Security governance principles and the CISSP

May 12, 2017

This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.

In today’s world, where practically every transaction can be done and completed online, high-level security is of utmost importance in battling different forms of cyberspace attacks. Companies catering to different markets have been victims of security breaches, identity thefts, and other forms of information security risks.

It doesn’t come as a surprise that companies that put a premium on information security invest not only in the best software, but also in the most competent information security professionals, who keep their knowledge up to date and work to global standards. The Certified Information Systems Security Professional (CISSP) is a globally recognized certification that companies and business owners look for when hiring information security professionals such as security managers, security consultants, security directors, security systems engineers, and security architects. It is awarded by the International Information System Security Consortium (ISC2).

Information security professionals who are interested in taking the CISSP exam should expect challenging, sometimes tricky questions that help separate the qualified from the unqualified. The exam covers several areas; one of them is security governance principles.

What are the CISSP security governance principles you need to know for the exam?

Exam takers should be prepared to answer questions on the principles of security governance if they hope to pass the exam with flying colors. The questions on these principles cover security, risk, compliance, law, regulations, and business continuity.

Confidentiality, integrity, and availability, more commonly known as the CIA triad, form a model that guides the information security policies used in a company or organization. Confidentiality means a set of rules that limits access to information; it ensures that data is not shared with or disclosed to any unauthorized person. Confidentiality can be achieved through access controls, which restrict users from gaining access to information, especially sensitive information, without permission.

Another tool is encryption, which protects information while in transit or at rest. A third is steganography, which hides information within files and images.

Meanwhile, integrity means ensuring that the information is safe, accurate, and reliable. It keeps unauthorized subjects from altering data and, at the same time, prevents authorized subjects from making unauthorized alterations. Hashing is one good tool for this, as a changed hash reveals changes in the underlying file.

Availability, the last part of the triad, ensures that authorized subjects receive timely and uninterrupted access to data and other key resources. To support availability, redundant components protect a system from the failure of a single part. High availability, on the other hand, protects services against single-server failures. There is also fault tolerance, which protects services from disruption by small failures, and, lastly, OS and application patching, which also helps maintain availability.
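The integrity paragraph above says a hash reveals changes to a file. The example below, added here and not part of the original article, records a digest for a constructed sample file, tampers with the file, and re-verifies; it uses a keyed HMAC rather than a bare hash so that whoever altered the file cannot simply recompute a matching digest, and compares digests in constant time. File contents and the key are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Tuple

# Constructed sample file contents (not from any real system).
BASELINE_CONTENT = b"payroll_export_v1,amount=1000\n"
TAMPERED_CONTENT = b"payroll_export_v1,amount=9000\n"


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hmac_of_file(path: str, key: bytes) -> str:
    """Keyed digest: an attacker who can rewrite the file can also recompute a
    plain hash, but cannot produce a valid HMAC without the key."""
    mac = hmac.new(key, digestmod="sha256")
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify(path: str, expected_hex: str, key: Optional[bytes] = None) -> bool:
    """Recompute the digest and compare it to the recorded one in constant time."""
    actual = hmac_of_file(path, key) if key is not None else sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex)


def demo() -> Tuple[bool, bool]:
    """Record a baseline HMAC, modify the file, re-verify.
    Returns (matches_before_change, matches_after_change)."""
    key = os.urandom(32)  # constructed; in practice stored apart from the file
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "export.csv")
        with open(path, "wb") as f:
            f.write(BASELINE_CONTENT)
        baseline = hmac_of_file(path, key)
        ok_before = verify(path, baseline, key)
        with open(path, "wb") as f:
            f.write(TAMPERED_CONTENT)   # simulated unauthorized alteration
        ok_after = verify(path, baseline, key)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```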

Security governance principles – Six security governance principles are covered in the exam: responsibility, strategy, acquisition, performance, conformance, and human behavior. These practices should support, define, and direct the security efforts of an organization, with the goal of maintaining business processes as the organization grows.

Compliance – Compliance means being aligned with industry regulations, guidelines, and specifications. It is a crucial part of security governance, as accountability is only possible when employees have been properly taught the rules, standards, policies, and regulations they need to adhere to.

Legal and regulatory issues – These cover the legal and regulatory repercussions when compliance with standards is not met, or when security governance laws are breached or broken. Some of the key terms one needs to know and understand are:

  • Criminal Law – Requires proof of guilt beyond reasonable doubt, a burden that is difficult to meet in computer-related crimes. Penalties range from fines to prison time and, in some cases, death.
  • Civil Law – Designed to facilitate an orderly society; it deals with matters that are not criminal in nature but still require settlement between individuals and organizations through an impartial arbitrator.
  • Regulatory (administrative) Law – Rules and regulations used by government agencies in their day-to-day work, with penalties ranging from fines to incarceration.
  • The Computer Fraud and Abuse Act of 1984 – Amended in 1994 to address malicious code, the act protects federal government computers from various kinds of abuse.
  • The Computer Security Act – Outlines vital steps the government should take to protect its own systems from different types of attacks.
  • National Information Infrastructure Protection Act of 1996 – Covers computer crimes perpetrated in international trade and commerce. Reckless or intentional acts that damage critical national infrastructure are also felonies under this act.

Regulatory acts

  • Health Insurance Portability and Accountability Act – States that covered entities must disclose security breaches involving personal information. It applies to health insurers, health providers, and claims-processing agencies.
  • Gramm-Leach-Bliley Financial Modernization Act – Covers financial institutions and aims to increase the protection of customers’ PII.
  • Patriot Act of 2011 – Provides wider coverage for wiretapping and allows search and seizure without immediate disclosure.
  • Electronic Communications Privacy Act (ECPA) – Enacted in 1986, it extends government restrictions on wiretapping phone calls to cover transmissions of electronic data.
  • Sarbanes-Oxley Act (SOX) – Enacted in 2006, it requires all publicly held companies to have the procedures and internal controls necessary for financial reporting. The act aims to minimize, if not eliminate, corporate fraud.

Professional Ethics – The CISSP has a code of ethics that certified information security professionals must follow. Those who intentionally or knowingly violate it face action from a peer review panel, which could result in the revocation and nullification of the certification. The code of ethics comprises four canons: protect society, the government, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

Business Continuity Planning (BCP) – A process focused on maintaining and sustaining business operations with reduced infrastructure capabilities and restricted resources. Such reductions and restrictions result from emergencies and unexpected situations such as major disasters. The BCP is divided into four phases:

  • Project Scope and Planning – Forming a team of representatives from the organization’s core service departments, including senior management, legal representatives, the IT department, and security representatives who are adept at the BCP process.
  • Business Impact Assessment – Identifying priorities, identifying risks, likelihood assessment, impact assessment, and resource prioritization.
  • Continuity Planning – Strategy development, provisions and processes, and the selection of people, buildings and facilities, hardening provisions, infrastructure, and alternate sites.
  • Approval and Implementation – The fourth and final phase involves approval and implementation of the plan, BCP documentation, training and education, and the setting of continuity goals. It also includes writing a statement of importance, a statement of priorities, a statement of organizational responsibility, and a statement of timing and urgency. To cap off the implementation phase, emergency-response guidelines are introduced.

How does security governance interact with risk management?

CISSP security and risk management is one of the eight domains of the Common Body of Knowledge for the CISSP certification exam. Security governance and risk management are closely related, as both concern the information assets of an organization and the documentation, development, and implementation of standards, procedures, and guidelines. Together, information security governance and risk management aim to ensure the integrity, confidentiality, and availability of information.

For organizations to implement security controls effectively, management tools such as risk assessment, risk analysis, and data classification are used to classify assets, rate their vulnerabilities, and identify threats. Security governance is management’s overall approach to the organization’s risk management processes. It helps ensure that the risk the organization accepts, particularly through decisions made by upper management, does not exceed the organization’s risk appetite.

Risk management, on the other hand, involves the identification, measurement, control, and minimization of losses resulting from risks and other uncertain events. It also includes risk analysis, overall security review, selection and evaluation of safeguards, cost-benefit analysis, safeguard implementation, and safeguard review. In relation to these measures, studies have shown that successful companies and organizations invest in the right people with the right knowledge and place them in the roles that suit them best.

The objectives of the CISSP security and risk management domain for exam takers are:

  • To understand the different areas of security management that are concerned with identifying and securing organizations’ information assets.
  • To learn how to create guidelines, standards, and procedures that support and strengthen information security policies of organizations.

What's changed in CISSP security and risk management?

With rapid technological advancements, a myriad of risks have arisen that pose serious threats in the information security field. To counter these dangers, the CISSP updated its domains and refreshed its technical content on April 15, 2015, in order to stay relevant.

As a result of the updates, the domains became more streamlined, more manageable, and easier to digest and understand. Furthermore, the content now includes some of the most recent industry topics, which further equip exam takers to handle the latest challenges. Because risk is dynamic and quick to evolve, it must be quantified. Quantifying risk allows organizations, and information security professionals in particular, to come up with an effective plan and/or countermeasure.

One good example of an unforeseen risk is an earthquake. With the updated domain, information security professionals can conduct a more reliable assessment of the risk and produce relevant, cost-effective plans that will benefit the organization if the catastrophe takes place.

Obtaining the CISSP certificate is no walk in the park, given the stringency of the exam. Such stringency is necessary because high-level information security is involved, and exposing valuable data to threats can lead to a compromise that may spell doom for an organization. It is important for companies and organizations to have their information security handled only by professionals who are CISSP certified.

As for professionals who are keen on taking the exam, the recent domain updates will prove useful, as they streamline a number of domains and, more importantly, produce passers who truly deserve the certification.