5.1 Flashcards
Data ownership
Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets
Data Owner
A senior executive responsible for labeling information assets and ensuring they
are protected with appropriate controls
Data Controller
Entity that determines the purposes and methods of collecting, storing, and using
data, and is responsible for ensuring that this processing is lawful
Data Processor
A group or individual hired by the data controller to assist with tasks such as
data collection and processing
Data Steward
Focuses on data quality and metadata, ensuring data is appropriately labeled and
classified, often working under the data owner
Data Custodian
Responsible for managing the systems on which data assets are stored, including
enforcing access controls, encryption, and backup measures
Privacy Officer
Oversees privacy-related data, such as personally identifiable information (PII),
sensitive personal information (SPI), or protected health information (PHI),
ensuring compliance with legal and regulatory frameworks
Governance
Overall management of IT infrastructure, policies, procedures, and operations
includes
● Risk Management
○ Identify, assess, and manage potential risks
● Strategic Alignment
○ Ensure IT strategy aligns with business objectives
● Resource Management
○ Efficient and effective use of IT resources
● Performance Measurement
○ Mechanisms for measuring and monitoring the performance of IT
processes
Compliance
Adherence to laws, regulations, standards, and policies
Policies
■ High-level guidelines indicating organizational commitments
■ Topics Covered
● Acceptable Use Policies
● Information Security Policies
● Business Continuity
● Disaster Recovery
● Incident Response
● Change Management
● Software Development Lifecycle (SDLC)
Standards
■ Specific, mandatory actions or rules adhering to policies
■ Covered Standards
● Password Standards
● Access Control Standards
● Physical Security Standards
● Encryption Standards
Procedures
■ Step-by-step instructions that ensure consistency and compliance
■ Covered Procedures
● Change Management Procedures
● Onboarding and Offboarding Procedures
● Playbooks
GRC Triad
Governance, Risk, and Compliance
Purpose of Governance
■ Establishes a strategic framework aligning with objectives and regulations
■ Defines rules, responsibilities, and practices for achieving goals and managing IT
resources
Boards
● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions