2 DOMAIN ONE – INFORMATION SECURITY AND RISK MANAGEMENT
2.1 EXPECTATIONS FOR CISSP
2.2 UNDERSTANDING SECURITY POLICIES, PROCEDURES, STANDARDS, GUIDELINES AND BASELINES
2.3 WHAT ARE THE COMPLIANCE FRAMEWORKS?
2.3.1 COSO
2.3.2 ITIL
2.3.3 COBIT
2.3.4 ISO 17799 / BS 7799
2.4 CHANGING ORGANIZATIONAL BEHAVIOR
2.5 RESPONSIBILITIES OF THE INFORMATION SECURITY OFFICER
2.6 CREATING AN ENTERPRISE SECURITY OVERSIGHT
COSO defines five interrelated components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring.
Some organizations working toward compliance with Sarbanes-Oxley Section 404 have adopted the COSO internal control model as their audit framework.

2.3.2 ITIL

The British government's Stationery Office published a set of 34 books between 1989 and 1992 to improve IT service management.
This framework is called the IT Infrastructure Library (ITIL).
It contains best practices for core operational processes such as change, release, and configuration management, problem and incident management, capacity and availability management, and financial management as they pertain to IT service.
ITIL shows how controls can be implemented for these IT processes, but the controls then have to be operated and maintained day to day rather than put in place once.
Achieving alignment with ITIL is therefore an ongoing process that requires management support and planning.

2.3.3 COBIT

The IT Governance Institute published 34 high-level processes called the Control Objectives for Information and related Technology (COBIT).
A total of 214 control
The COBIT model defines four domains for governance: planning and organization, acquisition and implementation, delivery and support, and monitoring.
Within these domains, individual processes and IT activities are defined.

2.3.4 ISO 17799 / BS 7799

The ISO 17799/BS 7799 standard has a history dating to 1993, when work on it began at the U.K. Department of Trade and Industry.
BS 7799-1 was revised in 1999 and then adopted as ISO/IEC 17799:2000, the first international information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Revised in June 2005, the ISO 17799 standard contains 133 detailed information security controls grouped into 11 areas: