Security Governance certs/knowledge?
UnixGuy
Mod Posts: 4,570 Mod
Do you guys know any good certifications or books or videos related to Security Governance? How do you start to build your knowledge in this area?
Comments
-
soccarplayer29 Member Posts: 230 ■■■□□□□□□□I don't think there's a great single-source for that. I'd suggest looking into the ISACA CGEIT, SANS/GIAC GSLC
I think @beads recommended this Threat Modeling book awhile back: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
Can you elaborate a bit on what areas you're looking to grow related to "Security Governance"?Certs: CISSP, CISA, PMP -
UnixGuy Mod Posts: 4,570 ModGood point, I'm not really clear on what areas are there, I guess I'm more after a broad introduction to what areas currently exist, and how to improve knowledge in each area individually I guess
-
DatabaseHead Member Posts: 2,760 ■■■■■■■■■■COBIT 5 worth anything anymore? I believe one of the domains is information security and it's more certainly around IT enterprise governance.
Couple of the executives I worked with a few years back had this certification. In fact I recall our clients security information officer had the COBIT and the CISSP proudly hanging in his office. -
TheFORCE Member Posts: 2,297 ■■■■■■■■□□The NIST documents are all about governance, read those. Also, top 20 CIS controls are about governance too, read those too.
Governance in a nutshell is about practicing a framework of keeping your sh.t together. for example, say you have a firewall, ok thats good that will check the box of many compliance and regulatory controls. But how do you know that your firewall admin does not have a rule for himself or his close co-workers to go through unfiltered to sites that everyone else cannot. Or how can you check that whenever there is a change, a request was opened and approved and time set aside to be configured properly.
The fundamental purpose of governance is to check that controls are being followed the way they were intended -
UnixGuy Mod Posts: 4,570 Modfor example, say you have a firewall, ok thats good that will check the box of many compliance and regulatory controls. But how do you know that your firewall admin does not have a rule for himself or his close co-workers to go through unfiltered to sites that everyone else cannot. Or how can you check that whenever there is a change, a request was opened and approved and time set aside to be configured properly.
The fundamental purpose of governance is to check that controls are being followed the way they were intended
That sounds like auditing doesn't it? -
UnixGuy Mod Posts: 4,570 ModI'm trying to understand more what Governance teams actually do, and try to bridge the gap between them and the technical teams if that makes sense, so I thought I need to know more and see things more from their perspective. Hope this clarifies my question
Thanks for the great answers so far -
TheFORCE Member Posts: 2,297 ■■■■■■■■□□Yes theres a gray area between audit and governance. some teams do both some are separate.
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□Here is an article that will give you more insight: www.cio.com/article/3206607/compliance/what-is-grc-and-why-do-you-need-it.amp.html
-
DatabaseHead Member Posts: 2,760 ■■■■■■■■■■TechGuru80 wrote: »Here is an article that will give you more insight: www.cio.com/article/3206607/compliance/what-is-grc-and-why-do-you-need-it.amp.html
Thanks for sharing rep
Note, COBIT is mentioned in this article which cross references well with the security guys I have spent some time with..........
https://www.isaca.org/Education/COBIT-Education/Pages/COBIT-Foundation.aspx -
H-bomb Member Posts: 129 ■■■□□□□□□□I’d say governance is a collection of all the policies, standards, and procedures that support business objectives. Governance isn’t necessarily checking to see if controls are implemented, however it builds a foundation for selecting and implementing controls.
-
Chitownjedi Member Posts: 578 ■■■■■□□□□□I’d say governance is a collection of all the policies, standards, and procedures that support business objectives. Governance isn’t necessarily checking to see if controls are implemented, however it builds a foundation for selecting and implementing controls.
And providing accountability