Governance and Compliance Flashcards

1
Q

Governance

A

Overall management of IT infrastructure, policies, procedures, and operations

Part of the GRC triad (Governance, Risk, and Compliance)

Strategic leadership, structures, and processes ensuring IT aligns with business objectives

Involves risk management, resource allocation, and performance measurement

2
Q

Framework

A

Aligns with organizational objectives and regulatory requirements

3
Q

Governance and Compliance - crucial aspects

A

Risk Management
- Identify, assess, and manage potential risks

Strategic Alignment
- Ensure IT strategy aligns with business objectives

Resource Management
- Efficient and effective use of IT resources

Performance Measurement
- Mechanisms for measuring and monitoring the performance of IT processes

4
Q

Importance of compliance

A

Legal Obligations
- Non-compliance leads to penalties (fines, sanctions)

Trust and Reputation
- Compliance enhances reputation and fosters trust

Data Protection
- Prevents breaches and protects privacy

Business Continuity
- Ensures operation in disasters or disruptions

5
Q

Governance structure

A

1: Boards
- Elected by shareholders to oversee organization management
- Responsible for setting strategic direction, policies, and major decisions

2: Committees
- Subgroups of boards with specific focuses
- Allow detailed attention to complex areas

3: Government Entities
- Play roles in governance, especially for public and regulated organizations
- Establish laws and regulations for compliance

4: Centralized and Decentralized Structures

Centralized
- Decision-making authority at top management levels
- Ensures consistent decisions and clear authority
- Slower response to local/departmental needs

Decentralized
- Decision-making authority distributed throughout the organization
- Enables quicker decisions and local responsiveness
- Potential for inconsistencies

6
Q

Policies are high-level guidelines indicating organizational commitments. They cover:

A

- Acceptable Use Policies
- Information Security Policies
- Business Continuity
- Disaster Recovery
- Incident Response
- Change Management
- Software Development Lifecycle (SDLC)

7
Q

Standards are specific, mandatory actions or rules that adhere to policies. They cover:

A

- Password Standards
- Access Control Standards
- Physical Security Standards
- Encryption Standards

8
Q

Procedures are step-by-step instructions that ensure consistency and compliance. They cover:

A

- Change Management Procedures
- Onboarding and Offboarding Procedures
- Playbooks

9
Q

Compliance covers

A

1: Monitoring and Reporting
- Concepts like due diligence, due care, attestation, and acknowledgment

2: Internal and External Compliance
- Differentiating factors

3: Automation in Compliance
- Utilizing automation in the compliance process

10
Q

Consequences of Non-compliance

A

- Fines, Sanctions
- Legal penalties
- Reputational Damage
- Impact on trust and reputation
- Loss of License, Contractual Impacts
- Severe consequences

11
Q

Purpose of Governance

A

- Establishes a strategic framework aligning with objectives and regulations
- Defines rules, responsibilities, and practices for achieving goals and managing IT resources

12
Q

Governance influence on IT Components

A

- Shapes guidelines for recommended approaches in handling situations
- Drives policy development, outlining organizational commitments (e.g., data protection)
- Impacts standards, defining mandatory rules for policy adherence
- Ensures procedures align with objectives, providing task-specific guidance

13
Q

Organizational Governance

A

- Complex, multifaceted concept essential for successful organization operation
- Comprises various components, each with unique functions

14
Q

Acceptable Use Policy (AUP)

A

- Document that outlines the do's and don'ts for users when interacting with an organization's IT systems and resources
- Defines appropriate and prohibited use of IT systems/resources
- Aims to protect organizations from legal issues and security threats

15
Q

Information Security Policies and the 5 areas they cover

A

- Cornerstone of an organization's security
- Outlines how an organization protects its information assets from threats, both internal and external

These policies cover a range of areas:
1 Data Classification
2 Access Control
3 Encryption
4 Physical Security
5 Ensures confidentiality, integrity, and availability of data

16
Q

Business Continuity Policy

A

- Ensures operations continue during and after disruptions
- Focuses on critical operation continuation and quick recovery
- Includes strategies for power outages, hardware failures, and disasters

17
Q

Disaster Recovery Policy

A

- Focuses on IT systems and data recovery after disasters
- Outlines data backup, restoration, hardware/software recovery, and alternative locations

18
Q

Incident Response Policy

A

- Addresses detection, reporting, assessment, response, and learning from security incidents
- Specifies incident notification, containment, investigation, and prevention steps
- Minimizes damage and downtime during incidents

19
Q

Software Development Lifecycle (SDLC) Policy

A

- Guides software development stages from requirements to maintenance
- Includes secure coding practices, code reviews, and testing standards
- Ensures high-quality, secure software meeting user needs

20
Q

Change Management Policy

A

- Governs handling of IT system/process changes
- Ensures controlled, coordinated change implementation to minimize disruptions
- Covers change request, approval, implementation, and review processes

21
Q

Standards

A

Provides a framework for implementing security measures, ensuring that all aspects of an organization’s security posture are addressed

22
Q

Password Standards

A

- Define password complexity and management
- Include length, character types, regular changes, and password reuse rules
- Emphasize password hashing and salting for security

23
Q

Access control standards and their models

A

Determine who has access to resources within an organization

Access control models:
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role Based Access Control (RBAC)
- Enforce principles of least privilege and separation of duties

24
Q

Physical security standards

A

- Cover physical measures to protect assets and information
- Include controls like perimeter security, surveillance systems, and access control mechanisms
- Address environmental controls and secure areas for sensitive information

25
Q

Encryption Standards

A

- Ensure data remains secure and unreadable even if accessed without authorization
- Include encryption algorithms like AES, RSA, and SHA-2
- Choice of algorithm depends on the use case and the balance between security and performance

26
Q

Procedures

A

- Systematic sequences of actions or steps taken to achieve a specific outcome in an organization
- Ensure consistency, efficiency, and compliance with standards

27
Q

Change Management and its 5 key stages

A

- Systematic approach to handling organizational changes
- Aims to implement changes smoothly and successfully with minimal disruption

Key Stages:
1 Identifying the need for change
2 Assessing impacts
3 Developing a plan
4 Implementation
5 Post-change review

28
Q

Onboarding and Offboarding procedures

A

Onboarding integrates new employees into the organization
- Ensures productivity and engagement
- Includes orientation, training, and integration activities

Offboarding manages the transition when an employee leaves
- Tasks include property retrieval, access disabling, and exit interviews

29
Q

Playbooks

A

- Detailed guides for specific tasks or processes
- Provide step-by-step instructions for consistent and efficient execution
- Used in various situations, from cybersecurity incidents to customer complaints
- Include resource requirements, steps to be taken, and expected outcomes

30
Q

Define Regulatory Considerations and the 4 areas they cover

A

1 Data Protection
2 Privacy
3 Environmental Standards
4 Labor Laws

31
Q

Litigation risks include

A

Breach of contract, product liability, and employment disputes.

Robust legal strategies and resources are needed to manage legal risks.

32
Q

Industry Considerations

A

- Refer to industry-specific standards, practices, and ethical guidelines
- Not legally binding but influence customer, partner, and regulator expectations
- Non-adoption may lead to competitive disadvantages and stakeholder criticism

33
Q

Geographical Considerations

A

- Geographical regulations impact organizations at local, regional, national, and global levels
- Local considerations include city ordinances, zoning laws, and operational restrictions
- Regional considerations, like CCPA in California, impose state-level regulations
- National considerations, e.g., ADA in the US, affect businesses across the entire country
- Global considerations, like GDPR, apply extraterritorially to organizations dealing with EU citizens' data
- Conflict of laws between jurisdictions is a significant challenge
- Navigating these differences requires deep legal knowledge and flexibility in governance

34
Q

Compliance

A

- Ensures adherence to laws, regulations, guidelines, and specifications
- Includes compliance reporting and compliance monitoring

35
Q

Compliance Reporting

A

Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements

36
Q

Two types of compliance reporting

A

Internal Compliance Reporting
- Ensures adherence to internal policies and procedures
- Conducted by an internal audit team or compliance department

External Compliance Reporting
- Demonstrates compliance to external entities
- Mandatory, often by law or contract

37
Q

Compliance Monitoring

A

- Regularly reviews and analyzes operations for compliance
- Includes due diligence and due care, attestation and acknowledgement, and internal and external monitoring

37
Q

Due Diligence and Due Care

A

Due Diligence
- Identifying compliance risks through thorough review

Due Care
- Mitigating identified risks

38
Q

Attestation and Acknowledgement

A

Attestation
- Formal declaration by a responsible party that the organization's processes and controls are compliant

Acknowledgement
- Recognition and acceptance of compliance requirements by all relevant parties

39
Q

Internal and External Monitoring

A

Internal Monitoring
- Regularly reviewing an organization's operations to ensure compliance with internal policies

External Monitoring
- Third-party reviews for compliance with external regulations or standards

40
Q

Role of Automation in Compliance

A

Streamlines data collection, improves accuracy, and provides real-time monitoring

41
Q

Understanding and adhering to relevant laws and regulations

A

- Implementing robust cybersecurity measures
- Regularly reviewing and updating compliance programs
