
CISSP Domain 1: Security and Risk Management
1.2 – Evaluate and Apply Security Governance Principles

MISSION CISSP
• Why Security Governance?
• What is Governance?
• Security Planning
• Security Roles and Responsibilities
• Enterprise Frameworks
• Security Frameworks

Why does an organization need security?

• Legal and regulatory requirements
• Financial and reputational risk
• Business requirements

Security Governance

• Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.

• Core security governance activities:
• Develop the information security program
• Establish a management committee
• Define roles and responsibilities
• Identify legal issues and assess their impact
• Establish and maintain security policies
• Develop procedures and guidelines, and implement standards to support the policies
• Develop a business case

Governance Alignment

• Information security governance sits within IT governance, which in turn sits within corporate governance; each layer must align with the one above it.
• Corporate Governance → IT Governance → Information Security Governance

How Security Planning Works

• Vision – why we exist
• Mission – what we want to do
• Goals – what we must achieve for success
• Objectives (Objective-1, Objective-2, Objective-3) – measurable targets that realize a goal
• Actions (A1, A2, A3, …) – planned actions to achieve an objective

Types of Security Plans

• Strategic plan – long-term (about five years), aligned with the organization's mission and goals
• Tactical plan – mid-term (about one year), providing the detail needed to accomplish strategic goals
• Operational plan – short-term and highly detailed, covering day-to-day execution


Leadership Information Security Responsibilities
• Strategic alignment (with corporate and IT governance)
• Develop plans and policies
• Assess and review
• Build awareness
• Manage
• Respond
• Value delivery (return on investment)

Organization Roles and Responsibilities

• Senior management, security professionals, data owners, data custodians, users and auditors each carry defined security responsibilities
• Security is a shared responsibility


Organizational Processes

• Acquisitions, mergers and divestitures change the organization's boundary (entities A, B and C in the diagram) and introduce security risk:
• Increased level of risk
• Disclosures
• Data loss
• Downtime
• Failure to achieve ROI
• Insufficient data sanitization

Due Care and Due Diligence

• Due diligence – researching, planning and establishing the policies, standards and frameworks needed to protect the organization
• Due care – acting on that plan: implementing and maintaining the controls a prudent organization would
• Downstream liability – liability for harm that inadequate security causes to third parties (for example, when a compromised system is used to attack another organization)

Security Control Framework
• A framework is a logical structure
• A series of documented processes used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment

• Categories:
• International (e.g., ISO/IEC 27001)
• National (e.g., NIST CSF)
• Regulatory (e.g., SOX and GLBA)
• Industry specific (e.g., PCI DSS)

Enterprise Frameworks
COSO, Zachman and SABSA Frameworks

COSO Framework
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Established to combat corporate fraud (fraudulent financial reporting)
• An enterprise governance and risk-based framework covering:
• Ethics
• Fraud
• Internal control
• Risk management
• Reporting

Enterprise Frameworks
• Zachman Framework
• Enterprise architecture framework for viewing and defining an enterprise

• SABSA Model
• Security architecture framework with a structure similar to the Zachman Framework

• The Open Group Architecture Framework (TOGAF)
• IT architecture framework

COBIT Framework
• A documented set of IT governance and management best practices crafted by ISACA (Information Systems Audit and Control Association)
• COBIT 5 is widely implemented; ISACA released COBIT 2019 in late 2018
• COBIT 5 key principles:
• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise End-to-End
• Principle 3: Applying a Single, Integrated Framework
• Principle 4: Enabling a Holistic Approach
• Principle 5: Separating Governance From Management

ISO/IEC 27000 Series
• Based on the British standard BS 7799
• First adopted by ISO as ISO/IEC 17799 in 2000
• Renumbered into the ISO/IEC 27000 series from 2005 (ISO/IEC 27001:2005; ISO/IEC 17799 became ISO/IEC 27002 in 2007)

• ISO/IEC 27001 – Information security management system (ISMS) requirements; the certifiable standard
• ISO/IEC 27002 – Code of practice for information security controls (guidance for the controls listed in 27001 Annex A)
• ISO/IEC 27003 – ISMS implementation guidance
• ISO/IEC 27005 – Information security risk management
• ISO/IEC 27006 – Requirements for bodies providing audit and certification of an ISMS
• ISO/IEC 27017 – Security controls for cloud services

NIST Cybersecurity Framework Version 1.1

• Version 1.0 was released in February 2014 and updated to Version 1.1 in April 2018
• The Framework Core organizes security outcomes into five functions: Identify, Protect, Detect, Respond and Recover
• NIST CSF 2.0 (February 2024) supersedes 1.1 and adds a sixth function, Govern

NIST Special Publication (SP) 800 Series

NIST publications intended for Federal agencies (and widely adopted outside government):

• NIST SP 800-30 – Guide for Conducting Risk Assessments
• NIST SP 800-37 – Risk Management Framework (RMF) for Information Systems and Organizations
• NIST SP 800-53 Rev4 – Security and Privacy Controls for Federal Information Systems and Organizations (superseded by Rev 5 in 2020)
• NIST SP 800-63 Rev2 – Electronic Authentication Guideline (superseded by SP 800-63-3, Digital Identity Guidelines, in 2017)
• NIST SP 800-81 Rev2 – Secure Domain Name System (DNS) Deployment Guide
• NIST SP 800-123 – Guide to General Server Security

Process Management Frameworks
• ITIL: a set of detailed practices for IT service management (ITSM)

• Capability Maturity Model Integration (CMMI): a process maturity model that provides a clear definition of what an organization should do to improve its processes

Summary
• Enterprises need security governance to comply with legal, regulatory, business and contractual requirements
• Security governance is documenting policies and best practices, setting roles and responsibilities, implementing the security program and monitoring risk on a day-to-day basis
• Security governance should align with enterprise governance
• Security goals are time-bound, measurable plans

Summary Continued…
• Security is a top-down approach
• Due diligence is a legal term for the research and planning a prudent enterprise performs to protect its information (establishing policies, standards and a framework)
• Due care is acting on that plan: the ongoing practice of implementing and maintaining the controls that the due diligence effort calls for
• Enterprise frameworks are designed for governance of the entire enterprise, including IT and information security
• Information security frameworks are sets of best practices used to establish a security governance program
