as content

filtering. Intrusion detection systems can have their thresholds redefined to a lower value to prevent an increase in false positives. Security controls that are not

aggressive enough can result in false negatives. A false negative is a security issue that has passed your security controls as legitimate. For example, an e-mail

message that is spam or contains illegal content may pass through your e-mail security controls and content filters as if it were

CHAPTER 1 Organizational Security and Compliance

13

legitimate mail. An intrusion detection system may let through a denial-ofservice attack because it detects the event as normal operation. Security controls require

continuous baselining and adjustments to properly set their thresholds to detect the difference between normal behavior and serious security issues. The baseline

provides you with a report of what is considered normal activity, and then you set your thresholds on your security controls to detect anomalies to that normal

activity. This period of recording baselines and making configuration adjustments can take several weeks to result in ideal security thresholds, but this ensures that

you will have fewer issues with false positives and negatives in the future.

Exam Tip
A false positive is a legitimate action that is perceived as a risk or threat. A false negative is a security issue that has passed your security controls as a

legitimate action.

Use Organizational Policies to Reduce Risk
To provide effective security, security policy and procedure creation must begin at the top of an organization with senior management. These policies and procedures

must then flow throughout the company to ensure that security is useful and functional at every level of the organization. Understanding company security must begin

with an understanding of the basic laws, regulations, and legal liability issues to which the company must adhere to protect the company and its assets, as well as the

employees and customers. Security policies and procedures are official company communications that are created to ensure that a standard level of security guidelines

exists across the entire organization. These policies define how the employees interact with company computer systems to perform their job functions, how to protect

the computer systems and their data, and how to service the company’s clients properly. The upcoming sections outline policies and procedures in the following areas:

• • •

Security policies Network access policies Human resources policies

Security Policies
The following policies concern general organizational security, including physical access, access control to data, and security through proper organizational

structures and data security principles.

14

MIKE MEYERS’ COMPTIA SECURITY+ CERTIFICATION PASSPORT

Physical Access Security Policy As part of your organization’s overall access control policy, you must have a strong physical access policy and ensure that all

employees are educated on its use. Depending on the security level of the company, physical security may include guarded or nonguarded entrances. Even on guarded

premises, the use of security access cards makes sure that only identified and authenticated employees can enter a facility. Security access cards are coded with the

authorization level of the user, who will be able to access only areas of the facility that are required by his job function. For example, only network and systems

administrators would be able to access a server and networks communications room with their access card. Employees must be trained to always close automatically

locking doors behind them, and not allow other, unidentified people to follow them through. Most security access cards have photographs on them to further identify

users in the event they are challenged for their identity. Employees must be encouraged to report suspicious individuals within the premises who are unfamiliar and do

not have proper identification. A published organizational security policy for physical access allows your employees to have proper knowledge of security procedures

and be equally active in the responsibility for physical security. Access Control Policies The following access control policies help provide a consistent

organizational structure and procedures to prevent internal fraud and corruption in your organization.

• • • •

Least privilege The least privilege principle grants users only access rights they need to perform their job functions. This requires giving users the least amount of

access possible to prevent them from abusing more powerful access rights. Separation of duties A separation of duties ensures that one single individual isn’t tasked

with high-security and high-risk responsibilities. Certain critical responsibilities are separated between several users to prevent corruption. Job rotation Job

rotation provides improved security because no employee retains the same amount of access control for a particular responsibility for a period of time. This prevents

internal corruption from employees that take advantage of their long-term position and security access. Mandatory vacations Mandatory vacation policies require

employees to use their vacations at specific times of year or use all of their vacation

CHAPTER 1 Organizational Security and Compliance

15

days allotted for a single year. This policy helps detect security issues with employees, such as fraud or other internal hacking activities, because the anomalies

might surface while the user is away.

Travel Assistance
These access control concepts and best practices are discussed in more detail in Chapter 6.

Network Security Policies
Several policies provide standard guidelines for network security within a company and encompass areas such as the Internet and internal network use, data privacy,

security incident response, human resources issues, and document security. Acceptable Use Policy An acceptable use policy is a set of established guidelines for the

appropriate use of computer networks within an organization. The policy is a written agreement, read and signed by employees, that outlines the terms, conditions, and

rules of the Internet and internal network use for the company. An acceptable use policy helps educate employees about the kinds of tools they will use on the network

and what they can expect from those tools. The policy also helps to define boundaries of behavior and, more critically, specify the consequences of violating those

boundaries. The policy also specifies the actions that management and the system administrators may take to maintain and monitor the network for unacceptable use, and

they include the general worst-case consequences or responses to specific policy violation situations.

Exam Tip
An acceptable use policy is a set of established guidelines for the appropriate use of computer networks within an organization. Developing an acceptable use policy

for your company’s computer network is extremely important for organizational security and to limit legal liability in the event of a security issue. Acceptable use

policies should cover the following issues:

•

Legality The company’s legal department needs to approve the policy before it’s distributed for signing. The policy will be used as a legal document to ensure that the

company isn’t legally liable for any type

16

MIKE MEYERS’ COMPTIA SECURITY+ CERTIFICATION PASSPORT

of Internet-related incident and any other transgressions, such as cracking, vandalism, and sabotage.

• • • •

Uniqueness to your environment The policy should be written to cover the organization’s specific network and the data it contains. Each organization has different

security concerns—for example, a medical facility needs to protect data that differs significantly from that of a product sales company. Completeness Beyond rules of

behavior, your policy should also include a statement concerning the company’s position on Internet use. Adaptability Because the Internet is constantly evolving, your

policy will need to be updated as new issues arise. You can’t anticipate every situation, so the acceptable use policy should address the possibility of something

happening that isn’t outlined. Protection for employees If your employees follow the rules of the acceptable use policy, their exposure to questionable mate