topic Re: Security governance in CISSP Study Group

Security governance

Mahender — Fri, 20 Sep 2024 10:06:36 GMT

Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which
of the following is true about security governance?
A. Security governance ensures that the requested activity or access to an object is possible
given the rights and privileges assigned to the authenticated identity.
B. Security governance is used for efficiency. Similar elements are put into groups, classes,
or roles that are assigned security controls, restrictions, or permissions as a collective.
C. Security governance is a documented set of best IT security practices that prescribes
goals and requirements for security controls and encourages the mapping of IT security
ideals to business objectives.
D. Security governance seeks to compare the security processes and infrastructure used
within the organization with knowledge and insight obtained from external sources.

Hard to believe on the answer given by ISC2 which is D, but the correct answer is C. Correct me if I am wrong?

Re: Security governance

Steve-Wilme — Fri, 20 Sep 2024 10:53:42 GMT

D is like an incomplete version of C, although C itself isn't a good description.

Yes governance will involve examining the external context, starting with applicable legislation and regulation, codes that apply in your industry, then the frameworks which best match those and the capabilities/resources of the organisation. Generally, you find different external stakeholders will generate or refer out to their preferred frameworks and then the challenge often is to map all of that across to the controls your organisation can implement and operate. So governance isn't about best in class or ideals it's about what are appropriate to the context and can be complied with.

Re: Security governance

ericgeater — Fri, 20 Sep 2024 11:38:11 GMT

@Steve-Wilme , yeah, I agree with you that it is poorly worded. @Mahender , are you certain that this question came from ISC2?

Re: Security governance

Mahender — Fri, 20 Sep 2024 13:16:18 GMT

I mean, in our ISC2 9E document questionnaire, the answer was given as Option D. We mostly refer this document, but in fact it is not accurate to follow some times.

Re: Security governance

dcontesti — Fri, 20 Sep 2024 22:41:24 GMT

I think this question should be referred back to the Exam Development team for review. Maybe @CBMExamTeam can stick handle to the correct folk.

I personally do not like any of the answers as any and all of them are partially correct.. I prefer the Gartner definition:

Security governance is a process for overseeing the cybersecurity teams who are responsible for mitigating business risks. Security governance leaders make the decisions that allow risks to be prioritized so that security efforts are focused on business priorities rather than their own.

Others

Re: Security governance

ericgeater — Tue, 24 Sep 2024 12:34:03 GMT

@Mahender I don't mean to belabor the question, but what does "in our ISC2 9E document questionnaire" refer to? Is it a book? A PDF? Who publishes it? @dcontesti I'm curious if he's referring to the Sybex ninth edition, myself... which ain't an ISC2 responsibility

Re: Security governance

CBMExamTeam — Tue, 24 Sep 2024 17:43:14 GMT

@dcontesti @Mahender @ericgeater @Steve-Wilme
Hello all,

Thank you for reaching out via the ISC2 Community board.

I am looking to see if there is an internal ISC2 association/connection/oversight between what we publish as content for training and the Self-Study Material (that have links on our website) such as the ISC2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide).

In the meantime, I read through the first 2 paragraphs on Page 14 (either edition), Chapter 1 - Security Governance Through Principles and Policies, Security Governance is seen as a "collection of practices..." as opposed to the reference from Gartner, "Security Governance is a process..." With regards to the exam and the sample questions provided in the study material, I believe it's up to the test taker to determine exactly what the question is looking for; definition, concept, or linking of two or more concepts.

I'm not sure if the above is helpful, but I'm offering it up anyway. Feel free to ignore it if it's not.

I can also tell you that the verbiage regarding Security Governance is the same in both the 9th and 10th editions of that publication; no change or update between editions.

I'll let you know what I find out about ISC2 and the study publication in question.

Re: Security governance

JoePete — Thu, 26 Sep 2024 03:13:39 GMT

@CBMExamTeam wrote:

In the meantime, I read through the first 2 paragraphs on Page 14 (either edition), Chapter 1 - Security Governance Through Principles and Policies, Security Governance is seen as a "collection of practices..."

I suppose we can call things whatever we want, but I would consider governance more than just "practices." Otherwise, under what umbrella do you include policy, standards, guidelines, and procedures? Where do you include industry regulations, etc. ("external governance" by another name)?

Re: Security governance

CBMExamTeam — Thu, 26 Sep 2024 18:23:26 GMT

@Mahender @dcontesti @ericgeater @Steve-Wilme @JoePete
Hello all,

Thank you for your patience.

I have contacted several internal experts in both Professional Development and Exam Content/Standards & Practices.

Professional Development has 100% control over ISC2 training content. They have no control over contents in publications from Wiley & Sons. They do, however, have a business relationship with Wiley and will reach out to their Wiley contact.
Exam Content/Standards & Practice reviewed both the Security Governance post and the Incident Management Steps post. For both, they agreed they were poorly written ("terrible").

All I spoke with concur - you should reach out to Wiley & Sons and report these as errata. The contact information for that is in the publication, but I'll save you the time and trouble of finding it.

Reader Support for this Book

How to Contact the Publisher

If you believe you’ve found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

In order to submit your possible errata, please email to our Customer Service Team at wileysupport@wiley.com with the subject line: "Possible Book Errata Submission."

Thank you, @dcontesti for your faith that I could "stick handle this inquiry to the right internalteam." LOL

I hope you can get a resolution from Wiley & Sons.

Re: Security governance

dcontesti — Thu, 26 Sep 2024 23:58:06 GMT

@CBMExamTeam THANK YOU for you diligence on this one and others.

And thank you for clarifying that these questions are related to the Riley publication.

Regards

Re: Security governance

Mahender — Fri, 27 Sep 2024 04:14:42 GMT

Yes sir, it's CISSP ISC2 Official 9th edition guide in PDF format. Seems it will be addressed below by Wiley & Sons publications. Sorry for the delayed response.

Re: Security governance

JohnEricsson — Tue, 29 Oct 2024 17:58:24 GMT

I answered "C" but now think "D" is best.

For "C", I would say "Security Governance" (SG) is an oversight that a standard is being met. I think what the answer says is part of the oversight, but not SG itself.

For "D", SG is the top tier of oversight, While it does not set the standard (that could be management instruction), SG role is to make sure it is being met (see answer C as to how) and provide assurance of it. However it can not do that in isolation, it needs external input to determine best practice, it needs external input to determine new risks (e.g. supply chain with AI python repositories).

However I could be CISSP definition of SG is different to mine.