# Security Governance Principles

## Evaluate and Apply Security Governance

* ***Security governance***
  * Collection of practices related to supporting, defining, and directing the security efforts of an organization
  * ***Goal:*** maintain business processes while striving for growth and resiliency
  * Implements a security solution and a management method that are tightly interconnected
* ***Control Objectives for Information and Related Technology (COBIT)***
  * Documented set of best IT security practices
  * Five key principles for the governance and management of enterprise IT
    * *Principle 1:* Meeting stakeholder needs
    * *Principle 2:* Covering the enterprise end-to-end
    * *Principle 3:* Applying a single, integrated framework
    * *Principle 4:* Enabling a holistic approach
    * *Principle 5:* Separating governance from management

#### Security Framework References

***

* [NIST 800-53](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf)
* [NIST 800-100](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf)

#### Other Standards and Guidelines

***

* [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/OSSTMM.3.pdf)
* [ISO/IEC 27002](https://www.iso.org/standard/54533.html)
* [ITIL Library](https://www.itlibrary.org/)
