CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [203]
15. A. The certificate policies document defines what certificates can be used for.
16. A. Key escrow is the process of storing keys or certificates for use by law enforcement. Law enforcement has the right, under subpoena, to conduct investigations using these keys.
17. D. Online Certificate Status Protocol (OCSP) can be used to immediately verify a certificate’s authenticity.
18. A. XML Key Management Specification (XKMS) is designed to allow XML-based programs access to PKI services.
19. A. Birthday attacks are based on the statistical likelihood of a match. As the key length grows, the probability of a match decreases.
20. D. Public keys are created to be distributed to a wide audience. The biggest security concern regarding their use is ensuring that the public keys maintain their integrity. This can be accomplished by using a thumbprint or a second encryption scheme in the certificate or key.
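The answer to question 19 rests on the birthday bound: the chance that two randomly chosen values collide depends on how many values have been drawn relative to the size of the output space, and that space doubles with every added bit. The following worked example, added here and not part of the study guide, computes that probability with the standard approximation 1 - exp(-n(n-1)/2N) and with the exact product formula, then shows how quickly the collision probability falls as the hash or key length grows. All sample sizes and bit lengths in it are constructed for illustration.

```python
import math


def collision_probability(samples: int, space_size: int) -> float:
    """Approximate probability that at least two of `samples` values drawn
    uniformly from a space of `space_size` outputs are equal.

    Uses the usual birthday-bound approximation 1 - exp(-n(n-1) / 2N).
    """
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * space_size))


def exact_collision_probability(samples: int, space_size: int) -> float:
    """Exact birthday probability via the product of 'no collision yet' terms.

    Fine for small inputs (classroom sizes); use the approximation for 2**bits.
    """
    p_no_collision = 1.0
    for k in range(samples):
        p_no_collision *= (space_size - k) / space_size
    return 1.0 - p_no_collision


def collision_probability_bits(samples: int, bits: int) -> float:
    """Birthday-bound probability for an output space of 2**bits values.

    ldexp(x, -bits) computes x / 2**bits without building a huge float,
    so this stays numerically safe for 256-bit and larger spaces.
    """
    exponent = math.ldexp(samples * (samples - 1) / 2.0, -bits)
    return 1.0 - math.exp(-exponent)


def samples_for_half_chance(bits: int) -> float:
    """Number of samples at which a collision becomes about 50% likely.

    Solving 1 - exp(-n^2 / 2N) = 0.5 gives n = sqrt(2 ln 2) * sqrt(N),
    roughly 1.18 * 2**(bits/2).
    """
    return math.sqrt(2 * math.log(2)) * 2.0 ** (bits / 2)


if __name__ == "__main__":
    # Classic sanity check: 23 people, 365 birthdays (constructed example).
    print("23 people, 365 days: approx %.3f, exact %.3f"
          % (collision_probability(23, 365), exact_collision_probability(23, 365)))

    # Same number of trials against growing output sizes (constructed values):
    # the probability of a match drops off a cliff as the bit length grows.
    trials = 2 ** 16
    for bits in (32, 64, 128, 256):
        print("%3d-bit space, %d samples: P(collision) = %.3e, "
              "50%% point at ~%.3e samples"
              % (bits, trials, collision_probability_bits(trials, bits),
                 samples_for_half_chance(bits)))
```

The table this prints is the point of the answer: 2^16 trials give roughly a 39% collision chance in a 32-bit space, about one in ten billion in a 64-bit space, and effectively zero at 128 or 256 bits, while the number of trials needed to reach a coin-flip chance grows as the square root of the space size, so each extra bit of length makes the attacker's job harder, never easier.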
Chapter 8
Security Policies and Procedures
THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
✓ 3.2 Explain common access control models and the differences between each.
■ MAC
■ DAC
■ Role and Rule based access control
✓ 3.6 Summarize the various authentication models and identify the components of each.
■ One, two, and three-factor authentication
■ Single sign-on
✓ 4.6 Execute proper logging procedures and evaluate the results.
■ Security application
■ DNS
■ Firewall
■ Antivirus
✓ 4.7 Conduct periodic audits of system security settings.
■ User access and rights review
■ Storage and retention policies
✓ 6.1 Explain redundancy planning and its components.
■ Hot site
■ Cold site
■ Warm site
■ Backup generator
■ Single point of failure
■ RAID
■ Spare parts
■ Redundant servers
■ Redundant ISP
■ UPS
■ Redundant connections
✓ 6.2 Implement disaster recovery procedures.
■ Planning
■ Disaster recovery exercises
■ Backup techniques and practices—storage
■ Schemes
■ Restoration
✓ 6.4 Identify and explain applicable legislation and organizational policies.
■ Secure disposal of computers
■ Acceptable use policies
■ Password complexity
■ Change management
■ Classification of information
■ Mandatory vacations
■ Personally Identifiable Information (PII)
■ Due care
■ Due diligence
■ Due process
■ SLA
■ Security-related HR policy
■ User education and awareness training
While this chapter focuses on the topic of policies, it is far from the first time the subject has appeared in this book. As a security professional, you must strive not only to prevent losses, but also to make contingency plans for recovering from any losses that do occur. Plans are the building blocks on which your company is built, and policies are the tools used to implement those plans.
This chapter deals with the crucial aspects of business continuity, vendor support, security policies and procedures, and privilege management from an operations perspective. A solid grasp of these concepts will help you prepare for the exam because they appear in multiple objectives. It will also help you become a more proficient and professional security team member. The process of working with, helping to design, and maintaining security in your organization is a tough job. It requires dedication, vigilance, and a sense of duty to your organization.
Understanding Business Continuity
One of the oldest phrases still in use today is “the show must go on.” Nowhere is that more true than in the world of business, where downtime means the loss of significant revenue with each passing minute. Business continuity is primarily concerned with the processes, policies, and methods that an organization follows to minimize the impact of a system failure, network failure, or the failure of any key component needed for operation—essentially, whatever it takes