  • Organizational or corporate governance has existed since time immemorial to ensure the efficient running of an organization via control structures.
  • Since information security has become an integral part of every organization, it is absolutely necessary for a governance structure to be in place.
  • Information security must also be properly aligned with the mission of the organization.
  • Information security governance provides a platform for upper management and the board of directors (BOD) to exercise their oversight of enterprise risk management, keeping risk at the required acceptable level.
  • The intent of governance is to provide some guarantee that appropriate mechanisms are in place to reduce risks (please note that risk cannot be completely eliminated).
  • Executive management must be fully committed to providing the investments required for any information security activities.
  • The IT Governance Institute (ITGI) defines IT governance as being “the responsibility of the board of directors and executive management”.
  • The ITGI also proposes that information security governance must be considered part of IT governance and that the BOD should:
    • Be informed about security
    • Set direction to drive policy and strategy
    • Provide resources to security efforts
    • Assign management responsibilities
    • Set priorities
    • Support changes required
    • Define cultural values related to risk assessment
    • Obtain assurance from internal and external auditors
    • Insist that security investments are made measurable and reported on for program effectiveness.

  • In addition, the ITGI suggests that the management should:
    • Write security policies with business input
    • Ensure that roles and responsibilities are clearly defined and understood
    • Identify threats and vulnerabilities
    • Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
    • Ensure that policy is approved by the governing body
    • Establish priorities and implement security projects in a timely manner
    • Monitor breaches
    • Conduct periodic reviews and tests
    • Reinforce awareness education as critical
    • Build security into the systems development life cycle.
Security Governance:

  • Goals, Mission, and Objectives of the Organization
    • Information security must support and enable the vision, mission, and business objectives of the organization.
    • Must address the interrelationships among risk assessment, policy implementation, response controls, promoting awareness, monitoring effectiveness, and so on.
  • Organizational Processes
    • Acquisitions and mergers
    • Divestitures and spinoffs
    • Governance committees
  • Security Roles and Responsibilities
    • Today’s organizational structure
    • Role of the Information Security Officer
    • Communicate risks to executive management
  • Information Security Strategies
    • Strategic planning – Long term (3 to 5 years); must be aligned with business objectives.
    • Tactical planning – Short term (6 to 18 months), used to achieve specific goals. May consist of multiple projects.
    • Operational and project planning – Specific plans with milestones, dates, and accountabilities that provide communication and direction for project completion.