C2 - Governance and Management of IT - Part A: IT Governance, 2.0-2.3 Flashcards
A system in which all stakeholders, including the board, senior management, internal customers, and departments, provide input into the IT decision-making process
Enterprise Governance of Information and Technology (EGIT)
Broad processes of EGIT:
IT Resource management, Performance measurement, Compliance Management
Makes a clear distinction between governance & management
ISACA’s COBIT Framework
Plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives
Management
Ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives
Governance
The basic outcomes of effective information security governance include strategic alignment, risk management, compliance, and value delivery. These outcomes are enabled through the development of:
performance measurement, resource management, process integration
Process-based information security management (ISM) maturity model for security
O-ISM3 (The Open Group's Open Information Security Management Maturity Model)
Provides guiding principles for members of the governing bodies of organizations on the effective, efficient, and acceptable use of IT within an organization
ISO/IEC 38500:2015: Information Technology - Governance of IT for the Organization
A specification for IT service management aligned with ITIL's service management framework
ISO/IEC 20000
Guidelines on and a common approach to risk management for organizations
ISO 31000:2018 Risk Management - Guidelines
A set of best practices that provides guidance to organizations implementing and maintaining information security programs
ISO/IEC 27000 series
A mandatory requirement, code of practice, or specification approved by a recognized external standards organization
Standards
High-level statements of management intent
Policies
Documented, defined steps for achieving policy objectives
Procedures
Should contain information that will be helpful in executing the procedures
Guidelines