CompTIA Security+ (SY0-701): Security Program Management and Oversight

Security Program Management and Oversight is 20% of the CompTIA Security+ (SY0-701) exam. This module covers governance, risk, third-party management, compliance, and awareness. This is the managerial side of security that ties technical controls to business goals.
The technical domains protect systems. This domain answers why and how an organization decides what to protect, how much risk it accepts, and who is accountable.
Security Governance
Governance sets the direction and the rules.
| Document | Purpose |
|---|---|
| Policy | High-level intent (acceptable use) |
| Standard | Mandatory rules (e.g., AES-256 for data at rest) |
| Procedure | Step-by-step instructions |
| Guideline | Recommended best practice |
Governance structures include boards, committees, and centralized vs. decentralized models. Define data roles clearly: the data owner is accountable for the data and sets its classification, the data controller decides why and how it is processed, the data processor handles it on the controller's behalf, and the data custodian (or steward) maintains and protects it day to day.
Risk Management
You identify, assess, and treat risk on a repeating cycle.
- Identification finds threats and vulnerabilities.
- Assessment can be qualitative (high/medium/low) or quantitative (dollar values).
- Analysis measures likelihood and impact, often on a risk matrix.
- A risk register tracks each risk, its owner, and its status.
Quantitative analysis uses three terms:
| Term | Formula | Meaning |
|---|---|---|
| SLE | Asset Value × EF | Loss from one event (EF, the exposure factor, is the fraction of the asset's value lost) |
| ARO | Rate | Times per year an event is expected to occur |
| ALE | SLE × ARO | Expected yearly loss |
You then choose a risk strategy:
- Mitigate reduces the risk with controls.
- Transfer shifts it to a third party (insurance).
- Accept keeps the risk when cost outweighs benefit.
- Avoid stops the activity that creates the risk.
Spending more on a control each year than the loss it removes (its reduction in ALE) is poor risk management; the control should cost less than the risk it addresses.
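The following is an added worked example of the SLE/ARO/ALE formulas and the cost-benefit rule above; it is not part of the exam objectives or the original page. It ranks a small constructed risk register by ALE and then computes the annual value of a candidate control as (ALE before − ALE after − annual control cost), flagging a control that costs more than the loss it removes. All asset values, exposure factors, ARO figures and control costs are made-up sample numbers.

```python
"""Quantitative risk analysis: SLE, ALE and control cost/benefit.

Added worked example for the formulas above; not from the Security+ objectives.
Asset values, exposure factors, ARO figures and control costs are constructed
sample numbers, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # replacement/business value of the asset (currency units)
    exposure_factor: float  # fraction of the asset value lost in one event, 0.0..1.0
    aro: float              # annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # what the control costs per year (licences, staff, etc.)
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def sle(risk: Risk) -> float:
    """Single loss expectancy: asset value x exposure factor."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"exposure factor out of range: {risk.exposure_factor}")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return sle(risk) * risk.aro


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a control: ALE before - ALE after - annual control cost.

    A negative result means the control costs more per year than the loss it
    removes, so mitigating with it is not justified on these numbers; accept
    or transfer the risk instead.
    """
    mitigated = Risk(risk.name, risk.asset_value,
                     control.new_exposure_factor, control.new_aro)
    return ale(risk) - ale(mitigated) - control.annual_cost


def rank_register(register: list[Risk]) -> list[tuple[str, float]]:
    """Order a risk register by ALE, highest first, for the risk committee."""
    return sorted(((r.name, ale(r)) for r in register),
                  key=lambda item: item[1], reverse=True)


# Constructed sample register (illustrative numbers only).
REGISTER = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
    Risk("Data center flood", asset_value=2_000_000, exposure_factor=0.25, aro=0.02),
]

# Hypothetical candidate controls for two of the risks.
EDR_CONTROL = Control("EDR + offline backups", annual_cost=60_000,
                      new_exposure_factor=0.1, new_aro=0.2)
FLOOD_CONTROL = Control("Relocate data center", annual_cost=150_000,
                        new_exposure_factor=0.0, new_aro=0.0)


if __name__ == "__main__":
    for name, value in rank_register(REGISTER):
        print(f"{name:28s} ALE = {value:12,.2f}")
    for risk, control in ((REGISTER[0], EDR_CONTROL), (REGISTER[2], FLOOD_CONTROL)):
        v = control_value(risk, control)
        verdict = "justified" if v > 0 else "NOT justified"
        print(f"{control.name:28s} annual value = {v:12,.2f} -> {verdict}")
```

On these sample numbers the ransomware risk has an ALE of 150,000 and the EDR control is worth 80,000 a year, while relocating the data center to remove a 10,000-per-year flood risk costs 150,000 and comes out at −140,000, which is the case the rule above warns against. Real registers rarely have clean ARO figures, so treat the output as a ranking and a sanity check on control spend, not a precise forecast.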
Third-Party Risk Management
Vendors extend your attack surface, so you vet them.
- Assess with vendor questionnaires, right-to-audit clauses, and independent assessments.
- Watch the supply chain for tampered hardware or compromised software.
Know the agreement types:
| Agreement | Purpose |
|---|---|
| SLA | Service performance targets |
| MOU/MOA | Intent to work together |
| MSA | Master terms for ongoing work |
| SOW | Specific deliverables and scope |
| NDA | Protects confidential information |
| BPA | Terms between business partners |
Compliance and Privacy
Compliance proves you meet external requirements.
- Regulatory rules carry legal weight (GDPR, HIPAA, PCI DSS).
- Non-compliance brings fines, sanctions, and reputational damage.
- Data privacy covers data sovereignty (laws of where data lives), classification, retention, and legal holds.
Frameworks and Standards
Frameworks give you a proven structure instead of starting from scratch.
| Framework | Focus |
|---|---|
| NIST CSF | Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds Govern) |
| ISO 27001 | Information security management system |
| SOC 2 | Service provider trust controls |
| PCI DSS | Cardholder data protection |
Audits and Assessments
You verify that controls work.
- Internal audits are run by staff for self-assessment.
- External audits bring independent third parties for attestation.
- Penetration tests can be physical, offensive, defensive, or integrated, and run against known, partially known, or unknown environments depending on how much the testers are told in advance.
Security Awareness
People are both the weakest link and the first line of defense.
- Run phishing campaigns to train and measure user response.
- Teach anomalous behavior recognition so users report odd activity.
- Track metrics like click rate and report rate over time to show whether the program is working.
Business Continuity and Disaster Recovery
You plan to keep the business running through disruption.
- A Business Impact Analysis (BIA) ranks critical functions.
- RTO is the longest a function can be down before recovery must be complete; RPO is the most data, measured in time since the last good copy, you can afford to lose, which sets how often you back up.
- Tabletop exercises rehearse the plan without touching production.
Next Steps
You have now covered all five SY0-701 domains. Revisit Security Operations, Security Architecture, and General Security Concepts as needed, then take the CompTIA Security+ Practice Test and review tips for passing CompTIA exams. Return to the CompTIA Security+ Course.


