Reputation Damage
Occurs when a company's brand is tainted due to a data breach, leading to a loss of public respect and potentially reduced sales.
Identity Theft
Occurs when stolen customer data is used to impersonate the victims; the company that lost the data can be sued for the resulting damages.
Fines
Data breaches may lead to regulatory fines, such as under the EU GDPR, where fines can reach up to 20 million Euros or 4% of the company's annual global turnover, whichever is higher.
IP Theft
Theft of intellectual property such as copyrighted material, trade secrets, and patented designs, typically by competitors, resulting in lost revenue for the company.
Classifications
The first stage of risk management involves classifying assets, determining how data is handled, accessed, stored, and destroyed based on different data classifications.
Data Minimization
Refers to collecting only necessary data and holding it in accordance with regulations, as reflected in the data retention policy.
Data Masking
Involves leaving only partial data in a field to prevent the theft of original data, such as showing only the last four digits of a credit card number.
Tokenization
Replaces sensitive data with a randomly generated token; the mapping from token back to the original value is held in a separate, protected token vault. Unlike ciphertext, a token has no mathematical relationship to the original value, so it cannot be reversed without access to the vault.
Anonymization
Involves rendering data anonymous to prevent identification of individuals, typically by removing identifiers like names.
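The three data-protection techniques above, shown side by side as an added example (not code from the original page): masking keeps only the last four digits of a card number, tokenization swaps the value for a random token that only a vault can map back, and anonymization strips direct identifiers and coarsens quasi-identifiers. The sample record, field names and the in-memory vault are constructed for illustration; in production the vault would be a separately secured service.

```python
import secrets

# Constructed sample record; not real customer data.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "postcode": "SW1A 1AA",
    "purchase_total": 42.50,
}


def mask_card_number(card_number: str, keep_last: int = 4) -> str:
    """Data masking: keep only the last `keep_last` digits, replace the rest with '*'.
    The masked value preserves the field's shape but the hidden digits are gone for good."""
    digits = card_number.replace(" ", "")
    if len(digits) <= keep_last:
        return digits
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


class TokenVault:
    """Tokenization: each sensitive value is replaced by a random token.
    The only link from token back to value is the mapping held here (assumed to live
    in a separately secured vault service in real deployments)."""

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}  # sensitive value -> token
        self._reverse: dict[str, str] = {}  # token -> sensitive value

    def tokenize(self, value: str) -> str:
        if value in self._forward:  # same value always maps to the same token
            return self._forward[value]
        token = secrets.token_urlsafe(16)  # random, no relationship to the value
        while token in self._reverse:      # defensive: avoid the (unlikely) collision
            token = secrets.token_urlsafe(16)
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; raises KeyError for a token the vault never issued."""
        return self._reverse[token]


def anonymize(record: dict, direct_identifiers=("name", "email", "card_number")) -> dict:
    """Anonymization: drop direct identifiers entirely, and coarsen quasi-identifiers
    (here the full postcode becomes its outward code only) so the remaining
    record cannot easily be tied back to an individual."""
    out = {k: v for k, v in record.items() if k not in direct_identifiers}
    if "postcode" in out:
        out["postcode"] = str(out["postcode"]).split(" ")[0]
    return out


def protect_for_storage(record: dict, vault: TokenVault) -> dict:
    """Example pipeline: tokenize the card number for the transaction store and keep a
    masked copy for display, leaving the rest of the record untouched."""
    out = dict(record)
    out["card_token"] = vault.tokenize(record["card_number"].replace(" ", ""))
    out["card_display"] = mask_card_number(record["card_number"])
    del out["card_number"]
    return out


if __name__ == "__main__":
    vault = TokenVault()
    print(protect_for_storage(SAMPLE_RECORD, vault))
    print(anonymize(SAMPLE_RECORD))
```

Note the difference in reversibility: the masked value can never be restored, the token can be restored only by whoever holds the vault, and the anonymized record has no identifier left to restore.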
Data Owners
Responsible for classifying data and determining who can access it within the organization.
Data Controller
Determines the purposes and means of processing personal data and is accountable for its lawful collection and storage, for compliance with regulations, and for investigating data breaches.
Data Processor
Operates on behalf of the data controller, ensuring data collection, storage, and analysis comply with regulations.
Data Custodian / Steward
Responsible for labeling, storing, and managing data securely, including encryption and regular backups.
DPO (Data Protection Officer)
Also called a Data Privacy Officer; ensures that the handling, storage, and disposal of personally identifiable information comply with national laws and regulatory frameworks.
Information Lifecycle
Involves the stages of data creation, use, retention, and disposal, ensuring compliance with regulatory frameworks.
Impact Assessment
Evaluates risks associated with collecting large amounts of data and implements tools to reduce those risks effectively.
Terms of Agreement
Outlines the agreement between data collectors and individuals whose data is being collected, specifying the purpose of data collection.
Privacy Notice
Informs individuals what personal data is collected, for which specific purposes, and how it will be used; consent given for those purposes does not permit the data to be used for other, unintended purposes.
External Threats
Include various threat actors like competitors, criminal syndicates, and foreign governments, with different levels of sophistication and funding.
Internal Threats
Include malicious insiders and human errors as potential risks to data security within an organization.
Risk Transference
Shifting the financial impact of a risk to a third party. Insurance of any kind, whether for a car or for cyber incidents, is the classic example of risk transference.
Risk Register
A list of all potential risks a company could face, with specific risk owners responsible for assessing and managing them.
Risk Assessments
Qualitative assessment rates risks as High, Medium, or Low; quantitative assessment assigns numeric (usually monetary) values, typically by multiplying probability by impact, as in ALE = SLE x ARO.
Risk Matrix / Heat Map
Visual representation of risks, with severity indicated by colors like red for severe, pink for high, and green for low risk.
Risk Control Self Assessment
Process where employees evaluate existing risk controls to ensure adequacy, reporting back to management.
Inherent Risk
Raw risk before any mitigation strategies are applied.
Residual Risk
Risk remaining after mitigation efforts, as risk cannot be completely eliminated.
Control Risk
Measurement of risk control effectiveness over time.
Risk Appetite
The amount and type of risk an organization is willing to accept in pursuit of its objectives; it sets the threshold above which risks must be mitigated, transferred, or avoided.
Single-Loss Expectancy (SLE)
The expected loss from a single occurrence of a risk, calculated as SLE = AV x EF (asset value multiplied by the exposure factor, the fraction of the asset lost per event); equivalently SLE = ALE / ARO.
Annualized Loss Expectancy (ALE)
Total loss in one year, calculated as ALE = SLE x ARO.
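The risk register, quantitative assessment, and inherent versus residual risk entries above, worked through as an added example (not code from the original page): each register entry carries an owner, asset value, exposure factor and ARO, from which SLE and inherent ALE follow; a proposed control lowers EF or ARO to give the residual ALE, and the control is worth buying only if the ALE reduction exceeds its annual cost. The register entries, control names and figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    owner: str              # risk owner responsible for assessing and managing it
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single-loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Inherent annualized loss expectancy: ALE = SLE x ARO, before any control."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    new_ef: Optional[float] = None   # exposure factor after the control (reduces impact)
    new_aro: Optional[float] = None  # ARO after the control (reduces likelihood)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied; never zero unless EF or ARO is zero."""
    ef = control.new_ef if control.new_ef is not None else risk.exposure_factor
    aro = control.new_aro if control.new_aro is not None else risk.aro
    return risk.asset_value * ef * aro


def control_value(risk: Risk, control: Control) -> float:
    """Annual net benefit of a control: inherent ALE minus residual ALE minus its cost.
    A negative result means the control costs more than the loss it prevents."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rank_by_inherent_ale(register: list[Risk]) -> list[str]:
    """Risk names ordered from the highest to the lowest inherent ALE."""
    return [r.name for r in sorted(register, key=lambda r: r.ale(), reverse=True)]


# Constructed register entries; figures are illustrative, not from any real assessment.
REGISTER = [
    Risk("Ransomware on file server", "IT Ops lead", asset_value=100_000.0,
         exposure_factor=0.25, aro=2.0),
    Risk("Laptop theft", "Facilities", asset_value=3_000.0,
         exposure_factor=1.0, aro=4.0),
    Risk("Web app data breach", "AppSec lead", asset_value=500_000.0,
         exposure_factor=0.10, aro=0.5),
]

# Constructed candidate controls, one per register entry.
CONTROLS = {
    "Ransomware on file server": Control("Offline backups + EDR", annual_cost=10_000.0, new_aro=0.5),
    "Laptop theft": Control("Full-disk encryption", annual_cost=2_000.0, new_ef=0.2),
    "Web app data breach": Control("WAF + pentest", annual_cost=30_000.0, new_aro=0.25),
}


def evaluate_register() -> dict[str, dict[str, float]]:
    """Inherent ALE, residual ALE and net control value for every entry in the register."""
    report = {}
    for risk in REGISTER:
        control = CONTROLS[risk.name]
        report[risk.name] = {
            "sle": risk.sle(),
            "inherent_ale": risk.ale(),
            "residual_ale": residual_ale(risk, control),
            "control_value": control_value(risk, control),
        }
    return report


if __name__ == "__main__":
    for name, figures in evaluate_register().items():
        print(name, figures)
    print("Priority order:", rank_by_inherent_ale(REGISTER))
```

The web-app entry shows why the comparison matters: halving the likelihood of a large loss is still not worth a control whose annual cost exceeds the ALE it removes, whereas the cheap laptop control pays for itself even though the individual loss is small.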
Recovery Point Objective (RPO)
The maximum amount of data loss, measured in time, that a company can tolerate; it defines the point in time to which data must be restored after an incident and therefore how often backups must be taken.
Recovery Time Objective (RTO)
Time needed to return a company to an operational state.
Mean Time to Repair (MTTR)
Average time taken to repair a system.
Mean Time Between Failures (MTBF)
Average operating time between one failure of a system and the next; a measure of the system's reliability.
Functional Recovery Plans (FRP)
Plans that document the steps needed to restore a specific business function after an incident, validated through structured walkthroughs and simulations.
Disaster Recovery Plans (DRP)
Plans for various disasters to recover quickly and minimize financial impact.
Site Risk Assessment
Evaluation of the physical and environmental risks and hazards at a facility, such as its location, exposure to natural disasters, and surrounding threats.
Acceptable Use Policy (AUP)
Guidelines on using company computers and devices, specifying allowed and forbidden practices.
Separation of Duties
Internal control where multiple individuals are involved in completing a task to prevent fraud or errors.
Off-Boarding Policy
Ensures removal of business data from BYOD devices when an employee leaves to prevent data breaches.
Non-Disclosure Agreements (NDA)
Legally binding contracts preventing disclosure of trade secrets to competitors without authorization.
Background Checks
Process of checking criminal records, employment history, education, and references to verify the information provided by job applicants.
Least Privilege Policy
Restricts data access to employees based on job requirements, following the "Need to know" principle.
Clean-Desk Policy
Requires employees to clear desks daily to prevent unauthorized access to sensitive information.
Social Media Analysis
Establishes company policies to prevent attackers from accessing valuable information shared on social media.
User Training
Essential for reducing the risk of cyber exploitation by educating employees on security measures.
Capture the Flag
Exercise where Red and Blue teams engage in exploitation-based challenges to enhance cybersecurity skills.
Phishing Campaigns
Simulated phishing emails sent to employees to assess their responses and provide training on phishing attacks.
Computer Based Training (CBT)
Training method delivered through videos and quizzes to confirm understanding, often incorporating gamification to keep learners engaged.
Role Based Training
Ensures employees receive security awareness training tailored to their specific job roles.
3rd Party Risk Management
Involves assessing risks associated with interactions with external companies or service providers.
Supply Chain
Companies rely on suppliers for materials; disruptions in the supply chain can impact business operations.
Vendors
Emphasizes the importance of trustworthy software vendors to prevent malware installation or backdoors.
Service Level Agreement (SLA)
Contract between a service provider and a company detailing service expectations and metrics.
Memorandum of Understanding (MOU)
Formal agreement between parties indicating a serious commitment, though not legally binding.
Measurement Systems Analysis (MSA)
Tool for evaluating the quality of measurement systems to minimize variation.
Business Partnership Agreement (BPA)
Governs the relationship between companies in a business venture, outlining contributions and responsibilities.
End of Life (EOL)
Occurs when a vendor discontinues a product, limiting support and availability of replacement parts.
End of Service (EOS)
Vendor ceases support for a product, leaving users vulnerable without security updates or technical assistance.
Data
Crucial company asset requiring proper classification, handling, storage, and disposal in compliance with regulations.
Classification
Labeling data with relevant security classifications to determine how it should be handled.
Governance
Oversight and management of security controls throughout the data handling process to ensure compliance.
Retention
Balances data storage needs with liability concerns, requiring companies to retain data as necessary for compliance.
Personnel
User accounts are assigned to individuals and granted only the access their role requires under the principle of least privilege; shared accounts are avoided because they remove individual accountability.
Third Party
Utilizes credentials like SAML tokens or SSH keys from external providers for secure access.
Devices
Require changing default settings to enhance security, especially generic accounts with default passwords.
Service Accounts
Non-interactive accounts used to run applications and services such as antivirus; on Windows the built-in Local System, Network Service, and Local Service accounts carry different levels of privilege, so a service should run under the least privileged one that works.
Administrator / Root Accounts
Need protection as they grant extensive system access, restricting their use to authorized IT personnel.
Credential Policies
Establish guidelines to safeguard credentials and prevent unauthorized system access.
Change Management
Process for amending existing procedures to enhance security controls and address vulnerabilities.
Change Control
Involves managing requests for changes to existing controls, ensuring they are beneficial and approved by the Change Advisory Board.
Asset Management
Process of tagging and recording company assets in a register to ensure accountability and tracking.
Comparing Security Control Types
Categorizes security controls into managerial, operational, and technical types to mitigate risks effectively.
Preventative Controls
Measures put in place to deter attacks, like disabling user accounts or operating system hardening.
Detective Controls
Tools used to detect and record events during or after an incident, such as CCTV for recording activity or log files for identifying trends and investigating what happened.
Corrective Control Types
Actions taken to recover from incidents, like replacing lost data from backups or using fire suppression systems.
Deterrent Controls
Methods like CCTV and motion sensors used to discourage potential threats, such as triggering lights to deter intruders.
Compensating Control Types
Secondary controls used when primary controls fail, like using temporary login methods while waiting for smart cards.
GDPR
General Data Protection Regulation by the EU to safeguard individuals' data privacy; enforced by each member state's supervisory authority, and in the UK by the Information Commissioner's Office (ICO).
ISO Standard 27001
Focuses on security techniques for information security management systems.
ISO Standard 27002
Aims to improve information management through a code of practice for information security controls.
ISO Standard 27701
Extension to 27001/27002 for privacy information management requirements and guidelines.
ISO Standard 31000
Manages risk for company organizations and general management.
CSA CCM
The Cloud Security Alliance Cloud Controls Matrix, a catalog of cloud security controls that helps potential customers assess the overall risk of a cloud provider.
CSA Reference Architecture
Contains best security practices for Cloud Service Providers (CSPs) to promote secure and trusted cloud environments.
Role of Web Servers
Microsoft's Internet Information Services (IIS) and Apache are among the most widely used web servers in commercial companies, and both vendors publish security hardening guides.
Network Infrastructure Devices
Cisco produces high-end network devices and offers Infrastructure Upgrade Guides for best practices in upgrading network devices.