Governance and Compliance Flashcards
Governance
- Part of the GRC triad (Governance, Risk, and Compliance)
- Involves risk management, resource allocation, and performance measurement
Purpose of Governance
■ Establishes a strategic framework aligned with organizational objectives and regulations
■ Defines rules, responsibilities, and practices for achieving goals and managing IT resources
Adaptation and Revision
■ Governance must adapt to technological advancements, regulatory changes, and industry culture shifts
■ Monitoring evaluates governance effectiveness and identifies gaps
■ Revision updates governance framework
Boards
Governance Structures
● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions
Committees
Governance Structures
● Subgroups of a board with specific focuses
● Allow detailed attention to complex areas
Government Entities
Governance Structures
● Play roles in governance, especially for public and regulated organizations
● Establish laws and regulations for compliance
Centralized
Governance Structures
○ Decision-making authority at top management levels
○ Ensures consistent decisions and clear authority
○ Slower response to local/departmental needs
Decentralized
Governance Structures
○ Decision-making authority distributed throughout the organization
○ Enables quicker decisions and local responsiveness
○ Potential for inconsistencies
Acceptable Use Policy (AUP)
■ Defines appropriate and prohibited use of IT systems/resources
■ Aims to protect organizations from legal issues and security threats
Information Security Policies
■ Outlines how an organization protects its information assets from threats, both internal and external
● Data Classification
● Access Control
● Encryption
● Physical Security
Business Continuity Policy
Ensures operations continue during and after disruptions
Disaster Recovery Policy
■ Focuses on IT systems and data recovery after disasters
■ Outlines data backup, restoration, hardware/software recovery, and alternative locations
Incident Response Policy
■ Addresses detection, reporting, assessment, response, and learning from security incidents
■ Specifies incident notification, containment, investigation, and prevention steps
Software Development Lifecycle (SDLC) Policy
■ Guides software development stages from requirements to maintenance
■ Includes secure coding practices, code reviews, and testing standards
■ Ensures high-quality, secure software meeting user needs
Change Management Policy
■ Ensures controlled, coordinated change implementation to minimize disruptions
■ Covers change request, approval, implementation, and review processes
Password Standards
Define password complexity and management
Access Control Standards
Determine who has access to resources within an organization
● Discretionary Access Control (DAC)
● Mandatory Access Control (MAC)
● Role-Based Access Control (RBAC)
Physical Security Standards
Cover physical measures to protect assets and information
Encryption Standards
Ensure data remains secure and unreadable even if accessed without authorization
Change Management
Aims to implement changes smoothly and successfully with minimal disruption
Change Management Key Stages
● Identifying the need for change
● Assessing impacts
● Developing a plan
● Implementation
● Post-change review
Playbooks
Detailed guides for specific tasks or processes
Compliance Reporting
Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
Compliance Monitoring
■ Regularly reviews and analyzes operations for compliance
■ Includes due diligence and due care, attestation and acknowledgement, and internal and external monitoring
Due Diligence
Compliance Monitoring
Identifying compliance risks through thorough review
Due Care
Compliance Monitoring
Mitigating identified risks