
Domain 1: Information Security Governance and Risk Management

Mission Statement: A mission statement is a statement of the purpose of a company or organization which guides the actions of the organization, spells out its overall goal, provides a path, and guides decision-making.

Goal: A goal is a desired result an organization envisions, plans and commits to achieve.

Business Objective: A business objective is the map you will use to reach the goals you have for your organization.

Information Security: Information security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption.

Information Security Management: Information security management includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education.

Security Governance: Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.

Acquisition: An acquisition is the purchase of one business or company by another company or other business entity.

Divestment: Divestment or divestiture is the reduction of some kind of asset for either financial or ethical objectives, or the sale of an existing business by a firm. A divestment is the opposite of an investment.

Role of Governance Committee: The governance committee's main role is to recruit new board members and to ensure that each board member is equipped with the proper tools and motivation to carry out his or her responsibilities.

Service Level Agreement: A service level agreement (SLA) is a formally defined level of service provided by an organization.

Outsourcing: Outsourcing is the subcontracting of a business process to a third-party company.

Auditing: Auditing means verifying compliance to a security control framework or published specification.

Control Framework: A control framework is a data structure that organizes and categorizes an organization's internal controls, which are practices and procedures established to create business value and minimize risk.

Administrative Control: Administrative controls include the developing and publishing of policies, standards, procedures, and guidelines; the screening of personnel; conducting security-awareness training; and implementing change control procedures.

Technical Control: Technical controls (also called logical controls) consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and the configuration of the infrastructure.

Physical Control: Physical controls consist of controlling individual access into the facility and different departments, locking systems and removing unnecessary pen drives or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.

Top Down Approach: A security program should use a top-down approach, meaning that the initiation, support and direction come from top management and work their way through middle management and then to staff members.

Due Care: Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible threats.
