Domain 5
5.1 Security Governance
Summarize elements of effective security governance.
0% Complete

Organizational guidelines and policies establish the administrative framework that dictates how personnel interact with assets, handle data, and respond to operational disruptions.
Common Organizational Policies - Acceptable Use Policy (AUP): A foundational document that defines what users may and may not do on company systems; often signed during onboarding to mitigate personnel risk. - Information Security Policy (ISP): A high-level document declaring the organization’s overall security posture and attitudes toward protecting critical infrastructure. - Credential Policy: Defines rules for passwords, multi-factor authentication, and the management of service accounts versus administrative/root accounts. - BYOD Policy: Outlines requirements for personally owned devices, such as mandatory Mobile Device Management (MDM) enrollment and the organization’s right to remote wipe data. - Privacy Policy: Details how the organization handles Personally Identifiable Information (PII) and ensures compliance with legal and regulatory frameworks.
Business Continuity and Disaster Recovery - Business Continuity (BC): Focuses on maintaining essential functions during and after a disaster (e.g., redundant sites). - Disaster Recovery (DR): Specific IT-oriented plans to restore systems and data after a catastrophic event. - RTO/RPO: Recovery Time Objective (max downtime allowed) and Recovery Point Objective (max data loss allowed) are the metrics driving these policies.
Incident Response (IR) - IR Policy: Defines what constitutes an "incident" and establishes the Incident Response Team (IRT). - Standard Operating Procedures (SOPs): Step-by-step instructions for responders to follow (e.g., isolation of an infected host). - Incident Lifecycle: Typically includes Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Secure Software Development Lifecycle (SDLC) - Security by Design: Integrating security requirements into the initial stages of software development. - Policy Enforcement: Includes mandates for Static Analysis (SAST) of code, Dynamic Analysis (DAST) during runtime, and peer code reviews. - Change Management: Formal processes to ensure that updates or configuration changes do not introduce new vulnerabilities.
Personnel Management - Onboarding/Offboarding: Ensuring access is granted at hire and revoking all credentials immediately upon departure. - Mandatory Vacations: A policy designed to detect fraudulent activity by requiring employees to be away from their duties for a set time. - Job Rotation: Cross-training employees and rotating tasks to prevent collusion and single points of failure.
Quick recall - AUP: Focuses on user behavior and "dos and don'ts." - Change Management: Prevents unauthorized or undocumented system modifications. - MDM/BYOD: Critical for managing risks of personal devices in the workspace. - Lessons Learned: The most important final step in the IR process for long-term improvement.