The CISSP exam requires you to be familiar with several concepts related to governance.  Let’s take them one at a time and throw in some memorization tools.

Governance – how an organization is managed.

Security Governance – how security is managed, through policies, roles, and processes used to make security decisions.

Governance Committee – a formal decision-making body within the organization.

Note:

  • Security must align with organizational goals (not dominate or drive them).
  • Security is optional (it’s a support function).
    • Remember that security and its budget can be “done away” with at any time.
  • Security practitioners must align with organizational goals.
    • This helps keep costs down.
    • It also helps the security program serve the organization properly.

Security control frameworks – these are publications that an organization uses to outline or develop a security strategy. A framework can be thought of as a shell of something, or a starting point, so a security control framework is simply a list or set of controls. A control is the same as a safeguard, which is simply a specification of how you should do something.

Some common frameworks are:

ISO 27001 – information security management system, which focuses on governance.

ISO 27002 – security controls, techniques, and methods.

COBIT – a framework aimed at documenting Organizational IT Security. If you take the first three letters of COBIT (Cob) and reverse them, it spells “Doc” (we know it’s a “b”, but just go with it), and the O and IT you can remember as “Organizational” and “IT”.

ITIL – how IT can serve business functions – remember it by thinking “I TILt it this way, or that way” for the business.

NIST Special Publications (risk management frameworks), such as 800-53, which is a set of security controls, and 800-37, which is the risk management framework.

CSA STAR is from the Cloud Security Alliance, which publishes standards for cloud security. Of interest are:

  • Tier 1, in which participants self-assess by filling out a questionnaire,
  • Tier 2, which is a third-party assessment, and
  • Tier 3 (still in draft), which is continuous monitoring by a certified independent organization.

HITRUST is a collection of frameworks compiled into a single resource with the objective to normalize the different sets of security requirements into a single trusted certification/assessment.

Privacy Management Framework (PMF) was created as a revision to the 2009 Generally Accepted Privacy Principles (GAPP) by the AICPA. It incorporates local information and data privacy laws and standards, including GDPR, and updates to the AICPA’s Trust Services Criteria (TSC).

SWIFT is a security control framework for financial and payment card system builders. PCI is for payment card processors only, whereas SWIFT has a much broader scope. https://www.swift.com/about-us

Acquisition is when a company purchases another to become one of its subsidiaries.

Merger is when two companies are combined into one.

Divestiture is when a company cedes, or gives up, control of one of its subsidiaries.

Some security roles you should be familiar with that can sponsor security policy and decisions are:

  • Senior Management
  • Chief executive officer (CEO)
  • Chief financial officer, chief information officer, chief operating officer, chief security officer, etc.

Supporting security functions are:

  • Security manager, security officer, or security director
  • Chief information security officer or simply the information security officer.

It is acceptable for the security manager or security department to report directly to the CIO, or to the CEO, but not the head of IT.

Roles of the security manager include:

  • Managing day-to-day security operations
  • Advising management on security decisions, including change management or configuration management
  • Advising on security product solutions
  • Participating in or leading incident response and disaster recovery efforts.

Security personnel support the security manager/officer in their functions, but with different disciplines:

  • Administrators – database or system admins.
  • Technicians – IT personnel.
  • Users – individuals who work with the data.

Due Diligence – the best way to understand due diligence is to think of it as the preparation, research, legwork, knowledge and understanding, or anything else that is done before decisions are made.

Due Care – the actions that follow due diligence. This includes employee behavior and actions such as decisions, company practices, configurations of appliances, devices and baselines, and something called the prudent person rule, which basically presents a fictitious scenario asking “what would a prudent person do?” in the same situation.

Related topics…

Prudent actions are those that most people in similar life circumstances would take. For example, if the speed limit is 55, you might be able to argue that most “prudent” people are usually within 5 to 10 miles over or under the speed limit.

Reasonable actions are actions that have logical justification.  For example, if you break someone’s rib during a karate class, it’s probably reasonably justified, but if you do that to a random person on the street, it’s not justified (or in this case, reasonable).