Role of IT Security Governance And Responsibilities – CompTIA Security+

If a security control is the cornerstone of everything that an I.T. security person does, then that kind of begs the question: where do they come from? I mean, the standard type of organization is going to have tens of thousands, hundreds of thousands, zillions of different security controls, so we have to start with something. And we do that through a process known as governance.
Governance – A set of overarching rules that define how an organization and its personnel conduct themselves.
IT Security Governance Influences – How The Organization Conducts IT Security
Well, that sounds easy enough. But governance is a big topic. It covers a whole lot more than I.T. security, so what we’re going to be talking about is I.T. security governance. Those are the set of overarching rules that define how an organization and its personnel conduct their I.T. security. To do this we have to draw on some sources. There are a lot of sources out there, and we take these sources and start to build up our set of rules. So let’s take a look at the different types of sources that we use.
Laws and Regulations
The first source for security governance is laws and regulations. There are lots of laws and regulations out there that affect our I.T. security. A great example here in the United States is HIPAA, which governs how health care professionals take care of personal data.
Standards
Second are standards. Standards can really be broken into two different types. First are what we call government standards. Here in the U.S. that’s going to be the National Institute of Standards; in Europe it might be ISO. These are organizations that provide specific standards on how to do I.T. security. Second are industry standards, and probably the best example of that is PCI-DSS. Anybody who works with a credit card on the Internet in any way, shape or form deals with PCI-DSS standards.
Best Practices
Third are best practices. Best practices are just how different people tell you the best way to do their stuff. The most famous of these are the Microsoft best practices, which define tens of thousands of ways to properly set up a Microsoft network.
Common Sense and Experience
Common sense and experience are really important. What it boils down to is thinking about what has worked in the past, what I have understood to be the best way to do something, and what just sounds right.
Policies
Once we take a look at all of these sources for governance, our next job is to create two very different types of documents. First are what we call policies. A policy is a document, a document that you can hold in your hand, that defines how we’re going to be doing something.
A policy is always going to say “we will do this” or “this will take place,” so policies are very directive in nature. They are also often used to define roles and responsibilities. So there’s usually some organization’s policy that says we will always have a chief information security officer, and there will be three security analysts under that position.