Domain 1: Governance (Policy, Legal & Compliance)
- Define, implement, manage and maintain an information security governance program that includes leadership, organizational structures and processes.
- Align information security governance framework with organizational goals and governance, i.e., leadership style, philosophy, values, standards and policies.
- Establish information security management structure.
- Establish a framework for information security governance monitoring (considering cost/benefit analyses of controls and ROI).
- Understand standards, procedures, directives, policies, regulations, and legal issues that affect the information security program.
- Understand the enterprise information security compliance program and manage the compliance team.
- Analyze all the external laws, regulations, standards, and best practices applicable to the organization.
- Understand the various provisions of the laws that affect organizational security, such as the Gramm-Leach-Bliley Act, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act [HIPAA], Federal Information Security Management Act [FISMA], Clinger-Cohen Act, Privacy Act, Sarbanes-Oxley, etc.
- Be familiar with the different standards, such as the ISO 27000 series and Federal Information Processing Standards [FIPS].
- Understand the federal and organization-specific published documents used to manage operations in a computing environment.
- Assess the major enterprise risk factors for compliance.
- Coordinate the application of information security strategies, plans, policies, and procedures to reduce regulatory risk.
- Understand the importance of regulatory information security organizations and appropriate industry groups, forums, and stakeholders.
- Understand the information security changes, trends, and best practices.
- Manage enterprise compliance program controls.
- Understand the information security compliance process and procedures.
- Compile, analyze, and report on compliance programs.
- Understand the compliance auditing and certification programs.
- Follow organizational ethics.