14A - Policies, Standards and Procedures Flashcards
What are Policies?
Policies are high-level, authoritative documents defining the organization’s security commitment.
What are Standards?
Standards are more specific than policies and specify the **methods** used to implement technical and procedural requirements.
E.g., industry standards like ISO/IEC 27001, or an internal standard for password reset that defines appropriate identity verification methods to protect password reset requests from exploitation.
What are Procedures?
Procedures are detailed, step-by-step instructions describing how to complete specific tasks and align to the requirements provided in standards. Procedures provide clear directions for individuals to perform their job duties consistently, securely, and efficiently.
What are Guidelines?
Guidelines describe recommendations that steer actions in a particular job role or department. They are more flexible than policies and allow greater discretion for the individuals implementing them.
Guidelines provide best practices and suggestions on achieving goals and completing tasks effectively and help individuals understand the required steps to comply with a policy or improve effectiveness.
Who is a data owner in data governance?
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
Who is a controller in data governance?
In privacy regulations, the entity that determines why and how personal data is collected, stored, and used. The controller ensures that data processing activities adhere to all legal requirements.
Who is a processor in data governance?
In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector. The processor is responsible for processing personal data on behalf of the controller; it is often a cloud service provider (CSP) but could also be a vendor or business partner.
Who is a custodian in data governance?
An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures. The custodian is also known as the data steward and is responsible for the safe custody, transport, and storage of the data, and for the implementation of business rules.