
12-Jan-22 11:47:02 PM | https://twitter.com/Ibraheem_111

What is Information Security Governance?

IT security governance is the system by which an organization directs and controls IT security
(adapted from ISO 38500). IT security governance should not be confused with IT security
management. IT security management is concerned with making decisions to mitigate risks;
governance determines who is authorized to make decisions. Governance specifies the
accountability framework and provides oversight to ensure that risks are adequately mitigated,
while management ensures that controls are implemented to mitigate risks. Management
recommends security strategies. Governance ensures that security strategies are aligned with
business objectives and consistent with regulations.

NIST describes IT governance as the process of establishing and maintaining a framework to
provide assurance that information security strategies are aligned with and support business

What is a Cybersecurity Assessment?

A cybersecurity assessment examines your security controls and how they stack up against
known vulnerabilities. It’s similar to a cyber risk assessment, a part of the risk management
process, in that it incorporates threat-based approaches to evaluate cyber resilience. A
complete security assessment includes a close look at the company’s overall security
infrastructure.

What is cyber security monitoring?

Cyber security threat monitoring describes the process of detecting cyber threats and
data breaches. IT infrastructure monitoring is a crucial part of cyber risk management,
enabling organizations to detect cyber-attacks in their infancy and respond to them
before they cause damage and disruption.

• Governance: Ensuring that organizational activities, like managing IT operations, are
aligned in a way that supports the organization's business goals.
• Risk: Making sure that any risk (or opportunity) associated with organizational activities
is identified and addressed in a way that supports the organization's business goals. In the
IT context, this means having a comprehensive IT risk management process that rolls into
an organization's enterprise risk management function.
• Compliance: Making sure that organizational activities are operated in a way that meets
the laws and regulations impacting those systems. In the IT context, this means making
sure that IT systems, and the data contained in those systems, are used and secured
properly.

Governance is about overall control and management of the organization, its processes,
customs, and policies.
Risk involves knowing the location of critical data, operations, and processes.
Compliance (obligations) means that all the rules and regulations pertinent to your
organization have been met.

Governance: The process of implementing policies and ensuring they are executed.
Risk: The process of reducing risk and uncertainty through the establishment of business
objectives and governance mechanisms.
Compliance (obligations): Adhering to business rules, policies and guidelines whether they
are internally established or externally implemented.

Risk communication (Clause 11)
Risk communication is an activity to achieve agreement on how to manage risks by exchanging
and/or sharing information about risk between the decision-makers and other stakeholders.
The information includes, but is not limited to, the existence, nature, form, likelihood, severity,
treatment, and acceptability of risks.

Risk assessment: overall process of risk identification (3.5.1), risk analysis (3.6.1) and risk
evaluation (3.7.1).
Source: ISO Guide 73:2009(en), Risk management — Vocabulary

Risk appetite vs risk tolerance example

What is Risk Appetite?

According to ISO 31000, a risk appetite definition is “the amount and type of risk that an
organization is prepared to pursue, retain or take.”

“The amount and type of risk that the organization is prepared to pursue, retain or bear.”

• Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its
business objectives

• Risk tolerance: the specific maximum risk that an organization is willing to take regarding
each relevant risk

ISO 27000 Risk Assessment

International Organization for Standardization (ISO)’s 27000 series documentation for risk
management, specifically ISO 27005, supports organizations using ISO’s frameworks for
cybersecurity to build a risk-based cybersecurity program.

Similar to NIST SP 800-30, using the ISO guidance is the most beneficial for organizations
pursuing or already maintaining an ISO certification.

Policies, Procedures, Standards, and Guidelines

Policy / high-level

- Policies are formal statements produced and supported by senior management.

- A policy is a set of mandatory directives that employees must follow, providing the basic
framework upon which a company's security program is based.

Standard

Standards are mandatory courses of action or rules that give formal policies support and
direction.

Procedure / low-level guides

Procedures are detailed step-by-step instructions to achieve a given goal or mandate.

Guideline

Guidelines are recommendations to users when specific standards do not apply.

Ref: https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/

Baselines provide a minimum level of security that a company's employees and systems must meet. Like
standards, baselines help to ensure consistency. However, unlike standards, policies, and procedures, baselines
are somewhat discretionary. For example, a baseline might state that employees' computers must run Ubuntu
11.10 or a later version. Employees are not required to use Ubuntu 11.10; they can use any version of Ubuntu as
long as it is version 11.10 or higher. If employees must use a particular version of software, you should create a
standard instead.

Detailed explanation
Security Policy

Policies are the top tier of formalized security documents. These high-level documents offer a
general statement about the organization’s assets and what level of protection they should have.
Well-written policies should spell out who’s responsible for security, what needs to be protected,
and what is an acceptable level of risk. They are much like a strategic plan because they outline
what should be done but don’t specifically dictate how to accomplish the stated goals. Those
decisions are left for standards, baselines, and procedures. Security policies can be written to
meet advisory, informative, and regulatory needs. Each has a unique role or function.

CAUTION

The key element in policy is that it should state management’s intention toward security.

Advisory Policy

The job of an advisory policy is to ensure that all employees know the consequences of certain
behavior and actions. Here’s an example advisory policy:

Illegal copying: Employees should never download or install any commercial software,
shareware, or freeware onto any network drives or disks unless they have written
permission from the network administrator. Be prepared to be held accountable for your
actions, including the loss of network privileges, written reprimand, probation, or
employment termination if the Rules of Appropriate Use are violated.

Informative Policy

This type of policy isn’t designed with enforcement in mind; it is developed for education. Its
goal is to inform and enlighten employees. The following is an example informative policy:

In partnership with Human Resources, the employee ombudsman's job is to serve as an
advocate for all employees, providing mediation between employees and management.
This job is to help investigate complaints and mediate fair settlements when a third party
is requested.

CAUTION

Good policy strikes a balance and is both relevant and understandable. If a policy is too generic,
no one will care what it says because it doesn’t apply to the company. If a policy is too complex,
no one will read it, or understand it if they did.

Regulatory Policy

These policies are used to make certain that the organization complies with local, state, and
federal laws. An example regulatory policy might state:

Because of recent changes to Texas State law, The Company will now retain records of
employee inventions and patents for 10 years; all email messages and any backup of such
email associated with patents and inventions will be stored for one year.

Standards

Standards are much more specific than policies. Standards are tactical documents because they
lay out specific steps or processes required to meet a certain requirement. As an example, a
standard might set a mandatory requirement that all email communication be encrypted. So
although it does specify a certain standard, it doesn’t spell out how it is to be done. That is left
for the procedure.

Baselines

A baseline is a minimum level of security that a system, network, or device must adhere to.
Baselines are usually mapped to industry standards. As an example, an organization might
specify that all computer systems comply with a minimum Trusted Computer System Evaluation
Criteria (TCSEC) C2 standard. TCSEC standards are discussed in detail in Chapter 5, "System
Architecture and Models."

Guidelines

A guideline points to a statement in a policy or procedure by which to determine a course of
action. It’s a recommendation or suggestion of how things should be done. It is meant to be
flexible so it can be customized for individual situations.

CAUTION

Don’t confuse guidelines with best practices. Whereas guidelines are used to determine a
recommended course of action, best practices are used to gauge liability. Best practices state
what other competent security professionals would have done in the same or similar situation.

Procedures

A procedure is the most specific of security documents. A procedure is a detailed, in-depth,
step-by-step document that details exactly what is to be done. As an analogy, when my mom sent my
wife the secret recipe for a three-layer cake, it described step by step what needed to be done and
how. It even specified a convection oven, which my mom stated was an absolute requirement.

Procedures are detailed documents; they are tied to specific technologies and devices (see Figure
3.4). You should expect to see procedures change as equipment changes. As an example,
imagine that your company has replaced its Checkpoint firewall with a Cisco PIX. Although the
policies and standards dictating the firewalls’ role in your organization probably will not change,
the procedure for configuration of the firewall will.

It’s unfortunate that sometimes instead of the donkey leading the cart, the cart leads the donkey.
By this, I mean that sometimes policies and procedures are developed as a result of a negative
event or an audit. The audit or policy shouldn’t be driving the process; the assessment should be.
The assessment’s purpose is to give management the tools needed to examine all currently
identified concerns. From this, management can prioritize the level of exposure they are
comfortable with and select an appropriate level of control. This level of control should then be
locked into policy.

A risk management method is a sequence of activities based on a published
standard that systematizes the five phases that comprise risk management,
namely,
- Identification of threats and vulnerabilities impacting the organization's IT assets

- Risk assessment

- Risk mitigation planning

- Risk mitigation implementation

- Evaluation of the mitigation's effectiveness

Data Ownership
Data ownership and responsibility have some newer terms since the 2018 refresh.

• Data Subject – the person who the information is about.
• Data Owner – the entity that collects/creates the PII and is legally responsible and
accountable for protecting it and educating others about how to protect the data through
dissemination of intellectual property rights documentation, policies and regulatory
requirements, specific protective measures that are expected of custodians, and
compliance requirements.
• Data Controller – same as data owner when a true data owner does not exist.
• Data Processor – typically an entity that works under the direction of the
owner/controller, such as an IT department.
• Data Custodian – the role within the processing entity (IT department) that handles the
data daily. These are the technical hands-on employees who do the backups, restores,
patches, and system configuration.
• Data Steward – a newer concept related to users of the data; those who use the data for
the business purpose.

CISSP Study Notes @ibraheem_111
___________________________________________________________________
Data Owner
The data owner role is assigned to the person who is responsible for classifying
information for placement and protection within the security solution. The data owner is
typically a high-level manager who is ultimately responsible for data protection.
However, the data owner usually delegates the responsibility of the actual data
management tasks to a data custodian.
Data Custodian
The data custodian role is assigned to the user who is responsible for the tasks of
implementing the prescribed protection defined by the security policy and senior
management.
Data Custodian
testing backups, validating data integrity, deploying security solutions, and managing
data storage based on classification.
Data Custodians
In an organization, the data governance process should include a role for the data
custodian.
Data custodian
Data custodians are typically part of IT departments. They are usually divided further in
their areas of expertise, such as: data modeling, data architecture, database
administration, etc. They are mainly responsible for maintaining, archiving, recovering,
backing up data, preventing data loss/ corruption, etc.
Data steward
Most data stewards come from their respective business departments, not IT. In fact,
besides the System Data Steward.
5/5/2020

• Cybersecurity governance:

Cybersecurity management is a security business model consisting of two stages: security management and
security governance. Security management ensures that cybersecurity risks are adequately reduced through the
deployment of security controls, while security governance readily links overall security strategies with key
business objectives and fundamental regulations. Advanced Electronics Company has an independent framework
for formulating cybersecurity governance policies and procedures.

• Risk management

Risk management involves identifying information assets, such as devices, customer data and intellectual
property, that could be compromised as a result of cyber-attacks. The potential risks that could affect these
assets are then assessed in order to apply the appropriate security controls.

• Audit and compliance

Audit and compliance services focus on assessing the extent to which establishments comply with regulatory
guidance related to cybersecurity. At Advanced Electronics Company we conduct this specialized assessment of
cybersecurity governance programs annually, or as the client wishes, in order to check the readiness of these
programs for implementation.

RACI matrix: defining responsibilities, roles and relationships

Dr. Abdulrahman Al-Jamous / PhD in Business Strategy

Simply put, a RACI matrix is a list of activities together with information about each individual's role with
respect to those activities; next to each activity, the name of the person concerned is entered, according to their
role, in the column designated for that role.

The RACI model is a good way to clarify the role of each team member regardless of the size of the project.
Tasks must be clearly defined, each person must understand their role, and every employee must be able to
complete the tasks and activities.

The RACI model is a model of responsibility that makes project costs clear at the lowest level, and it is a tool for
reducing confusion about expectations on one hand and increasing efficiency on the other. Thanks to the use of
this model, decisions are made faster and responsibilities become clear. In addition, the workload is distributed
evenly. The word RACI is an abbreviation of four English words, formed from the first letter of each.

• The first letter, R, is the first letter of the word Responsible, meaning the executor: the person assigned to
perform the work. In short, the Responsible (R) is the one tasked with completing the task (e.g. the financial
controller).
• The second letter, A, is the first letter of the word Accountable, meaning the answerable party: the person
responsible for ensuring that the work is performed adequately. In short, the Accountable (A) is the one who
makes the decisions and takes the measures within the project.
• The third letter, C, is the first letter of the word Consulted: the person (or persons) whose input is requested
in order to complete the work. In short, the Consulted (C) is whoever is consulted regarding decisions.
• The fourth and last letter, I, is the first letter of the word Informed: the person (or persons) who must be
notified about this work. In short, the Informed (I) is whoever is kept aware of decisions and actions
throughout the project.
• Some organizations add further responsibilities, such as Supportive and others.

Important sources
What Is Information Security Management?

https://www.eccouncil.org/information-security-management/

https://www.youtube.com/watch?v=LTAIrFN35dc

https://www.youtube.com/watch?v=EvQmdMYeFVI

https://securityboulevard.com/2020/07/3-templates-for-a-comprehensive-cybersecurity-risk-assessment/
