Governance and Compliance Flashcards

1
Q

■ Part of the GRC triad
■ Strategic leadership, structures, and processes ensuring IT aligns with business objectives
■ Involves risk management, resource allocation, and performance measurement

The purpose is to:
■ Establish a strategic framework aligned with objectives and regulations
■ Define rules, responsibilities, and practices for achieving goals and managing IT resources

A

Governance

2
Q

● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions

A

Boards

(Governance Structures)

3
Q

● Subgroups of boards with specific focuses
● Allow detailed attention to complex areas

A

Committees

(Governance Structures)

4
Q

● Play roles in governance, especially for public and regulated organizations
● Establish laws and regulations for compliance

A

Government Entities

(Governance Structures)

5
Q

○ Decision-making authority at top management levels
○ Ensures consistent decisions and clear authority
○ Slower response to local/departmental needs

A

Centralized Structures

6
Q

○ Decision-making authority distributed throughout the organization
○ Enables quicker decisions and local responsiveness
○ Potential for inconsistencies

A

Decentralized Structures

7
Q

■ Document that outlines the do’s and don’ts for users when interacting with an organization’s IT systems and resources
■ Defines appropriate and prohibited use of IT systems/resources
■ Aims to protect organizations from legal issues and security threats

A

Acceptable Use Policy (AUP)

8
Q

■ Cornerstone of an organization’s security
■ Outlines how an organization protects its information assets from threats, both internal and external
■ Ensures confidentiality, integrity, and availability of data

These policies cover a range of areas:
● Data Classification
● Access Control
● Encryption
● Physical Security

A

Information Security Policies

9
Q

■ Ensures operations continue during and after disruptions
■ Focuses on critical operation continuation and quick recovery
■ Includes strategies for power outages, hardware failures, and disasters

A

Business Continuity Policy

10
Q

■ Focuses on IT systems and data recovery after disasters
■ Outlines data backup, restoration, hardware/software recovery, and alternative locations

A

Disaster Recovery Policy

11
Q

■ Addresses detection, reporting, assessment, response, and learning from security incidents
■ Specifies incident notification, containment, investigation, and prevention steps
■ Minimizes damage and downtime during incidents

A

Incident Response Policy

12
Q

■ Guides software development stages from requirements to maintenance
■ Includes secure coding practices, code reviews, and testing standards
■ Ensures high-quality, secure software meeting user needs

A

Software Development Lifecycle (SDLC) Policy

13
Q

■ Governs handling of IT system/process changes
■ Ensures controlled, coordinated change implementation to minimize disruptions
■ Covers change request, approval, implementation, and review processes

A

Change Management Policy

14
Q

■ Provides a framework for implementing security measures, ensuring that all aspects of an organization’s security posture are addressed

A

Standards

15
Q

■ Define password complexity and management
■ Include length, character types, regular changes, and password reuse rules
■ Emphasize password hashing and salting for security

A

Password Standards

16
Q

■ Determine who has access to resources within an organization
■ Enforce principles of least privilege and separation of duties

Include access control models like:
● Discretionary Access Control (DAC)
● Mandatory Access Control (MAC)
● Role-Based Access Control (RBAC)

A

Access Control Standards

17
Q

■ Cover physical measures to protect assets and information
■ Include controls like perimeter security, surveillance systems, and access control mechanisms
■ Address environmental controls and secure areas for sensitive information

A

Physical Security Standards

18
Q

■ Systematic sequences of actions or steps taken to achieve a specific outcome in an organization
■ Ensure consistency, efficiency, and compliance with standards

A

Procedures

18
Q

■ Ensure data remains secure and unreadable even if accessed without authorization
■ Include encryption algorithms like AES, RSA, and SHA-2
■ The choice of algorithm depends on the use case and the balance between security and performance

A

Encryption Standards

19
Q

■ Systematic approach to handling organizational changes
■ It aims to implement changes smoothly and successfully with minimal disruption

A

Change Management

20
Q

■ Detailed guides for specific tasks or processes
■ They provide step-by-step instructions for consistent and efficient execution
■ Used in various situations, from cybersecurity incidents to customer complaints
■ Include resource requirements, steps to be taken, and expected outcomes

A

Playbooks

21
Q

■ Onboarding integrates new employees into the organization
■ Offboarding manages the transition when an employee leaves

A

Onboarding and Offboarding Procedures

22
Q

■ Organizations must comply with various regulations, depending on industry and location
■ Non-compliance leads to penalties, sanctions, and reputational damage

Regulations cover areas such as:
● Data Protection
● Privacy
● Environmental Standards
● Labor Laws

A

Regulatory Considerations

23
Q

■ Complement regulatory considerations, encompassing contract, intellectual property, and corporate law
■ Employment laws address minimum wage, overtime, safety, discrimination, and benefits
■ Litigation risks include breach of contract, product liability, and employment disputes
■ Robust legal strategies and resources are needed to manage legal risks

A

Legal Considerations

24
Q

■ Refer to industry-specific standards, practices, and ethical guidelines
■ Not legally binding but influence customer, partner, and regulator expectations
■ Non-adoption may lead to competitive disadvantages and stakeholder criticism

A

Industry Considerations

25
Q

■ Geographical regulations impact organizations at local, regional, national, and global levels
■ Local considerations include city ordinances, zoning laws, and operational restrictions
■ Conflict of laws between jurisdictions is a significant challenge
■ Navigating these differences requires deep legal knowledge and flexibility in governance

A

Geographical Considerations

26
Q

■ Ensures adherence to laws, regulations, guidelines, and specifications
■ Includes compliance reporting and compliance monitoring

A

Compliance

27
Q

■ Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
■ Two types: internal and external

A

Compliance Reporting

28
Q

■ Regularly reviews and analyzes operations for compliance
■ Includes due diligence and due care, attestation and acknowledgement, and internal and external monitoring

A

Compliance Monitoring

29
Q

● Identifying compliance risks through thorough review

A

Due Diligence

30
Q

● Mitigating identified risks

A

Due Care

31
Q

● Formal declaration by a responsible party that the organization’s processes and controls are compliant

A

Attestation

32
Q

● Strict measures by regulatory bodies to enforce compliance
● Range from restrictions to bans

A

Sanctions