5.1 Flashcards

1
Q

Data ownership

A

Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets

2
Q

Data Owner

A

A senior executive responsible for classifying and labeling information assets and
ensuring they are protected with appropriate controls

3
Q

Data Controller

A

Entity responsible for determining data storage, collection, and usage purposes
and methods, as well as ensuring the legality of these processes

4
Q

Data processor

A

A group or individual engaged by the data controller to collect or process data on
the controller's behalf and under its instructions

5
Q

Data Steward

A

Focuses on data quality and metadata, ensuring data is appropriately labeled and
classified, often working under the data owner

6
Q

Data Custodian

A

Responsible for managing the systems on which data assets are stored, including
enforcing access controls, encryption, and backup measures

7
Q

Privacy Officer

A

Oversees privacy-related data, such as personally identifiable information (PII),
sensitive personal information (SPI), or protected health information (PHI),
ensuring compliance with legal and regulatory frameworks

8
Q

Governance

A

Overall management of IT infrastructure, policies, procedures, and operations;
includes:
● Risk Management
○ Identify, assess, and manage potential risks
● Strategic Alignment
○ Ensure IT strategy aligns with business objectives
● Resource Management
○ Efficient and effective use of IT resources
● Performance Measurement
○ Mechanisms for measuring and monitoring the performance of IT
processes

9
Q

Compliance

A

Adherence to laws, regulations, standards, and policies

10
Q

Policies

A

■ High-level guidelines indicating organizational commitments
■ Topics Covered
● Acceptable Use Policies
● Information Security Policies
● Business Continuity
● Disaster Recovery
● Incident Response
● Change Management
● Software Development Lifecycle (SDLC)

11
Q

Standards

A

■ Specific, mandatory actions or rules adhering to policies
■ Covered Standards
● Password Standards
● Access Control Standards
● Physical Security Standards
● Encryption Standards

12
Q

Procedures

A

■ Step-by-step instructions that ensure consistency and compliance
■ Covered Procedures
● Change Management Procedures
● Onboarding and Offboarding Procedures
● Playbooks

13
Q

GRC Triad

A

Governance, Risk, and Compliance

14
Q

Purpose of Governance

A

■ Establishes a strategic framework aligning with objectives and regulations
■ Defines rules, responsibilities, and practices for achieving goals and managing IT
resources

15
Q

Boards

A

● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions

16
Q

Committees

A

● Subgroups of boards with specific focuses
● Allows detailed attention to complex areas

17
Q

Government Entities

A

● Play roles in governance, especially for public and regulated organizations
● Establish laws and regulations for compliance

18
Q

Centralized governance

A

○ Decision-making authority at top management levels
○ Ensures consistent decisions and clear authority
○ Slower response to local/departmental needs

19
Q

AUP

A

acceptable use policy
■ Document that outlines the do’s and don’ts for users when interacting with an
organization’s IT systems and resources
■ Defines appropriate and prohibited use of IT systems/resources
■ Aims to protect organizations from legal issues and security threats

20
Q

Info Security Policies

A

■ Cornerstone of an organization's security
■ Outlines how an organization protects its information assets from threats, both
internal and external
■ These policies cover a range of areas:
● Data Classification
● Access Control
● Encryption
● Physical Security
■ Ensures confidentiality, integrity, and availability of data

21
Q

Business Continuity Policy

A

■ Ensures operations continue during and after disruptions
■ Focuses on critical operation continuation and quick recovery
■ Includes strategies for power outages, hardware failures, and disasters

22
Q

Disaster Recovery Policy

A

■ Focuses on IT systems and data recovery after disasters
■ Outlines data backup, restoration, hardware/software recovery, and alternative
locations

23
Q

Incident Response Policy

A

■ Addresses detection, reporting, assessment, response, and learning from security incidents

24
Q

SDLC Policy

A

■ Guides software development stages from requirements to maintenance
■ Includes secure coding practices, code reviews, and testing standards
■ Ensures high-quality, secure software meeting user needs

25
Q

Types of Standards

A

● Password standards
● Access control standards (DAC, MAC, role-based, etc.)
● Physical security standards
● Encryption standards

26
Q

Regulations can cover which areas

A

● Data Protection
● Privacy
● Environmental Standards
● Labor Laws

27
Q

Industry considerations

A

■ Refer to industry-specific standards, practices, and ethical guidelines
■ Not legally binding but influence customer, partner, and regulator expectations
■ Non-adoption may lead to competitive disadvantages and stakeholder criticism

28
Q

Geographical Considerations

A

Geographical regulations impact organizations at local, regional, national, and
global levels
■ Local considerations include city ordinances, zoning laws, and operational
restrictions
■ Regional considerations, like CCPA in California, impose state-level regulations
■ National considerations, e.g., ADA in the US, affect businesses across the entire
country
■ Global considerations, like GDPR, apply extraterritorially to organizations that
process the personal data of individuals in the EU

29
Q

Compliance Reporting

A

■ Systematic process of collecting and presenting data to demonstrate adherence
to compliance requirements

30
Q

Due diligence

A

Identifying compliance risks through thorough review

31
Q

Due Care

A

Mitigating identified risks

32
Q

Attestation

A

Formal declaration by a responsible party that the organization's
processes and controls are compliant

33
Q

Acknowledgement

A

Recognition and acceptance of compliance requirements by all relevant
parties