2.3 Governance, Risk, and Compliance III Flashcards
Codifying and enforcing proper behavior and operations. That is, establishing standards of “right” and “wrong,” and enforcing those standards is ______________?
Governance
Enforcing the policies in order to meet those standards is ______________?
Compliance
A __________ is a rule that defines the “right” behavior.
A policy is a rule that defines the “right” behavior.
__________ inform standards for behavior and operations.
Policies inform standards for behavior and operations.
A _____________ defines the policies an organization must have in place.
A governance framework defines the policies an organization must have in place.
The two main types of business goals are:
- Internal/Volitional - Targets that the business sets in its own interest. Ex. An organization might aim to reduce long-term security expenses to less than $400,000.
- External/Imposed - Targets that the business must hit because they will suffer consequences if they do not.
Ex. The requirement that online merchants process all credit card transactions securely, or suffer legal penalties if a customer’s PII is breached.
There are some rules and policies that must be followed by everyone within an organization or industry. Collections of such policies are called ____________.
There are some rules and policies that must be followed by everyone within an organization or industry. Collections of such policies are called governance frameworks.
Frameworks originate from the __________________, the regulatory organization in charge of proposing and enforcing laws regarding financial instruments (for example, stocks, bonds, options), and protecting consumers from fraud.
Frameworks originate from the Securities and Exchange Commission (SEC), the regulatory organization in charge of proposing and enforcing laws regarding financial instruments (for example, stocks, bonds, options), and protecting consumers from fraud.
What is the General Data Protection Regulation (GDPR)?
Protects the private data of all citizens of the EU and European Economic Area (EEA).
What is the Health Insurance Portability and Accountability Act (HIPAA)?
Mandates the protection of medical information.
Payment Card Industry Data Security Standard (PCI DSS) requires that companies ______________.
Requires that companies handling credit card transactions do so securely.
Title II: ___________________ is a provision establishing privacy standards around electronic access to healthcare data. Organizations must uphold the following standards to remain HIPAA compliant:
Title II: HIPAA Administrative Specification is a provision establishing privacy standards around electronic access to healthcare data. Organizations must uphold the following standards to remain HIPAA compliant:
Businesses must enforce policies in order to guarantee __________ with regulations.
Compliance
_________ refer to each rule in the framework, and check that the business is following it.
Auditors refer to each rule in the framework, and check that the business is following it.
In the event a business is found to be non-compliant in any way, the organization will typically respond by:
- Acknowledging that they are aware of the non-compliance.
- Determining a timeline to fix the issue.
- Developing a plan to bring the organization back into compliance.
________________ and ________________ planning focus on contingency plans in the event of a disruption or disaster, and ensure that the business can resume daily operations.
Business continuity planning (BCP) and disaster recovery (DR) planning focus on contingency plans in the event of a disruption or disaster, and ensure that the business can resume daily operations.
A breach can have one of two results:
- Mild / Moderate Breach: The business has been impacted, but can still handle day-to-day operations at a greater cost.
- Serious / Catastrophic Breach: The business has been impacted so severely that they cannot operate.
Instead, they must use their __________ to contain the incident, __________ from the disaster, and eventually __________ to operation.
Instead, they must use their resources to contain the incident, recover from the disaster, and eventually return to operation.
What’s the difference between BCP and DR?
Business Continuity Planning focuses on processes and procedures an organization must consider in order to ensure business critical functions continue during and after a disaster.
Disaster Recovery focuses on the specific steps an organization must take to resume work after a disaster.
Contingency planning results in a contingency policy statement, which establishes the organization’s framework and responsibilities for maintaining confidentiality, integrity, and availability of data. It includes:
- Responsibilities of an emergency response team
- Resource requirements
- Training requirements
- Schedule for plan maintenance
_____________ represents the amount of data that a business can afford to lose/recover (given the most recent backup copy of the data) after a disruption or system outage.
Recovery Point Objective (RPO) represents the amount of data that a business can afford to lose/recover (given the most recent backup copy of the data) after a disruption or system outage.
A pivotal step in BCP and DR planning is the Business Impact Analysis and Risk Assessment. Goals include:
- Identify key processes and functions of the business.
- Establish a detailed list of requirements for business recovery.
- Determine the resource requirements needed to resume key processes.
- Evaluate the impact on daily operations.
- Develop priorities and classifications of business processes and functions.
- Develop recovery time requirements.
- Determine the financial, operational, and legal impact of disruptions.
__________________ is the total amount of time a system can afford to be unavailable for users and the business.
Maximum Tolerable Downtime (MTD) is the total amount of time a system can afford to be unavailable for users and the business.
- Recovery Time Objective (RTO) is the maximum tolerable amount of time needed to bring all critical systems back online after a disaster has occurred.
- Work Recovery Time (WRT) is the time available to get the systems working again. WRT is the remainder of the MTD after the RTO. If MTD is four days and RTO is one day, WRT is three days.