GRC

Question 1

Define Governance

Answer 1

Ensuring that organsational activities are aligned with business goals

Question 2

Define Risk

Answer 2

Any risk or opportunity associated with business activities is identified

Question 3

Define Compliance

Answer 3

business activities operated to meet laws and regulations

Question 4

What are the benefits of GRC?

Answer 4

• improved decision-making
• more optimal investments
• reduced fragmentation among departments

Question 5

Discuss NIST

Answer 5

National Institute of Standards and Technology
- creates voluntary framework - no penalties or fines for not following
- provides customisable guide
- combined standards, guidelines and best practices
- encourages communication
- common risk language

Question 6

Discuss ISO

Answer 6

International Organisation for Standardisation
- international, non-governmental organisation
- consists of various bodies that develop and publish standards
- ISO 27000 - security requirements around maintenance of information security management systems
- ISO 31000 - governs principles of implementation and risk management

Question 7

Outline PCI-DSS

Answer 7

Payment Card Industry Data Security Standard
-Independent body created by financial firms. Standard - not law.
- Consists of 12 requirements
- designed to reduce fraud and protect CC informattion
- contractually required of any company handling CC information
- consequences of not complying - penalties from CC companies, data breaches, legal action, lost revenue

Question 8

Outline GDPR

Answer 8

General Data Protection Regulation
- EU regulation
- Regulates data protection and privacy of citizens in EU
- Applies to - any company in the EU, any company handling the data of an EU citizen
- Penalties - Up to 20 mil euros, up to 4% of global revenue