CompTIA CySA+ Objective 4.1

Photo by Josh Sorenson from Pexels

Explain the relationship between frameworks, common policies, controls, and procedures.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Regulatory Compliance

Security analysts must be aware of the regulations for the countries and industries in which their organization operates.

  • Sarbanes-Oxley Act (SOX/SARBOX): Officially the Public Company Accounting Reform and Investor Protection Act of 2002, Sarbanes-Oxley, affect any publicly traded company in the United States. It regulates accounting methods and financial reporting for the organizations. Failure to comply can result in penalties and even jail time for executive officers.
  • Health Insurance Portability and Accountability Act (HIPAA): Also known as the Kennedy-Kassebaum Act, HIPAA regulates all healthcare facilities, insurance companies and others that deal with protected health information (PHI). Enforcement is done by the Office of Civil Rights of the Department of Health and Human Services. It defines standards and procedures for storing, using, and transmitting PHI.
  • Gramm-Leach-Bliley Act (GLBA): GLBA affects financial institutions and provides for securing all financial information and prohibits sharing of it to third parties.
  • Computer Fraud and Abuse Act (CFAA): The CFAA was enacted in 1986 and affects any entities that engaged in hacking of “protected computers”. It was amended several times including by the USA PATRIOT Act and the Identity Theft Enforcement and Restitution Act. A “protected computer” is defined as a computer used exclusively by a financial institution, the US Government or one that is used in interstate or foreign commerce.
  • Federal Privacy Act of 1974: The Federal Privacy Act affects any computer that contains records used by a federal agency. It provides guidelines on the use and dissemination of PII.
  • Federal Intelligence Surveillance Act (FISA) of 1978: FISA gives law enforcement and intelligence agencies guidelines for the collection of electronic evidence related to foreign powers and agents.
  • Electronic Communications Privacy Act (ECPA) of 1986: ECPA extended wiretap laws to include transmission of electronic data by computer. It has been amended by CALEA, USA PATRIOT ACT, and the FISA Amendments.
  • Computer Security Act of 1987: The Computer Security Act of 1987 has been superseded by the Federal Information Security Management Act (FISMA). This was the first law to require a written computer security plan.
  • United States Federal Sentencing Guidelines of 1991: These guidelines provide the sentencing for cyber crimes and other felonies.
  • Communications Assistance for Law Enforcement Act (CALEA): CALEA requires telecommunications carriers and equipment manufacturers to ensure that they have built-in surveillance capabilities for federal agencies.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian regulation to protect PII.
  • Basel II: Basel II affects financial businesses. It addresses minimum capital requirements, supervisory review and market discipline.
  • Federal Information Security Management Act (FISMA) of 2002: FISMA affects all federal agencies and requires them to develop, document and implement an information security program.
  • Economic Espionage Act of 1996: Covers the protection of trade secrets.
  • USA PATRIOT Act: The USA PATRIOT Act enhances the investigation tools for law enforcement.
  • Health Care and Education Reconciliation Act of 2010: This act increased some security measures for PHI.
  • Employee Privacy Issues and Expectation of Privacy: This act provided for notification to employees of monitoring done by their employer.
  • European Union: The EU has implemented several regulations on security and privacy including the Principles on Privacy, Data Protection Directive and the General Data Protection Regulation.
    • Safe Harbor – an entity that conforms to all ofhte EU Principles on Privacy
    • Data Haven – A country that fails to legally protect personal data.


National Institute of Standards and Technology (NIST)

NIST SP 800-53 is the security controls framework from NIST. It divides the controls into technical operational and management. The control families are as follows:

Access Control (AC)Technical
Awareness and Training (AT)Operational
Audit and Accountability (AU)Technical
Security Assessment and Authorization (CA)Management
Configuration Management (CM)Operational
Contingency Planning (CP)Operational
Identification and Authentication (IA)Technical
Incident Response (IR)Operational
Maintenance (MA)Operational
Media Protection (MP)Operational
Physical and Environmental Protection (PE)Operational
Planning (PL)Managment
Program Management (PM)Management
Personnel Security (PS)Operational
Risk Assessment (RA)Management
System and Services Acquisition (SA)Management
System and Communication Protection (SC)Technical
System and Information Integrity (SI)Operational

NIST Cybersecruity Framework focuses on IT security.

  • Framework Core: Presents five cybersecurity functions which are divided into subfunctions.
  • Implementation tiers: Tiers are levels of sophistication for organizations to try to reach. They are Partial, Risk Informed, Repeatable, and Adaptive.
  • Framework profiles: Profiles are used to compare current state to a target state.

International Organization for Standardization (ISO)

Created the ISO/IEC 27000 series with the International Electrotechnical Commission (IEC).

Control Objectives for Information and Related Technology (COBIT)

Divides IT into four domains.

  • Plan and Organize (PO)
  • Acquire and Implement (AI)
  • Deliver and Support (DS)
  • Monitor and Evaluate (ME)

COBIT aligns with ITIL, PMI, IOS and TOGAF and is used in the private sector.

COBIT’s security controls development framework has five principles:

  • Meeting stakeholder needs
  • Covering the enterprise end-to-end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating governance from management

These principles drive the control objects that are seven enablers:

  • Principles, policies and frameworks
  • Processes
  • Organizational structures
  • Culture, ethics and behavior
  • Information
  • Services, infrastructure and applications
  • People, skills and competencies

Sherwood Applied Business Security Architecture (SABSA)

SABSA is an enterprise security architecture using the six questions of what, where, when, why, who, and how. These intersect with the layers of operational, component, physical, logical, conceptual and contextual.

The Open Group Architecture Framework (TOGAF)

An enterprise architecture framework. The latest version is TOGAF 9.1. It is based on four interrelated domains:

  • Business architecture
  • Applications architecture
  • Data architecture
  • Technical architecture

Information Technology Infrastructure Library (ITIL)

ITIL is a process management standard developed by the US Government’s Office of Management and Budget. It does have a security component, but that is only a part of it.


Password Policy

Password policies rely on some basic terminologies around passwords.

  • Standard word passwords: A single word, easy to crack or break.
  • Combination passwords: mix of multiple dictionary words with mixed case and numbers.
  • Static passwords: Stay the same for each login (opposite of OTP)
  • Complex passwords: Forces a mixture of upper, lowercase, numbers and special characters. Hard to crack, but harder to remember and enter correctly.
  • Passphrase passwords: A long phrase that is easier to remember and harder to attack.
  • Cognitive passwords: Security questions, used to validate who you are.
  • One-Time Passwords (OTP): Dynamic passwords used only once.
  • Graphical Passwords: Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
  • Numeric passwords: PINs
  • Password life: How long a password is valid.
  • Password history: How long before a password can be reused.
  • Authentication period: How long a user can remain logged in.
  • Password complexity: How a password is structured.
  • Password length: How many characters a password must have.

Acceptable Use Policy (AUP)

AUPs let users know what is allowed and not allowed and how violations will be handled.

Data Ownership Policy

The data owner is the person that is responsible for the data. Often this is the creator, but the policy could set a department head or other individual. This is often combined with a data classification policy as the owner is often the one that does the classification.

Data Retention Policy

Details how data is stored and how long. Regulatory environments may dictate length and type of data that must be stored. This policy often interacts with the data classification policy.

  • What are the legal/regulatory requirements and business needs for the data?
  • What are the types of data?
  • What are the retention periods and destruction needs of the data?

Account Management Policy

It is important to have a policy that determines how new accounts are created, how current ones are maintained and when accounts should be deleted. Some questions to ask:

  • Is there a current list of authorized users and is it maintained and approved?
  • Are passwords changed at least every 90 days?
  • Are inactive user accounts disabled after a period?

Proper management of accounts includes:

  • A formal MAC-D procedure for accounts.
  • Periodic audits.
  • Implement a process for tracking access authorizations.
  • Periodic re-screening for sensitive positions.
  • Periodically verify the legitimacy of accounts.

Data Classification Policy

Data should be classified based on sensitivity and value to the organization. Assigning value helps evaluate the resources used to protect the data.

Sensitivity and Criticality: Sensitivity measures how freely or not freely data can be handled and by whom. This may be subject to regulation and corporate policies. Criticality is the importance of the data. Part of that determination includes will you be able to recover it in a disaster, how long will it take to recover and what is the effect of this inaccessibility?

Commercial Business Classifications: Generally business classifications are divided into four levels.

  • Confidential: examples are trade secrets and intellectual data
  • Private: examples are personnel data, medical records and salary information
  • Sensitive: examples are organizational financial information
  • Public: data that would not negatively impact if disclosed

Military and Government Classifications:

  • Top Secret: weapon blueprints, spy satellite information, national security information, aliens
  • Secret: troop deployment plans, missile placement
  • Confidential: patents, trade secrets
  • Sensitive but unclassified: medical or personal data
  • Unclassified: All other data. Accessible under FOIA.


Controls are countermeasures to vulnerabilities and are divided into categories.

  • Compensative: Compensative controls are there to mitigate risks as a substitute for a primary access control. Examples would be requiring two keys owned by different people to open a safety deposit box.
  • Corrective: Corrective controls reduce the effect of an attack. Examples include new firewall rules and restoring services using images to a previous state.
  • Detective: Detective controls detect an attack and report it. Examples would be IDS and log monitoring.
  • Deterrent: Deterrent controls discourage attackers. Examples include user identification and authentication and security policies.
  • Directive: Directive controls specify acceptable practices. They formalize policy to employees. An example is an AUP.
  • Preventive: Preventive controls prevent attacks. Examples include IPS, AV and INFOSEC awareness training.
  • Recovery: Recovery controls recover systems after an attack. Examples are DR plans, backups, and offsite backups.

Control Selection Based on Criteria

Controls are selected based on the way the vulnerability is to be addressed and the cost to mitigate versus the cost of an attack.

Handling Risk

  • Risk avoidance: Terminating the activity that causes the risk.
  • Risk transfer: Pass the risk to a third party, insurance.
  • Risk mitigation: define what acceptable risk the organization can take and reduce it to that level
  • Risk acceptance: Understand the risk and accept it as well as potential damage.

Quantitative Risk Analysis
Quantitative Risk Analysis places numeric values on the risks faced.

  • SLE: Single loss expectancy
  • ALE: Annual loss expectancy
  • AV: Asset Value
  • EF: exposure factor
  • ARO: annualized rate of occurrence

Qualitative Risk Analysis
Qualitative Risk Analysis does not assign monetary values. Instead a group is chosen to evaluate the risks and the likeliness of them occurring. The data is combined into a single report. The disadvantage is that this method is more subjective.

Countermeasure (Control) Selection
Cost-effectiveness is the most common reason to choose a safeguard. To calculate the cost-benefit analysis you use the equation (ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard Value

Total Risk vs. Residual Risk
Total risk is the risk if no safeguards are in place. Residual risk is the total risk minus the countermeasures.

Organizationally Defined Parameters

Most concepts apply to all organizations, but each environment will have unique situations that dictate unique approaches.

Physical Controls

Physical controls include some of the following:

  • Fencing
  • Locks
  • Fire extinguisher
  • Badges
  • Motion Detectors
  • Data backups

Logical (Technical) Controls

Logical controls include some of the following:

  • Passwords
  • Biometrics
  • Encryption
  • Firewalls
  • Auditing
  • Configuration Standards

Administrative (Management) Controls

Management controls include some of the following:

  • Personnel procedures
  • Security policies
  • Separation of duties
  • DR Plan
  • Background checks


Continuous Monitoring

Continuous monitoring requires that an organization know what the normal baseline is. These baselines must be updated when changes are made.

Evidence Production

  • Identify what type of system to seize
  • Identify the search and seizure team members
  • Determine the risk of the suspect destroying evidence


Patching procedures should go through a life cycle:

  • Determine the priority of patches and schedule deployment.
  • Test the patches prior to deployment.
  • Install the patches in the live environment.
  • Ensure patches are working properly.

Compensating Control Development

Developing compensating controls depends on the likelihood of the vulnerability being exposed, sensitivity of the resource and the cost of implementation vs the cost of an exploit.

Control Testing Procedures

Testing of controls can be manual or automated. Automated checks are preferred. SCAP is a method to enable automatic testing based on standards.

Manage Exceptions

Any exceptions need to be made in a standard way and documented.

Remediation Plans

Best Practices:

  • Budget for security testing
  • Streamline the testing and re-testing
  • Train teams on secure coding
  • Give information security the final call on application release

Characteristics of remediation plans:

  • Specific
  • Measurable
  • Attainable
  • Relevant
  • Time-bound

Verifications and Quality Control


Audits done by a third party help to validate an enterprise’s security team is properly implementing policy and procedures. An audit plan should include the following:

  • Minimum of annual audits
  • Determine organizational objectives for audits
  • Set ground rules before the audit including date and times.
  • Choose auditors with security experience
  • Involve business unit managers early and often
  • Ensure the auditors have experience, not just checklists.
  • Make sure the report reflects risk identified by the organization.
  • Ensure the audit is performed properly
  • The audit should cover all systems, policies and procedures.

The Statement on Standards for Attestation Engagements (SSAE) 16 is a standard for verification of controls and processes. It has multiple types of reports.

Report TypeWhat it ReportsWho Gets the Report
SOC 1Internal controls over financial reportingAuditors and controller
SOC 2Security, availability, confidentiality and privacy controlsManagement, regulators
SOC 3Security, availability, confidentiality and privacy controlsPublicly available


Typically compare configuration settings and patch status with a security baseline checklist to ensure the organization is implementing what it set out to do.


Can be internal external and focus on the effectiveness of the current controls.

Maturity Model

Capability Maturity Model Integration (CMMI) is a set of. guidelines for all phases of the software development life cycle.


Certification evaluates the technical system and accreditation is accepting the system security at a management level. One certification is the National Information Assurance Certification and Accreditation Process (NIACAP).

NIACAP has four phases: definition, verification, validation, and post accreditation. There are three types of accreditation: Type, System, and Site.

The ISO/IEC27001:2013 standard is the most popular for organizations to be certified for information security.