5.1 Flashcards
(33 cards)
Data ownership
Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets
Data Owner
A senior executive responsible for labeling information assets and ensuring they
are protected with appropriate controls
Data Controller
Entity responsible for determining data storage, collection, and usage purposes
and methods, as well as ensuring the legality of these processes
Data Processor
A group or individual hired by the data controller to assist with tasks like data
collection and processing
Data Steward
Focuses on data quality and metadata, ensuring data is appropriately labeled and
classified, often working under the data owner
Data Custodian
Responsible for managing the systems on which data assets are stored, including
enforcing access controls, encryption, and backup measures
Privacy Officer
Oversees privacy-related data, such as personally identifiable information (PII),
sensitive personal information (SPI), or protected health information (PHI),
ensuring compliance with legal and regulatory frameworks
Governance
Overall management of IT infrastructure, policies, procedures, and operations;
includes:
● Risk Management
○ Identify, assess, and manage potential risks
● Strategic Alignment
○ Ensure IT strategy aligns with business objectives
● Resource Management
○ Efficient and effective use of IT resources
● Performance Measurement
○ Mechanisms for measuring and monitoring the performance of IT
processes
Compliance
Adherence to laws, regulations, standards, and policies
Policies
■ High-level guidelines indicating organizational commitments
■ Topics Covered
● Acceptable Use Policies
● Information Security Policies
● Business Continuity
● Disaster Recovery
● Incident Response
● Change Management
● Software Development Lifecycle (SDLC)
Standards
■ Specific, mandatory actions or rules adhering to policies
■ Covered Standards
● Password Standards
● Access Control Standards
● Physical Security Standards
● Encryption Standards
Procedures
■ Step-by-step instructions that ensure consistency and compliance
■ Covered Procedures
● Change Management Procedures
● Onboarding and Offboarding Procedures
● Playbooks
GRC Triad
Governance, Risk, and Compliance
Purpose of Governance
■ Establishes a strategic framework aligning with objectives and regulations
■ Defines rules, responsibilities, and practices for achieving goals and managing IT
resources
Boards
● Elected by shareholders to oversee organization management
● Responsible for setting strategic direction, policies, and major decisions
Committees
● Subgroups of boards with specific focuses
● Allows detailed attention to complex areas
Government Entities
● Play roles in governance, especially for public and regulated organizations
● Establish laws and regulations for compliance
Centralized governance
○ Decision-making authority at top management levels
○ Ensures consistent decisions and clear authority
○ Slower response to local/departmental needs
AUP
acceptable use policy
■ Document that outlines the do’s and don’ts for users when interacting with an
organization’s IT systems and resources
■ Defines appropriate and prohibited use of IT systems/resources
■ Aims to protect organizations from legal issues and security threats
Info Security Policies
■ Cornerstone of an organization’s security
■ Outlines how an organization protects its information assets from threats, both
internal and external
These policies cover a range of areas
● Data Classification
● Access Control
● Encryption
● Physical Security
■ Ensures confidentiality, integrity, and availability of data
Business Continuity Policy
■ Ensures operations continue during and after disruptions
■ Focuses on critical operation continuation and quick recovery
■ Includes strategies for power outages, hardware failures, and disasters
Disaster Recovery Policy
■ Focuses on IT systems and data recovery after disasters
■ Outlines data backup, restoration, hardware/software recovery, and alternative
locations
Incident Response Policy
■ Addresses detection, reporting, assessment, response, and learning from security
incidents
SDLC Policy
■ Guides software development stages from requirements to maintenance
■ Includes secure coding practices, code reviews, and testing standards
■ Ensures high-quality, secure software meeting user needs