CompTIA Security+ (SY0-701): Security Program Management and Oversight Literacy (Beginner Level)

  • 26m
  • 26 questions
The Security Program Management and Oversight Literacy (Beginner Level) benchmark measures your knowledge of the strategic management and oversight functions needed for a robust security posture. You will be evaluated on your recognition of key concepts in security governance, risk management procedures, security compliance and third-party risk considerations, and strategies for audits, assessments, and awareness. A learner who scores high on this benchmark demonstrates literacy in the governance of security programs, risk management processes, compliance with security-related regulations, management of third-party risk, and the implementation of security awareness programs through audits, assessments, and training.

Topics covered

  • compare types of governance structures like boards, committees, government entities, and centralized/decentralized structures
  • compare various agreement types including the non-disclosure agreement (NDA), memorandum of agreement (MOA), memorandum of understanding (MOU), service-level agreement (SLA), master service agreement (MSA), work order (WO), statement of work (SOW), and business partners agreement (BPA)
  • define external audit and attestation, including regulatory examinations, assessments, and independent third-party audits
  • define risk management
  • define risk registers and ledgers, key risk indicators, risk owners, and risk thresholds
  • define roles and responsibilities such as owners, controllers, processors, custodians, stewards, and officers
  • define security governance
  • define standards such as password, access control, and encryption standards, and policies such as the acceptable use policy (AUP) and the information security, business continuity, and change management policies
  • describe external governance considerations like regulatory, legal, industry, local/regional, national, and global
  • describe internal and external compliance reporting
  • describe risk identification and assessment, including ad hoc, recurring, one-time, and continuous
  • describe risk reporting techniques
  • describe risk treatment and handling methods such as transfer and accept (including exemptions), and risk appetite approaches such as expansionary, conservative, and neutral
  • describe security governance procedures, including playbooks, monitoring, and revision
  • describe vendor assessment and selection using penetration testing, the right-to-audit clause, supply chain analysis, due diligence, conflict of interest, and rules of engagement
  • explain security training monitoring and reporting techniques
  • identify how to recognize a phishing attempt and respond to reported suspicious messages
  • identify the consequences of non-compliance
  • outline privacy considerations like legal implications, data subjects, ownership, and the right to be forgotten
  • provide an overview of business impact analysis, including concepts like Recovery Time Objective (RTO), Recovery Point Objective (RPO), mean time to repair (MTTR), and mean time between failures (MTBF)
  • provide an overview of compliance monitoring, including concepts such as due diligence/care, attestation, acknowledgment, and compliance automation
  • provide an overview of internal audit and attestation, including compliance, audit committee, and self-assessments
  • provide an overview of penetration testing, including known environment, partially known environment, unknown environment, physical, offensive, defensive, integrated, passive, and active reconnaissance
  • provide an overview of risk analysis, including concepts like qualitative and quantitative risk analysis, probability/likelihood, and impact/magnitude
  • provide an overview of user guidance and training involving policy/handbooks, situational awareness, insider threats, password management, removable media and cables, social engineering, operational security, anomalous behavior recognition, and hybrid/remote work environments best practices
  • provide an overview of various organizations that specialize in security guidelines, standards, and best practices
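The quantitative risk analysis, risk register, and risk treatment topics above (SLE, ALE, risk owners and thresholds, and the accept/mitigate/transfer decision with exemptions) are the one part of this benchmark that is computational. The following is an added worked example, not material from the course or from CompTIA: a small risk register in Python that applies the standard formulas SLE = AV × EF and ALE = SLE × ARO, tests each candidate control with the usual cost-benefit rule (a control is justified when the ALE it removes exceeds its annual cost), and records a treatment decision against an assumed risk threshold. All risk entries, asset values, rates, control costs, and the threshold are constructed sample data.

```python
"""Quantitative risk register with treatment decisions (added example).

Formulas used are the standard ones:
    SLE = AV * EF          (single loss expectancy)
    ALE = SLE * ARO        (annualised loss expectancy)
A control is cost-justified when (ALE - residual ALE) exceeds its annual cost.
Every risk, value, rate, cost and threshold below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Control:
    """A candidate mitigation with its annual cost and the ARO it leaves behind."""
    name: str
    annual_cost: float
    residual_aro: float          # assumed ARO after the control is in place


@dataclass
class Risk:
    """One row of a risk register (constructed sample data)."""
    risk_id: str
    description: str
    owner: str                   # the risk owner accountable for the decision
    asset_value: float           # AV, in currency units
    exposure_factor: float       # EF, fraction of AV lost per event (0..1)
    aro: float                   # annualised rate of occurrence
    control: Optional[Control] = None
    exemption_approved: bool = False   # owner-signed exception to accept above threshold

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        """ALE after the control is applied; unchanged when there is no control."""
        if self.control is None:
            return self.ale()
        return self.sle() * self.control.residual_aro

    def control_net_benefit(self) -> float:
        """Annual value of the control: ALE reduction minus its annual cost.
        Positive means the control pays for itself (cost-benefit test)."""
        if self.control is None:
            return 0.0
        return (self.ale() - self.residual_ale()) - self.control.annual_cost


def treatment(risk: Risk, risk_threshold: float) -> str:
    """Decide treatment against the organisation's risk threshold.

    accept             - ALE is within appetite
    accept (exemption) - ALE exceeds the threshold but an exemption is signed off
    mitigate           - ALE exceeds the threshold and the control is cost-justified
    transfer           - ALE exceeds the threshold and no cost-justified control exists
    """
    if risk.ale() <= risk_threshold:
        return "accept"
    if risk.exemption_approved:
        return "accept (exemption)"
    if risk.control_net_benefit() > 0:
        return "mitigate"
    return "transfer"


def register_report(risks, risk_threshold: float):
    """Rank risks by ALE (highest first) and attach owner and treatment decision."""
    rows = []
    for r in sorted(risks, key=lambda x: x.ale(), reverse=True):
        rows.append({"id": r.risk_id, "owner": r.owner, "sle": r.sle(),
                     "ale": r.ale(), "treatment": treatment(r, risk_threshold)})
    return rows


# Assumed conservative appetite: anything above this ALE needs treatment or an exemption.
RISK_THRESHOLD = 25_000.0

# Constructed sample register (not real figures).
SAMPLE_RISKS = [
    Risk("R-01", "Ransomware on file server", "IT Director", 500_000, 0.6, 0.5,
         control=Control("Offline backups + EDR", annual_cost=40_000, residual_aro=0.1)),
    Risk("R-02", "Laptop theft", "Facilities Manager", 3_000, 1.0, 2.0),
    Risk("R-03", "Data centre flood", "CIO", 2_000_000, 0.8, 0.02,
         control=Control("Relocate data centre", annual_cost=100_000, residual_aro=0.001)),
    Risk("R-04", "Unsupported legacy app", "CFO", 200_000, 0.25, 1.0,
         exemption_approved=True),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, RISK_THRESHOLD):
        print(f"{row['id']}  owner={row['owner']:<20} SLE={row['sle']:>12,.0f} "
              f"ALE={row['ale']:>10,.0f}  -> {row['treatment']}")
```

R-01 is mitigated because the control removes 120,000 of ALE for 40,000 a year; R-03 is transferred (for example, to insurance) because relocation costs more than the loss it prevents; R-02 sits under the threshold and is accepted; R-04 is above the threshold but carries a signed exemption, which is exactly the case that should appear in compliance reporting to the audit committee.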