GCGA Ch. 11 Security Governance (ST) Flashcards
(11 cards)
Security governance
the set of responsibilities and processes established by an organization’s top-level management to direct, evaluate, and control the organization’s security efforts.
Boards (company)
often consist of executives and high-ranking individuals within the organization who make critical decisions about security policy and strategy. Committees are usually specialized groups focusing on specific aspects of security, such as risk management or compliance. Government entities might have a role if the organization operates in a heavily regulated industry or if it deals with sensitive data like protected health information or national security matters.
Centralized vs decentralized governance structures
centralized governance structures concentrate decision-making authority at the top of the organization. Decentralized structures allow different parts of the organization to make their own security decisions.
Setting up/managing security governance
In setting up and managing security governance, organizations need to take into account a range of external considerations. These may include regulatory requirements, legal obligations, industry standards, and the security environment at local, regional, national, and global levels.
Written security policies
administrative controls that identify an overall security plan for an organization and reduce overall risk. Procedures identify security controls used to enforce security policies. Common security policies include acceptable use policies (AUP), information security policies, business continuity and disaster recovery policies, incident response policies, software development lifecycle (SDLC) policies, and change management policies.
Security standards
outline technical and business requirements for security. Common security standards include password standards, access control standards, physical security standards, and encryption standards.
Security procedures
provide very specific step-by-step instructions for carrying out security-related tasks. Security guidelines offer advice on achieving security objectives. Common security procedures include change management procedures and employee onboarding/offboarding procedures.
Security guidelines
optional advice, whereas compliance with policies, procedures, and standards is mandatory. Data owners have primary responsibility for a specific type of data within the organization. The data owner is typically a senior executive responsible for the area with oversight of the data.
Data owners
typically have senior-level positions and can’t do the day-to-day work of data governance. For this reason, they typically delegate authority to data stewards on their teams who are responsible for carrying out the intent of the data owner’s requirements.
Data custodian
responsible for routine daily tasks such as backing up data, storing data, and implementing business rules.
Data controller
the organization that is responsible for a dataset. A data processor handles information on behalf of a data controller.