5.4

Question 1

Compliance

Answer 1

as observing a rule, such
as a policy, standard, specification, or law

Question 2

Regulatory compliance

Answer 2

outlines the goals
organizations want to accomplish to certify that they understand and take actions to comply with policies, relevant laws, and regulations

Question 3

Regulatory compliance example:

Answer 3

companies that provide products and services to the U.S. federal government
must meet certain security directives set by NIST

Question 4

Compliance monitoring

Answer 4

a continuous process to
ensure that all organizational subjects are adhering to all policies and procedures in the published policies and procedures

Question 5

Goals of compliance monitoring include:

Answer 5

• Exposing compliance risk issues in an organization’s
  operations or functions
• Helping organizations achieve consistent regulatory
  compliance and avoid areas of non-compliance

Question 6

compliance monitoring activities include:

Answer 6

• Monitoring for continuous certification and
  accreditation
• Publishing all compliance and regulatory
  requirements
• Tracking and recording all compliance and
  remediation initiatives
• Supporting a compliance manager enforcing a Separation of Duty (SOD) or larger Zero Trust initiative
• May be an activity for one with the role of a data steward in some organizations

Question 7

Due diligence

Answer 7

relates to the act of performing thorough research before committing to a
particular plan of action

It involves proper information gathering,
planning, testing, and strategizing before
development, production, and deployment

Question 8

Due diligence examples:

Answer 8

• Comprehensive background check practices for hiring
• Investigating a cloud service provider (CSP)
  thoroughly before
  signing a memorandum of understanding (MOU)
• Testing and evaluating nonrepudiation
  techniques (digital signatures) before signing contracts or using code

Question 9

Due care

Answer 9

refers to the degree of attention that a
reasonable person takes for a particular entity

Is the level of judgment, attention, and activity that a person would engage in under similar
circumstances

Question 10

Compliance attestation

Answer 10

a formal validation document that is used to certify an organization’s status to interested external parties

Question 11

Compliance acknowledgment

Answer 11

typically involves a
statement affirming that an authorized enterprise
understands and will adhere to their
confidentiality obligations and a security and
privacy mandate

Question 12

Compliance acknowledgment example:

Answer 12

• Sarbanes-Oxley (SOX)
• Health Insurance Portability and Accountability Act
  (HIPAA)/Health Information Technology for
  Economic and Clinical Health (HITECH)
• SOC1/2
• Payment Card Industry Data Security Standard (PCI
  DSS)
• General Data Protection Regulation (GDPR)
• CSA Cloud Controls Matrix (CCM)
• Other regulations and governance

Question 13

Compliance processes

Answer 13

are time-consuming, and when there is no
automation involved, it quickly uses productive hours

Question 14

manual workflow vs manual compliance tool time to complete

Answer 14

A manual workflow can take around 150 hours, while an automated compliance tool may only need about 10-12 hours to complete

Question 15

Compliance automation

Answer 15

tools ensure the protection of data and
are governed according to the applicable regulations such as
GDPR

Question 16

compliance automation tasks can include

Answer 16

self-assessment, planning and monitoring
controls, testing, and reporting

Question 17

Compliance automation tools can assist enterprises to:

Answer 17

reduce
non-compliance risk, improve efficiency, and attain better
visibility

Question 18

Internal compliance

Answer 18

reporting allows organizations
to institute internal controls, monitor employee
behavior, and detect potential fraud, misconduct,
or non-compliant activities

Question 19

Internal compliance examples:

Answer 19

• Adhere to regulatory requirements
• Maintain stakeholder trust
• Mitigate risk
• Support ethical considerations and corporate social
  responsibility (CSR)
• Establish internal governance and performance
  monitoring

Question 20

External compliance

Answer 20

refers to following the rules, laws, and standards set by a Government entity

Question 21

External compliance goals:

Answer 21

to avoid any negative impact on
the organization such as fines, penalties, and loss of corporate goodwill

Question 22

Privacy considerations:

Answer 22

• Legal implications
• Local/regional, national/global distinctives
• Data subjects (controller vs. processor)
• Ownership
• Data inventory and retention
• Right to be forgotten

Question 23

right to be forgotten

Answer 23

right to obtain from the controller the erasure of personal
data concerning him or her without undue delay and the
controller shall have the obligation to erase personal data
without undue delay if one of a number of conditions applies

Question 24

“Undue delay” is typically about:

Answer 24

a month

Question 25

Nondisclosure agreement (NDA)

Answer 25

legally enforceable contracts that generate a confidential/private relationship between an entity that has
sensitive information and an entity who will gain access to
that information

Question 26

A confidential relationship means:

Answer 26

one or both parties has a duty not to share that information

Question 27

NDA’s can be signed:
(examples)

Answer 27

• At the outset of a pre-engagement meeting
• Early in the interview process
• As part of the hiring and post-termination process
• In anticipation of a Memorandum of Agreement (MOA)
  or Memorandum of Understanding (MOU)

Question 28

Memorandum of agreement (MOA)

Answer 28

a written document
describing a cooperation between two entities that
want to work together on a project or an agreed-upon objective

**more formal than a verbal agreement but less formal than
a contract

Question 29

memorandum of understanding (MOU)

Answer 29

a nonbinding
agreement that declares each party’s objectives in
performing a business transaction or initiating a new partnership

** This form of agreement may also be referred to as a letter
of intent (LOI) or MOA

Question 30

MOU goal is to

Answer 30

attain a mutual understanding of the
partnership so that both parties can move forward into an enforceable contract

Question 31

Service Level Agreement (SLA)

Answer 31

A provider must realize that the use of contractual agreements such as hosting/connection
agreements and SLAs are used to allocate shared responsibility and risk among both providers and consumers

Question 32

SLA clarifies:

Answer 32

the support system (service desk)
response to problems or outages for an agreed level of service (based on support plan)

Question 33

An SLA defines:

Answer 33

the precise responsibilities of the
provider and sets customer expectations

Question 34

master service agreement (MSA)

Answer 34

is a contract two parties enter into during a
service transaction

• This agreement details the expectations of both parties
  **like an SLA

Question 35

The goal of a master service agreement is to:

Answer 35

make the
contract process faster

It also should make future contract agreements simpler

Question 36

work order (WO)

Answer 36

a document that delivers all the information
about an ongoing maintenance task and outlines a process
for completing that activity

Question 37

Work orders can include details regarding:

Answer 37

• Who authorized the job
• The scope
• Who the job/task is assigned to
• What are all expectations (delivery time or date)

Question 38

statement of work (SOW)

Answer 38

an agreement that establishes the
expectations for a project or program and aligning the team(s) involved

an SOW is a document of agreement
between a client and service or agent defining the
scope and details of a project

**first piece of paperwork

Question 39

SOW should detail

Answer 39

should clarify price, cost, timeline,
deliverables, process, expectations of
requirements, invoicing schedules, and much
more, depending on the scope and breadth of the
project

Question 40

Business partnership agreement (BPA)

Answer 40

establishes rules for two or more parties
going into business together

*a legally binding document that outlines every detail of the business operations, ownership stakes,
financials, accountabilities, and decision-making
approach and strategies

Question 41

what are the different partnerships:

Answer 41

• General partnerships
• Limited partnerships
• Limited liability partnerships
• Limited liability limited partnerships