Page 86 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Organizational Processes


Security governance needs to address every aspect of an organization. This includes the organizational processes of acquisitions, divestitures, and governance committees. Acquisitions and mergers place an organization at an increased level of risk. Such risks include inappropriate information disclosure, data loss, downtime, or failure to achieve sufficient return on investment (ROI). In addition to all the typical business and financial aspects of mergers and acquisitions, a healthy dose of security oversight and increased scrutiny is often essential to reduce the likelihood of losses during such a period of transformation.

Similarly, a divestiture or any form of asset or employee reduction is another time period of increased risk and thus increased need for focused security governance. Assets need to be sanitized to prevent data leakage. Storage media should be removed and destroyed, because media sanitization techniques do not guarantee against data remnant recovery. Employees released from duty need to be debriefed. This process is often called an exit interview. This process usually involves reviewing any nondisclosure agreements as well as any other binding contracts or agreements that will continue after employment has ceased.

Two additional examples of organizational processes that are essential to strong security governance are change control/change management and data classification.


Change Control/Management

Another important aspect of security management is the control or management of change. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. This usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. The records of changes to an environment are then used to identify agents of change, whether those agents are objects, subjects, programs,