Security+: Governance, Risk, and Compliance Competency

  • 25m
  • 25 questions
The Security+: Governance, Risk, and Compliance Competency benchmark will measure your ability to recognize key terms and concepts related to governance, risk, and compliance. You will be evaluated on policies, regulations, standards, and frameworks, as well as on risk management, privacy, and sensitive data security. A learner who scores high on this benchmark demonstrates that they have the skills related to understanding key governance, risk, and compliance terminology and concepts.

Topics covered

  • compare different roles and responsibilities, as in data owners, controllers, processors, custodians, and stewards
  • compare risk types, such as internal, external, and multiparty
  • define data policies, like data classification, governance, and retention
  • define regulations, standards, and legislation, such as PCI-DSS, GDPR, and various national, territory, or state laws
  • define risk analysis terms, as in risk register, inherent risk, residual risk, and control risk
  • define various data type classifications, like public, sensitive, and critical
  • describe business impact analysis concepts, like recovery time vs. recovery point objectives, mean time to repair, and mean time between failures, and outline a disaster recovery plan
  • describe credential policies, including service accounts, administrator, and root accounts
  • describe personnel policies, like AUP, job rotation, mandatory vacations, separation of duties, least privilege, clean desk space, background checks, and non-disclosure agreements (NDAs)
  • describe privacy-enhancing technologies, such as tokenization, data minimization and masking, and anonymization
  • describe risk management strategies, like acceptance, avoidance, transference, and mitigation
  • describe the purpose of various AWS cloud computing services, such as CloudWatch, CloudTrail, and AWS Config
  • examine common Windows logs, like security, application, and system logs
  • examine key frameworks like CIS, NIST, RMF/CSF, ISO 27001/27002/27701/31000, SSAE SOC 2 type II/III, and Cloud Security Alliance (CSA)
  • explore privacy concepts, like information's life cycle, impact assessment, terms of agreement, and privacy notices
  • explore the consequences of breaches, such as fines and identity theft
  • identify lessons learned and their relationship to AARs
  • list disasters and classify their types, such as environmental, human-made, and external
  • outline how to use Linux logging utilities, such as systemd and auditd
  • outline how to work with Wireshark's output
  • recognize the importance of log aggregation and collection tools
  • summarize the best practices and guidelines for dealing with visibility and reporting
  • survey third-party risks concepts, such as vendors, supply chains, business partners, SLA, MOU, MSA, BPA, EOL, EOS, and NDA
  • survey various benchmarks and secure configuration guides, as in platform/vendor-specific guides for web servers, OS, application servers, and network infrastructure devices
  • survey various organizational policies, such as change management, change control, and asset management