Governance and Compliance Flashcards
GRC Triad
Governance, Risk, and Compliance
Governance
Strategic leadership, structures, and processes ensuring IT aligns with business objectives
Involves risk management, resource allocation, and performance measurement
Board
Elected by shareholders to oversee organization management
Responsible for setting strategic direction, policies, and major decisions
Committee
Subgroups of boards with specific focuses
Government Entities
Play roles in governance, especially for public and regulated organizations
Establish laws and regulations for compliance
AUP
Acceptable Use Policy
Document that outlines the do’s and don’ts for users when interacting with an organization’s IT systems and resources
Information Security Policies
Outline how an organization protects its information assets from threats, both internal and external
Business Continuity Policy
Ensures operations continue during and after disruptions
Disaster Recovery Policy
Focuses on IT systems and data recovery after disasters
Incident Response Policy
Addresses detection, reporting, assessment, response, and learning from security incidents
Software Development Lifecycle (SDLC) Policy
Guides software development stages from requirements to maintenance
Change Management Policy
Governs handling of IT system/process changes
DAC
Discretionary Access Control
MAC
Mandatory Access Control
RBAC
Role-Based Access Control
Playbook
Detailed guide for specific tasks or processes that provides step-by-step instructions for consistent and efficient execution
Regulatory Considerations
Regulations cover areas such as
● Data Protection
● Privacy
● Environmental Standards
● Labor Laws
Legal Considerations
Complement regulatory considerations, encompassing contract, intellectual property, and corporate law
Industry Considerations
Refer to industry-specific standards, practices, and ethical guidelines
Geographical Considerations
Geographical regulations impact organizations at local, regional, national, and global levels (e.g. CCPA in California, GDPR in Europe)
Compliance
Ensures adherence to laws, regulations, guidelines, and specifications
Due Care
Mitigating identified risks
Attestation
Formal declaration by a responsible party that the organization’s processes and controls are compliant
Acknowledgement
Recognition and acceptance of compliance requirements by all relevant parties