Governance and Compliance Flashcards
Governance
Overall management of IT infrastructure, policies, procedures, and operations
Part of the GRC triad (Governance, Risk, and Compliance)
Strategic leadership, structures, and processes ensuring IT aligns with business objectives
Involves risk management, resource allocation, and performance measurement
Framework
Aligns with organizational objectives and regulatory requirements
Governance and Compliance - crucial aspects
Risk Management
Identify, assess, and manage potential risks
Strategic Alignment
Ensure IT strategy aligns with business objectives
Resource Management
Efficient and effective use of IT resources
Performance Measurement
Mechanisms for measuring and monitoring the performance of IT processes
Importance of compliance
Legal Obligations
Non-compliance leads to penalties (fines, sanctions)
Trust and Reputation
Compliance enhances reputation and fosters trust
Data Protection
Prevents breaches and protects privacy
Business Continuity
Ensures operation in disasters or disruptions
Governance structure
1: Boards
Elected by shareholders to oversee organization management
Responsible for setting strategic direction, policies, and major decisions
2: Committees
Subgroups of boards with specific focuses
Allows detailed attention to complex areas
3: Government Entities
Play roles in governance, especially for public and regulated organizations
Establish laws and regulations for compliance
4: Centralized and Decentralized Structures
Centralized
Decision-making authority at top management levels
Ensures consistent decisions and clear authority
Slower response to local/departmental needs
Decentralized
Decision-making authority distributed throughout the organization
Enables quicker decisions and local responsiveness
Potential for inconsistencies
Policies are high-level guidelines indicating organizational commitments. They cover
Acceptable Use Policies
Information Security Policies
Business Continuity
Disaster Recovery
Incident Response
Change Management
Software Development Lifecycle (SDLC)
Standards are specific, mandatory actions or rules adhering to policies. They cover
Password Standards
Access Control Standards
Physical Security Standards
Encryption Standards
Procedures are step-by-step instructions that ensure consistency and compliance. They cover
Change Management Procedures
Onboarding and Offboarding Procedures
Playbooks
Compliance covers
1: Monitoring and Reporting
Concepts like due diligence, due care, attestation, and acknowledgment
2: Internal and External Compliance
Differentiating factors
3: Automation in Compliance
Utilizing automation in the compliance process
Consequences of Non-compliance
Fines, Sanctions
Legal penalties
Reputational Damage
Impact on trust and reputation
Loss of License, Contractual Impacts
Severe consequences
Purpose of Governance
Establishes a strategic framework aligning with objectives and regulations
Defines rules, responsibilities, and practices for achieving goals and managing IT resources
Governance influence on IT Components
Shapes guidelines for recommended approaches in handling situations
Drives policy development, outlining organizational commitments (e.g., data protection)
Impacts standards, defining mandatory rules for policy adherence
Ensures procedures align with objectives, providing task-specific guidance
Organizational Governance
Complex, multifaceted concept essential for successful organization operation
Comprises various components, each with unique functions
Acceptable Use Policy (AUP)
Document that outlines the do’s and don’ts for users when interacting with an organization’s IT systems and resources
Defines appropriate and prohibited use of IT systems/resources
Aims to protect organizations from legal issues and security threats
Information Security Policies & what 5 areas do they cover
Cornerstone of an organization’s security
Outlines how an organization protects its information assets from threats, both internal and external
These policies cover a range of areas
1 Data Classification
2 Access Control
3 Encryption
4 Physical Security
5 Ensures confidentiality, integrity, and availability of data
Business Continuity Policy
Ensures operations continue during and after disruptions
Focuses on critical operation continuation and quick recovery
Includes strategies for power outages, hardware failures, and disasters
Disaster Recovery Policy
Focuses on IT systems and data recovery after disasters
Outlines data backup, restoration, hardware/software recovery, and alternative locations
Incident Response Policy
Addresses detection, reporting, assessment, response, and learning from security incidents
Specifies incident notification, containment, investigation, and prevention steps
Minimizes damage and downtime during incidents
Software Development Lifecycle (SDLC) Policy
Guides software development stages from requirements to maintenance
Includes secure coding practices, code reviews, and testing standards
Ensures high-quality, secure software meeting user needs
Change Management Policy
Governs handling of IT system/process changes
Ensures controlled, coordinated change implementation to minimize disruptions
Covers change request, approval, implementation, and review processes
Standards
Provides a framework for implementing security measures, ensuring that all aspects of an organization’s security posture are addressed
Password Standards
Define password complexity and management
Include length, character types, regular changes, and password reuse rules
Emphasize password hashing and salting for security
Access control standards and their models
Determine who has access to resources within an organization
Access control models:
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role Based Access Control (RBAC)
Enforce principles of least privilege and separation of duties
Physical security standards
Cover physical measures to protect assets and information
Include controls like perimeter security, surveillance systems, and access control mechanisms
Address environmental controls and secure areas for sensitive information
Encryption Standards
Ensure data remains secure and unreadable even if accessed without authorization
Include encryption algorithms like AES, RSA, and SHA-2
Depends on the use case and the balance between security and performance
Procedures
Systematic sequences of actions or steps taken to achieve a specific outcome in an organization
Ensures consistency, efficiency, and compliance with standards
Change Management and its 5 key stages
Systematic approach to handling organizational changes
It aims to implement changes smoothly and successfully with minimal disruption
Key Stages
1 Identifying the need for change
2 Assessing impacts
3 Developing a plan
4 Implementation
5 Post-change review
Onboarding and Offboarding procedures
Onboarding integrates new employees into the organization and ensures productivity and engagement
Includes orientation, training, and integration activities
Offboarding manages the transition when an employee leaves
Tasks include property retrieval, access disabling, and exit interviews
Playbooks
Detailed guides for specific tasks or processes
They provide step-by-step instructions for consistent and efficient execution
Used in various situations, from cybersecurity incidents to customer complaints
Include resource requirements, steps to be taken, and expected outcomes
Define Regulatory Considerations and what 4 areas do they cover
1 Data Protection
2 Privacy
3 Environmental Standards
4 Labor Laws
Litigation risks include
Breach of contract, product liability, and employment disputes.
Robust legal strategies and resources are needed to manage legal risks.
Industry Considerations
Refer to industry-specific standards, practices, and ethical guidelines
Not legally binding but influence customer, partner, and regulator expectations
Non-adoption may lead to competitive disadvantages and stakeholder criticism
Geographical Considerations
Geographical regulations impact organizations at local, regional, national, and global levels
Local considerations include city ordinances, zoning laws, and operational restrictions
Regional considerations, like CCPA in California, impose state-level regulations
National considerations, e.g., ADA in the US, affect businesses across the entire country
Global considerations, like GDPR, apply extraterritorially to organizations dealing with EU citizens’ data
Conflict of laws between jurisdictions is a significant challenge
Navigating these differences requires deep legal knowledge and flexibility in governance
Compliance
Ensures adherence to laws, regulations, guidelines, and specifications
Includes compliance reporting and compliance monitoring
Compliance Reporting
Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
Two types of compliance reporting
Internal Compliance Reporting
Ensures adherence to internal policies and procedures
Conducted by an internal audit team or compliance department
External Compliance Reporting
Demonstrates compliance to external entities
Mandatory, often by law or contract
Compliance Monitoring
Regularly reviews and analyzes operations for compliance
Includes due diligence and due care, attestation and acknowledgement, and internal and external monitoring
Due Diligence and Due Care
Due Diligence
Identifying compliance risks through thorough review
Due Care
Mitigating identified risks
Attestation and Acknowledgement
Attestation
Formal declaration by a responsible party that the organization’s processes and controls are compliant
Acknowledgement
Recognition and acceptance of compliance requirements by all relevant parties
Internal and External Monitoring
Internal Monitoring
Regularly reviewing an organization’s operations to ensure compliance with internal policies
External Monitoring
Third-party reviews for compliance with external regulations or standards
Role of Automation in Compliance
Streamlines data collection, improves accuracy, and provides real-time monitoring
Understanding and adhering to relevant laws and regulations
Implementing robust cybersecurity measures
Regularly reviewing and updating compliance programs