Shield House
CISSP Domain 1

Security Governance Dashboard

Principles, policies, and documentation for organizational security management

Five Pillars of Information Security

Confidentiality
Prevent unauthorized disclosure of information
Integrity
Ensure accuracy and completeness of data
Availability
Ensure timely access to information
Authenticity
Verify identity of users and systems
Non-repudiation
Prevent denial of actions taken

Security Documentation Hierarchy

Policies
High-level management statements of intent
Standards
Mandatory requirements and specifications
Baselines
Minimum security configurations
Guidelines
Recommended best practices (flexible)
Procedures
Step-by-step instructions

Documentation Types

Policies

High-level statements that reflect management's intent. Define what should be done but not how. Approved by senior management.

"All employees must use strong passwords to protect company assets."

Standards

Mandatory requirements that support policies. Specific and measurable. Define what must be done.

"Passwords must be at least 12 characters with uppercase, lowercase, numbers, and symbols."

Baselines

Minimum security configurations for systems. Platform-specific. Define the security floor.

"Windows servers must have CIS Level 1 benchmark applied before deployment."

Guidelines

Recommended practices. Not mandatory but suggested. Provide flexibility for compliance.

"Consider using a password manager to generate and store complex passwords."

Procedures

Step-by-step instructions. Tell exactly how to accomplish a task. Most detailed documentation.

"1. Open Settings > 2. Click Security > 3. Select Change Password > 4. Enter new password..."

Security Roles & Responsibilities

Senior Management
Ultimate responsibility for security. Sets strategy, approves policies, provides resources.
CISO
Leads security program. Reports to executive leadership. Manages security team.
Data Owner
Business manager responsible for data classification and access decisions.
Data Custodian
IT staff who implement controls. Manage day-to-day data handling.
System Owner
Manager responsible for a specific system. Ensures compliance with policies.
Security Admin
Implements and manages security controls. Configures access rights.
User
Follow security policies. Report incidents. Complete training.
Auditor
Independently verifies controls. Tests compliance. Reports findings.

Due Care vs Due Diligence

Due Care

Doing what a reasonable person would do in similar circumstances. Taking action to protect the organization.

Example: Installing antivirus software, implementing firewalls, patching systems

Due Diligence

Researching and understanding the risks before making decisions. Investigation and verification.

Example: Conducting risk assessments, background checks, vendor evaluations

Remember: Due Diligence = Understand the risk | Due Care = Take action on the risk

Security Control Frameworks

Framework          Type              Focus                             Best For
ISO 27001/27002    Certification     ISMS implementation & controls    International organizations
NIST CSF           Framework         Cybersecurity risk management     Critical infrastructure, US orgs
NIST 800-53        Control Catalog   Federal system security           US Government, contractors
COBIT              Framework         IT governance & management        Enterprise IT alignment
CIS Controls       Best Practices    Prioritized cyber defense         Any organization, practical
SOC 2              Audit/Report      Trust Service Criteria            Service organizations (SaaS)
CSA CCM            Control Matrix    Cloud security                    Cloud service providers

(ISC)² Code of Professional Ethics

Canon I
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Canon II
Act honorably, honestly, justly, responsibly, and legally.
Canon III
Provide diligent and competent service to principals.
Canon IV
Advance and protect the profession.

Order matters! In ethical conflicts, Canon I takes precedence over II, II over III, etc.
