Chapter 105 · Tricks

Security Policies — Tricks & Mnemonics

Four memory tricks and three practice scenarios for exam-day recall of AUP, BCP/DRP, IR roles, and change management.

01AUP = Acknowledged Limit on Legal Liability

AUP questions often describe an employee misusing systems and ask what policy document the company should have had, or what the AUP accomplishes. Key facts to remember:

  • AUP requires acknowledgment (signature) — the document is not effective until the employee signs it
  • Purpose: limits legal liability — the organization is not responsible for prohibited activities the employee was told not to do
  • Content: permitted AND prohibited uses — not just a list of rules; also covers monitoring notice and consequences

Exam trap: "The company had a security policy" is not the same as "the company had an acknowledged AUP." A security policy that was never presented to employees does not create documented notice. The acknowledgment/signature step is what makes the AUP legally effective.

Second trap: The AUP applies to all users of organizational systems — not just employees. Contractors, vendors, and guests who use organizational systems should also acknowledge an AUP.

02Cold/Warm/Hot Site: Match RTO to Temperature

Recovery site questions give you either a scenario (RTO requirement) or a site description and ask you to match them. Use this:

  • Cold site: empty space + power = weeks to operational. RTO = weeks. Cost = lowest.
  • Warm site: hardware ready + needs data restore = days to operational. RTO = days. Cost = medium.
  • Hot site: fully operational + real-time data = hours/minutes to operational. RTO = hours. Cost = highest.

Memory trick: temperature = readiness. The hotter the site, the faster it is ready. A hot site is ready immediately. A cold site is cold — nothing is running yet.

Exam application: If a question states "the system RTO is 2 hours," the answer is hot site (only option that can meet a 2-hour RTO). If the question states "the system can be offline for 3 weeks," cold site may be acceptable. If the site has "equipment pre-installed but requires data restoration," it is a warm site.

03NIST SP 800-61 vs. NIST CSF: Four vs. Five

These two frameworks are the most commonly confused on the Security+ exam. Use this table to distinguish them instantly:

  • NIST SP 800-61: Incident RESPONSE lifecycle. 4 phases: Preparation / Detection and Analysis / Containment, Eradication, Recovery / Post-Incident Activity. Used for: "what are the incident response phases?" questions.
  • NIST CSF: Cybersecurity PROGRAM framework. 5 functions: Identify / Protect / Detect / Respond / Recover. Used for: "what are the NIST cybersecurity framework functions?" questions.

Exam trigger: "lifecycle phases" → 800-61. "Framework functions" or "program framework" → CSF.

Quick memory hook: 800-61 has FOUR phases (prep + detect + contain + post). CSF has FIVE functions (I-P-D-R-R). Count them when you read the answer choices — if the list has five items, it is CSF. If it has four (with one multi-part), it is 800-61.

04Change Management: Every Change Needs a Fallback

Change management questions will either describe a change that went wrong (no fallback = problem) or ask what change management requires. The non-obvious requirement most students miss: every change must have a fallback/rollback plan documented before the change is approved.

  • Not optional for "low-risk" changes
  • Not something to figure out if the change fails
  • Must be documented BEFORE the change window

Exam scenario: "A database administrator applied a schema change and it caused system errors. The DBA had no documented rollback procedure and spent 6 hours attempting manual recovery." The change management failure: no fallback plan. If a rollback plan had existed, recovery would have been immediate.

Also remember: unauthorized emergency changes are still changes that require documentation, even if after the fact. An undocumented change is always a change management violation regardless of the emergency justification.

Practice Scenarios

Scenario 1: BCP Testing Failure

A regional bank's BCP specifies that if the core banking system is unavailable, tellers will use paper transaction slips and manually update customer accounts when the system is restored. During a real outage, tellers discovered: (1) the paper slips were redesigned 18 months ago but the old format is in the BCP; (2) the branch manager who knows the manual procedure retired 8 months ago and was not replaced in the BCP; (3) the handwriting on transaction slips cannot be read during reconciliation because no standard was specified.

Identify what BCP requirement was not met and what three specific failures would have been caught by regular testing.

Answer: The BCP was not tested after significant changes (form redesign, personnel turnover). Regular testing would have caught: (1) The outdated form reference — a test would have required tellers to use the actual forms, revealing the mismatch immediately. (2) The missing successor for the branch manager role — a tabletop would have asked "who performs this step?" revealing the gap. (3) The missing standard for handwriting/legibility — simulation would have produced illegible slips during the drill, flagging the need for a handwriting standard or printed form. All three failures represent untested assumptions that seemed reasonable when written but were never validated.

Scenario 2: IR Role Assignment

A healthcare company experiences a ransomware attack at 2 AM. The following actions occur: (A) The on-call security analyst isolates the affected servers from the network. (B) The CISO is paged and begins coordinating response. (C) Legal counsel is notified and determines a HIPAA breach notification may be required within 60 days. (D) A physician who was using the EHR at 2 AM reports that the system stopped responding and contacts the IT helpdesk. (E) The systems administrator provides the analyst with database access credentials to examine backup integrity.

Map each action to the correct incident response role.

Answer: (A) IR team — technical responder performs containment. (B) IT Security Management — CISO coordinates overall response and escalation. (C) Compliance officer — ensures regulatory requirements are met (HIPAA notification assessment and management). (D) User community — end user reports the incident and cooperates with IT. (E) Technical staff (non-IR) — provides system access and SME knowledge. All five roles are demonstrated in this single incident. Note that only the compliance officer (C) handles the regulatory notification decision — not the analyst or CISO directly.

Scenario 3: Change Management Gaps

An organization's change management policy requires weekly change windows, documented risk analysis, and manager approval. A developer needs to deploy a critical security patch outside the change window because a vulnerability is being actively exploited in the wild. The developer patches the system without approval and documents the change afterwards.

Was the change management policy violated? What is the proper process for this situation?

Answer: The policy was violated by skipping the approval process, even though the rationale was legitimate. Proper change management policies include an emergency change procedure for exactly this situation: (1) Notify the appropriate manager or on-call approval authority immediately. (2) Receive verbal/documented emergency approval. (3) Apply the change with a documented fallback plan. (4) Complete full documentation within 24 hours. The error was skipping approval entirely, not the speed of action. Emergency changes can be approved quickly — in minutes if the authority is reachable — without skipping the approval step. Post-hoc documentation is required but does not replace pre-change approval. The distinction matters: an approved emergency change is compliant; an unapproved emergency change is a policy violation.