cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Mahender
Newcomer II

Security governance

Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which
of the following is true about security governance?
A. Security governance ensures that the requested activity or access to an object is possible
given the rights and privileges assigned to the authenticated identity.
B. Security governance is used for efficiency. Similar elements are put into groups, classes,
or roles that are assigned security controls, restrictions, or permissions as a collective.
C. Security governance is a documented set of best IT security practices that prescribes
goals and requirements for security controls and encourages the mapping of IT security
ideals to business objectives.
D. Security governance seeks to compare the security processes and infrastructure used
within the organization with knowledge and insight obtained from external sources.

 

Hard to believe on the answer given by ISC2 which is D, but the correct answer is C. Correct me if I am wrong?

10 Replies
Steve-Wilme
Advocate II

D is like an incomplete version of C, although C itself isn't a good description.

 

Yes governance will involve examining the external context, starting with applicable legislation and regulation, codes that apply in your industry, then the frameworks which best match those and the capabilities/resources of the organisation.  Generally, you find different external stakeholders will generate or refer out to their preferred frameworks and then the challenge often is to map all of that across to the controls your organisation can implement and operate.  So governance isn't about best in class or ideals it's about what are appropriate to the context and can be complied with.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
ericgeater
Community Champion

@Steve-Wilme , yeah, I agree with you that it is poorly worded.  @Mahender , are you certain that this question came from ISC2?  

-----------
A claim is as good as its veracity.
Mahender
Newcomer II

I mean, in our ISC2 9E document questionnaire, the answer was given as Option D. We mostly refer this document, but in fact it is not accurate to follow some times.

dcontesti
Community Champion

I think this question should be referred back to the Exam Development team for review.  Maybe @CBMExamTeam can stick handle to the correct folk.

 

I personally do not like any of the answers as any and all of them are partially correct..  I prefer the Gartner definition:

 

Security governance is a process for overseeing the cybersecurity teams who are responsible for mitigating business risks. Security governance leaders make the decisions that allow risks to be prioritized so that security efforts are focused on business priorities rather than their own.

 

Others

 

d

 

ericgeater
Community Champion

@Mahender I don't mean to belabor the question, but what does "in our ISC2 9E document questionnaire" refer to?  Is it a book?  A PDF?  Who publishes it? @dcontesti I'm curious if he's referring to the Sybex ninth edition, myself... which ain't an ISC2 responsibility

-----------
A claim is as good as its veracity.
CBMExamTeam
ISC2 Team

@dcontesti @Mahender @ericgeater @Steve-Wilme 
Hello all,

 

Thank you for reaching out via the ISC2 Community board. 

I am looking to see if there is an internal ISC2 association/connection/oversight between what we publish as content for training and the Self-Study Material (that have links on our website) such as the ISC2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide).

In the meantime, I read through the first 2 paragraphs on Page 14 (either edition), Chapter 1 - Security Governance Through Principles and Policies, Security Governance is seen as a "collection of practices..." as opposed to the reference from Gartner, "Security Governance is a process..." With regards to the exam and the sample questions provided in the study material, I believe it's up to the test taker to determine exactly what the question is looking for; definition, concept, or linking of two or more concepts.


I'm not sure if the above is helpful, but I'm offering it up anyway. Feel free to ignore it if it's not.

 

I can also tell you that the verbiage regarding Security Governance is the same in both the 9th and 10th editions of that publication; no change or update between editions. 

I'll let you know what I find out about ISC2 and the study publication in question.

JoePete
Advocate I


@CBMExamTeam wrote:


In the meantime, I read through the first 2 paragraphs on Page 14 (either edition), Chapter 1 - Security Governance Through Principles and Policies, Security Governance is seen as a "collection of practices..."


I suppose we can call things whatever we want, but I would consider governance more than just "practices." Otherwise, under what umbrella do you include policy, standards, guidelines, and procedures? Where do you include industry regulations, etc. ("external governance" by another name)? 

CBMExamTeam
ISC2 Team

@Mahender @dcontesti @ericgeater @Steve-Wilme @JoePete 
Hello all,

 

Thank you for your patience.

 

I have contacted several internal experts in both Professional Development and Exam Content/Standards & Practices.

  • Professional Development has 100% control over ISC2 training content. They have no control over contents in publications from  Wiley & Sons. They do, however, have a business relationship with Wiley and will reach out to their Wiley contact.
  • Exam Content/Standards & Practice reviewed both the Security Governance post and the Incident Management Steps post. For both, they agreed they were poorly written ("terrible").

All I spoke with concur - you should reach out to Wiley & Sons and report these as errata. The contact information for that is in the publication, but I'll save you the time and trouble of finding it.

 

Reader Support for this Book

How to Contact the Publisher

 

If you believe you’ve found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

 

In order to submit your possible errata, please email to our Customer Service Team at wileysupport@wiley.com with the subject line: "Possible Book Errata Submission."

 

Thank you, @dcontesti for your faith that I could "stick handle this inquiry to the right internalteam." LOL

 

I hope you can get a resolution from Wiley & Sons.

 

 

dcontesti
Community Champion

@CBMExamTeam THANK YOU for you diligence on this one and others.

 

And thank you for clarifying that these questions are related to the Riley publication.

 

 

Regards

 

d