
richardb8006 | Chief Information Security Officer (CISO) | Module 2 - Information Security Governance

By: richardb8006 | Related Course: Chief Information Security Officer (CISO) | Published: February 4, 2018 | Modified: February 4, 2018

Module 2 - CIA intro

CIA Intro

This lesson covers the principles of security. We can remember the three principles of security using the acronym CIA:

  • Confidentiality: preventing the unauthorized disclosure of data
  • Integrity: preventing the unauthorized modification of data, and detecting any such unauthorized modification when it occurs
  • Availability: ensuring timely access to data and resources

You will familiarize yourself with the security objectives that we must strive to achieve, and remember them using the acronym SMART.

Our security objectives must be:

  • Specific: for example, increasing application security
  • Measurable: you have to know when you have achieved your goal
  • Attainable: is it something that can actually be done?
  • Realistic: can the objective be achieved within the realm of possibility?
  • Timely: can the goal be reached within a specific period of time?

You must keep in mind all the threats that can compromise your data security within the CIA and SMART frameworks.

Module 2 - Information Security Governance

Information Security Governance

This lesson will cover information security governance within the role of the CISO.

Information security governance is the set of responsibilities and practices implemented by the board and senior management for protecting the C-I-A of information. Information security governance should, therefore:

  • Provide long-term goals and short-term objectives
  • Include metrics by which to determine success
  • Be based on sound risk management principles
  • Ensure that the enterprise's resources are used appropriately
  • Require an in-depth understanding of the value of an organization's information

Ultimately, the responsibility for information security must rest upon the organization's executive level. Information security is an executive responsibility because:

  • If an organization's senior management, including the board of directors, senior executives, and all managers, does not establish and reinforce the business need for effective enterprise security, the organization's desired state of security will not be articulated, achieved, or sustained
  • To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at the governance level and not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance

Security is a non-negotiable aspect of the business environment, because if you don't protect your information you will be out of business.

Module 2 - Information Security governance overview


  • Information security governance is the set of responsibilities and practices implemented by the board and senior management for protecting the CIA of information
  • Should provide long-term goals and short-term objectives
  • Should also include metrics by which to determine success
  • Based on sound risk management principles
  • Ensures that the enterprise's resources are used appropriately
  • Requires an in-depth understanding of the value of an organization's information

Responsibilities of the CISO

  • Responsible for providing CIA for all information assets
  • Communicating risks to senior management
  • Recommending best practices to influence policies, standards, procedures, and guidelines
  • Establishing security measurements
  • Ensuring compliance with government and industry regulations
  • Maintaining awareness of emerging threats

Roles and responsibilities

Senior/executive management:

  • CEO: chief decision maker
  • CFO: responsible for budgeting and finances
  • CIO: ensures technology supports the company's objectives
  • CISO: risk analysis and mitigation
  • Steering committee: defines risks, objectives, and approaches
  • Auditors: evaluate business processes
  • Data owner: classifies data
  • Data custodian: day-to-day maintenance of data
  • Network administrator: ensures availability of network resources
  • Security administrator: responsible for all security-related tasks, focusing on confidentiality and integrity

Module 2 - Security Management Program

This module covers what a security management program looks like and which elements help make it successful.

The importance of senior management involvement in data security cannot be emphasized enough; they understand all the elements of the business and how they work together. Consequently, they can help us prioritize and understand critical business functions, and how best to spend our budget. Senior management can answer the question: how much security do we need?

Important points:

  • You can have too much security if your security measures begin to interfere with the work of the business
  • You have to think about security in terms of cost-benefit analysis: how much security is enough to support the functions and business needs of our environment?

These issues must be resolved by senior management who will provide the necessary governance and establish and manage:

  • Policies/standards/procedures/guidelines
  • Roles and responsibilities
  • Service level agreements/outsourcing
  • Data classification/security
  • Certification and accreditation
  • Auditing

The ultimate responsibility for security in an organization falls on senior management, as the individuals who have been entrusted with the company's assets and who are liable in any legal action against the company or for the repercussions of not following regulations.

The end result is that everyone working under senior management will respect and abide by the policies, standards, procedures, and guidelines as set forth by the executive level and ensure that the security management program is implemented in an effective manner.

What makes an information security management program successful?

  • Senior management involvement
  • Governance
  • Policies/standards/procedures/guidelines
  • Roles and responsibilities
  • Service level agreements (SLAs)/outsourcing
  • Data classification/security
  • Certification and accreditation (C&A)
  • Auditing
