Information Security Governance
Information Security Governance is information security at the organizational level: senior management, policies, processes, and staffing. It is also the organizational priority provided by senior leadership, which is required for a successful information security program.
Security Policy and Related Documents
Documents such as policies and procedures are a required part of any successful information security program. These documents should be grounded in reality: they are not idealistic documents that sit on shelves collecting dust. They should mirror the real world, and provide guidance on the correct (and sometimes required) way of doing things.
Exam Warning:
When discussing policies and related documents, applying terms like “mandatory” (compulsory) and “discretionary” may be a bit of an overstatement, but it is a useful one for the exam, and this text will use those terms. We live in an information security world that is painted in shades of gray, but the exam asks black-and-white questions about the best choice. A guideline to follow best practices is “discretionary,” but if you decide not to follow a guideline, the decision should be well thought out and documented.
Policy
Policies are high-level management directives. Policy is mandatory: if you do not agree with your company’s sexual harassment policy, for example, you do not have the option of not following it.
Policy is high level: it does not delve into specifics. A server security policy would discuss protecting the confidentiality, integrity, and availability of the system (usually in those terms). It may discuss software updates and patching. The policy would not use terms like “Linux” or “Windows”; that is too low level. In fact, if you converted your servers from Windows to Linux, your server policy would not change. Other documents, like procedures, would change.