Ready to Start Your Career?

The Role of Information Security Governance and Risk Management in the CISSP certification

Rachel Laura M's profile image

By: Rachel Laura M

June 22, 2015

The Certified Information Systems Security Professional (CISSP) certification is a strong credential to have for professionals who have a mix of both technical and managerial experience as well as competence in designing, engineering and the overall management of security programs. Their knowledge helps protect company’s important and confidential information from the growing threat of cyber attacks. This certification is perfect for security professionals in the following positions:
  • Security Consultant
  • Security Manager
  • IT Director/Manager
  • Security Auditor
  • Security Architect
  • Security Analyst
  • Security Systems Engineer
  • Chief Information Security Officer
  • Director of Security
  • Network Architect
The CISSP certification consists of many topics. One of them is Governance and Risk Management; which covers the following:
  • How management views security
  • The structure of the security organization
  • Who the Information Security Officer (ISO) reports to
When studying this particular topic, it is important to realize that security is not just about IT. Information security also centers on what is known as the CIA Triad (not to be confused with the government organization) but rather:
  • Confidentiality: means the data has not been disclosed
  • Integrity: means the data hasn’t been altered
  • Availability: means the data is still there and has not been destroyed
When learning about risk management, one of the first things to learn about is how to assess qualitative risk management vs quantitative risk management. For example, if a system will be down for a certain amount of time, that falls under quantitative risk management whereas qualitative is more subjective and open to individual interpretation. When assessing risk, there are a number of frameworks that can be used:
  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Factor Analysis of Information Risk (FAIR)
  • National Institute of Standards and Technology (NIST) Risk Management Framework
  • Threat Agent Risk Assessment (TARA)
When analyzing risk, it is necessary to answer the following questions:
  • What is the value of the information and assets?
  • What are the threats against these assets?
  • What impact will the threat have on the organization?
  • What is the probability that this threat will occur?
Essentially, the topic of Information Security Governance and Risk Management is truly all encompassing and something a security professional must have an awareness of at all times. A CISSP certification examines all the topics a professional in this field must know to do the best job. There are a variety of methods one can take to obtain this certification and avoid the commonly associated huge fees of training, and these include self-guided book study from the Shon Harris All-in-One to our free CISSP training online.Check out all the free cyber security courses at Cybrary!
Schedule Demo