Table of Contents
Domain 1: Governance ............................................................ 2
Knowledge Assumptions ................................................................................... 3
1. Drivers that Influence Governance .............................................................. 4
1.1 Business Drivers ................................................................................................................................ 4
1.1.1 Form of Business Organization .................................................................................................. 4
1.1.2 Organizational Structure .............................................................................................................. 5
1.1.3 Industry ........................................................................................................................................... 7
1.1.4 Organizational Maturity ............................................................................................................... 7
1.2 Information Security Drivers........................................................................................................... 8
1.2.1 Corporate Governance and Organizational Alignment .......................................................... 9
1.2.2 Compliance .................................................................................................................................... 9
1.2.3 Information Privacy .................................................................................................................... 22
2. Corporate Governance Activities .............................................................. 24
2.1 Risk Oversight ................................................................................................................................. 25
2.2 Enterprise Architecture .................................................................................................................. 26
2.2.1 The Zachman Framework ......................................................................................................... 27
2.2.2 The Open Group Architecture Framework (TOGAF) ........................................................ 28
2.2.3 Sherwood Applied Business Security Architecture (SABSA) ............................................... 30
2.2.4 Federal Enterprise Architecture Framework (FEAF) ........................................................... 32
2.2.5 Department of Defense Architecture Framework (DoDAF) .............................................. 34
2.3 Asset Management .......................................................................................................................... 36
2.3.1 Asset Ownership ......................................................................................................................... 37
2.3.2 Classification ................................................................................................................................ 37
2.3.3 Asset Inventory ........................................................................................................................... 39
2.3.4 Asset Value................................................................................................................................... 40
2.3.5 Asset Protection .......................................................................................................................... 41
2.3.6 Asset Management in Practice .................................................................................................. 41
2.4 Managing and Controlling Organizational Changes .................................................................. 42
2.4.1 Change Control ........................................................................................................................... 44
2.4.2 Change Management .................................................................................................................. 44
2.5 Business Continuity Management................................................................................................. 52
2.5.1 Business Impact Analysis ........................................................................................................... 52
2.5.2 Business Continuity Planning .................................................................................................... 53
2.5.3 Disaster Recovery Planning ....................................................................................................... 54
3.3.3 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro ........ 110
3.3.4 Factor Analysis of Information Risk (FAIR) ........................................................................ 111
3.3.5 COBIT Risk Management ....................................................................................................... 111
3.3.6 ITIL Risk Management ............................................................................................................ 112
4. Audit Management ................................................................................... 112
4.1 Evaluation Standards and Controls ............................................................................................ 113
4.2 Analysis and Interpretation of Audit Results ............................................................................ 116
4.3 Outcomes for Ineffective or Missing Controls......................................................................... 116
5. Risk Communication and Organizational Reporting ................................ 116
Domain 2 Summary ........................................................................................ 118