Governance, Risk Management and Compliance Flashcards
Control Framework
Examples
These are used to create a governance program to enable compliance with security and privacy requirements
ISO 27014 - Governance of Information Security
ISO/IEC 38500 - Governance of Information Technology for the organization (ISO/IEC 38501 is the companion implementation guide)
What characteristics should control frameworks have?
Consistent - in line with Sr. Mgmt guidance and expectations with regards to security and data privacy goals
Measurable - provides a way to determine progress and set goals or KPIs
Standardized - rely on standards or results from one organization or part of an organization that can be compared in a meaningful way
Comprehensive - Should cover the minimum legal and/or regulatory requirements
Modular - Can absorb organizational change because only the controls or requirements actually affected need to be reviewed and updated, not the whole framework
Governance
Ensures the business focuses on core activities, clarifies WHO in the organization has the authority to make DECISIONS, create POLICY, determines ACCOUNTABILITY for actions and RESPONSIBILITY for outcomes and addresses how expected performance will be evaluated.
Compliance
Refers to actions that ensure behavior complies with established rules/policies
Data Subject
An individual who is the subject of personal data
Data Steward
Responsible for data quality, content, context, and associated business rules
from class “responsible for data integrity”
Data Owner
Hold legal rights and complete control and accountability of a single piece or set of data elements
usually the department head or business unit manager for the office that has created or collected a certain dataset.
The data owner will be identified in the create phase.
Data Custodian
Responsible for the safe custody, transport, storage of the data and implementation of business rules
The data custodian is any person or entity that is tasked with the daily maintenance and administration of the data. The custodian also has the role of applying the proper security controls and processes as directed by the data owner.
Data Controller
A person who determines WHY and HOW PERSONAL DATA is processed
Data Processor
Any person who processes data on behalf of the data controller
Data Protection Officer (DPO)
Normally APPOINTED by the Data Controller or the Data Processor (under GDPR either may be required to designate one)
Responsible for ensuring the strategy and implementation of DATA PROTECTION requirements are in COMPLIANCE with the applicable standards/requirements/laws (e.g. GDPR)
Due Care
Setting and following best or reasonable practices, as a responsible organization should do
"Do the Right Thing"
Every employee in the organization does their job correctly, following policies, procedures, and best practices
If the company did everything it could reasonably have been expected to do to prevent an incident (a breach, an outage, etc.), it exercised due care
Note: Auditors care about due care
Due Diligence
The ongoing investigation, assessment and verification that produces a record or history of compliance and enforcement
Providing evidence that you are doing the right thing, e.g. proof that a policy was followed
Note: Auditors care about due diligence, because it is what they can verify
Corporate Governance
The system of rules, practices, and processes by which a company is directed and controlled
Begins with policy
Corporate Policies
- The foundation of corporate governance
- Mandatory rules, practices and processes authorized and sponsored by Sr. Mgmt and followed by everyone, under penalty if broken
- Requirements derived from regulatory/legal, contractual, or social/ethical compliance
How is Policy Implemented?
Management must adopt:
Standards/Frameworks
Baselines
Procedures
Guidelines
How should you adopt standards/frameworks to implement policy?
Hardware, software and documents are deployed uniformly throughout the organization
Specific technologies are used in uniform ways
Standards are mandatory, everyone must follow them
How should baselines be used to implement policy?
The minimum level of protection or settings for specific platforms or environments should be established as a baseline
Baselines are derived from standards and are mandatory
How should Procedures be used to implement policy?
Step by step required and mandatory actions on how to accomplish or maintain the directives of the policy should be documented and followed
How should Guidelines be used to implement policy?
Not mandatory but used as best practices, recommendations, suggestions or advice for accomplishing a goal
e.g. optional, non-binding
Executive committees for governance
- Purpose: Determine organizational requirements and set direction for Governance, Risk Management and Compliance
- Who is on the committee: Board of Directors, Shareholders, Stakeholders and Senior Management
Risk Management
identifying threats and vulnerabilities and quantifying and addressing risk associated with them
identify industry, legal and regulatory requirements and addressing risk associated with them
a cyclic, systematic process for monitoring, identifying, analyzing, evaluating/assessing risk to determine risk response: mitigating, transferring, avoiding, and accepting risk
To mitigate or reduce risk to acceptable levels
Includes Risk Analysis, Cost/Benefit Analysis, Deploying counter measures or safeguards, auditing, insurance, Business Continuity Planning, education, training, etc.
What measure does a Qualitative Risk Assessment use to assess risks?
Qualitative risk assessments use nonnumerical categories that are relative in nature, such as high, medium, and low. Quantitative assessments use specific numerical values, such as a monetary loss per incident and a probability or frequency of occurrence.
Risk Appetite
AKA, Description
Risk appetite is the level, amount, or type of risk that the organization finds acceptable.
The organization is prepared to accept this amount or level of risk to meet its objectives
AKA Risk Tolerance (the terms are often used interchangeably, though some frameworks treat tolerance as the acceptable variation around the stated appetite)
What are the four main ways organizations address risk?
Avoidance
Acceptance
Transference
Mitigation
Risk Avoidance
removing the technology or activity to remove the risk
it means leaving a business opportunity because the risk is simply too high and cannot be compensated for with adequate control mechanisms—a risk that exceeds the organization’s appetite.
Risk Acceptance
AKA Risk Retention
The opposite of avoidance; the risk falls within the organization's risk appetite, so the organization continues operations without any additional efforts regarding the risk
What should never happen with respect to managing risk?
NEVER accept risk before avoiding, mitigating and transferring as much of it as is reasonable given business, compliance and due care conditions; what is accepted should be the residual risk, not the raw risk
Risk Transference
The organization pays someone else to accept the risk, at a lower cost than the potential impact that would result from the risk being realized; this is usually in the form of insurance or outsourcing. This type of risk is often associated with things that have a low probability of occurring but a high impact should they occur.
Risk Mitigation
The organization takes steps to decrease the likelihood or the impact of the risk (and often both); this can take the form of controls or COUNTERMEASURES and is usually where security practitioners are involved.
Internal Compliance Items
Mission/Vision Statement
Selected Strategies
Goals and Benchmarks
External Compliance Items
Legislation/Legal
Regulatory/Oversight
Industry Standards
Customer Requirements
List Compliance Standard Requirement Types
Regulatory/Legal
Contractual
Ethical/Social
How should corporate policies/compliance requirements be tested/verified?
Compliance audit, either internal or external to ensure the company does what they say they do to comply with legal/regulatory, contractual, and ethical standards
Laws Considered for GRC
- International Law
- State Law
- Federal Law
- Privacy Law
- Criminal Law
- Common Law/Tort
International Law
Rules that govern relations between countries
State Laws
typically refers to laws of each US state but can refer to geographic divisions (e.g. state, provinces) within any country
Privacy Law
Laws that generally protect the rights of an individual within a country; Can extend to PII of the individual housed in a different country
Federal Law
The body of laws used to govern a sovereign nation
Criminal Law
Typically rules and statutes that define CONDUCT prohibited by the government to protect the SAFETY and well-being of the public; punishable by jail, death, fines, or loss of certain individual rights
Common Law (Tort)
Laws that seek to COMPENSATE victims for injuries suffered at the hand of another ex Lawsuit
Investigations considered for GRC
Operational
Civil
Criminal
Operational Investigation
What are potential penalties?
An investigation performed by the organization related to internal digital or other malfeasance
Penalty may include release from the company
Civil Investigation, Penalties, Standard of Proof?
In the US, civil cases in federal court are governed by the Federal Rules of Civil Procedure; other countries have their own equivalent rules of civil procedure
Based on TORT law, they seek to remedy a conflict between parties
Penalties are usually MONETARY and/or result in a court order
Standard of proof is a preponderance of evidence
Criminal Investigation
Who governs/performs and what are potential penalties?
In a criminal case it is the STATE (the government) against the individual, whom a jury or judge must find guilty; the standard of proof is beyond a reasonable doubt
Penalties may include incarceration, monetary fines or death
What are the concerns when a cloud provider becomes involved in an investigation?
Control over data
Multi-Tenancy
Data Volatility
Evidence Acquisition (especially e-discovery)
E-discovery
What ISO relates to e-discovery?
Any process in which ELECTRONIC data is sought, located, secured, and searched with the intent of using it as EVIDENCE in a LEGAL case
ISO 27050
Legal Hold
If a party reasonably anticipates litigation it must SUSPEND its routine document retention destruction policy and put in place a hold on relevant documents
Spoliation
The intentional or accidental DESTRUCTION or ALTERATION of data that is either under legal hold or lawfully requested by a court
Production - GRC
The PRESENTATION of the requested data to the court or to the requesting party
Agent of the Government
When a PRIVATE citizen has been given government AUTHORIZATION to act on behalf of the government, they must follow the same rules as the government (e.g. warrant requirements)
Warrant
A court order AUTHORIZING law enforcement to gain entry and to search for items or persons for seizure
Subpoena
A written legal order summoning a witness or requiring evidence to be submitted to a court
Doctrine of plain view
Allows law enforcement to seize objects not described in a WARRANT when executing a lawful search or seizure, if they observe the object in plain view and have PROBABLE cause to believe that it is connected with criminal activity
Extradition
The REMOVAL of a person from a requested state to a requesting state for criminal prosecution or punishment
Jurisdiction
The authority granted by law to the courts to rule on a legal matter and render judgments according to the subject matter of the case and the GEOGRAPHICAL region in which the issue took place
Harmonization of Law
The process of creating common legal standards across a market, notably within the EU's internal market
The process of achieving technical EQUIVALENCY and enabling interchangeability between different standards with OVERLAPPING functionality. Harmonization REQUIRES an architecture that documents key points of interoperability and the associated interfaces, e.g. the use of directives in the EU
Rules of Evidence Admissibility
- Be AUTHENTIC - the evidence needs to be tied back to the scene
- Be ACCURATE - evidence must maintain authenticity and veracity throughout the evidence lifecycle
- Be COMPLETE - all evidence should be collected, including evidence that supports and evidence that can diminish the reliability of the other incriminating evidence
- Be CONVINCING - evidence should be easy to understand and believable to a jury
- Be ADMISSIBLE - evidence must be able to be used in a court of law
Digital Forensics Phases
- Collection - identifying, labeling, recording, and acquiring data from a possible source of relevant data
- Examination - processing collected data
- Analysis - analyzing the results of the examination
- Reporting - reporting the results of analysis
Chain of Custody
A complete, verifiable record of handling evidence from the moment of acquisition through destruction or return
A chronological paper trail documenting evidence that was gathered, who had it and when (documenting and controlling evidence handling)
Integrity is of the utmost importance
Must be maintained while evidence is identified, gathered, protected, accessed and presented
Non-Repudiation
The ability to prove that the evidence is the original as acquired from the system
Probative Value
Evidence that has some benefit to the court case or interest to the court. It must prove something.
Provenance
The ability to track back to the original creation of the evidence
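The chain of custody, non-repudiation and provenance cards above describe what the record must prove; this is an added example (not from the original flashcards) of the minimal machinery that proves it: hash the item at acquisition, rehash on every hand-off, refuse a transfer from anyone other than the current holder, and replay the log to verify continuity. The item IDs, names and evidence bytes are constructed for illustration.

```python
"""Chain-of-custody record with integrity checks on every hand-off.

Added example, not part of the original flashcards. Names, item IDs and the
sample evidence bytes are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(item_id: str, source: str, collected_by: str, evidence: bytes) -> dict:
    """Open the custody record. The hash taken here is the reference value that
    every later hand-off, and the final production to court, is checked against.
    'source' is the provenance: where the item was taken from."""
    digest = sha256_hex(evidence)
    return {
        "item_id": item_id,
        "source": source,
        "sha256": digest,           # reference hash from the moment of acquisition
        "holder": collected_by,     # who has the item right now
        "events": [{"seq": 0, "action": "acquired", "by": collected_by,
                    "sha256": digest, "at": _now()}],
    }


def transfer(record: dict, from_person: str, to_person: str, evidence: bytes) -> bool:
    """Record a hand-off. The item is rehashed on every transfer; a mismatch
    means it changed while in someone's custody (spoliation), so the transfer
    is logged as failed and the holder does not change. A transfer from anyone
    other than the current holder is a custody break and is rejected outright."""
    if from_person != record["holder"]:
        raise ValueError(f"custody break: {from_person} is not the current holder "
                         f"({record['holder']})")
    digest = sha256_hex(evidence)
    ok = digest == record["sha256"]
    record["events"].append({"seq": len(record["events"]), "action": "transfer",
                             "from": from_person, "to": to_person,
                             "sha256": digest, "verified": ok, "at": _now()})
    if ok:
        record["holder"] = to_person
    return ok


def verify_chain(record: dict) -> bool:
    """Replay the log: sequence numbers must be continuous, every recorded hash
    must equal the acquisition hash, each transfer must start from whoever the
    previous event left the item with, and the log must end at the current holder."""
    holder = None
    for i, ev in enumerate(record["events"]):
        if ev["seq"] != i or ev["sha256"] != record["sha256"]:
            return False
        if ev["action"] == "acquired":
            holder = ev["by"]
        elif ev["action"] == "transfer":
            if ev["from"] != holder or not ev["verified"]:
                return False
            holder = ev["to"]
        else:
            return False
    return holder == record["holder"]


def export(record: dict) -> str:
    """Serialize the record for the case file; sorted keys keep it diff-friendly."""
    return json.dumps(record, sort_keys=True, indent=2)


if __name__ == "__main__":
    image = b"constructed sample disk image bytes"  # stand-in for an acquired image
    rec = acquire("EV-001", "laptop SN 12345, /dev/sda image", "analyst A", image)
    print("intact hand-off:", transfer(rec, "analyst A", "evidence custodian", image))
    print("altered hand-off:", transfer(rec, "evidence custodian", "counsel", image + b"\x00"))
    print("chain verifies:", verify_chain(rec))
    print(export(rec))
```

The second transfer in the demo fails because the bytes no longer match the acquisition hash; the record keeps the failed event so the alteration itself becomes part of the history rather than disappearing.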
How do you capture Digital Evidence in order to ensure you gather all that may be available given time?
Start from the volatile forms then go to more persistent forms
Volatile items can't be recovered after a reboot or power loss
Order of Volatility
- Live system state (CPU registers and cache, RAM, process list, network connections, routing/ARP tables, unsaved work, encryption keys, etc.)
- Virtual memory and temporary files (paging file/swap file, temp files)
- Physical media (hard disks, DVD, USB media)
- Remote and archival sources (backup media, server log files, cloud storage, and physical artifacts such as printouts)
Shadow IT
Shadow IT, occurs when cloud users access and use cloud systems and resources that have not been authorized by their organization.
Unsanctioned or unapproved cloud workloads, or use of unapproved devices or VMs within the enterprise, outside the governance and controls that apply to approved systems
Risk Profile
The willingness of an organization to take on risk as well as the threats it will be exposed to
Exposure
Actual or anticipated damage from a threat
How do you calculate Single Loss Expectancy and Annual Rate of Occurrence?
Asset Value (AV) x Exposure Factor (EF) = Single Loss Expectancy (SLE)
# of incidents / # of years = Annual Rate of Occurrence (ARO), e.g. one incident every 10 years gives an ARO of 0.1
How do you calculate Annual Loss Expectancy?
Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO) = Annual Loss Expectancy
Controls Gap
How is this calculated?
The amount of risk that is mitigated by implementing countermeasures
Controls Gap = Total Risk - Residual Risk
If I am 100% exposed and, after mitigation, 5% exposed, then the controls gap is 95%
Residual Risk
The smaller amount of risk that remains after mitigation, transference or avoidance; this is what the organization must accept
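The SLE/ARO/ALE, controls gap and residual risk cards above are the pieces of one decision: is a countermeasure worth its cost, and is what remains within the risk appetite? This added example (not part of the original flashcards) carries the formulas through together and adds the safeguard cost/benefit calculation, (ALE before) - (ALE after) - (annual cost of safeguard), that the cards imply under "Cost/Benefit Analysis". The asset values, exposure factors, incident counts, costs and risk appetite are constructed for illustration.

```python
"""Quantitative risk worked example: SLE, ARO, ALE, safeguard cost/benefit,
controls gap and residual risk versus risk appetite.

Added example, not part of the original flashcards. All asset values, factors,
incident counts and costs below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat/asset pairing, in the terms the flashcards use."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident, 0.0..1.0
    incidents: float        # incidents observed or estimated ...
    years: float            # ... over this many years


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF. An EF outside 0..1 is a data-entry error, not a bigger loss."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"exposure factor must be between 0 and 1, got {ef}")
    return av * ef


def annual_rate_of_occurrence(incidents: float, years: float) -> float:
    """ARO = # incidents / # years. One incident every 10 years is 0.1, not 0."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return incidents / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def ale_for(e: Exposure) -> float:
    return annual_loss_expectancy(
        single_loss_expectancy(e.asset_value, e.exposure_factor),
        annual_rate_of_occurrence(e.incidents, e.years),
    )


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a countermeasure: (ALE before) - (ALE after) - (annual cost
    of safeguard). Positive means the control saves more per year than it costs."""
    return ale_before - ale_after - annual_cost


def controls_gap(total_risk: float, residual_risk: float) -> float:
    """Controls Gap = Total Risk - Residual Risk: the risk the countermeasures removed."""
    return total_risk - residual_risk


def controls_gap_pct(total_risk: float, residual_risk: float) -> float:
    """Same gap expressed as a percentage of total risk (the 100% -> 5% card)."""
    if total_risk == 0:
        return 0.0
    return 100.0 * controls_gap(total_risk, residual_risk) / total_risk


def evaluate(before: Exposure, after: Exposure, annual_cost: float,
             risk_appetite: float) -> dict:
    """Run the whole decision: is the safeguard worth buying, and is the residual
    risk (ALE after) small enough to accept under the stated risk appetite?"""
    total = ale_for(before)
    residual = ale_for(after)
    value = safeguard_value(total, residual, annual_cost)
    return {
        "ale_before": total,
        "ale_after": residual,
        "safeguard_value": value,
        "controls_gap": controls_gap(total, residual),
        "controls_gap_pct": controls_gap_pct(total, residual),
        "worth_implementing": value > 0,
        "residual_acceptable": residual <= risk_appetite,
    }


# Constructed scenario: a customer database valued at 500,000; a breach is
# estimated to destroy 40% of that value; one breach was seen in five years.
BEFORE = Exposure(asset_value=500_000, exposure_factor=0.40, incidents=1, years=5)
# Same asset after encryption at rest plus monitoring: a breach now costs 10% of
# the value and is expected once a decade. The safeguard costs 20,000 per year.
AFTER = Exposure(asset_value=500_000, exposure_factor=0.10, incidents=1, years=10)
SAFEGUARD_ANNUAL_COST = 20_000
RISK_APPETITE = 10_000  # maximum annual loss the organization will accept here


if __name__ == "__main__":
    for k, v in evaluate(BEFORE, AFTER, SAFEGUARD_ANNUAL_COST, RISK_APPETITE).items():
        print(f"{k:>20}: {v}")
```

With these constructed inputs the ALE falls from 40,000 to 5,000 per year; the safeguard nets 15,000 per year after its own cost, closes 87.5% of the risk, and leaves a residual ALE under the 10,000 appetite, so the remaining risk is the part that gets accepted.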