Knowledge of CISO
Purpose: Use this Job Aid to learn about the key security concepts and technologies that a CISO should be aware of.
To ensure the effectiveness of information security governance, a CISO needs a thorough understanding of the following key security concepts.
Definitions of Key Security Concepts
Key Security Concept and Definition
information.
Layered security (defense in depth) is protection by multiple independent controls, so that the failure of one layer does not by itself lead to compromise.
Management refers to the supervision of activities to ensure that objectives are achieved.
Nonrepudiation is the assurance that a party cannot deny having originated some data, that there is evidence of the origin and integrity of the data, and that this evidence can be verified by a third party.
Policies are high-level statements that express the intent and direction of an organization's senior management.
Residual risk is the risk that remains after controls and countermeasures have been implemented.
Risk is the possibility of a threat exploiting a vulnerability.
Security metrics are the means of making a quantitative and periodic assessment of security performance.
Sensitivity is the impact level of an unauthorized disclosure.
Standards define the permitted limits of procedures and actions for meeting the policy.
Strategy refers to the steps to be performed to attain an objective.
Threats are events or actions that can lead to harmful results.
Vulnerabilities are weaknesses that can be exploited by threats.
Enterprise architecture is the systematic logic for IT infrastructure and business processes.
Security domains are logical areas that are surrounded by various levels of security.
Trust models map security controls and functions to various security levels.
A CISO should also have a conceptual understanding of security technologies such as firewalls, antivirus, antispam, encryption, biometrics, and forensics. Other security technologies include user account administration, intrusion detection and intrusion prevention, privacy compliance, remote access, digital signatures, public key infrastructure (PKI), and virtual private networks (VPNs).
Further security technologies that a CISO should know are Secure Sockets Layer (SSL), secure electronic transfer (SET), monitoring technologies, electronic data interchange (EDI), electronic funds transfer (EFT), identity and access management (IAM), single sign-on (SSO), and system information and event management (SIEM).
Course: CISM: Information Security Governance (Part 1)
Topic: Senior Management and Information Security Governance
2015 Skillsoft Ireland Limited
Job Aid
Principles of Effective Information Security Governance
Purpose: Use this Job Aid to learn about the twelve principles of effective information security governance.
for protecting information assets, organizations must implement policies and processes based on the assessment of risks
chief executive officers, or CEOs, must assess information security once a year, study the results with their employees, and submit the performance report to the board of directors
organizations must devise and implement plans for managing any gaps in information security
organizations must assess the efficiency of the information security policies and processes on a regular basis
to assess the performance of information security, organizations must use security best practices guidance, such as ISO 17799
to ensure continuity of operations, organizations must develop plans, processes, and tests, and