Governance
The management of policies, standards, procedures and operations within a framework that ensures an organization's IT infrastructure aligns with its business objectives and regulatory requirements.
Monitoring
Regularly reviewing and assessing the effectiveness of the governance framework
Boards
A group of people elected by shareholders to oversee the management of an organization. Responsible for setting the company's strategic direction (establishing policies and making major decisions).
Committees
Subgroups of a board, each with a specific focus (e.g. a Finance Committee or a Cyber Committee)
Government Entities
Establish laws and regulations that companies must comply with.
Centralized Structure
Decision-making authority sits at the top levels of management
Consistent decision making
Clear Authority
Slow to respond to local needs
Decentralized Structure
Distributed decision-making authority across the company.
Quicker to respond
Good for local/department needs
Can be inconsistent
Acceptable Use Policy (AUP)
Outlines the do's and don'ts for users when interacting with an organization's IT systems
Information Security Policies
Outlines how an organization protects its information assets from threats (internal and external)
Business Continuity Policy
Outlines the steps an organization takes to continue business operations during and after a disruption (e.g. power outages, hardware failures, natural disasters)
Disaster Recovery Policy
Specifies how an organization will recover its IT systems and data after a disaster (data backup and restoration, software and hardware recovery, alternative locations)
Incident Response Policy
A plan for handling security incidents (Detect, Report, Assess, Respond, Learn)
Software Development Lifecycle Policy (SDLC)
Guides how software is developed
Change Management Policy
Ensures that changes are implemented in a controlled and coordinated manner, minimizing the risk of disruption (procedures for requesting, approving, implementing and reviewing changes)
Standards
Provide a framework for implementing security measures, ensuring all aspects of an organization's security posture are addressed
Password Standards
Dictate the complexity and management of passwords (length, casing, special characters, periodic changes, hashing, salting). Note that current guidance (NIST SP 800-63B) no longer recommends forced periodic changes unless a compromise is suspected.
Access Control Standards
Determine who has access to what resources (DAC, MAC, RBAC)
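An added example (not from the original flashcard set) of the RBAC model named in the standard: users hold roles, roles carry permissions on resources, and any request not explicitly granted is denied. The roles, users and permissions below are constructed for illustration.

```python
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)

# Hypothetical role-to-permission mapping, constructed for illustration.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "analyst":  {("tickets", "read"), ("logs", "read")},
    "engineer": {("tickets", "read"), ("tickets", "write"),
                 ("logs", "read"), ("servers", "restart")},
    "admin":    {("users", "create"), ("users", "delete"), ("servers", "restart")},
}

# Hypothetical user-to-role assignments, constructed for illustration.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"analyst"},
    "bob":   {"engineer"},
    "carol": {"admin", "analyst"},
}


def is_authorized(user: str, resource: str, action: str) -> bool:
    """Deny by default: grant only if some role held by the user carries (resource, action)."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def effective_permissions(user: str) -> Set[Permission]:
    """Union of permissions across all of a user's roles; useful for access reviews."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def revoke_role(user: str, role: str) -> None:
    """Remove a role from a user (e.g. during offboarding); access is re-evaluated on next request."""
    USER_ROLES.get(user, set()).discard(role)


if __name__ == "__main__":
    print(is_authorized("alice", "tickets", "read"))    # analyst may read tickets
    print(is_authorized("alice", "tickets", "write"))   # but not write them
    print(sorted(effective_permissions("carol")))
```

Because permissions hang off roles rather than individual users, an access review means checking each role's permission set and each user's role list, and offboarding means removing roles rather than hunting for per-user grants.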
Physical Security Standards
Physical measures taken to protect an organization's assets and information (fences, surveillance, keycards, power redundancy)
Encryption Standards
Specify the approved encryption algorithms and protocols so that data cannot be read without the proper keys and authorization
Procedures
Steps taken to achieve a specific outcome
Change Management
Approach to dealing with changes within an organization
Change Management Stages
The need for change is identified and potential impacts are assessed
A plan is developed (who, what, where, when)
Change is implemented
Review
Onboarding
Orientation and training to ensure new employees are engaged and productive
Offboarding Procedures
Recovering company property
Disabling access to systems
Exit Interviews
Playbooks
Checklist of actions to perform to detect and respond to a specific type of incident
Compliance
Ensuring that a company is following laws, regulations, guidelines and specifications.
Compliance Reporting
Process of collecting and presenting data to demonstrate adherence to compliance requirements
Internal Compliance Reporting
Collection and analysis of data to ensure that an organization is following its internal policies and procedures
External Compliance Reporting
Demonstrating compliance to external entities (regulatory bodies, auditors, customers); usually mandated by law or contract
Compliance Monitoring
Process of regularly reviewing and analyzing an organization’s operations to ensure compliance with laws, regulations and internal policies
Due Diligence
Conducting a thorough review of an organization's operations to identify potential compliance risks (researching applicable laws and regulations)
Due Care
Steps taken to mitigate the risks identified during due diligence.
Attestation
Formal declaration by a responsible party that the organization’s processes and controls are compliant (Making people attest to protocols)
Acknowledgement
Recognition and acceptance of compliance requirements by all relevant parties (making people acknowledge protocols via compliance agreement )
Internal Monitoring
Regularly reviewing an organization’s operations to ensure compliance with internal policies
External Monitoring
Third-party review/audits to verify compliance with external regulations or standards
Fines
Monetary penalties imposed by regulatory bodies for non-compliance with law and regulation
Sanctions
Strict measures taken by regulatory bodies to enforce compliance (restrictions on business operations or bans)
Reputational Damage
The negative impact on a company’s reputation due to non-compliance (Bad Online reviews, Criticism, loss in stock value)
Loss of License
Non-compliance can lead to the loss of a company's license to operate
Contractual Impacts
Consequences that arise from a contract between two or more parties when one party fails to meet its compliance obligations