
Evaluate and apply security governance principles

Objectives:

At the end of this episode, I will be able to:

Evaluate and apply security governance principles such as security frameworks
through your daily practice as an information security professional.

External Resources:

Evaluate and apply security governance principles

Information security management validates that appropriate policies, procedures,
standards, and guidelines are implemented to ensure business operations are
conducted within an acceptable level of risk.

A Security Framework:

acts as a reference point
provides a common language for communications (CULTURE OF SECURITY)
allows us to share information and create relevancy

Examples

Financial Reporting:

Basel II
Sarbanes-Oxley
COSO

Information Security:

BS7799 / ISO 27000 family (ISO 27000 is the umbrella: ISMS fundamentals and vocabulary):
27003 ISMS implementation guide
27004 ISM metrics
27005 infosec risk management
27006 certification agencies
27007 audit
27009 IS governance
27010 critical infrastructure

BS 7799 Part 1 -> ISO 17799 -> ISO 27002: code of practice (133 controls, 500+ detailed
controls)

BS 7799 Part 2 -> ISO 27001: Information Security Management System (ISMS)

COBIT 5 / COBIT 2019: A business framework for the governance and management of
enterprise IT

ISO 15408: Common Criteria for Information Technology Security Evaluation

ISO/IEC DIS 15408-1 Information security, cybersecurity and privacy
protection — Evaluation criteria for IT security — Part 1: Introduction and
general model

Framework for specification of evaluation: Protection Profile (PP), Evaluation
Assurance Level (EAL 1-7)

Information Security Forum: (www.securityforum.org)

Standard of Good Practice for Information Security - 5 "aspects":

Security Management
Critical Business Applications
Computer Installations
Networks
Systems Development

Broken out into 30 "areas" and 135 "sections"

NIST CyberSecurity Framework:
https://www.nist.gov/cyberframework

BSIMM:
https://www.bsimm.com/framework.html

ITIL

Management / Enterprise frameworks:

NOTE... (LOOK FOR THE DEEP DIVE ON SABSA, TOGAF & ZACHMAN BELOW)

Zachman
Calder-Moir
TOGAF
DoDAF
MODAF
SABSA
COSO

NIST: A library of freely available resources (http://csrc.nist.gov)

Information Security Handbook: A Guide for Managers SP800-100

Recommended Security Controls for Federal Info Systems SP800-53R4 / R5

Risk Management Guide for Information Technology Systems SP800-30R1

An Introduction to Information Security SP800-12R1

Supply Chain Risk Management Practices for Federal Information Systems and
Organizations SP800-161

Computer Security Incident Handling Guide SP800-61R2

Guide for Applying the Risk Management Framework to Federal Information
Systems: a Security Life Cycle Approach SP800-37R2

https://www.iso.org/standard/50341.html
https://www.iso.org/isoiec-27001-information-security.html

DEEP DIVE ON SABSA, TOGAF & ZACHMAN

SABSA -

A methodology for developing business-driven, risk- and opportunity-focused
security architectures at both enterprise and solutions level that traceably
support business objectives.

It is also widely used for Information Assurance Architectures and Risk Management
Frameworks, and to align and seamlessly integrate security and risk management
into IT architecture methods and frameworks.

SABSA is comprised of a series of integrated frameworks, models, methods and
processes, used independently or as a holistic integrated enterprise solution,
including:

Business Requirements Engineering Framework (known as Attributes Profiling)
Risk and Opportunity Management Framework
Policy Architecture Framework
Security Services-Oriented Architecture Framework
Governance Framework
Security Domain Framework
Through-life Security Service Management & Performance Management Framework

SABSA matrix (view / architecture layer):

=======================================================
| Business View        | Contextual Architecture        |
|======================|================================|
| Architect's View     | Conceptual Architecture        |
|======================|================================|
| Designer's View      | Logical Architecture           |
|======================|================================|
| Constructor's View   | Physical Architecture          |
|======================|================================|
| Technician's View    | Component Architecture         |
|======================|================================|
| Manager's View       | Management Architecture        |
=======================================================

SABSA lifecycle: Strategy & Planning --> Design --> Implement --> Manage & Measure

=====================================

TOGAF Standard, Version 9.2

In particular, the following concepts are included:

Partitioning – a number of techniques and considerations on how to partition
the various architectures within an enterprise.

Architecture Repository – a logical information model for an Architecture
Repository which can be used as an integrated store for all outputs created by
executing the Architecture Development Method (ADM).

Capability Framework – a structured definition of the organization, skills,
roles, and responsibilities required to operate an effective enterprise
architecture capability. The TOGAF standard also provides guidance on a process
that can be followed to identify and establish an appropriate architecture
capability.

What Kinds of Architecture does the TOGAF Standard Deal with?

Business Architecture - The business strategy, governance, organization, and key
business processes.

Data Architecture - The structure of an organization's logical and physical data
assets and data management resources.

Application Architecture - A blueprint for the individual applications to be
deployed, their interactions, and their relationships to the core business
processes of the organization.

Technology Architecture - The logical software and hardware capabilities that
are required to support the deployment of business, data, and application
services. This includes IT infrastructure, middleware, networks, communications,
processing, and standards.

=========================================
The Zachman Framework -

The Framework for Enterprise Architecture (or Zachman Framework), as it applies
to enterprises, is simply a logical structure for classifying and organizing the
descriptive representations of an enterprise that are significant to the
management of the enterprise as well as to the development of the enterprise's
systems, manual systems as well as automated systems.
