5.0 Governance Risk and Compliance Flashcards
A control that focuses on the design of security or on the policy implementation associated with it. We might have a set of security policies for our organization, or a set of standard operating procedures that everyone is expected to follow.
Managerial Control
Controls that are managed by people. If we have security guards posted at the front doors, or we have an awareness program to let people know that phishing is a significant
Operational control
A control type that uses our own systems to prevent some of these security events from occurring, such as antivirus implemented on your workstations or a firewall connecting you to the internet.
Technical control
A control type that prevents access to a particular area. Locks on a door or a security guard would certainly prevent access, as would a firewall, especially if we have a connection to the internet.
Preventive control
A control type that commonly identifies and records that a security event has occurred, but may not be able to prevent the access itself.
Detective control
A control that takes action to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity.
Corrective control
A control that may not stop an intrusion from occurring, but may deter someone from attempting one.
Deterrent control
A control put into place when specific requirements for compliance can't be met with the existing controls.
Compensating control
A document stipulating the constraints and practices that a user must agree to in order to access a corporate network, the internet, or other resources.
AUP (Acceptable Use Policy)
A nonbinding agreement that states each party's intentions to take action, conduct a business transaction, or form a new partnership.
Memorandum of Understanding
Looks for the classic case of garbage in, garbage out: accurate measurements lead to accurate data, which lead to the best possible decisions for designing and manufacturing a product, while faulty measurements lead to faulty data, which lead to poor decisions for designing and manufacturing a product.
Measurement system analysis
An agreement that establishes rules for two or more parties going into business together. It's a legally binding document that outlines every detail of the business operations, ownership stakes, financials, responsibilities, and decision-making strategies.
Business partnership agreement
A regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
General Data Protection Regulation
A nonprofit entity whose mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyberdefense." It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world.
Center for Internet Security
An institute that helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
NIST (National Institute of Standards and Technology)
A template and guideline used by companies to identify, eliminate and minimize risks; also part of NIST.
Risk Management Framework
A non-government standard that is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
ISO 27001
A non-government standard that gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
ISO 27002
A non-government standard that specifies the requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
ISO 27701
A risk management framework that is an international standard from the International Organization for Standardization, providing businesses with guidelines and principles for risk management.
ISO 31000
The world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
Cloud Security Alliance