5.1 Flashcards
Data ownership
Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets
Data Owner
A senior executive responsible for labeling information assets and ensuring they
are protected with appropriate controls
Data Controller
Entity responsible for determining data storage, collection, and usage purposes
and methods, as well as ensuring the legality of these processes
Data processor
A group or individual hired by the data controller to assist with tasks like data
collection and processing
Data Steward
Focuses on data quality and metadata, ensuring data is appropriately labeled and
classified, often working under the data owner
Data Custodian
Responsible for managing the systems on which data assets are stored, including
enforcing access controls, encryption, and backup measures
Privacy Officer
Oversees privacy-related data, such as personally identifiable information (PII),
sensitive personal information (SPI), or protected health information (PHI),
ensuring compliance with legal and regulatory frameworks
Governance
Overall management of IT infrastructure, policies, procedures, and operations
Includes
● Risk Management
○ Identify, assess, and manage potential risks
● Strategic Alignment
○ Ensure IT strategy aligns with business objectives
● Resource Management
○ Efficient and effective use of IT resources
● Performance Measurement
○ Mechanisms for measuring and monitoring the performance of IT
processes
Compliance
Adherence to laws, regulations, standards, and policies
Policies
■ High-level guidelines indicating organizational commitments
■ Topics Covered
● Acceptable Use Policies
● Information Security Policies
● Business Continuity
● Disaster Recovery
● Incident Response
● Change Management
● Software Development Lifecycle (SDLC)
Standards
■ Specific, mandatory actions or rules adhering to policies
■ Covered Standards
● Password Standards
● Access Control Standards
● Physical Security Standards
● Encryption Standards
Procedures
■ Step-by-step instructions that ensure consistency and compliance
■ Covered Procedures
● Change Management Procedures
● Onboarding and Offboarding Procedures
● Playbooks
GRC Triad
Governance, Risk, and Compliance
Purpose of Governance
■ Establishes a strategic framework aligning with objectives and regulations
■ Defines rules, responsibilities, and practices for achieving goals and managing IT
resources
Boards
● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions
Committees
● Subgroups of boards with specific focuses
● Allows detailed attention to complex areas
Government Entities
● Play roles in governance, especially for public and regulated organizations
● Establish laws and regulations for compliance
Centralized governance
○ Decision-making authority at top management levels
○ Ensures consistent decisions and clear authority
○ Slower response to local/departmental needs
AUP
acceptable use policy
■ Document that outlines the do’s and don’ts for users when interacting with an
organization’s IT systems and resources
■ Defines appropriate and prohibited use of IT systems/resources
■ Aims to protect organizations from legal issues and security threats
Info Security Policies
■ Cornerstone of an organization’s security
■ Outlines how an organization protects its information assets from threats, both
internal and external
These policies cover a range of areas
● Data Classification
● Access Control
● Encryption
● Physical Security
■ Ensures confidentiality, integrity, and availability of data
Business Continuity Policy
■ Ensures operations continue during and after disruptions
■ Focuses on critical operation continuation and quick recovery
■ Includes strategies for power outages, hardware failures, and disasters
Disaster Recovery Policy
■ Focuses on IT systems and data recovery after disasters
■ Outlines data backup, restoration, hardware/software recovery, and alternative
locations
Incident Response Policy
■ Addresses detection, reporting, assessment, response, and learning from security incidents
SDLC Policy
■ Guides software development stages from requirements to maintenance
■ Includes secure coding practices, code reviews, and testing standards
■ Ensures high-quality, secure software meeting user needs
Types of Standards
Password standards
Access control standards (DAC, MAC, role-based, etc.)
Physical security standards
Encryption standards
Regulations can cover which areas
● Data Protection
● Privacy
● Environmental Standards
● Labor Laws
Industry considerations
■ Refer to industry-specific standards, practices, and ethical guidelines
■ Not legally binding but influence customer, partner, and regulator expectations
■ Non-adoption may lead to competitive disadvantages and stakeholder criticism
Geographical Considerations
Geographical regulations impact organizations at local, regional, national, and
global levels
■ Local considerations include city ordinances, zoning laws, and operational
restrictions
■ Regional considerations, like CCPA in California, impose state-level regulations
■ National considerations, e.g., ADA in the US, affect businesses across the entire
country
■ Global considerations, like GDPR, apply extraterritorially to organizations dealing
with EU citizens’ data
Compliance Reporting
■ Systematic process of collecting and presenting data to demonstrate adherence
to compliance requirements
Due diligence
Identifying compliance risks through thorough review
Due Care
Mitigating identified risks
Attestation
Formal declaration by a responsible party that the organization’s
processes and controls are compliant
Acknowledgement
Recognition and acceptance of compliance requirements by all relevant
parties