CompTIA Security+risk-management-and-governance

Risk Management and Security Governance

Assessing risk, choosing treatments, and the policies and frameworks that govern security.

Risk management is the backbone of every security program: you identify what could go wrong, decide how much you can tolerate, and choose how to respond. On the Security+ (SY0-701) exam, expect scenario questions that ask you to name a risk treatment, read a risk register, or match a vendor agreement to a situation. Learn the vocabulary precisely — the exam rewards knowing the exact difference between an MOU and an MSA, or inherent versus residual risk.

Core Idea

  • Risk management is a repeating process: identify assets and threats, assess likelihood and impact, treat the risk, then monitor and reassess.
  • You cannot eliminate all risk — you reduce it until it falls within your risk appetite (how much risk leadership is willing to pursue) and risk tolerance (acceptable variation around that appetite).
  • Governance sets the rules (policies, standards, procedures, guidelines) while risk management makes the decisions those rules constrain.

Risk Identification and Assessment

Assessment can be qualitative or quantitative. Qualitative uses subjective ratings — high/medium/low or a heat map of likelihood versus impact — and is fast but imprecise. Quantitative assigns dollar figures using formulas:

  • SLE (Single Loss Expectancy) = Asset Value x Exposure Factor (EF) — the dollar loss from one incident, where EF is the percentage of the asset lost.
  • ALE (Annualized Loss Expectancy) = SLE x ARO — expected yearly loss, where ARO is the annualized rate of occurrence (how many times per year).
  • Example: a $100,000 asset with a 30% EF gives an SLE of $30,000; at an ARO of 2, the ALE is $60,000. A control is worth buying if it costs less than the ALE it removes.

Assessments run on a schedule (recurring), after a change (ad hoc), one time (one-time), or continuously.

Tracking Risk: Registers, KRIs, and Residual Risk

A risk register is the central document listing each risk, its owner, likelihood, impact, treatment, and status. Key Risk Indicators (KRIs) are metrics that signal rising risk before it materializes. Distinguish:

  • Inherent risk — the risk present before any controls are applied.
  • Residual risk — the risk that remains after controls are applied; leadership must formally accept it.
  • Control risk — the chance that controls fail to work as intended.

Risk Treatment Strategies

Every risk gets one of four responses:

  • Accept — take no action because the cost of treatment exceeds the potential loss (a documented decision, sometimes with a formal exception).
  • Avoid — stop the risky activity entirely (e.g., cancel a feature).
  • Transfer / Share — shift the financial impact to a third party, most often through insurance or a contract clause.
  • Mitigate — apply controls to reduce likelihood or impact.

Third-Party and Vendor Risk

Vendors extend your attack surface, so agreements define expectations. Know these acronyms cold:

  • SLA (Service Level Agreement) — commits a vendor to measurable performance (uptime, response time).
  • MOU (Memorandum of Understanding) — informal, often non-binding statement of intent.
  • MSA (Master Service Agreement) — overarching contract covering general terms for future work.
  • BPA (Business Partners Agreement) — governs a partnership, including profit and responsibility sharing.
  • Due diligence — investigating a vendor's security posture before signing; ongoing checks are due care.

Governance, Compliance, and BIA

Governance documents form a hierarchy: policies (high-level mandates) set direction, standards make them mandatory and specific, procedures give step-by-step instructions, and guidelines are recommended best practices. Compliance ensures adherence to laws and frameworks, verified through audits (internal or external, including attestation). A Business Impact Analysis (BIA) quantifies the effect of disruptions using RTO (maximum tolerable downtime), RPO (maximum tolerable data loss), MTTR (average time to repair), and MTBF (average time between failures). Finally, security awareness and training turns users into a control by teaching phishing recognition, reporting, and secure behavior.

High-Yield Exam Patterns

  • Given asset value, EF, and ARO, be ready to compute SLE then ALE — the exam loves plugging numbers into these formulas.
  • Buying insurance = transfer/share; installing a control = mitigate; doing nothing on purpose = accept; stopping the activity = avoid.
  • RTO = downtime, RPO = data loss. Memorize this pairing; questions swap them to trick you.
  • Residual risk is what leadership signs off on after controls; inherent risk is before.
  • Match the agreement to the scenario: performance metrics point to an SLA; an informal handshake points to an MOU.

Common Traps to Avoid

  • Confusing risk appetite (willingness to take risk) with risk tolerance (acceptable deviation from it).
  • Reversing RTO and RPO, or MTTR and MTBF.
  • Assuming transferring risk (insurance) removes it — you still own the residual risk and reputational impact.
  • Calling "accept" a failure to act; on the exam it is a deliberate, documented decision by a risk owner.
  • Treating a policy and a standard as the same thing — policies set intent, standards make it enforceable.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.