GOVERNANCE Flashcards
HIPAA (Regulation)
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is an example of a law that governs the use of protected health information (PHI) in the United States. Violation of the HIPAA rule carries the possibility of fines and/or imprisonment for both individuals and companies.
GDPR (Regulation)
The General Data Protection Regulation (GDPR) was enacted by the European Union (EU) to control the use of Personally Identifiable Information (PII) of its citizens and those living in the EU. It includes provisions that apply financial penalties to companies that handle data of EU citizens and those living in the EU, even if the company does not have a physical presence in the EU, giving this regulation an international reach.
ISO (Standardization)
International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards.
NIST (Standardization)
The National Institute of Standards and Technology (NIST) is a United States government agency under the Department of Commerce and publishes a variety of technical standards in addition to information technology and information security standards. Many of the standards issued by NIST are requirements for U.S. government agencies and are considered recommended standards by industries worldwide.
IETF (Standardization)
The Internet Engineering Task Force (IETF) publishes standards for communication protocols that ensure all computers can connect with each other across borders, even when the operators do not speak the same language.
IEEE (Standardization)
The Institute of Electrical and Electronics Engineers (IEEE) also sets standards for telecommunications, computer engineering and similar disciplines.
Regulations and Laws (1)
Regulations are commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for noncompliance.
Regulations and associated fines and penalties can be imposed by governments at the national, regional or local level.
LAWS ISSUED
Standards (2)
Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.
Organizations use multiple standards as part of their information systems security programs, both as compliance documents and as advisories or guidelines.
Standards cover a broad range of issues and ideas and may provide assurance that an organization is operating with policies and procedures that support regulations and are widely accepted best practices.
COMPLIANCE DOCUMENTS OR GUIDELINES OR ADVISORIES
Policies (3)
Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.
SUPPORTS
Procedure (4)
Procedures are the detailed steps to complete a task that support departmental or organizational policies.
STEP BY STEP
Policies
Policies are the highest-level governance documents in an organization, usually approved and issued by management, usually to support a compliance initiative.
SUPPORTS
Procedure
A security practitioner who needs step-by-step instructions to complete a provisioning task might use a procedure to ensure they are performing the task in a consistent manner.
STEP BY STEP
Standards
Frameworks or Standards are often offered by third-party organizations and cover specific advisory or compliance objectives.
Regulations
Usually mandated by a government agency, Laws or Regulations are a set of rules that everyone must comply with and usually carry monetary penalties for noncompliance.