Governance and compliance Flashcards
Governance
IT security governance determines who is authorised to make decisions about cybersecurity risks within an organisation. It demonstrates accountability and provides oversight to ensure that any risks are adequately mitigated and that security strategies are aligned with the organisation’s business objectives and are compliant with regulations.
IT security management
IT security management defines and implements the controls that an organisation needs to have in place to mitigate risks.
Data Governance
Data governance determines who is authorised to make decisions about data within an organisation.
Data owner
A person who ensures compliance with policies and procedures, assigns the proper classification to information assets and determines the criteria for accessing information assets.
Data controller
A person who determines the purpose for which, and the way in which, personal data is processed.
Data processor
A person or organisation who processes personal data on behalf of the data controller.
Data custodian
A person who implements the classification and security controls for the data in accordance with the rules set out by the data owner.
Data steward
A person who ensures that data supports an organisation’s business needs and meets regulatory requirements.
Data protection officer
A person who oversees an organisation’s data protection strategy.
Cybersecurity Policy
A high-level document that outlines an organisation’s vision for cybersecurity, including its goals, needs, scope and responsibilities.
Specifically, it:
- Demonstrates an organisation’s commitment to security.
- Sets the standards of behaviour and security requirements for carrying out activities, processes and operations, and protecting technology and information assets within an organisation.
- Ensures that the acquisition, use and maintenance of system operations, software and hardware are consistent across the organisation.
- Defines the legal consequences of policy violations.
- Gives the security team the support they need from senior management.
Master cybersecurity policy
The blueprint for an organisation’s cybersecurity program; this policy serves as the strategic plan for implementing cybersecurity controls.
System-specific policy
This type of policy is developed for specific devices or computer systems and aims to establish standardisation for approved applications, software, operating system configurations, hardware and hardening countermeasures within an organisation.
Identification and authentication policy
Specifies who should be permitted access to network resources and what verification procedures are in place to facilitate this.
Password policy
Defines minimum password requirements, such as the number and type of characters used and how often passwords need to be changed.
Acceptable use policy
Highlights a set of rules that determine access to and use of network resources. It may also define the consequences of policy violations.