Page 81 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Evaluate and Apply Security Governance Principles


Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance principles are closely related to, and often intertwined with, corporate and IT governance. The goals of these three governance agendas are usually the same or interrelated. For example, a common goal of organizational governance is to ensure that the organization will continue to exist and will grow or expand over time. Thus, the common goal of governance is to maintain business processes while striving toward growth and resiliency.


Some aspects of governance are imposed on organizations by legislative and regulatory compliance needs, whereas others are imposed by industry guidelines or license requirements. All forms of governance, including security governance, must be assessed and verified from time to time. Various requirements for auditing and validation may be present due to government regulations or industry best practices. Governance compliance issues often vary from industry to industry and from country to country. As many organizations expand and adapt to deal with a global market, governance issues become more complex. This is especially problematic when laws in different countries differ or in fact conflict. The organization as a whole should be given the direction, guidance, and tools to provide sufficient oversight and management to address threats and risks, with a focus on minimizing downtime and keeping potential loss or damage to a minimum.

As you can tell, the definitions of security governance are often rather stilted and high level. Ultimately, security governance is the implementation of a security solution and a management method that are tightly interconnected. Security governance directly oversees and gets involved in all levels of security. Security is not and should not be treated as an IT issue only. Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. Security is a business operations issue. Security is an