Chapter 5 - 02 - UISG and Compliance Program - 03_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Chapter 3 - 01 - Discuss Information Security Fundamentals - 01_ocred.pdf
- Chapter 3 - 01 - Discuss Information Security Fundamentals - 02_ocred.pdf
- Chapter 3 - 01 - Discuss Information Security Fundamentals - 03_ocred.pdf
- Module 05 - Network Security Controls - Administrative Controls_fax_ocred.pdf
- Chapter 3 - 01 - Discuss Information Security Fundamentals_fax_ocred.pdf
- Session 1 Cyber security Awareness & Network (1).pdf
Full Transcript
Certified Cybersecurity Technician Network Security Controls - Administrative Controls Exam 212-82 Information Security Drivers Alignment with the business, compliance, and privacy are among the most important information security drivers an organization must address | | Organizational alignment is...
Certified Cybersecurity Technician Network Security Controls - Administrative Controls Exam 212-82 Information Security Drivers Alignment with the business, compliance, and privacy are among the most important information security drivers an organization must address | | Organizational alignment is one of the most important drivers for information security governance ®0 0O 1 ! The security professional can achieve harmony and alignment between the business and security by mapping information security governance to the foundations provided by corporate governance The security professional must understand the organization before alignment can occur Because competitive forces produce different reactions to business drivers, the security professional must understand the objectives of the business, the business processes created to support those objectives, information and technology supporting these processes, and the threats that could disrupt those processes Copyright © by EC-Council All Rights Reserved. Reproductionis Strictly Prohibited Information Security Drivers Business drivers affect the decisions made in an organization. Information security drivers are also worth consideration because of their effect on the management and operation of an organization. Alignment with the business, compliance, and privacy are among the most important information security drivers an organization must address. Corporate governance influences the programs and activities created to support information security governance. Priorities defined at the corporate governance level provide the foundation for most information security decisions. They often influence, and sometimes outweigh, information security priorities. Business and operational priorities of the organization affect not only the strategy for information security governance, but also the resources dedicated to accomplishing security goals and objectives. Organizational alignment is one of the most important drivers for information security governance. The security professional can achieve harmony and alignment between the business and security by mapping information security governance to the foundations provided by corporate governance. Success and effectiveness for this approach rely on understanding the influence of corporate governance and then incorporating corporate governance principles into the security program. The efforts to achieve this balance reinforce the importance of executive buy-in and corporate communication. They also highlight the value of relationships between the security professional and other organizational leaders. Optimally, information security governance should flow naturally from the highest levels of leadership and permeate, top-down, throughout the rest of the organization. The approach used to achieve alignment with the business varies on the basis of the size, industry, and complexity of the organization. For example, larger corporations operating in regulated environments often dedicate more resources to a more comprehensive security Module 05 Page 548 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 program. Smaller organizations with fewer resources tend to focus on key components of the security program, dedicating organizational resources to the most important aspects of security and outsourcing other components of the security program to vendors and managed service providers. The security professional must understand the organization before alignment can occur. Because competitive forces produce different reactions to business drivers, the security professional must understand the objectives of the business, the business processes created to support those objectives, information and technology supporting these processes, and the threats that could disrupt those processes. Module 05 Page 549 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Managing an Enterprise Information Security Compliance Program Information Security Management System/Framework Security Management and Operations Driving the information security program requires compliance with various laws, regulations, standards, and Business Continuity S Management r—_ T frameworks. MmO Q oSN < OO E.T Security Metrics an Q The practical mechanism for enabling this activity is through the creation of an information security Information Security Management System management program Copyright © by L All Rights Reserved. Reproduction is Strictly Prohibited Managing an Enterprise Information Security Compliance Program Driving the information security program requires compliance with various laws, regulations, standards, and frameworks. The practical mechanism for enabling this activity is through the creation of an information security management program. Today’s information security management programs encompass more than just firewalls and passwords. They are organization-wide programs that are designed to enable the business to operate in a state of reduced risk. The effective management of information security in an organization or enterprise encompasses all organizational and operational processes and participants relevant to information security. Information security should be an ongoing process, which when fully developed, will position an organization to address the right security issues so that the business fulfills its objectives. The information security management processes, procedures, standards, and framework is a combination of well-defined policies, guidelines information security. The figure below shows how information security management system fit together. Module 05 Page 550 for establishing all of the pieces the required level of of a comprehensive Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 G 0o v e r n a n c e Information Security Management System Figure 5.3 Information Security Management System/Framework Module 05 Page 551 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
