CISSP Security & Risk Management-Security Governance

• gol


• 29 Apr 2016

• • Organizational  or corporate governance has existed since time immemorial to ensure the efficient  running  via control structures.

• Since information security has become an integral part of every organization, it is absolutely necessary for  a governance  structure to be in place.
• Information security must  also be properly aligned  with the mission of the organization.
• Information security governance provides a platform for upper management and the board of directors (BOD) to exercise their oversight  on enterprise risk  management to required acceptable level.
• The intent of governance is to provide some guarantee that certain appropriate  mechanisms are in place to reduce risks (please note that risk cannot be completely eliminated).
• Executive management must  be  fully committed to provide the investments required for any information security activities.
• The IT Governance Institute (ITGI) defines IT governance as being “the responsibility of the board of directors and executive management”.
• The ITGI also proposes that information security governance  must be considered part of IT governance and that the BOD should:
  • Be informed about security
  • Set direction to drive policy and strategy
  • Provide resources to security efforts
  • Assign management responsibilities
  • Set priorities
  • Support changes required
  • Define cultural values related to risk assessment
  • Obtain assurance from internal and external auditors
  • Insists that security investments are made measurable and reported on for program effectiveness.

 

 

• In addition, the ITGI suggests that the management should:
  • Write security policies with business input
  • Ensure that roles and responsibilities are clearly defined and understood
  • Identify threats and vulnerabilities
  • Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
  • Ensure that policy is approved by the governing body
  • Establish priorities and implement security projects in a timely manner
  • Monitor breaches
  • Conduct periodic reviews and tests
  • Reinforce awareness education as critical
  • Build security into the systems development life cycle.

 

 

Security Governance:

• Goals, Mission, and Objectives of the Organization
  • Information security must support and enable the vision, mission and the business objective of the organization.
  • Must ensure the interrelationships among risk assessment, policy implementation, response controls, promoting awareness, monitoring effectiveness, etc., etc.

• Organizational Processes
  • Acquisitions and mergers
  • Divestitures and spinoffs
  • Governance committees
• Security Roles and Responsibilities
  • Today’s organizational structure
  • Role of the Information Security Officer
  • Communicate risks to executive management
• Information Security Strategies
  • Strategic planning – Long term (3 to 5 years) and must be aligned with business objectives.
  • Tactical planning – Short term ( 6 to 18 months) used to achieve specific goals. May consist of multiple projects.
  • Operational and project planning – Specific plans with milestones, dates, and accountabilities provide communication and direction for project completion.

 

 

To Become Certified For CISSP Please Visit This Link;