Читать книгу The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Страница 31

Security governance is the set of responsibilities, policies, and procedures related to defining, managing, and overseeing security practices at an organization. Security is often mistakenly considered to be an IT issue; in actuality, securing an organization's assets and data is a business issue and requires a high level of planning and oversight by people throughout the entire organization, not just the IT department. Because security is a wide-ranging business issue, security governance commonly overlaps with corporate governance and IT governance for an organization. As such, security governance is typically led by executive management at a company, usually including the board of directors. Applying security governance principles involves the following:

 Aligning the organization's security function to the company's business strategy, goals, mission, and objectives

 Defining and managing organizational processes that require security involvement or oversight (e.g., acquisitions, divestitures, and governance committees)

 Developing security roles and responsibilities throughout the organization

 Identifying one or more security control frameworks to align your organization with

 Conducting due diligence and due care activities on an ongoing basis