5.1

Question 1

Data ownership

Answer 1

Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets

Question 2

Data Owner

Answer 2

A senior executive responsible for labeling information assets and ensuring they
are protected with appropriate control

Question 3

Data Controller

Answer 3

Entity responsible for determining data storage, collection, and usage purposes
and methods, as well as ensuring the legality of these processes

Question 4

Data processor

Answer 4

A group or individual hired by the data controller to assist with tasks like data
collection and processing

Question 5

Data Steward

Answer 5

Focuses on data quality and metadata, ensuring data is appropriately labeled and
classified, often working under the data owner

Question 6

Data Custodian

Answer 6

responsible for managing the systems on which data assets are stored, including
enforcing access controls, encryption, and backup measures

Question 7

PRivacy Officer

Answer 7

Oversees privacy-related data, such as personally identifiable information (PII),
sensitive personal information (SPI), or protected health information (PHI),
ensuring compliance with legal and regulatory framework

Question 8

Governance

Answer 8

Overall management of IT infrastructure, policies, procedures, and operations
includes
- Risk Management
○ Identify, assess, and manage potential risks
● Strategic Alignment
○ Ensure IT strategy aligns with business objectives
● Resource Management
○ Efficient and effective use of IT resources
● Performance Measurement
○ Mechanisms for measuring and monitoring the performance of IT
processes

Question 9

Compliance

Answer 9

Adherence to laws, regulations, standards, and policies

Question 10

Policies

Answer 10

■ High-level guidelines indicating organizational commitments
■ Topics Covered
● Acceptable Use Policies
● Information Security Policies
● Business Continuity
● Disaster Recovery
● Incident Response
● Change Management
● Software Development Lifecycle (SDLC)

Question 11

Standards

Answer 11

■ Specific, mandatory actions or rules adhering to policies
■ Covered Standards
● Password Standards
● Access Control Standards
● Physical Security Standards
● Encryption Standards

Question 12

Procedures

Answer 12

■ Step-by-step instructions ensure consistency and compliance
■ Covered Procedures
● Change Management Procedures
● Onboarding and Offboarding Procedures
● Playbooks

Question 13

GRC Triad

Answer 13

Governance Risk and Compliance

Question 14

Purpose of Governance

Answer 14

■ Establishes a strategic framework aligning with objectives and regulations
■ Defines rules, responsibilities, and practices for achieving goals and managing IT
resources

Question 15

Boards

Answer 15

● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions

Question 16

Committees

Answer 16

● Subgroups of boards with specific focuses
● Allows detailed attention to complex areas

Question 17

Government Entities

Answer 17

● Play roles in governance, especially for public and regulated organizations
● Establish laws and regulations for compliance

Question 18

Centralized governance

Answer 18

○ Decision-making authority at top management levels
○ Ensures consistent decisions and clear authority
○ Slower response to local/departmental needs

Question 19

AUP

Answer 19

acceptable use policy
■ Document that outlines the do’s and don’ts for users when interacting with an
organization’s IT systems and resources
■ Defines appropriate and prohibited use of IT systems/resources
■ Aims to protect organizations from legal issues and security threats

Question 20

Info Security Policies

Answer 20

■ Cornerstone of an organization’s security
■ Outlines how an organization protects its information assets from threats, both
internal and extern
These policies cover a range of areas
● Data Classification
● Access Control
● Encryption
● Physical Security
■ Ensures confidentiality, integrity, and availability of data

Question 21

Business Continuity Policy

Answer 21

■ Ensures operations continue during and after disruptions
■ Focuses on critical operation continuation and quick recovery
■ Includes strategies for power outages, hardware failures, and disasters

Question 22

Disaster Recovery Policy

Answer 22

■ Focuses on IT systems and data recovery after disasters
■ Outlines data backup, restoration, hardware/software recovery, and alternative
locations

Question 23

Incident Response Policy

Answer 23

■ Addresses detection, reporting, assessment, response, and learning fromsecurity incidents

Question 24

SDLC Policy

Answer 24

■ Guides software development stages from requirements to maintenance
■ Includes secure coding practices, code reviews, and testing standards
■ Ensures high-quality, secure software meeting user needs

Question 25

Types of Standards

Answer 25

password standards
access control DAC, MAC< Role based etc
physical security
encryption standards

Question 26

Regulations can cover which areas

Answer 26

● Data Protection
● Privacy
● Environmental Standards
● Labor Laws

Question 27

Industry considerations

Answer 27

■ Refer to industry-specific standards, practices, and ethical guidelines
■ Not legally binding but influence customer, partner, and regulator expectations
■ Non-adoption may lead to competitive disadvantages and stakeholder criticism

Question 28

Geographical Considerations

Answer 28

Geographical regulations impact organizations at local, regional, national, and
global levels
■ Local considerations include city ordinances, zoning laws, and operational
restrictions
■ Regional considerations, like CCPA in California, impose state-level regulations
■ National considerations, e.g., ADA in the US, affect businesses across the entire
country
■ Global considerations, like GDPR, apply extraterritorially to organizations dealing
with EU citizens’ data

Question 29

Compliance Reporting

Answer 29

■ Systematic process of collecting and presenting data to demonstrate adherence
to compliance requirements

Question 30

Due diligence

Answer 30

Identifying compliance risks through thorough review

Question 31

Due Care

Answer 31

Mitigating identified risks

Question 32

Attestation

Answer 32

Formal declaration by a responsible party that the organization’s
processes and controls are complian

Question 33

Ackowledgement

Answer 33

Recognition and acceptance of compliance requirements by all relevant
parties