Governance and Compliance Flashcards
■ Part of the GRC triad
■ Strategic leadership, structures, and processes ensuring IT aligns with business objectives
■ Involves risk management, resource allocation, and performance measurement
The purpose is to:
■ Establish a strategic framework aligned with objectives and regulations
■ Define rules, responsibilities, and practices for achieving goals and managing IT resources
Governance
● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions
Boards
(Governance Structures)
● Subgroups of boards with specific focuses
● Allow detailed attention to complex areas
Committees
(Governance Structures)
● Play roles in governance, especially for public and regulated organizations
● Establish laws and regulations for compliance
Government Entities
(Governance Structures)
○ Decision-making authority at top management levels
○ Ensures consistent decisions and clear authority
○ Slower response to local/departmental needs
Centralized Structures
○ Decision-making authority distributed throughout the organization
○ Enables quicker decisions and local responsiveness
○ Potential for inconsistencies
Decentralized Structures
■ Document that outlines the do’s and don’ts for users when interacting with an organization’s IT systems and resources
■ Defines appropriate and prohibited use of IT systems/resources
■ Aims to protect organizations from legal issues and security threats
Acceptable Use Policy (AUP)
■ Cornerstone of an organization’s security
■ Outlines how an organization protects its information assets from threats, both internal and external
■ Ensures confidentiality, integrity, and availability of data
These policies cover a range of areas
● Data Classification
● Access Control
● Encryption
● Physical Security
Information Security Policies
■ Ensures operations continue during and after disruptions
■ Focuses on critical operation continuation and quick recovery
■ Includes strategies for power outages, hardware failures, and disasters
Business Continuity Policy
■ Focuses on IT systems and data recovery after disasters
■ Outlines data backup, restoration, hardware/software recovery, and alternative locations
Disaster Recovery Policy
■ Addresses detection, reporting, assessment, response, and learning from security incidents
■ Specifies incident notification, containment, investigation, and prevention steps
■ Minimizes damage and downtime during incidents
Incident Response Policy
■ Guides software development stages from requirements to maintenance
■ Includes secure coding practices, code reviews, and testing standards
■ Ensures high-quality, secure software meeting user needs
Software Development Lifecycle (SDLC) Policy
■ Governs handling of IT system/process changes
■ Ensures controlled, coordinated change implementation to minimize disruptions
■ Covers change request, approval, implementation, and review processes
Change Management Policy
■ Provides a framework for implementing security measures, ensuring that all aspects of an organization’s security posture are addressed
Standards
■ Define password complexity and management
■ Include length, character types, regular changes, and password reuse rules
■ Emphasize password hashing and salting for security
Password Standards
■ Determine who has access to resources within an organization
■ Enforce principles of least privilege and separation of duties
Include access control models like:
● Discretionary Access Control (DAC)
● Mandatory Access Control (MAC)
● Role-Based Access Control (RBAC)
Access Control Standards
■ Cover physical measures to protect assets and information
■ Include controls like perimeter security, surveillance systems, and access control mechanisms
■ Address environmental controls and secure areas for sensitive information
Physical Security Standards
■ Systematic sequences of actions or steps taken to achieve a specific outcome in an organization
■ Ensure consistency, efficiency, and compliance with standards
Procedures
■ Ensure data remains secure and unreadable even if accessed without authorization
■ Include encryption algorithms like AES, RSA, and SHA-2
■ The choice of algorithm depends on the use case and the balance between security and performance
Encryption Standards
■ Systematic approach to handling organizational changes
■ It aims to implement changes smoothly and successfully with minimal disruption
Change Management
■ Detailed guides for specific tasks or processes
■ They provide step-by-step instructions for consistent and efficient execution
■ Used in various situations, from cybersecurity incidents to customer complaints
■ Include resource requirements, steps to be taken, and expected outcomes
Playbooks
■ Onboarding integrates new employees into the organization
■ Offboarding manages the transition when an employee leaves
Onboarding and Offboarding Procedures
■ Organizations must comply with various regulations, depending on industry and location
■ Non-compliance leads to penalties, sanctions, and reputational damage
Regulations cover areas such as:
● Data Protection
● Privacy
● Environmental Standards
● Labor Laws
Regulatory Considerations
■ Complement regulatory considerations, encompassing contract, intellectual property, and corporate law
■ Employment laws address minimum wage, overtime, safety, discrimination, and benefits
■ Litigation risks include breach of contract, product liability, and employment disputes
■ Robust legal strategies and resources are needed to manage legal risks
Legal Considerations
■ Refer to industry-specific standards, practices, and ethical guidelines
■ Not legally binding but influence customer, partner, and regulator expectations
■ Non-adoption may lead to competitive disadvantages and stakeholder criticism
Industry Considerations
■ Geographical regulations impact organizations at local, regional, national, and global levels
■ Local considerations include city ordinances, zoning laws, and operational restrictions
■ Conflict of laws between jurisdictions is a significant challenge
■ Navigating these differences requires deep legal knowledge and flexibility in governance
Geographical Considerations
■ Ensures adherence to laws, regulations, guidelines, and specifications
■ Includes compliance reporting and compliance monitoring
Compliance
■ Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
■ Two Types (Internal and External)
Compliance Reporting
■ Regularly reviews and analyzes operations for compliance
■ Includes due diligence and due care, attestation and acknowledgement, and internal and external monitoring
Compliance Monitoring
● Identifying compliance risks through thorough review
Due Diligence
● Mitigating identified risks
Due Care
● Formal declaration by a responsible party that the organization’s processes and controls are compliant
Attestation
● Strict measures by regulatory bodies to enforce compliance
● Range from restrictions to bans
Sanctions