5.4 Flashcards
Compliance
Observing a rule, such as a policy, standard, specification, or law
Regulatory compliance
Outlines the goals organizations want to accomplish to certify that they understand and take actions to comply with policies, relevant laws, and regulations
Regulatory compliance example:
Companies that provide products and services to the U.S. federal government must meet certain security directives set by NIST
Compliance monitoring
A continuous process to ensure that all organizational subjects adhere to the organization's published policies and procedures
Goals of compliance monitoring include:
- Exposing compliance risk issues in an organization's operations or functions
- Helping organizations achieve consistent regulatory compliance and avoid areas of non-compliance
Compliance monitoring activities include:
- Monitoring for continuous certification and accreditation
- Publishing all compliance and regulatory requirements
- Tracking and recording all compliance and remediation initiatives
- Supporting a compliance manager enforcing a Separation of Duty (SOD) or larger Zero Trust initiative
- In some organizations, compliance monitoring may be an activity assigned to the data steward role
Due diligence
Relates to the act of performing thorough research before committing to a particular plan of action
It involves proper information gathering, planning, testing, and strategizing before development, production, and deployment
Due diligence examples:
- Comprehensive background check practices for hiring
- Investigating a cloud service provider (CSP) thoroughly before signing a memorandum of understanding (MOU)
- Testing and evaluating nonrepudiation techniques (digital signatures) before signing contracts or using code
Due care
Refers to the degree of attention that a reasonable person takes for a particular entity
It is the level of judgment, attention, and activity that a person would engage in under similar circumstances
Compliance attestation
A formal validation document that is used to certify an organization's status to interested external parties
Compliance acknowledgment
Typically involves a statement affirming that an authorized enterprise understands and will adhere to its confidentiality obligations and a security and privacy mandate
Compliance acknowledgment examples:
- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH)
- SOC1/2
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- CSA Cloud Controls Matrix (CCM)
- Other regulations and governance
Compliance processes
Are time-consuming, and when no automation is involved they quickly consume productive hours
Manual workflow vs. automated compliance tool time to complete:
A manual workflow can take around 150 hours, while an automated compliance tool may only need about 10-12 hours to complete
Compliance automation
Tools that ensure data is protected and governed according to the applicable regulations, such as GDPR
Compliance automation tasks can include self-assessment, planning and monitoring controls, testing, and reporting
Compliance automation tools can assist enterprises to:
reduce non-compliance risk, improve efficiency, and attain better visibility
Internal compliance
Reporting that allows organizations to institute internal controls, monitor employee behavior, and detect potential fraud, misconduct, or non-compliant activities
Internal compliance examples:
- Adhere to regulatory requirements
- Maintain stakeholder trust
- Mitigate risk
- Support ethical considerations and corporate social responsibility (CSR)
- Establish internal governance and performance monitoring
External compliance
Refers to following the rules, laws, and standards set by a government entity
External compliance goals:
to avoid any negative impact on the organization, such as fines, penalties, and loss of corporate goodwill
Privacy considerations:
- Legal implications
- Local/regional, national/global distinctives
- Data subjects (controller vs. processor)
- Ownership
- Data inventory and retention
- Right to be forgotten
Right to be forgotten
The right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller's obligation to erase personal data without undue delay if one of a number of conditions applies
“Undue delay” is typically about:
a month
Nondisclosure agreement (NDA)
A legally enforceable contract that creates a confidential/private relationship between an entity that has sensitive information and an entity that will gain access to that information
A confidential relationship means:
One or both parties have a duty not to share that information
NDAs can be signed (examples):
- At the outset of a pre-engagement meeting
- Early in the interview process
- As part of the hiring and post-termination process
- In anticipation of a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU)
Memorandum of agreement (MOA)
A written document describing cooperation between two entities that want to work together on a project or an agreed-upon objective
**more formal than a verbal agreement but less formal than a contract
Memorandum of understanding (MOU)
A nonbinding agreement that declares each party's objectives in performing a business transaction or initiating a new partnership
** This form of agreement may also be referred to as a letter of intent (LOI) or MOA
The goal of an MOU is to attain a mutual understanding of the partnership so that both parties can move forward into an enforceable contract
Service Level Agreement (SLA)
A provider must realize that contractual agreements such as hosting/connection agreements and SLAs are used to allocate shared responsibility and risk among both providers and consumers
SLA clarifies:
the support system's (service desk) response to problems or outages for an agreed level of service (based on the support plan)
An SLA defines:
the precise responsibilities of the provider and sets customer expectations
Master service agreement (MSA)
A contract two parties enter into during a service transaction
- This agreement details the expectations of both parties
**like an SLA
The goal of a master service agreement is to:
make the contract process faster
It should also make future contract agreements simpler
Work order (WO)
A document that delivers all the information about an ongoing maintenance task and outlines a process for completing that activity
Work orders can include details regarding:
- Who authorized the job
- The scope
- Who the job/task is assigned to
- All expectations (such as delivery time or date)
Statement of work (SOW)
An agreement that establishes the expectations for a project or program and aligns the team(s) involved
An SOW is a document of agreement between a client and a service provider or agent defining the scope and details of a project
**first piece of paperwork
An SOW should clarify price, cost, timeline, deliverables, process, expectations of requirements, invoicing schedules, and much more, depending on the scope and breadth of the project
Business partnership agreement (BPA)
Establishes rules for two or more parties going into business together
*a legally binding document that outlines every detail of the business operations, ownership stakes, financials, accountabilities, and decision-making approach and strategies
What are the different types of partnership:
- General partnerships
- Limited partnerships
- Limited liability partnerships
- Limited liability limited partnerships