Security Governance certs/knowledge?

UnixGuyUnixGuy Mod Posts: 4,570 Mod
Do you guys know any good certifications or books or videos related to Security Governance? How do you start to build your knowledge in this area?
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 

Comments

  • soccarplayer29soccarplayer29 Member Posts: 230 ■■■□□□□□□□
    I don't think there's a great single-source for that. I'd suggest looking into the ISACA CGEIT, SANS/GIAC GSLC

    I think @beads recommended this Threat Modeling book awhile back: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998

    Can you elaborate a bit on what areas you're looking to grow related to "Security Governance"?
    Certs: CISSP, CISA, PMP
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    Good point, I'm not really clear on what areas are there, I guess I'm more after a broad introduction to what areas currently exist, and how to improve knowledge in each area individually I guess
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • DatabaseHeadDatabaseHead Member Posts: 2,760 ■■■■■■■■■■
    COBIT 5 worth anything anymore? I believe one of the domains is information security and it's more certainly around IT enterprise governance.

    Couple of the executives I worked with a few years back had this certification. In fact I recall our clients security information officer had the COBIT and the CISSP proudly hanging in his office. :)
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    The NIST documents are all about governance, read those. Also, top 20 CIS controls are about governance too, read those too.

    Governance in a nutshell is about practicing a framework of keeping your sh.t together. for example, say you have a firewall, ok thats good that will check the box of many compliance and regulatory controls. But how do you know that your firewall admin does not have a rule for himself or his close co-workers to go through unfiltered to sites that everyone else cannot. Or how can you check that whenever there is a change, a request was opened and approved and time set aside to be configured properly.

    The fundamental purpose of governance is to check that controls are being followed the way they were intended
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    TheFORCE wrote: »
    for example, say you have a firewall, ok thats good that will check the box of many compliance and regulatory controls. But how do you know that your firewall admin does not have a rule for himself or his close co-workers to go through unfiltered to sites that everyone else cannot. Or how can you check that whenever there is a change, a request was opened and approved and time set aside to be configured properly.

    The fundamental purpose of governance is to check that controls are being followed the way they were intended



    That sounds like auditing doesn't it?
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    I'm trying to understand more what Governance teams actually do, and try to bridge the gap between them and the technical teams if that makes sense, so I thought I need to know more and see things more from their perspective. Hope this clarifies my question :)

    Thanks for the great answers so far
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Yes theres a gray area between audit and governance. some teams do both some are separate.
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
  • DatabaseHeadDatabaseHead Member Posts: 2,760 ■■■■■■■■■■
    TechGuru80 wrote: »


    Thanks for sharing rep

    Note, COBIT is mentioned in this article which cross references well with the security guys I have spent some time with..........

    https://www.isaca.org/Education/COBIT-Education/Pages/COBIT-Foundation.aspx
  • H-bombH-bomb Member Posts: 129 ■■■□□□□□□□
    I’d say governance is a collection of all the policies, standards, and procedures that support business objectives. Governance isn’t necessarily checking to see if controls are implemented, however it builds a foundation for selecting and implementing controls.
  • ChitownjediChitownjedi Member Posts: 578 ■■■■■□□□□□
    H-bomb wrote: »
    I’d say governance is a collection of all the policies, standards, and procedures that support business objectives. Governance isn’t necessarily checking to see if controls are implemented, however it builds a foundation for selecting and implementing controls.

    And providing accountability
Sign In or Register to comment.