CISSP Domain 1.2: Security Governance Overview
Learn key principles of security governance in CISSP Domain 1.2 to enhance understanding and memorization for exam success. 🔐

CISSPrep
8.7K views • May 22, 2019

About this video
This lesson will help CISSP candidates quickly understand and memorize the principles of security governance as presented in Domain 1, Security and Risk Management.
https://www.facebook.com/CISSPMicroModules/
Security governance is how security is managed: through the policies, roles, and processes used to make security decisions.
Security must align with organizational goals (not dominate or drive them).
Security is optional (a support function).
Remember that security, and the budget that funds it, can be “done away” with at any time.
Security practitioners must align with organizational goals; doing so may help keep costs down and helps the security program serve the organization properly.
A governance committee is a formal decision-making body within the organization.
Acquisition is when a company purchases another to become one of its subsidiaries.
Merger is when two companies are combined into one.
Divestiture is when a company cedes, or gives up control of, one of its subsidiaries.
If you’re not familiar with these terms, you should read up on them and how they impact security.
Remember that the "C" titles (CEO, CFO, etc.) can sponsor security policy and help push it out.
Roles of the security manager may include: managing day-to-day security operations; advising management on security decisions, including change management, configuration management, and security product solutions; and participating in or leading incident response and disaster recovery efforts.
A framework is a shell of something, or a starting point, so a security control framework is simply a list or set of controls.
ISO 27001 – information security management system (ISMS), which focuses on governance.
ISO 27002 – security controls.
COBIT – a framework aimed at documenting organizational IT security. If you take the first three letters of COBIT (Cob) and reverse them, it spells “Doc”, and the O and IT you can remember as “Organizational” and “IT”.
ITIL – how IT can serve business functions. Remember it by thinking “I tilt it this way, or that way” for the business.
NIST Special Publications (risk management frameworks), such as SP 800-53, which is a set of security controls, and SP 800-37, which is the Risk Management Framework.
CSA STAR is from the Cloud Security Alliance, which publishes standards for cloud security. Of interest are its three tiers: in Tier 1, participants self-assess by filling out a questionnaire; Tier 2 is a third-party assessment; and Tier 3 is continuous monitoring by a certified independent organization.
The last two concepts of this module are due diligence and due care which I'll cover in another video.
Video Information: 8.7K views • 50 likes • Duration 5:57 • Published May 22, 2019