Welcome to our security governance principles module on control frameworks. Frameworks are proven best practices that you can use to develop the security program in your organization. If your security program does not have a good model, it is similar to a house that does not have a good foundation and will not be beneficial for your organization.
Control frameworks are tools that you can use for your communications with your employees and your security management. You can use them to standardize your administrative, technical, and physical controls. They allow you to take proven best practices and then apply them to your company in order to achieve your goals.
And it's important to remember that your security plan must always support your organization's mission. If your security plan makes it harder for your organization to achieve your mission, then it will most likely not be successful. There are several common frameworks that will help you develop your security policy.
The International Organization for Standardization, or ISO, and the International Electrotechnical Commission, or IEC, have come up with a joint standard for information security management known as the 27000 series. 27001 specifies information security management requirements to provide governance, and 27002 defines security controls that can be used to achieve your mission.
You should remember the difference between these two standards for the CISSP examination, noting that 27001 provides information about governance, and 27002 defines security controls. You also have the Committee of Sponsoring Organizations, or COSO. This model emphasizes financial risks and also focuses on fraud protection by implementing a system of financial checks and balances.
The IT Infrastructure Library, or ITIL, focuses on information technology services and service management, and it's basically a document that provides a framework for various types of service businesses and offers them some best practices. PCI DSS, or the Payment Card Industry Data Security Standard, provides standards that must be followed by organizations that accept credit cards or other types of electronic payments.
The ISO 27001 specification provides us with an information security management system. This framework focuses on your organization's risks, threats, and vulnerabilities, and uses this information to develop security policies. In order to manage risks, it is suggested to implement security controls which are defined in the ISO 27002 standard.
This standard focuses on the fact that it is a management process which must include your upper-level management to make sure that your security controls are implemented and verified to be working properly and protecting your information on an ongoing basis. It also describes an international certification process with external audits to establish mandatory policies and assign responsibilities to your employees.
And it is what is known as a plan, do, check, and then act model, which means that you're going to measure twice and cut once. This should help to avoid any complications that may arise from failing to plan properly. The ISO/IEC 27002 standard defines 12 different security controls and their objectives.
These controls include risk assessment, human resources security, access controls, and business continuity management. The goal here is to implement policies, assign responsibilities, and describe procedures to provide layered protection for your information systems in order to avoid any security complications. The Committee of Sponsoring Organizations, or COSO, model is a corporate governance model which is designed to support your business leadership.
It provides a risk management framework that is primarily focused on financial issues and deterring fraud. This model includes internal financial controls and auditing to deter employees from engaging in unacceptable practices relating to finance. The COBIT model is a business model for information security. There are four main elements of this model, the organizational design and strategy, your people, your processes, and your technology.
This model provides dynamic interconnection factors between the elements such as governance, emergence, and architecture. And the control objectives here are for information technology, and they provide a focus on governance and operational goals and regulatory compliance. You should be familiar with the COBIT model for the CISSP examination, remembering that it has four main elements and dynamic interconnection factors.
The plan, do, check, act model is part of the COBIT framework, and it's designed to provide continuous improvement to your processes. During the planning phase, you will establish your information security management systems. You will then move on to the second phase, where you actually implement the system. During the check phase, you will monitor the system to make sure that it is meeting your expectations and functioning properly.
And during the act phase, you will then maintain your information security management system and implement any necessary improvements to ensure that your organization is safe from security risks. There are some additional frameworks that are often used in information security. The SABSA model, or the Sherwood Applied Business Security Architecture, is a lifecycle model which focuses on risks, and this is an open standard for information security infrastructure development.
The Capability Maturity Model, or CMMI, is designed for software developers and provides maturity or quality ratings for different pieces of software. The ITIL, or Information Technology Infrastructure Library, is generally used for IT service management. And the Six Sigma Model was developed for identifying manufacturing defects, but it can also be used to test the success of information security controls. This concludes the module. Thank you for watching.