Study CompTIA SY0-701 Security Program Oversight: key concepts, common traps, and exam decision cues.
This chapter covers the management layer that keeps security programs real instead of theoretical. Security+ does not expect you to become a full-time auditor or risk officer. It does expect you to understand how policy, risk, vendors, privacy, compliance, audits, and training shape technical decisions.
- **BIA**: Business impact analysis, which estimates how disruption affects operations so recovery and priority decisions stay grounded.
- **SLA**: Service-level agreement, the formal service promise around metrics such as availability or response time.
- **ALE**: Annualized loss expectancy, a rough estimate of yearly loss used to compare the cost of risk against the cost of controls.
CompTIA currently weights this domain at 20% of the exam.
Start with 5.1 Security Governance, then move through 5.2 Risk Management, 5.3 Third-Party Risk, 5.4 Security Compliance & Privacy, 5.5 Audits & Assessments, and 5.6 Security Awareness & Training.
| If the scenario is really about… | Go first to… |
|---|---|
| policies, standards, procedures, roles, or governance structures | 5.1 Security Governance |
| risk registers, appetite, treatment, ALE, or BIA | 5.2 Risk Management |
| vendors, contracts, SLAs, questionnaires, or shared obligations | 5.3 Third-Party Risk |
| legal obligations, privacy, data handling, or reporting | 5.4 Security Compliance & Privacy |
| internal audit, external audit, attestation, or formal assessments | 5.5 Audits & Assessments |
| phishing training, user behavior, or awareness campaigns | 5.6 Security Awareness & Training |
This domain gets easier when you translate every management concept back into a real control decision or accountability question.