5.4 Flashcards
Compliance
observing a rule, such as a policy, standard, specification, or law
Regulatory compliance
outlines the goals organizations want to accomplish to certify that they understand and take actions to comply with policies, relevant laws, and regulations
Regulatory compliance example:
companies that provide products and services to the U.S. federal government must meet certain security directives set by NIST
Compliance monitoring
a continuous process to ensure that all organizational subjects are adhering to the published policies and procedures
Goals of compliance monitoring include:
- Exposing compliance risk issues in an organization’s operations or functions
- Helping organizations achieve consistent regulatory compliance and avoid areas of non-compliance
Compliance monitoring activities include:
- Monitoring for continuous certification and accreditation
- Publishing all compliance and regulatory requirements
- Tracking and recording all compliance and remediation initiatives
- Supporting a compliance manager enforcing a Separation of Duty (SOD) or larger Zero Trust initiative
- May be an activity for one with the role of a data steward in some organizations
Due diligence
relates to the act of performing thorough research before committing to a particular plan of action
It involves proper information gathering, planning, testing, and strategizing before development, production, and deployment
Due diligence examples:
- Comprehensive background check practices for hiring
- Investigating a cloud service provider (CSP) thoroughly before signing a memorandum of understanding (MOU)
- Testing and evaluating nonrepudiation techniques (digital signatures) before signing contracts or using code
Due care
refers to the degree of attention that a reasonable person takes for a particular entity
It is the level of judgment, attention, and activity that a person would engage in under similar circumstances
Compliance attestation
a formal validation document that is used to certify an organization’s status to interested external parties
Compliance acknowledgment
typically involves a statement affirming that an authorized enterprise understands and will adhere to its confidentiality obligations and a security and privacy mandate
Compliance acknowledgment examples:
- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH)
- SOC1/2
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- CSA Cloud Controls Matrix (CCM)
- Other regulations and governance
Compliance processes
are time-consuming, and when no automation is involved, they quickly consume productive hours
Manual workflow vs. automated compliance tool, time to complete:
A manual workflow can take around 150 hours, while an automated compliance tool may only need about 10-12 hours to complete
Compliance automation
tools ensure that data is protected and governed according to the applicable regulations, such as GDPR
Compliance automation tasks can include self-assessment, planning and monitoring controls, testing, and reporting