From the course: CompTIA Security+ (SY0-701) Cert Prep

Security governance structures

From the course: CompTIA Security+ (SY0-701) Cert Prep

Start my 1-month free trial

Security governance structures

- [Instructor] Governance programs are the sets of procedures and controls put in place to allow an organization to effectively direct its work. Without governance, running a large organization would be impossible. If thousands of employees each made their own decisions about priorities, responsibilities and operational methods, nothing would ever get done. Governance ensures that all parts of the organization align with its strategic goals. Corporate governance programs ensure that the organization sets and follows the right strategic direction. In publicly-traded companies, the thousands of shareholders can't manage daily oversight. Instead, they hold meetings to elect a board of directors to represent them. These directors, often major shareholders with expertise in corporate governance, have the ultimate authority. They might've served as senior corporate executives themselves. Best practices often suggest that a majority of the board members should be independent. Having no significant ties to the company other than their board membership. Boards generally meet monthly or quarterly and don't dictate the day-to-day operations of the organization. Instead, they appoint a chief executive officer, or CEO, to manage daily tasks. Now, the CEO can't control every single function, so they hire a team of executives, managers and individual contributors. The flow of governance cascades downward. The shareholder owners of the company delegate authority to run the organization to their elected board of directors. The board then hires and manages the CEO, who then hires and manages other senior executives, who hire and manage middle managers, who hire and manage teams of individual contributors. The size of the management hierarchy depends upon the size of the organization, and it's intended to preserve a reasonable number of direct subordinates for each manager. Information security governance stems from corporate governance. The CEO delegates information security responsibility to the chief information security officer, CISO, or other responsible executive. The CISO and CEO must work together to ensure the proper alignment of the information security program with corporate governance. Now, different organizations have different approaches to security governance. Two primary types are centralized governance models, which use a top-down approach, where a central authority creates policies and standards, which are then enforced throughout the organization. And decentralized governance models, which use a bottom-up approach, where individual business units are delegated the authority to achieve cybersecurity objectives, and then may do so in the manner that they see fit. Besides the board of directors, governance structures often include a variety of internal committees consisting of subject matter experts and managers. Government entities, such as regulatory agencies, may also play a role in the governance of some organizations. For example, banks may be regulated by the US Treasury Department or similar agencies in other countries.

Contents