Welcome to our security governance principles module. Information security governance is focused on protecting our information from any type of security risks. It is important that we try to minimize our exposure to threats to our information security. In order to ensure proper information security governance, we have to define the roles and responsibilities of our management staff, and our board of directors.
We have to make sure that our information security is effective and aligned with our business goals and objectives. It's important to make sure that we are complying with any legal, or regulatory requirements depending on our industry. We have to make sure that we manage our information security risks appropriately.
It is important to make sure that our staff is provided with appropriate security training. It is important to make sure that we are training all individuals in our organization, even those who do not necessarily have access to our information resources. We must make sure that our enterprise IT resources are used correctly.
We must make sure that we monitor our security controls by using metrics, auditing, and risk management. And we also need to put systems in place to enforce policies, and make sure employees are held accountable for their actions. It is helpful to develop organizational processes. If we can come up with a systematic, formal, repeatable approach, it will make it much easier to maintain information security in our enterprise.
Typically, when we have technological flaws in our system, this is a symptom of poor security processes, and can be avoided. We should have a security policy which discusses our assets and how we will protect them. We should have clear operational procedures to make sure that all of our activities take place as they were planned, and make sure that they're documented appropriately.
We can reduce our risk using configuration management plans and change control. And baselines are used to define a minimum acceptable level of security, and this is a term you want to be familiar with because you'll most likely see it on the CISSP examination. And we can use guidelines to recommend the best practices to follow.
You should also remember for the CISSP exam that guidelines are simply a suggestion, and do not necessarily need to be followed the way that policies and procedures should be. It is important to make sure that our security functions are properly aligned with our business objectives and strategies. First we will have to identify the systems in our organization and the types of data they maintain, and determine how we need to maintain the confidentiality, integrity and availability of that data. We need to determine how valuable systems are to our organization and the different sensitivities of the data that they store. We also need to determine, if an incident occurs, what the impact is to our organization's mission.
We should determine how long our systems can be offline before we're negatively impacting our business. And then we need to make sure that the appropriate level of security is in place to minimize the risks to our organization, and respond appropriately to any incidents that may occur. Our security policies should clearly define roles and responsibilities for the individuals in our organization.
Some of these individuals include our person at the top, or final decision maker, such as the CEO (chief executive officer), designated approving authority, or commander. This is the only person that should be accepting any risks in our systems. And they will be responsible for making decisions about implementing security controls, by evaluating the cost versus the benefit of those controls.
Our chief information officer, or CIO, is a term you should be familiar with for the CISSP examination. This is the executive in charge of our information technology. Our chief operating officer, or COO, is responsible for our daily operations. Our certification authority, or CA, is part of our certification and accreditation process.
The chief financial officer, or CFO, is generally responsible for risk management and record keeping. And finally, our CISO, or chief information security officer, focuses on our information technology and our IT risk management. And you should also be familiar with the CISO for the CISSP exam. It is important that we understand the individuals that use our system and their roles in that system.
Auditors, assessors, or the inspector general are responsible for independent compliance and effectiveness evaluation, and then reporting on their findings. Our information assurance security officer is responsible for carrying out our information assurance duties, including reporting. Our system or data owner is the overall person responsible for determining the classification or sensitivity of data.
And you want to remember that for the CISSP exam. The data owner is responsible for classifying the data, and is ultimately responsible for it. Our certification agent, validators, or certifiers are responsible for performing certification and accreditation testing. Our system administrator, or network administrator, is in charge of controlling access to resources, as well as monitoring to make sure our systems are working appropriately.
The data custodian is responsible for the daily operation of our data: making sure to maintain it, protect it, and making sure that it gets backed up appropriately. And then the user is the one who ultimately uses the data. So based on the permissions assigned by the data owner, the security administrator will assign access to those individuals who need to be able to access a system or a resource. The best approach to information security management is a top-down approach. With a top-down approach, information security policies and procedures are defined and implemented at the senior management level. We have a high level of support in this model from our senior management, including funding, making sure that we have adequate staffing, and also enforcing policies if there is a violation.
With the bottom-up approach, the IT department attempts to implement security from the bottom up, forcing it upon middle management and then on to senior management. This model is very rarely successful because the staff members who are attempting to implement security controls are not receiving adequate assistance from their upper-level management.
They may not receive adequate funding or staffing in order to complete their objectives. This concludes the module. Thank you for watching!