Expert-level study guide for CompTIA SecurityX CAS-005
Risk Appetite vs. Risk Tolerance: Risk appetite is the amount of risk an organization is willing to accept. Risk tolerance is the acceptable variance from the stated risk appetite. SecurityX candidates must understand how to align security programs with the enterprise risk posture.
Qualitative vs. Quantitative Risk: Qualitative risk uses descriptive scales (high/medium/low), while quantitative approaches use ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) × ARO (Annualized Rate of Occurrence). ALE helps justify security investment by expressing expected yearly loss in monetary terms.
Third-Party Risk: Vendor risk assessments, supply chain security, right-to-audit clauses, and SLA security requirements are all exam-relevant topics at the SecurityX level.
Zero Trust Core Principles: Never trust, always verify. Assume breach. Least privilege access. All resources treated as external. Strong identity verification for every user, device, and workload.
NIST SP 800-207: NIST's Zero Trust Architecture publication defines three approaches: identity-based, network-based, and device-agent/gateway. The logical components include a Policy Engine, Policy Administrator, and Policy Enforcement Point.
SASE (Secure Access Service Edge): Combines SD-WAN capabilities with security services (CASB, SWG, ZTNA, FWaaS) delivered from the cloud. Key to securing distributed workforce environments.
Post-Quantum Cryptography: NIST has standardized PQC algorithms including CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures). Organizations must plan "crypto-agility" to migrate before quantum computing threatens current algorithms.
HSM (Hardware Security Module): Physical or cloud-based devices that manage cryptographic keys securely. FIPS 140-2/140-3 Level 3+ validation required for high-assurance environments. Key ceremonies are formal processes for root CA key generation.
Supply Chain Security: Software Bill of Materials (SBOM), SLSA framework (Supply chain Levels for Software Artifacts), and dependency scanning are critical engineering controls evaluated in SecurityX.
Threat Intelligence Sharing: STIX (Structured Threat Information eXpression) is the language format and TAXII (Trusted Automated eXchange of Intelligence Information) is the transport protocol for sharing threat intelligence. ISACs facilitate sector-specific sharing.
Threat Hunting: Proactive, hypothesis-driven search for advanced threats not detected by automated tools. Uses TTPs from frameworks like MITRE ATT&CK. Hunt teams pivot on indicators, behaviors, and anomalies.
SOAR: Combines security orchestration (playbooks and automation), incident response case management, and threat intelligence feeds. Reduces MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) through automation.