Domain 1: GOVERNANCE AND RISK MANAGEMENT Flashcards
Business driver
Condition, process, requirement, or other concern that influences the way an org manages activities
What does understanding why an organization exists and conducts business precede?
Developing InfoSec Governance
Proprietorship
Single owner/family owned
Proprietorship decision-making process
Single decision maker
Partnership
Multiple owners
Who is responsible for management and risk in a partnership?
All partners
Corporation purpose
Separate liability from the owners
Articles of incorporation
How a business will be run
Primary force driving governance
Shareholder value
CMMI
Capability Maturity Model Integration
CMMI Levels
- Initial
- Managed
- Defined
- Quantitatively Managed
- Optimizing
CMMI Proactive levels
3-5 (Defined, Quantitatively Managed, Optimizing)
When do orgs realize the benefits of mapping processes to organizational standards and achieving consistency?
CMMI Level 3
Business drivers affect…
Decisions made in an organization
Most important InfoSec drivers? (2)
Business compliance
Privacy needs
CISO must understand these drivers (4)
Objectives
Business processes supporting objectives
Information and technology
Threats to operations
First things CISOs need to do
Understand how the org works: people, revenue streams
ISMS
Policy, guided by Governance and Compliance
Then everything under that.
Risk, Architecture, Asset Classification, SecOps
Business Resilience
Training
Metrics & Reporting
Benefit of a security policy
Provides legal protection because of a stated commitment to requirements
Most common reason companies create security policies…
Regulatory requirements
Other reasons for policies
Compliance
Frameworks (ISO)
Most important content
Understandable
Target Audience
Policy best-practices (5)
Concise
Common Language
Consistent with law
Reasonable
Enforceable
Who must support a policy?
Senior Management
Traditional role of CISO is to develop processes to support 4 objectives
Reduce IT Risk
Establish and implement security policies and procedures
Establish standards and controls
Respond to incidents
Ethics
Moral principles that govern behavior of a person or group.