Welcome to the introduction for chapter one, Information Security Governance, of the ISACA CISM certification. This module covers the first eight slides of your INFOSEC INSTITUTE course material if you want to follow along. There are actually five different sections within domain number one. Each section, as identified on this slide, covers effective governance, information security strategy, resources and constraints, and the implementation action plan. We'll be talking about each of these areas in detail. But first, an introduction to effective governance. What is it? Information Security Governance is the set of responsibilities and practices that the board of directors and executive management exercise to provide strategic direction for information security. In order to become an effective information security manager, you need to understand what the purpose is. Why are we doing effective security governance? We need to have an information security strategy defined by senior management, and that needs to be supported by information security policies, standards, procedures, and guidelines. Everything that we need to do in information security has to be justified by a business case. Management wants to know what's in it for them: what is the return on their security investment, or as we call it, ROSI, R-O-S-I, return on security investment. We also need to have metrics in place so that we can measure the controls once they're implemented, to see if they are effective and efficient. This domain, domain number one in its entirety, is 24% of the CISM exam, and you'll see about 36 questions that relate specifically to this domain on the exam.

Now, in order to do governance, there are a number of tasks associated with that, nine to be exact. First of all, you need to have established and maintained a security strategy, which has to have a supporting information security governance framework, which in turn has to be integrated into the corporate governance framework. That governance framework has to be supported by what we call information security paperwork: policies, standards, procedures, and guidelines. Everything that we do in security has to be justified by a business case any time we want to spend money to buy a control. We also have to identify anything that might be affecting security, both from an internal influence point of view and an external influence point of view. To be successful, one of the things that we have to accomplish is to get senior management's commitment and buy-in. Everybody involved in security has to have their roles and responsibilities defined, and we have to have good metrics in place to measure the controls and see whether or not they are effective and efficient.

Now, in order to do those tasks, there are certain things that we need to understand and know. How do you develop an information security strategy? How do we develop business goals and objectives, and how does information security interact with and support those business goals and objectives? How do we implement a governance framework? What is a governance framework, and how do we incorporate security governance into corporate governance? What are the different internationally recognized standards, frameworks, and best practices? How do we develop and write policies, standards, procedures, and guidelines, remembering all the way along the line that anything we have to do, we have to support with a business case? But how do you do a business case; how are those developed? We also have to understand the budgeting process and how we obtain money for our information security program. What are the different influences, internally and externally, that affect the organization? How do you get senior management to support this security project? What are the different roles and responsibilities? How is the organization structured? What is its culture? How do you communicate throughout the organization, and what metrics is management interested in, so that we can show that the controls we put in place are truly effective and efficient?