How to Apply Security Governance Principles for the CISSP Exam

By Lawrence C. Miller, Peter H. Gregory

For the International Information System Security Certification Consortium (ISC)2 CISSP exam, you must fully understand and be able to apply security governance principles including the following:

  • Alignment of security function to business strategy, goals, mission, and objectives
  • Organizational processes
  • Security roles and responsibilities
  • Control frameworks
  • Due care
  • Due diligence

Alignment of security function to business strategy, goals, mission, and objectives

In order for an information security program to be effective, it must be aligned with the organization’s mission, strategy, goals, and objectives; thus, you must understand the differences and relationships between an organization’s mission statement, strategy, goals, and objectives. You also need to know how these elements can affect the organization’s information security policies and program. Proper alignment with the organization’s mission, strategy, goals, and objectives also helps to build business cases, secure budgets, and allocate resources for security program initiatives. With proper alignment, security projects and other activities are appropriately prioritized, and they fit better into organization policies, practices, and processes.

Mission (not-so-impossible) and strategy

Corny heading, yes, but there’s a good chance you’re humming the Mission Impossible theme song now — mission accomplished!

An organization’s mission statement expresses its reason for existence. A good mission statement is an easily understood, general-purpose statement that says what the organization is, what it does, why it exists, and why it does what it does in the way that it has chosen.

An organization’s strategy describes how it accomplishes its mission and is frequently adapted to address new challenges and business realities.

Goals and objectives

A goal is something (or many somethings) that an organization hopes to accomplish. A goal should be consistent with the organization’s mission statement or philosophy, and it should help define a vision for the organization. It should also whip people into a wild frenzy, running around their offices, waving their arms in the air, and yelling “GOOOAAALLL!” (Well, maybe only if they’re World Cup fans.)

An objective is a milestone or a specific result that is expected and, as such, helps an organization attain its goals and achieve its mission.

Security personnel should be acutely aware of their organizations’ goals and objectives. Only then can security professionals ensure that security capabilities will work with and protect all the organization’s current, changing, and new products, services, and endeavors.

Organizations often use the terms goals and objectives interchangeably without distinction. Worse yet, some organizations refer to goals as long-term objectives, and objectives as short-term goals! For the CISSP exam, an objective (short-term) supports a goal (intermediate-term), which supports a mission (long-term), which is accomplished with a well-defined strategy. All of these fall under the umbrella of the organization’s mission statement.

Governance committees and executive oversight

Security management starts (or should start!) at the top with executive management and board-level oversight. This generally takes the form of security governance, which simply means that the organization’s governing body has set the direction and the organization has policies and processes in place to ensure that executive management is following that direction, is fully informed, and is in control of information security strategy, policy, and operations.

A governance committee is a group of executives and/or managers who regularly meet to review security incidents, projects, operational metrics, and other aspects of concern to them. The governance committee will occasionally issue mandates to security management about new business activities and shifts in priorities and strategic direction.

In practice, this is not much different from governance in IT or other departments. Governance is how executive management stays involved in the goings-on in IT, security, and other parts of the business.

Acquisitions and divestitures

Organizations, particularly in private industry, are continually reinventing themselves. More than ever before, it is important to be agile and competitive. This results in organizations acquiring other organizations, organizations splitting themselves into two (or more) separate companies, and internal reorganizations that change the alignment of teams, departments, divisions, and business units.

There are several security-related considerations that should be taken into account when an organization acquires another organization, or when two (or more) organizations merge:

  • Security governance and management. How is security managed in each organization, and what important differences are there?
  • Security policy. How do policies between the two organizations differ, and what issues will be encountered when merging the policies into one?
  • Security posture. Which security controls are present in each organization, and how different are they from one another?
  • Security operations. What security operations are in place today and how do they operate? This includes vulnerability management, event monitoring, identity and access management, third-party risk management, and incident management.

If the security posture of one organization is vastly different from the other’s, the organization should not be too hasty to connect the two organizations’ networks together; the gaps identified above should be assessed and closed (or isolated) first.

Interestingly, when an organization divides itself into two (or more) separate organizations or sells off a division, the situation can be trickier. Each new company will probably need to duplicate the security governance, management, controls, operations, and tools that the single organization had before the split. This doesn’t always mean that the two separate security functions need to be the same as the old one; it is important to fully understand the business mission of each new organization, and which security regulations and standards apply to it. Only then can information security be aligned to each new organization.

Security roles and responsibilities

The truism that information security is “everyone’s responsibility” is too often put into practice as “everyone is responsible, but no one is accountable.” To avoid this pitfall, specific roles and responsibilities for information security should be defined in an organization’s security policy, in individual job or position descriptions, and in third-party contracts. These roles and responsibilities should apply to employees, consultants, contractors, interns, and vendors, and they should apply to every level of staff, from C-level executives to line employees.

Management

Senior-level management is often responsible for information security at several levels, including the role as an information owner, which we discuss in the following section. However, in this context, management has a responsibility to demonstrate a strong commitment to an organization’s information security program through the following actions:

  • Creating, mandating, and approving a corporate information security policy: This policy should include a statement of support from management and should also be signed by the CEO, COO, CIO, or the Chairman of the Board.
  • Leading by example: A CEO who carries a mandatory identification badge and uses system access controls like everyone else sets a good example.
  • Rewarding compliance: Management should expect proper security behavior and acknowledge, recognize, and/or reward employees accordingly.

Management is always ultimately responsible for an organization’s overall information security and for any information security decisions that are made (or not made). Our role as information security professionals is to report security issues and to make appropriate information security recommendations to management.

Users

An end-user (or user) includes just about everyone within an organization. Users aren’t specifically designated. They can be broadly defined as anyone who has authorized access to an organization’s internal information or information systems. Users include employees, contractors and other temporary help, consultants, vendors, customers, and anyone else with access. Some organizations call them employees, partners, associates, or what-have-you. Typical user responsibilities include

  • Complying with all applicable security requirements defined in organizational policies, standards, and procedures; applicable legislative or regulatory requirements; and contractual requirements (such as non-disclosure agreements and Service Level Agreements).
  • Exercising due care in safeguarding organizational information and information assets.
  • Participating in information security training and awareness efforts as required.
  • Reporting any suspicious activity, security violations, security problems, or security concerns to appropriate personnel.

Due care

Due care is the conduct that a reasonable person exercises in a given situation, which provides a standard for determining negligence. In the practice of information security, due care relates to the steps that individuals or organizations take to perform their duties and implement security best practices.

Another important aspect of due care is the principle of culpable negligence. If an organization fails to follow a standard of due care in the protection of its assets (or its personnel), the organization may be held culpably negligent. In such cases, jury awards may be adjusted accordingly, and the organization’s insurance company may be required to pay only a portion of any loss — the organization may get stuck paying the rest of the bill!

Due diligence

Due diligence is the prudent management and execution of due care. It’s most often used in legal and financial circles to describe the actions that an organization takes to research the viability and merits of an investment or merger/acquisition opportunity. In the context of information security, due diligence commonly refers to risk identification and risk management practices, not only in the day-to-day operations of an organization, but also in the case of technology procurement, as well as mergers and acquisitions.

The concepts of due care and due diligence are related but distinctly different. For example, in practice, due care is turning on logging; due diligence is regularly reviewing the logs.