Infosec and enterprise risk management framework: CISSP Study Guide

Test your knowledge of information security and enterprise risk management and learn how to create a sucessful risk management framework in this part of our CISSP Study Guide, geared towards the CISSP certification exam.

The CISSP exam covers 10 domains, one of which is information security and enterprise risk management. This enterprise risk management framework section of the CISSP Study Guide pertains to security management practices and security policies. Those taking the CISSP exam will need to know about risk management, data classification, security roles and responsibilities and more.

Ensure your knowledge of information security and risk management by referring to our enterprise risk management resources and testing your knowledge with our risk management quiz, written by CISSP All-in-one Exam Guide author Shon Harris. Visit our library of study guides to see the other domains.


  Enterprise risk management framework: processes, procedures and techniques  

One of the most important aspects of information security management is learning how to classify and handle security risks. In this section of the CISSP Study Guide, get an overview of enterprise risk management frameworks, and learn how to perform a security risk analysis and create a security risk management plan.

An overview of the risk management process
One question that security companies constantly face is: "What is enough security?" But another equally important question is, "What is our acceptable risk level?" These two questions have an inverse relationship. You can't know what constitutes enough security unless you know your necessary baseline risk level.

In this tip, expert Shon Harris gives an overview of the risk management process and explains how to set an enterprise-wide acceptable risk level for an organization.

How risk management standards can work for enterprise IT
As attacks on government sites, substantial fraud, and data breaches continue to create a high level of risk for information connected to corporate and national IT infrastructures, executives and managers must rely on sound risk management principles in order to ensure that the most appropriate technologies and processes are in place to protect their corporate interests.

Considering, every organization should be able to articulate how IT risks can harm a business. In this tip, Forrester Research analyst Chris McClean explains how a five-step risk management strategy, based on a risk management standard like ISO 31000, makes it easier to explain how IT threats become business threats.

Security risk factors: Business partner security and pandemic planning
When it comes to business partner security, risks and pandemics are legitimate concerns, making a security partner risk assessment for evaluating threats imperative.

In this exclusive interview, Sara Santarelli offers tips on how to deal with the risks posed by business partners and possible pandemics, and how to assess an enterprise's exposure to these risks with a business partner risk assessment.

Creating a security risk management plan format
Enterprises without a codified risk management plan are much more susceptible to a plethora of threats and attacks.

In this expert response, Ernie Hayden discusses the importance of creating a risk management plan, and discusses everything that should be included so your organization has an effective plan that covers all the bases.

Performing a security risk analysis to assess acceptable level of risk
No organization is ever completely without risk, but there are steps that can be taken to establish an acceptable level of risk that can be appropriately mitigated.

In this tip, Michael Cobb explains how to perform a security risk analysis to help determine an acceptable level of risk in your organization.

Cloud computing in 2010: Be ready for risk management challenges
Because on-demand resources are dynamically scalable and flexible, they are becoming increasingly attractive to businesses large and small. For everyone involved in trying to protect their organizations' network users and data, a move to cloud computing will present a huge change and challenge.

Michael Cobb predicts some risk management challenges in 2010 as more companies make the move toward cloud computing.

How to perform an enterprise risk analysis
Some IT security best practices might not be right for your enterprise. In this expert response, learn how to perform an enterprise risk assessment and analysis to determine which enterprise resources may be at risk and how to protect them.


  Enterprise risk management framework: Data classification techniques and methods  

Data classification, which describes the sensitivity of corporate data, is an essential element for every organization's risk analysis framework. In this section of this learning guide, learn data classification best practices, techniques and methods, as well as how to conduct a data classification assessment.

Data classification best practices: Techniques, methods and projects
A data classification model is a means for optimizing the level of security of data, while maintaining the maximum possible flexibility while ensuring a proportionate level of control. But how should an enterprise choose a model that is practical and useful? What data classification best practices should it follow?

In this tip, learn data classification best practices, as well as several data classification techniques and methods to ensure the security of corporate information.

How to conduct a data classification assessment
Before a business can safeguard mission-critical data, it must know how to conduct data classification processes. Even though it is time-consuming and involves many steps, as Tom Bowers writes, data classification makes it easier to figure out where an enterprise's most important data is, who has access to it and how it should be handled.

Best practices for log data retention
Figuring out how long to retain log data and how much log data should be kept in the event of incident response can be tricky to navigate.

In this information security management expert response, David Mortman gives best practices for log data retention and answers common questions, such as, how long should an organization retain data?


  Information security and enterprise risk management roles and responsibilities  

Security responsibilities change as they relate to enterprise roles, and it is crucial to define these different roles and responsibilities clearly, and layer them across enterprise roles. In this enterprise risk management framework section of the CISSP Study Guide, learn why different security roles must stay separate and how your company's security program should define roles and responsibilities.

How should a company's security program define roles and responsibilities?
In many organizations, it's not uncommon for physical, legal and information security departments to step on each other's toes. In this expert Q&A, security management pro Shon Harris reveals how organizations should define different security groups' roles and responsibilities and how a CSO can bring these teams together to implement a stronger security program.

Reasons why enterprise networking and security roles must stay separate
Enterprise network managers are responsible for configuring and managing network devices, but should they be accountable for tasks that are typically handled by the information security team?

In this tip, contributor Shon Harris examines and explains why networking and information security roles, responsibilities and tasks should not be shared.

How would you define the responsibilities of a data custodian in a bank?
Data is the heart of every financial institution. Not only is customer data heavily regulated, but analyzing the data and figuring out how to monetize it is also a critical success factors for banks as the business continues to get more and more competitive.

Since data security is incredibly important for financial institutions, it is imperative to clearly define the roles and responsibilities of the data custodian to make sure that is safe. Security management expert Mike Rothman explains more.

Return to the CISSP Study Guide.

About the author
Shon Harris, CISSP, MCSE, is the president of Logical Security, an IT security consulting and training company. She is a former engineer in the Air Force's Information Warfare unit, an instructor and the best-selling author of the previous three editions of this book. Shon has taught computer and information security to a wide range of clients, including RSA, the Department of Defense, the Department of Energy, the National Security Agency and many more.

Dig Deeper on Employee Training and Development for MSPs