Page 156 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Security Governance


Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance is closely related to and often intertwined with corporate and IT governance. The goals of these three governance agendas often interrelate or are the same. For example, a common goal of organizational governance is to ensure that the organization will continue to exist and will grow or expand over time. Thus, the goal of all three forms of governance is to maintain business processes while striving toward growth and resiliency.

Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor. These auditors might be designated by a governing body or might be consultants hired by the target organization.

Another aspect of third-party governance is the application of security oversight on third parties that your organization relies on. Many organizations choose to outsource various aspects of their business operations. Outsourced operations can include security guards, maintenance, technical support, and accounting services. These parties need to stay in compliance with the primary organization's security stance. Otherwise, they present additional risks and vulnerabilities to the primary organization.

Third-party governance focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations. On-site assessments can provide firsthand exposure to the security mechanisms employed at a location. Those performing on-site assessments or audits need to follow auditing protocols (such as Control Objectives for Information and Related Technology [COBIT]) and have a specific checklist of requirements to investigate.

In the auditing and assessment process, both the target and the