5.1 Security governance
📘CompTIA Security+ (SY0-701)
Standards are established rules or requirements set by an organization, industry, or government to ensure consistent security practices. They are enforceable and measurable. In the context of IT security, standards help protect systems, data, and users by providing a consistent way to implement security controls.
In Security Governance, standards are critical because they define how security is implemented and maintained across an organization.
The main types we’ll cover are:
- Password Standards
- Access Control Standards
- Physical Security Standards
- Encryption Standards
1. Password Standards
Password standards define how users create, manage, and protect passwords to secure accounts. Strong password practices prevent unauthorized access.
Key Elements:
- Password Length: Minimum number of characters, e.g., at least 12 characters. Longer passwords are stronger.
- Complexity: Include uppercase letters, lowercase letters, numbers, and symbols.
- Expiration: Passwords may need to be changed every 60–90 days.
- History: Prevent users from reusing old passwords.
- Lockout Policy: After a certain number of failed login attempts, the account is locked temporarily.
IT Example:
A company uses Active Directory (AD) to manage users. AD enforces password standards: users must create a 12-character password, use at least 3 types of characters, and cannot reuse their last 5 passwords. After 5 failed login attempts, AD locks the account for 15 minutes.
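As an added illustration (not part of the original notes), the AD password standard from the example above written out as the checks a hypothetical self-service password tool would run: minimum length, at least 3 of 4 character classes, no reuse of the last 5 passwords, and a 15-minute lockout after 5 failed logins. The function names, the `Account` class and the SHA-256 digests used for the history check are assumptions made for this example; a real directory enforces these settings itself with its own storage.

```python
import hashlib
import string
from dataclasses import dataclass

# Hypothetical password standard mirroring the AD example in the text.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60

def password_digest(pw: str) -> str:
    # Digest for the reuse check only; a real directory uses its own salted storage.
    return hashlib.sha256(pw.encode()).hexdigest()

def char_classes(pw: str) -> int:
    # Count how many of the four classes (upper, lower, digit, symbol) appear.
    checks = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(chk(c) for c in pw) for chk in checks)

def check_new_password(pw: str, history: list[str]) -> list[str]:
    # Return the violations (empty list = accepted); `history` holds previous digests, oldest first.
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    if password_digest(pw) in history[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems

@dataclass
class Account:
    # Failed-login counter that enforces the temporary lockout rule.
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked

    def record_login(self, success: bool, now: float) -> str:
        # Return "ok", "failed" or "locked" for an attempt at time `now`.
        if now < self.locked_until:
            return "locked"
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```

Note that the history check only looks at the last 5 digests, so a password older than that is accepted again, which is exactly what a "remember 5 passwords" setting means.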
2. Access Control Standards
Access control standards define who can access which systems or data and under what conditions. They ensure that users have only the permissions they need to do their jobs.
Key Models:
- Role-Based Access Control (RBAC): Users get permissions based on their role. For example, HR staff can access employee records, but not server configurations.
- Mandatory Access Control (MAC): Access is strictly controlled by the system based on sensitivity levels. Example: Secret documents are only accessible to users with “Secret” clearance.
- Discretionary Access Control (DAC): Resource owners decide who gets access. Example: A user can share a folder with specific coworkers.
Other Standards:
- Least Privilege: Users get the minimum access required.
- Separation of Duties: Critical tasks are divided among multiple users to reduce fraud risk.
IT Example:
In a database, finance staff have read/write access to financial records. IT support can only view system logs, not financial data, enforcing least privilege.
3. Physical Security Standards
Physical security protects hardware, networks, and IT assets from unauthorized physical access or damage.
Key Controls:
- Controlled Access: Use keycards, PINs, or biometrics to enter server rooms.
- Surveillance: Security cameras monitor sensitive areas.
- Environmental Controls: Fire suppression, temperature control, and flood protection.
- Asset Tracking: Logging all equipment and who accesses it.
IT Example:
A data center requires a keycard and fingerprint scan to enter. Logs are kept showing who entered and when. Server racks are protected with individual locks.
4. Encryption Standards
Encryption standards define how data is protected using cryptography, making data unreadable to unauthorized users.
Key Types:
- Data at Rest: Protects stored data (e.g., on a database, laptop, or backup).
  Example: BitLocker encrypts a laptop’s hard drive so if it’s stolen, the data cannot be read.
- Data in Transit: Protects data being sent over networks.
  Example: TLS (HTTPS) encrypts web traffic between a user’s browser and a website.
Encryption Algorithms:
- Symmetric: Same key to encrypt and decrypt (e.g., AES). Fast and good for large amounts of data.
- Asymmetric: Uses a key pair; the public key encrypts and the private key decrypts (e.g., RSA). Slower than symmetric, so it is used for secure key exchange and authentication rather than bulk data.
Standards & Compliance:
Organizations often follow standards like FIPS 140-3 (for cryptography) or NIST guidelines to ensure encryption is strong and compliant.
Summary Table
| Standard Type | Purpose | IT Example |
|---|---|---|
| Password | Secure accounts from unauthorized access | AD enforces 12-character complex passwords with lockouts |
| Access Control | Define who can access what | Finance staff have access to financial DB; IT staff do not |
| Physical | Protect hardware and sensitive locations | Server rooms require keycard + fingerprint; logs kept |
| Encryption | Protect data confidentiality | AES for hard drives, TLS for web traffic |
Key Exam Tip:
For Security+, remember that standards are enforceable rules, different from policies (which are high-level guidelines) and procedures (step-by-step instructions). Password, access, physical, and encryption standards are often tested in scenarios about protecting systems and data.
