Security Principles of Governance

Security Principles of governance is one of the most important aspects of CISSP training course.

1- Alignment of Security Function to Business

• Mission : Mission statement should be easy to understand and should explain that what the organization is? What it does? Why it exists? What methods does use for its works? And why did it choose these methods?

• Strategy : An organizational strategy is the sum of the actions a company intends to take to achieve long-term goals. Together, these actions make up a company’s strategic plan. Strategic plans take at least a year to complete, requiring involvement from all company levels.

• Goal : The goal is something (or things) that an organization hopes to achieve.

• Objective : It is a turning point or a specific outcome that is expected and helps the organization achieve its goals.

• How is security managed in each organization and what are the important differences?

• How do policies between the two organizations differ and what issues will be encountered when merging the policies into one?

• What security controls are there in each organization, and what is the difference between them?

• what operations are to be carried out from now on and how? This includes vulnerability management, incident management, event monitoring, access management and third-party risk management.

2-Organizational Processes

Organizational management determines the direction of the organization. Then it set policies and processes in place to ensure that executive management is following that direction.

Acquisitions and divestitures: Sometimes one organization, buys another and merges with it. Sometimes an organization divides itself into two (or more) separate companies. Therefore, it is very important to reorganize to change the direction of teams, departments, divisions and business units.

There are a number of security considerations that must be considered in such times. including:

3- Security Roles

Specific roles and responsibilities for information security should be defined in an organization’s security policy.

Security roles include:

1- Job descriptions

2- Individual positions

3- Third party contracts and other cases.

These roles and responsibilities should apply to employees, consultants and contractors And they should apply to all levels of staff.

• ISO/IEC 17799:2005

• ISO/IEC 27000 Series

• ISO/IEC 27001

• Common Criteria (CC) or ISO/IEC 15408

• Zachman framework

• TOGAF

• DoDAF

• COBIT 5

• NIST Special Publication 800-53

• COSO

• ISO/IEC 27002

• ITIL

4- Control Tools

Organizations adopt a control framework to aid in their legal and regulatory compliance efforts. Some examples of relevant security frameworks include:

5- Due Care

Due care provides a standard for determining negligence. In the world of information security, due care relates to the steps that individuals or organizations take to perform their duties and implement security best practices.

If an organization fails to follow a standard of due care in the protection of its assets, the organization may be held culpably negligent. In such cases the organization’s insurance company may be required to pay only a portion of any loss.

6- Due Diligence

Due diligence, is execution of due care. In the context of information security, due diligence commonly refers to risk identification and risk management practices.

The concepts of due care and due diligence are related but distinctly different. For example, in practice, due care is turning on logging; due diligence is regularly reviewing the logs.