MISSION CISSP
• Why Security Governance?
• What is Governance?
• Security Planning
• Enterprise Frameworks
• Security Frameworks
Why does an organization need security?
Security Governance
• Develop an Information Security Program
• Define management roles and committee responsibilities
• Identify legal issues and assess their impact
• Establish and maintain security policies
• Develop procedures and guidelines; implement standards to support the policies
• Develop a business case
Governance Alignment
(figure: Corporate Governance, IT Governance and Information Security Governance)
How Security Planning works
(figure: planning hierarchy)
• Vision: why we exist
• Objective 1, Objective 2, Objective 3: what we must achieve for success
• Actions (A1, A2, A3, B1, B2, B3, C1, C2): planned actions to achieve each objective
Types of Security Plans
Organisation Roles and Responsibilities
(figure: roles-and-responsibilities matrix, including divestiture)
Due Care and Due Diligence
• Due care
• Due diligence
• Downstream Liability
Security Control Framework
• A framework is a logical structure
• A series of documented processes used to define the policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment
• Categories:
• International (e.g. ISO/IEC 27001)
• National (e.g. NIST CSF)
• Regulatory (e.g. SOX and GLBA)
• Industry specific (e.g. PCI DSS)
Enterprise Frameworks
COSO, Zachman and SABSA frameworks
COSO Framework
• Committee of Sponsoring Organisations of the Treadway Commission (COSO)
• Established to combat corporate fraud (fraudulent financial reporting)
• Enterprise governance and risk-based framework designed to address the following aspects:
• Ethics
• Fraud
• Internal Control
• Risk Management
• Reporting
Enterprise Frameworks
• Zachman Framework
• Enterprise architecture framework for viewing and defining an enterprise (a matrix of stakeholder perspectives against the interrogatives what, how, where, who, when and why)
• SABSA Model (Sherwood Applied Business Security Architecture)
• Security architecture framework with a layered structure similar to the Zachman Framework
COBIT Framework
• Framework of IT governance and management best practices published by ISACA (Information Systems Audit and Control Association)
• COBIT 5 is still widely implemented; ISACA released its successor, COBIT 2019, in 2018
• COBIT 5 key principles:
• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise End-to-End
• Principle 3: Applying a Single, Integrated Framework
• Principle 4: Enabling a Holistic Approach
• Principle 5: Separating Governance From Management
ISO / IEC 27000 Series
• Based on the British standard BS 7799
• BS 7799 Part 1 was first adopted by ISO as ISO/IEC 17799 in 2000 and later renumbered ISO/IEC 27002; BS 7799 Part 2 became ISO/IEC 27001 in 2005
NIST Cybersecurity Framework Version 1.1
NIST Special Publication (SP) 800 Series
Process Management Frameworks
• ITIL: set of detailed practices for IT service management (ITSM)
Summary
• Enterprises need security governance to comply with legal, regulatory, business and contractual requirements
• Security governance means documenting policies and best practices, setting roles and responsibilities, implementing the security program and monitoring risk on a day-to-day basis
• Security governance should align with enterprise governance
• Security goals are measurable, time-bound plans
Summary Continued…
• Security is a top-down approach
• Due care is a legal term: the enterprise takes the prudent actions (setting up policies and a framework) that a reasonable organisation would take to protect its information
• Due diligence is the act of following best practices and maintaining due care over time
• Enterprise frameworks are designed for governance of the entire enterprise, including IT and information security
• Information security frameworks are sets of best practices for establishing a security governance framework