Security Governance certs/knowledge?
UnixGuy (Mod, 4,570 posts)
Do you guys know any good certifications or books or videos related to Security Governance? How do you start to build your knowledge in this area?
Comments
soccarplayer29 (Member, 230 posts)
I don't think there's a great single source for that. I'd suggest looking into the ISACA CGEIT and SANS/GIAC GSLC.
I think @beads recommended this Threat Modeling book a while back: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
Can you elaborate a bit on what areas you're looking to grow related to "Security Governance"?
Certs: CISSP, CISA, PMP
UnixGuy (Mod, 4,570 posts)
Good point. I'm not really clear on what areas there are; I guess I'm more after a broad introduction to what areas currently exist, and how to improve knowledge in each area individually.
DatabaseHead (Member, 2,754 posts)
Is COBIT 5 worth anything anymore? I believe one of the domains is information security, and it's certainly more around IT enterprise governance.
A couple of the executives I worked with a few years back had this certification. In fact, I recall our client's security information officer had the COBIT and the CISSP proudly hanging in his office.
TheFORCE (Member, 2,297 posts)
The NIST documents are all about governance, read those. Also, the top 20 CIS controls are about governance too, read those too.
Governance in a nutshell is about practicing a framework of keeping your sh.t together. For example, say you have a firewall. OK, that's good, that will check the box of many compliance and regulatory controls. But how do you know that your firewall admin does not have a rule for himself or his close co-workers to go through unfiltered to sites that everyone else cannot? Or how can you check that whenever there is a change, a request was opened and approved, and time was set aside for it to be configured properly?
The fundamental purpose of governance is to check that controls are being followed the way they were intended.
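As an added example (not from any poster in this thread), here is the kind of control check TheFORCE describes, written as a script: it reconciles a firewall rule export against the change-ticket log and flags rules with no ticket, an unapproved or self-approved ticket, or a web-filtering exemption scoped to a single host. The rule fields, ticket fields and the "bypass-filter" action name are constructed assumptions, not any real product's format.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    rule_id: str
    source: str                  # source network in CIDR notation
    action: str                  # "allow", "deny" or "bypass-filter" (skips web filtering)
    change_ticket: Optional[str]  # change request the rule was created under, if any
    owner: str                   # admin who created the rule


# Constructed sample data; not exported from any real firewall or ticketing system.
RULES = [
    Rule("r1", "10.0.0.0/8", "allow", "CHG-1001", "fw-team"),
    Rule("r2", "10.1.5.23/32", "bypass-filter", None, "jdoe"),
    Rule("r3", "10.2.0.0/16", "allow", "CHG-1002", "fw-team"),
    Rule("r4", "10.1.5.40/32", "bypass-filter", "CHG-1003", "jdoe"),
]
TICKETS = {
    "CHG-1001": {"status": "approved", "requester": "fw-team", "approver": "cab"},
    "CHG-1002": {"status": "open", "requester": "fw-team", "approver": None},
    "CHG-1003": {"status": "approved", "requester": "jdoe", "approver": "jdoe"},
}


def audit(rules, tickets):
    """Return (rule_id, reason) pairs for every rule that fails a governance check."""
    findings = []
    for r in rules:
        # Check 1: every rule must trace back to an approved, independently reviewed change.
        if r.change_ticket is None:
            findings.append((r.rule_id, "no change ticket"))
        elif r.change_ticket not in tickets:
            findings.append((r.rule_id, "unknown change ticket"))
        else:
            t = tickets[r.change_ticket]
            if t["status"] != "approved":
                findings.append((r.rule_id, "ticket not approved"))
            elif t["approver"] == t["requester"]:
                findings.append((r.rule_id, "self-approved change"))
        # Check 2: a filtering exemption for exactly one host is the "rule for himself"
        # case and is reported for review even when a ticket exists.
        if r.action == "bypass-filter" and ipaddress.ip_network(r.source).num_addresses == 1:
            findings.append((r.rule_id, "single-host filter exemption"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit(RULES, TICKETS):
        print(f"{rule_id}: {reason}")
```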
UnixGuy (Mod, 4,570 posts)
TheFORCE wrote: »For example, say you have a firewall. OK, that's good, that will check the box of many compliance and regulatory controls. But how do you know that your firewall admin does not have a rule for himself or his close co-workers to go through unfiltered to sites that everyone else cannot? Or how can you check that whenever there is a change, a request was opened and approved, and time was set aside for it to be configured properly?
The fundamental purpose of governance is to check that controls are being followed the way they were intended.
That sounds like auditing, doesn't it?
UnixGuy (Mod, 4,570 posts)
I'm trying to understand more of what governance teams actually do, and to bridge the gap between them and the technical teams, if that makes sense, so I thought I need to know more and see things more from their perspective. Hope this clarifies my question.
Thanks for the great answers so far.
TheFORCE (Member, 2,297 posts)
Yes, there's a gray area between audit and governance. Some teams do both, some are separate.
TechGuru80 (Member, 1,539 posts)
Here is an article that will give you more insight: www.cio.com/article/3206607/compliance/what-is-grc-and-why-do-you-need-it.amp.html
DatabaseHead (Member, 2,754 posts)
TechGuru80 wrote: »Here is an article that will give you more insight: www.cio.com/article/3206607/compliance/what-is-grc-and-why-do-you-need-it.amp.html
Thanks for sharing, rep.
Note, COBIT is mentioned in this article, which cross-references well with the security guys I have spent some time with.
https://www.isaca.org/Education/COBIT-Education/Pages/COBIT-Foundation.aspx
H-bomb (Member, 129 posts)
I'd say governance is a collection of all the policies, standards, and procedures that support business objectives. Governance isn't necessarily checking to see if controls are implemented; however, it builds a foundation for selecting and implementing controls.
Chitownjedi (Member, 578 posts)
H-bomb wrote: »I'd say governance is a collection of all the policies, standards, and procedures that support business objectives. Governance isn't necessarily checking to see if controls are implemented; however, it builds a foundation for selecting and implementing controls.
And providing accountability.