CompTIA Security+ SY0-501 (FedVTE): Risk Management
Security Policy Awareness
- Purpose: To enhance security by:
  - Improving awareness of the need to protect system resources
  - Developing skills/knowledge so computer users can perform their jobs more securely

End User Training
- Purpose, explanation, importance of adhering to security policy/procedures
- Training should be initial, periodic, and ongoing

Role Based Training
- Specialized training that is customized to the specific role that an employee holds in the organization.

Key Stakeholder Awareness
- Promote security programs to executive leadership
- Presenting all issues in context of business needs/objectives
- Communicating risks, cost/benefit analysis, and residual risk
- Gaining their support

Data Classification
- The practice of evaluating the risk level of the organization's information to ensure that the information receives the appropriate level of protection
- Assign sensitivity, criticality, security priorities
- Identify data value

Data Privacy
- The relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal/political issues surrounding them
- Must classify to apply privacy
- PII

HIPAA
- Health Insurance Portability and Accountability Act

Classifications vs Clearances
- People have clearances, data has classifications. Access control is used to enforce which subjects have clearance to which classification of data

Data Handling
- Policies/procedures should be developed for handling and disposing of different classifications of data.

Risk Avoid
Document information
- Uploaded on: February 11, 2023
- Number of pages: 10
- Written in: 2022/2023
- Type: Other
- Person: Unknown

Subjects
- comptia security sy0 501 fedvte risk management