Misc Governance, Risk, and Compliance Flashcards
SLA
Service level agreement - defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area
MOU
memorandum of understanding - a legal document that describes a mutual agreement between parties
ISA
interconnection security agreement - an agreement that specifies the technical and security requirements for establishing, operating, and maintaining a connection between two organizations' systems
BPA
business partnership agreement - a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners
Risk severity formula
Risk severity = likelihood of occurrence × impact
RPO
Recovery point objective - specifies the maximum allowable data loss, expressed as time. It is the longest interval that can pass during an interruption before the amount of data lost in that interval exceeds the maximum acceptable threshold set in business continuity planning; in practice it drives backup and replication frequency
MTTR
Mean time to repair - the average time it takes for a failed device or component to be repaired or replaced
MTBF
mean time between failures - the rating on a device or component that predicts the expected time between failures.
ARO
annualized rate of occurrence - the estimated number of times a given threat is expected to occur within a one-year period (for example, 0.5 means once every two years)
AUP
acceptable use policy - describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.
BIA
Business Impact Analysis - helps to identify critical systems by determining which systems will create the largest impact if they are not available.
ISO 27002
an international standard that provides guidelines and best practices for selecting and implementing information security controls, supporting an information security management system (ISMS) as defined in ISO 27001
ISO 27017
an international standard that extends the ISO 27002 controls with guidance specific to cloud service providers and cloud service customers
NIST 800-12
An Introduction to Information Security - a general security handbook published for U.S. federal agencies; it is U.S. guidance rather than an internationally recognized standard
NIST 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems - a U.S. publication that focuses on security policy development principles rather than on an information security management system
PCI-DSS
Payment Card Industry Data Security Standard - a security standard mandated by the major payment card brands for any organization that stores, processes, or transmits cardholder data. The Payment Card Industry Security Standards Council is responsible for updates and changes to the standard
GDPR
General Data Protection Regulation - a European Union (EU) regulation governing the privacy and security of personal data; it is law, not a voluntary standard, and applies to organizations processing the personal data of EU residents regardless of where the organization is located
SSAE
Statement on Standards for Attestation Engagements - the auditing standard under which SOC reports are issued
SSAE-18 SOC 2
SOC 2 engagement assesses controls relevant to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy
SSAE-18 Type 2 report
Type 2 report provides the auditor's assessment of both the design and the operating effectiveness of the controls over a review period (typically 6 to 12 months)
SSAE-18 SOC 1
SOC 1 report assesses the controls at a service organization that affect the accuracy of a customer's financial reporting
SSAE-18 Type 1 report
Type 1 report gives the auditor's opinion on management's description of the controls and on whether those controls are suitably designed, as of a single point in time. It does not test the actual operating effectiveness of the controls
data controller
sometimes called a data owner. The data controller determines the purposes for which personal information is processed and the means by which it is processed
Data steward
carries out the intent of the data controller, managing data quality, classification, and appropriate use on the controller's behalf
data custodian
charged with the technical safeguarding of information: implementing access controls, backups, and security measures on the systems that hold the data
Control risk
a term used in public accounting. It is the risk that arises from a potential lack of internal controls within an organization, allowing a material misstatement in the organization's financial reports. For example, the absence of controls that validate a financial system's data and functions is a control risk