Information Security Governance
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
Tasks
- Develop the information security strategy in support of business strategy and direction.
- Obtain senior management commitment and support for information security throughout the enterprise.
- Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
- Establish reporting and communication channels that support information security governance activities.
- Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
- Establish and maintain information security policies that support business goals and objectives.
- Ensure the development of procedures and guidelines that support information security policies.
- Develop business cases and enterprise value analyses that support information security program(me) investments.
Knowledge Statements
- Knowledge of information security concepts
- Knowledge of the relationship between information security and business operations
- Knowledge of techniques used to secure senior management commitment and support of information security management
- Knowledge of methods of integrating information security governance into the overall enterprise governance framework
- Knowledge of practices associated with an overall policy directive that captures senior management level direction and expectations for information security in laying the foundation for information security management within an organization
- Knowledge of an information security steering group function
- Knowledge of information security management roles, responsibilities and organizational structure
- Knowledge of areas of governance (for example, risk management, data classification management, network security, system access)
- Knowledge of centralized and decentralized approaches to coordinating information security
- Knowledge of legal and regulatory issues associated with Internet businesses, global transmissions and transborder data flows (for example, privacy, tax laws and tariffs, data import/export restrictions, restrictions on cryptography, warranties, patents, copyrights, trade secrets, national security)
- Knowledge of common insurance policies and imposed conditions (for example, crime or fidelity insurance, business interruptions)
- Knowledge of the requirements for the content and retention of business records and compliance
- Knowledge of the process for linking policies to enterprise business objectives
- Knowledge of the function and content of essential elements of an information security program(me) (for example, policy statements, procedures and guidelines)
- Knowledge of techniques for developing an information security process improvement model for sustainable and repeatable information security policies and procedures
- Knowledge of information security process improvement and its relationship to traditional process management
- Knowledge of information security process improvement and its relationship to security architecture development and modeling
- Knowledge of information security process improvement and its relationship to security infrastructure
- Knowledge of generally accepted international standards for information security management and related process improvement models
- Knowledge of the key components of cost benefit analysis and enterprise transformation/migration plans (for example, architectural alignment, organizational positioning, change management, benchmarking, market/competitive analysis)
- Knowledge of methodology for business case development and computing enterprise value proposition