Page 82 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

organizational process, not just something the IT geeks do behind the scenes. Using the term "security governance" is an attempt to emphasize this point by indicating that security needs to be managed and governed throughout the organization, not just in the IT department.

Security governance is commonly managed by a governance committee or, at a minimum, by the board of directors. This is the group of influential knowledge experts whose primary task is to oversee and guide the security and operations activities of the organization. Security is a complex task, and organizations are often large and difficult to understand from a single viewpoint. Having a group of experts work together toward the goal of reliable security governance is a sound strategy.

There are numerous security frameworks and governance guidelines, including NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) and NIST SP 800-100 (Information Security Handbook: A Guide for Managers). While the NIST guidance is written for U.S. federal government use, it can be adopted and adapted by other types of organizations as well. Many organizations adopt security frameworks in an effort to standardize and organize what can become a complex and bewilderingly messy activity, namely attempting to implement reasonable security governance.


Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives

Security management planning ensures the proper creation, implementation, and enforcement of a security policy. It aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources. A business case is usually a documented argument or stated position that defines a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or to choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security. It is also important to consider the budget that can be allocated to a business need-based security project. Security can be