The CISSP exam requires you to be familiar with several concepts related to governance.  Let’s take them one at a time and throw in some memorization tools.

Governance – how an organization is managed.

Security Governance – how security is managed, through policies, roles, and processes used to make security decisions.

Governance Committee – a formal decision-making body within the organization.

Note:

  • Security must align with organizational goals (not dominate or drive them).
  • Security is optional (it’s a support function).
    • Remember that security and its budget can be “done away” with at any time.
  • Security practitioners must align with organizational goals.
    • This helps keep costs down.
    • It also helps the security program serve the organization properly.

Security control frameworks – these are publications that an organization uses to outline or develop a security strategy. A framework can be thought of as a shell of something, or a starting point, so a security control framework is simply a list or set of controls. A control is the same as a safeguard, which is simply a specification of how you should do something.

Some common frameworks are:

ISO 27001 – information security management system, which focuses on governance.

ISO 27002 – security controls, techniques, and methods.

COBIT – a framework aimed at documenting Organizational IT Security. If you take the first three letters of COBIT (Cob) and reverse them, it spells “Doc” (we know it’s a “b”, but just go with it), and the O and IT you can remember as “Organizational” and “IT”.

Payment Card Industry Data Security Standard – developed by the major bank and credit card companies, the PCI-DSS provides security standards for companies that want to process payments from credit and bank cards.

Payment Application Data Security Standard (PA-DSS)

The Payment Application Data Security Standard (PA-DSS) establishes a comprehensive set of security guidelines and requirements for software developers and vendors who design applications that process, store, or transmit cardholder data. The primary goal of PA-DSS is to ensure that payment applications are developed with security best practices to prevent unauthorized access, data breaches, and fraud. Compliance with PA-DSS helps organizations adhere to the Payment Card Industry Data Security Standard (PCI DSS) by ensuring that their applications do not introduce vulnerabilities into the payment ecosystem.

PIN Security Services (PCI PIN)

The PCI PIN Security Standard outlines stringent security requirements designed to protect customer Personal Identification Number (PIN) data from theft and unauthorized access. This framework applies to all entities that handle PIN data and governs the design, implementation, and lifecycle management of PIN input hardware, including:

  • Manufacturing and distribution: Ensuring PIN entry devices are securely created, transported, and deployed.
  • Control and storage: Defining how PIN data should be handled to prevent exposure or compromise.
  • Encryption and key management: Establishing strict cryptographic protocols to safeguard PIN-related transactions.

These requirements are crucial for maintaining the integrity of PIN-based payment systems and reducing fraud risks.

Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) is a standardized security framework designed to assess, authorize, and continuously monitor the security posture of cloud service providers (CSPs) that work with U.S. federal agencies. Its purpose is to ensure that government agencies can safely adopt cloud computing services while maintaining high security standards.

Key components of FedRAMP include:

  • Joint Authorization Board (JAB): A central governing authority responsible for evaluating and granting authorization for cloud providers using pre-existing security assessment packages when applicable.
  • Third Party Assessment Organizations (3PAOs): Independent auditing entities that evaluate CSPs’ security implementations to ensure compliance with FedRAMP requirements. Organizations seeking FedRAMP authorization must engage a 3PAO to validate their security controls.
  • 3PAO Qualification Standards: FedRAMP sets specific criteria that organizations must meet to become an accredited 3PAO, ensuring consistency and reliability in cloud security assessments.

By implementing these measures, FedRAMP provides a structured approach for federal agencies to securely adopt cloud technologies while minimizing cybersecurity risks.

Sherwood Applied Business Security Architecture (SABSA)

The Sherwood Applied Business Security Architecture (SABSA) is a business-driven security framework that helps organizations develop robust security programs aligned with their strategic and operational objectives. Unlike purely technical security models, SABSA integrates security into business processes, ensuring that security measures directly support an organization’s goals.

SABSA provides various tools and methodologies, including:

  • Information assurance architectures: Frameworks that help organizations design and implement comprehensive security strategies.
  • Risk Management Frameworks (RMFs): Align with existing risk management standards such as NIST, FedRAMP, and ISO 27001 to provide structured risk analysis and mitigation strategies.
  • Continuity management: Ensures that security planning includes disaster recovery and business continuity measures to sustain operations during disruptions.
  • Business-driven, traceable toolkits: Resources that help organizations model, assess, and implement security standards while maintaining alignment with business priorities.

By leveraging SABSA, organizations can create customized security architectures that are scalable, traceable, and responsive to business needs, ensuring that security decisions support overall business objectives rather than being implemented in isolation.

ITIL – how IT can serve business functions – remember it by thinking “I TILt it this way, or that way” for the business.

NIST Special Publications (risk management frameworks), such as 800-53, which is a set of security controls, and 800-37, which is the risk management framework.

CSA STAR is from the Cloud Security Alliance, which publishes standards for cloud security. Of interest are:

  • Tier 1, in which participants self-assess by filling out a questionnaire.
  • Tier 2, which is a third-party assessment.
  • Tier 3 (still in draft), which is continuous monitoring by a certified independent organization.

HITRUST is a collection of frameworks compiled into a single resource with the objective to normalize the different sets of security requirements into a single trusted certification/assessment.

Privacy Management Framework (PMF) was created by the AICPA as a revision to the 2009 Generally Accepted Privacy Principles (GAPP). It incorporates local information and data privacy laws and standards, including GDPR, and updates to the AICPA’s Trust Services Criteria (TSC).

SWIFT is a security control framework for financial and payment card system builders. PCI is for payment card processors only, whereas SWIFT has a much broader scope. https://www.swift.com/about-us

Gap Analysis: an analytical process that yields findings that highlight areas where an organization’s information security controls fall short of the standards required or recommended by the security control framework.

Acquisition is when a company purchases another to become one of its subsidiaries.

Merger is when two companies are combined into one.

Divestiture is when a company cedes, or gives up control of, one of its subsidiaries.

Some security roles you should be familiar with that can sponsor security policy and decisions are:

  • Senior Management
  • Chief executive officer (CEO)
  • Chief financial officer, chief information officer, chief operating officer, chief security officer, etc.

Supporting security functions are:

  • Security manager, security officer, or security director
  • Chief information security officer, or simply the information security officer.

It is acceptable for the security manager or security department to report directly to the CIO, or to the CEO, but not the head of IT.

Roles of the security manager include:

  • Managing day-to-day security operations
  • Advising management on security decisions including change management or configuration management 
  • Advising on security product solutions
  • Participating in or leading incident response and disaster recovery efforts.

Security personnel support the security manager/officer in their functions, but with different disciplines:

  • Administrators – database or system admins.
  • Technicians – IT personnel.
  • Users – individuals who work with the data.

Due Diligence – the best way to understand Due Diligence is to think of it as the preparation, research, legwork, the knowledge and understanding, or anything that is done before decisions are made.

Due Care – is considered the actions that follow due diligence.  This would include employee behavior and actions such as decisions, company practices, configurations of appliances, devices and baselines, and something called the prudent person rule, which basically presents a fictitious scenario of what “would a prudent person do?” in the same situation.

Related topics…

Prudent actions are those that most people in similar life circumstances would take. For example, if the speed limit is 55 you might be able to argue that most “prudent” people are usually within 5 to 10 miles over or under the speed limit.

Reasonable actions are actions that have logical justification.  For example, if you break someone’s rib during a karate class, it’s probably reasonably justified, but if you do that to a random person on the street, it’s not justified (or in this case, reasonable).

In control theory and cybernetics, a control loop serves as a practical demonstration of the principles of due care and due diligence. Every system consists of control loops that regulate its behavior and ensure that it operates within the desired parameters. These control loops generally comprise three fundamental components:

  1. Feedback Mechanism: This element continuously monitors the current state of the system, collecting real-time data on its performance. Based on these measurements, adjustments are made to align the system’s state with predefined conditions or goals.
  2. Logic Model or Decision-Making Component: This core decision-making unit determines the appropriate actions to take based on both present conditions and historical data. It ensures the system responds appropriately to maintain stability, efficiency, and effectiveness.
  3. Higher-Level or Outer Control Loop: This meta-control mechanism oversees the primary control loop, providing directives and evaluating performance. It receives feedback from the system and the inner control loop, ensuring that the control process itself is functioning correctly.

The principles of due care and due diligence are embedded within these control loops. Due care is represented by the logic model, as it is responsible for taking the necessary actions to maintain proper system function. Due diligence, on the other hand, is exercised through continuous monitoring and feedback analysis—verifying that implemented changes have the intended effect and ensuring that the system remains on course. Together, these principles form the foundation of responsible and effective system control.
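As an added illustration (not part of the original notes), here is a toy Python model of the three components above applied to a constructed patch-compliance metric: the fleet's measurement is the feedback mechanism, the logic model decides the corrective action (due care), and the outer loop verifies after each action that the metric actually moved toward the target (due diligence), catching a deployment tool that reports success but changes nothing. The names Fleet, LogicModel and outer_loop are hypothetical.

```python
"""Toy control loop: the inner loop acts (due care), the outer loop verifies (due diligence)."""
from dataclasses import dataclass, field


@dataclass
class Fleet:
    """Constructed environment: one bool per host, True = critical patches applied.
    'broken' models a deployment tool that returns success without patching anything."""
    patched: list
    broken: bool = False

    def measure(self) -> float:
        """Feedback mechanism: observe the current state (fraction of hosts patched)."""
        return sum(self.patched) / len(self.patched)

    def deploy(self, batch: int) -> None:
        """The corrective action: patch up to `batch` unpatched hosts."""
        if self.broken:
            return
        for i, ok in enumerate(self.patched):
            if not ok and batch > 0:
                self.patched[i], batch = True, batch - 1


@dataclass
class LogicModel:
    """Decision-making component: chooses the action from present state and history."""
    target: float
    batch: int
    history: list = field(default_factory=list)

    def decide(self, level: float) -> int:
        self.history.append(level)                # keep historical data for later review
        return self.batch if level < self.target else 0


def outer_loop(fleet: Fleet, logic: LogicModel, max_cycles: int = 10) -> str:
    """Outer control loop: drive the inner loop, then check that each action had its
    intended effect. Returns a verdict so the result can be acted on, not just printed."""
    for _ in range(max_cycles):
        before = fleet.measure()
        batch = logic.decide(before)
        if batch == 0:
            return "on course"                    # target reached, nothing to do
        fleet.deploy(batch)
        if fleet.measure() <= before:
            return "inner loop ineffective"       # action taken but no measurable effect
    return "not converged"                        # still below target after the budget
```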

The easiest way to memorize the difference between due diligence and due care, especially in the context of control loops and their associated mechanisms, would be this: “due care” has the letter “A” in it, and “A” stands for “Action”.