Section 11 of the Dion Training Security+ Course
Governance
Overall management of the organization’s IT infrastructure, policies, procedures and operations. It is the strategic leadership, structures, and processes that ensure an organization’s IT infrastructure aligns with its business objectives.
Compliance
Adherence to laws, regulations, standards, and policies that apply to the operations of the organization
Monitoring
Regularly reviewing and assessing the effectiveness of the governance framework
Boards
A board of directors is a group of individuals elected by shareholders to oversee the management of an organization.
Committees
Subgroups of a board of directors, each with a specific focus
Government Entities
They establish laws and regulations that organizations must comply with
Centralized Structures
Decision-making authority is concentrated at the top levels of management
Decentralized Structures
Distributes decision-making authority throughout the organization
Acceptable Use Policy (AUP)
A document that outlines the do’s and don’ts for users when interacting with an organization’s IT systems and resources
Information Security Policies
Outline how an organization protects its information assets from threats, both internal and external
Business Continuity
Focuses on how an organization will continue its critical operations during and after a disruption
Disaster Recovery
Focuses specifically on how an organization will recover its IT systems and data after a disaster
Incident Response
A plan for handling security incidents
Software Development Lifecycle (SDLC)
Guides how software is developed within an organization
Change Management
Aims to ensure that changes are implemented in a controlled and coordinated manner, minimizing the risk of disruptions
Standards
Provide a framework for implementing security measures, ensuring that all aspects of an organization’s security posture are addressed
Password Standards
Dictate the complexity and management of passwords, which are the first line of defense against unauthorized access
Access Control Standards
Determine who has access to what resources within an organization
What are some types of access control standards?
Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC)
Physical Security Standards
These standards cover the physical measures taken to protect an organization’s assets and information
Encryption Standards
Ensure that data intercepted or accessed without authorization remains unreadable and secure
Procedures
Systematic sequences of actions or steps taken to achieve a specific outcome
Onboarding
The process of integrating new employees into the organization
Offboarding
The process of managing the transition when an employee leaves
Playbooks
Checklist of actions to perform to detect and respond to a specific type of incident
Regulatory Considerations
These regulations can cover a wide range of areas, from data protection and privacy to environmental standards and labor laws
Legal Considerations
Closely tied to regulatory considerations, but they also encompass other areas such as contract law, intellectual property, and corporate law
Industry Considerations
The specific standards and practices that are prevalent in a particular industry
National Considerations
Laws like the Americans with Disabilities Act (ADA) in the United States
Global Considerations
General Data Protection Regulation (GDPR), implemented by the European Union
Compliance Reporting
Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
Compliance Monitoring
The process of regularly reviewing and analyzing an organization’s operations to ensure compliance with laws, regulations, and internal policies
What is the difference between due diligence and due care?
Due diligence is the act of conducting an exhaustive review of an organization’s operations to identify potential compliance risks, while due care describes the steps taken to mitigate these risks
Attestation
Formal declaration by a responsible party that the organization’s processes and controls are compliant
Acknowledgement
Recognition and acceptance of compliance requirements by all relevant parties
Automation in Compliance
Automated compliance systems can streamline data collection, improve accuracy, and provide real-time compliance monitoring
Fines
Monetary penalties imposed by regulatory bodies for non-compliance with laws and regulations
Sanctions
Strict measures taken by regulatory bodies to enforce compliance