Information Security Governance and Risk Management
The Information Security Governance and Risk Management domain entails the identification of an organization’s information assets and the development, documentation, implementation and updating of policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate their vulnerabilities so that effective security measures and controls can be implemented.
The candidate is expected to understand the planning, organization, roles and responsibilities of individuals in identifying and securing an organization’s information assets; the development and use of policies stating management’s views and position on particular topics, and the use of guidelines, standards, and procedures to support those policies; security training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidential, proprietary and private information; third-party management and service-level agreements related to information security; employment agreements, employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.
Chapter 6 covers this domain, which deals with these major topics:
Understanding and aligning security functions with organizational goals, missions, and objectives
Understanding and applying security governance, including concepts, processes, and compliance
Meeting demands for confidentiality, integrity, and availability
Developing and implementing security policies, procedures, standards, guidelines, and documentation
Managing the information life cycle
Managing third-party governance
Defining concepts and principles of risk management
Establishing policies, practices, and controls for personnel security
Maintaining security education, training, and awareness
Managing security functions, including budgets, metrics, and resources