Term

  Governance: The method by which an enterprise ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives are achieved. It involves setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
  by ISACA

  Information Security Governance is the process of directing and controlling an organization to establish and sustain a culture of security in the organization’s conduct (beliefs, behaviors, capabilities, and actions), treating adequate security as a non-negotiable requirement of being in business.

  Information Security Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IS sustains and extends the organization’s strategies and objectives.
  by COBIT 2019

  Reference: Governing for Enterprise Security (GES) Implementation Guide

Other: Governance vs Management (COBIT 2019)

  Responsibility
    Governance: the board of directors, under the leadership of the chairperson
    Management: the executive management under the leadership of the chief executive officer (CEO)

  Domains by COBIT 2019
    Governance: Evaluate, Direct and Monitor (EDM)
    Management: Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS)

  The difference between security management and security governance is not very clear. To simplify, management encompasses the implementation and monitoring of the security program, while governance provides strategic orientations and ensures its proper execution.
  Information Security Governance. Framework and Toolset for CISOs and Decision Makers, Andrej Volchkov

Strategy

  Strategy is the first mission of IS governance. Strategy is the declaration of an objective, including ways to achieve it.
    Mission: The mission is a short statement recalling security’s main objectives, its main functions, and its contribution to business goals.
    Context
    Strategic Security Initiatives
    Resource optimization

Characteristics of Effective IS Governance

  The whole company is involved
  Responsibilities are defined
  The level of protection depends on risk appetite
  Security is actively managed
  Principle 1: Establish organization-wide information security.
  Principle 6: Review performance in relation to business outcomes.

Three-Layer Control Framework (TLCF)

  Tactical
  Operations

Pertinent questions about IS Governance

  3. Organization
     Does the position of the security officer and their team make it easier to take business unit needs into account?
     Do we have a committee empowered to rule on exceptions and changes to security policies and directives?
     How does the security officer communicate with the business units about security objectives (in both directions)?
     Does security risk management fit into the company’s operational risk management concept?
     How involved are the board, management, and business unit leaders in setting security priorities?
     Lack of manager involvement in the prioritization of risk treatments.
     Lack of architectural design requirements for IS.
     Each business line must appoint a security delegate to participate in quarterly security project review meetings.

  5. IS program management
     How is our IS program managed?

  6. Reporting and oversight
     Is the reporting and oversight system adequate?

  7. Asset management
     Which assets (data, applications, etc.) are impacted, and who is responsible for them?
     Have we identified, classified, and categorized our data? Define data classes and categories and inventory them in a catalog.
     Do we know who the data owners are? Identify data owners for each class/business line.
     How is it guaranteed that data owners’ privacy, availability, and integrity requirements are integrated into the security program?

  8. Compliance