Class 14: Security Governance, Policies, Personnel, Change Management, and Automation

Last updated 7:41 PM on 6/24/26
116 Terms

1

Organizational policy

An organizational policy is a formal mandatory rule or framework that guides operations, behavior, risk mitigation, fairness, transparency, and compliance.

Example: A data privacy policy explains how customer data must be collected, stored, processed, shared, and protected.

Memory trick: Policy means the official rulebook.

Trick question tip: Policies are mandatory governance outputs, not optional suggestions.

2

Governance

Governance is the process used to direct and control an organization, including decision-making, risk management, accountability, and compliance oversight.

Example: Leadership defines how risks are evaluated, who approves decisions, and how compliance responsibilities are assigned.

Memory trick: Governance steers the organization.

Trick question tip: Governance is the process; policies are written rules produced by governance.

3

Governance versus policy

Governance directs, controls, and oversees the organization, while policy documents the rules and expectations created from that governance process.

Example: Governance identifies a privacy risk, and a privacy policy defines required handling rules.

Memory trick: Governance decides; policy documents.

Trick question tip: If asked what governance produces, policies are a strong answer.

4

Compliance

Compliance is how well an organization follows applicable laws, regulations, standards, contracts, and internal policies.

Example: An organization follows privacy law and internal data handling rules when processing customer data.

Memory trick: Compliance means following the rules that apply.

Trick question tip: Compliance includes both external requirements and internal policies.

5

Policy role in compliance

Policies support compliance by translating legal, regulatory, contractual, and business requirements into daily rules employees can follow.

Example: A privacy law becomes a company policy explaining employee data-handling responsibilities.

Memory trick: Policy turns legal requirements into work rules.

Trick question tip: Policies operationalize compliance and provide criteria for audits.

6

Noncompliance consequences

Noncompliance consequences are penalties or actions resulting from failing to follow policies, standards, laws, regulations, or contracts.

Example: An AUP states that violations may lead to disciplinary action, access restriction, fines, or legal consequences.

Memory trick: No compliance means consequences.

Trick question tip: Policies should define consequences for violations.

7

Compliance assessment

A compliance assessment evaluates whether an organization follows applicable policies, standards, laws, regulations, and contractual requirements.

Example: An audit checks whether employees follow the data privacy policy.

Memory trick: Assessment checks if rules are being followed.

Trick question tip: Policies provide the roadmap and criteria for compliance assessments.

8

Internal versus external audit

An internal audit is performed by or for the organization, while an external audit is performed by an outside party to validate obligations.

Example: Internal auditors review change records, while an outside auditor reviews privacy practices for stakeholders.

Memory trick: Internal checks yourself; external means outside review.

Trick question tip: Outside stakeholder validation points to external audit.

9

Audit roadmap

An audit roadmap is the guidance policies give auditors when evaluating whether the organization operates as claimed.

Example: Auditors use the incident response policy to check whether procedures were followed during an incident.

Memory trick: Policies tell auditors what to check.

Trick question tip: Policies can act as evidence and criteria during audits.

10

Acceptable Use Policy (AUP)

An AUP defines acceptable and unacceptable ways users may use organizational systems, networks, data, and technology resources.

Example: An AUP explains rules for browsing, downloads, appropriate content, sensitive data handling, monitoring, and consequences.

Memory trick: AUP means allowed use policy.

Trick question tip: User behavior on company systems points to AUP.

11

AUP acknowledgment and monitoring

AUP acknowledgment requires users to confirm they understand the rules, while monitoring checks whether users follow those rules.

Example: A new employee signs the AUP before receiving access, and the organization monitors for unauthorized downloads.

Memory trick: Sign the rules; monitor the behavior.

Trick question tip: AUPs should explain both user acknowledgment and how compliance is monitored.

12

Information security policy

An information security policy defines rules and responsibilities for protecting organizational information, systems, and technology assets.

Example: A policy requires users to protect stored information, follow access rules, and preserve confidentiality, integrity, and availability.

Memory trick: InfoSec policy protects information assets.

Trick question tip: Rules for securing organizational information and technology point to information security policy.

13

Data privacy policy

A data privacy policy explains how personal or customer data must be collected, stored, processed, shared, protected, and handled by employees.

Example: The policy defines employee responsibilities when working with customer records.

Memory trick: Privacy policy tells how personal data must be treated.

Trick question tip: Data collection, storage, processing, sharing, and employee responsibility point to data privacy policy.

14

Business continuity policy

A business continuity policy focuses on keeping critical business processes operational during and after disruption.

Example: A policy identifies which functions must continue during a cyberattack, hurricane, fire, or power outage.

Memory trick: Business continuity keeps the business running.

Trick question tip: Keeping critical processes operational points to business continuity or COOP.

15

COOP

A Continuity of Operations Plan focuses on maintaining essential operations during and after a substantial disruption.

Example: A COOP plan defines how essential services continue during a major outage.

Memory trick: COOP keeps operations going.

Trick question tip: COOP and business continuity focus on continuing critical operations.

16

Business continuity versus disaster recovery

Business continuity keeps critical processes running, while disaster recovery restores systems, data, and services after a catastrophic event.

Example: Continuity keeps essential services available during a cyberattack; disaster recovery restores systems after major failure.

Memory trick: BC keeps going; DR gets back up.

Trick question tip: Restore operations after catastrophe means DR; keep critical processes operational means BC or COOP.

17

Disaster recovery policy

A disaster recovery policy details steps for recovering IT systems, services, and data after catastrophic events.

Example: The policy defines how systems are restored after a major outage or significant security breach.

Memory trick: Disaster recovery means recover after the bad event.

Trick question tip: Restoring operations quickly and efficiently after catastrophe points to disaster recovery.

18

Incident response policy

An incident response policy defines the processes followed after a security breach or cyberattack occurs.

Example: The policy explains how to identify, investigate, contain, mitigate, communicate, and recover from incidents.

Memory trick: Incident response means what to do after the breach alarm.

Trick question tip: Detecting, investigating, containing, eradicating, recovering, and communicating about incidents points to incident response policy.

19

SDLC policy

An SDLC policy governs software development from requirements analysis through deployment and maintenance.

Example: A policy requires security review during design, testing before release, and maintenance after deployment.

Memory trick: SDLC follows software from idea to upkeep.

Trick question tip: Development stages, requirements, deployment, maintenance, reliability, and secure coding point to SDLC policy.

20

Change management policy

A change management policy defines how IT changes are requested, reviewed, approved, implemented, documented, and reviewed again after implementation.

Example: A firewall rule change must be submitted, reviewed, approved, implemented, and documented.

Memory trick: Change management controls changes before they happen.

Trick question tip: Request, review, approval, implementation, documentation, and rollback point to change management.

21

Policy, standard, procedure, and guideline

A policy is a mandatory rule, a standard is a specific required detail that supports policy, a procedure is step-by-step instructions, and a guideline is flexible recommended guidance.

Example: A policy requires encryption, a standard requires AES with approved key lengths, a procedure lists steps to encrypt a laptop, and a guideline recommends best practices.

Memory trick: Policy must, standard specifies, procedure steps, guideline suggests.

Trick question tip: Mandatory high-level rule means policy; measurable requirement means standard; checklist means procedure; flexible advice means guideline.

22

Standard

A standard defines specific mandatory technical, procedural, or operational requirements that support a policy.

Example: A password standard defines minimum length, MFA requirement, or account lockout settings that support an access policy.

Memory trick: Standard = specific required details.

Trick question tip: Measurable technical requirements that support policy point to standards.

23

Standard selection

Organizations select standards based on regulatory requirements, business needs, risk management goals, and stakeholder expectations.

Example: A healthcare organization follows HIPAA-related requirements, a payment processor follows PCI DSS, and a cloud-heavy organization may use cloud-focused standards.

Memory trick: Standards match rules, risks, and business needs.

Trick question tip: Industry, regulation, and business context drive standard selection.

24

Encryption standard

An encryption standard defines approved algorithms, key lengths, key management practices, storage requirements, rotation, and revocation.

Example: A standard requires approved symmetric encryption and key rotation after suspected compromise.

Memory trick: Encryption standards tell how data must be protected.

Trick question tip: Algorithm choice, minimum key length, storage, rotation, and revocation point to encryption standards.

25

Procedure

A procedure is a step-by-step instruction set or checklist used to complete a task consistently and in compliance with policy.

Example: An onboarding procedure lists steps for account creation, privilege assignment, credential issuance, and training.

Memory trick: Procedure means exact steps.

Trick question tip: Ordered steps or checklists point to procedure.

26

Policy versus procedure

A policy defines what must happen and why, while a procedure explains exactly how to perform the task.

Example: A policy requires account removal at termination; a procedure lists how to disable accounts and recover assets.

Memory trick: Policy is the rule; procedure is the checklist.

Trick question tip: If the answer involves ordered task steps, choose procedure.

27

Guideline

A guideline is flexible recommended guidance that helps people make good decisions while allowing judgment and discretion.

Example: A help desk guideline suggests tone, language, and response times for support replies.

Memory trick: Guideline means recommended path.

Trick question tip: Recommended and flexible means guideline; mandatory means policy or standard.

28

Guideline versus procedure

A guideline gives flexible recommendations, while a procedure gives specific required steps to complete a task consistently.

Example: A guideline suggests help desk tone, while a procedure lists exact steps for resetting a password securely.

Memory trick: Guideline suggests; procedure instructs.

Trick question tip: Recommendations are guidelines; required step-by-step actions are procedures.

29

Guideline review and updates

Guidelines should be reviewed and updated so recommendations remain practical, relevant, and aligned with new technologies, operations, threats, and standards.

Example: A support guideline is updated after a new ticketing platform changes the workflow.

Memory trick: Guidelines need updates to stay useful.

Trick question tip: Changing technologies, business operations, threats, and standards can require guideline updates.

30

Personnel management

Personnel management applies security policies and procedures across the worker lifecycle, including recruitment, operation, and termination.

Example: HR and IT coordinate background checks, training, account provisioning, access changes, and account removal.

Memory trick: Personnel management secures people from entry to exit.

Trick question tip: Recruitment, operation, and termination are the main personnel management phases.

31

Recruitment phase

The recruitment phase locates and selects people for roles and may include candidate screening and background checks.

Example: A candidate for a sensitive finance role is screened before being hired.

Memory trick: Recruitment means check before hiring.

Trick question tip: Candidate screening and background checks belong to recruitment.

32

Operation phase

The operation phase covers employees while they work, including policy communication, training, awareness, and ongoing access management.

Example: HR communicates security policies and schedules awareness training for employees.

Memory trick: Operation means secure behavior while employed.

Trick question tip: Employee training and policy communication occur during operation.

33

Termination or separation phase

The termination or separation phase covers voluntary or involuntary departure and includes offboarding, access removal, and asset recovery.

Example: A departing employee’s accounts are disabled and company devices are recovered.

Memory trick: Separation means secure the exit.

Trick question tip: Leaving the organization triggers offboarding and access removal.

34

Background check

A background check verifies identity and looks for risk factors that could make a candidate unsuitable for a role.

Example: A high-trust role may require review for identity, criminal history, financial risk, or clearance eligibility.

Memory trick: Verify before trust.

Trick question tip: The depth of screening should match role sensitivity and access level.

35

IAM and HR coordination

IAM and HR coordination ensures accounts and access are created, changed, and removed based on accurate employment status and role information.

Example: HR confirms a new hire before IT creates the user account.

Memory trick: HR knows the person; IAM grants the access.

Trick question tip: HR and IT integration helps prevent ghost accounts, stale access, and accidental account vulnerabilities.

36

Onboarding

Onboarding is the process of welcoming employees, contractors, suppliers, customers, or guests and setting up appropriate access, credentials, assets, and responsibilities.

Example: A new employee receives an account, assigned privileges, credentials, devices, and security training.

Memory trick: Onboarding means secure entry.

Trick question tip: Creating accounts, assigning access, issuing assets, and scheduling training are onboarding tasks.

37

Supplier and contractor onboarding

Supplier and contractor onboarding applies access controls, review, training, time limits, and later offboarding to third-party workers or vendors.

Example: A contractor receives time-limited access and required security training for the project.

Memory trick: Third parties need controlled entry too.

Trick question tip: Onboarding and offboarding apply to contractors and suppliers, not only employees.

38

Customer and guest account onboarding

Customer and guest account onboarding creates limited, controlled, and often time-bound access for non-employee users.

Example: A guest account is created with limited access and an expiration date.

Memory trick: Guest access still needs rules.

Trick question tip: Guest or customer accounts require controlled provisioning.

39

Account provisioning

Account provisioning creates and configures a user account, credentials, and access permissions for system use.

Example: IT creates a new account after HR confirms the employee has been hired.

Memory trick: Provisioning means build the account.

Trick question tip: Account creation and configuration point to provisioning.

40

Appropriate privilege assignment

Appropriate privilege assignment gives a user only the access required for their role and responsibilities.

Example: A new finance employee receives access to approved finance applications but not engineering systems.

Memory trick: Right role, right access.

Trick question tip: Role-based access and least privilege are onboarding access clues.

41

Credential confidentiality during onboarding

Credential confidentiality ensures initial passwords, smart cards, tokens, and other credentials are transmitted and handled securely.

Example: A new user receives an initial credential through a protected process and must change it at first login.

Memory trick: Send credentials like secrets.

Trick question tip: Default passwords, insecure credential delivery, and admin knowledge of user passwords create onboarding risk.

42

Smart card issuance

Smart card issuance is the secure process of providing a user with a physical smart card credential.

Example: A new employee receives a smart card through verified handoff.

Memory trick: Smart card is a physical credential.

Trick question tip: Issuing smart cards is part of secure credential onboarding.

43

Asset allocation

Asset allocation provides users with required devices or approves personal devices for work under policy.

Example: A new employee is assigned a laptop and mobile device, or a BYOD phone is enrolled for access.

Memory trick: Asset allocation means give the worker their tools.

Trick question tip: Provisioning devices or BYOD approval is asset allocation.

44

Onboarding training

Onboarding training provides security awareness, policy communication, and role-specific instruction before or during initial access.

Example: A developer receives secure coding training, while help desk staff receive identity verification training.

Memory trick: New users need training before trust.

Trick question tip: Training should match role, access level, and responsibilities.

45

IAM automation

IAM automation streamlines onboarding by synchronizing with HR systems, creating accounts, assigning role-based access, and enforcing standardized controls.

Example: A new hire entered into HR automatically triggers account creation and standard role-based access.

Memory trick: IAM automation turns HR data into access setup.

Trick question tip: Automated provisioning and HR synchronization point to IAM automation.

46

Automated provisioning

Automated provisioning creates and configures accounts based on predefined roles, policies, and HR data.

Example: A new employee account is automatically created with standard department access.

Memory trick: Automation builds accounts without manual guesswork.

Trick question tip: Automation improves consistency and reduces manual account mistakes.

47

Offboarding

Offboarding manages a worker, contractor, or third party’s departure while protecting access, assets, information, and business continuity.

Example: A departing employee’s account is disabled, devices are recovered, and corporate data is removed from personal devices.

Memory trick: Offboarding means secure the exit.

Trick question tip: Account removal, asset retrieval, data recovery, and corporate data wipe are offboarding steps.

48

Offboarding account management

Offboarding account management disables or removes accounts, sessions, privileges, and application access when a worker leaves.

Example: IT disables domain, email, VPN, cloud, and application access for a departing user.

Memory trick: Leaving means access stops.

Trick question tip: Disabling accounts and privileges is a core offboarding task.

49

Company asset retrieval

Company asset retrieval recovers organization-owned devices, badges, keys, smart cards, USB media, and other property during offboarding.

Example: A departing employee returns a laptop, badge, smart card, USB drive, and office key.

Memory trick: Get the company stuff back.

Trick question tip: Mobile devices, keys, smart cards, and USB media are common offboarding retrieval items.

50

Information asset accessibility

Information asset accessibility ensures company information remains available after an employee leaves, including encrypted files and password-protected documents.

Example: IT recovers or transfers keys needed to access files managed by the departing employee.

Memory trick: Company data must stay with the company.

Trick question tip: Offboarding must handle encryption keys and password-protected assets.

51

Personal device corporate data wipe

Personal device corporate data wipe removes company data, applications, credentials, and access from employee-owned devices during offboarding.

Example: Corporate email, apps, and documents are removed from a departing employee’s personal phone.

Memory trick: BYOD leaves; corporate data goes.

Trick question tip: Employee-owned devices require corporate data removal when access ends.

52

High-risk departure

A high-risk departure may require additional actions because of the employee’s access, role, knowledge, or conflict risk.

Example: A departing security administrator triggers immediate credential review and shared secret changes.

Memory trick: Sensitive exit needs stronger controls.

Trick question tip: Privileged or disgruntled departures may require faster access removal and extra review.

53

Playbook

A playbook is a central repository of standardized strategies, procedures, checklists, and best practices for consistent operations.

Example: An incident response playbook lists triage, containment, communication, recovery, and documentation steps.

Memory trick: Playbook means the official game plan.

Trick question tip: Playbooks standardize procedures and preserve team knowledge.

54

Playbook benefits

Playbooks improve consistency, knowledge sharing, institutional memory, quality assurance, crisis response, and continuous improvement.

Example: A new analyst follows a phishing playbook and the team later updates it after lessons learned.

Memory trick: Playbooks keep everyone running the same play.

Trick question tip: Preserving procedures and improving repeatability are playbook benefits.

55

Incident response playbook

An incident response playbook details emergency procedures and contingency steps used during security incidents.

Example: The playbook tells responders how to contain malware, notify stakeholders, and document actions.

Memory trick: Incident playbook is the crisis checklist.

Trick question tip: Quick decisions under stress are supported by playbooks.

56

MITRE ATT&CK and NIST SP 800-61 playbook support

MITRE ATT&CK helps map playbooks to attacker tactics and techniques, while NIST SP 800-61 provides incident response guidance.

Example: A team maps detection and response steps to adversary techniques and structures the process using incident response guidance.

Memory trick: ATT&CK maps attacker behavior; NIST 800-61 guides IR.

Trick question tip: MITRE ATT&CK supports adversary behavior mapping; NIST SP 800-61 supports incident response procedures.

57

Change management program

A change management program systematically manages changes to systems, software, hardware, networks, configurations, products, and support environments.

Example: An organization tracks and approves a system update before deployment to reduce downtime and security risk.

Memory trick: Change management keeps change from becoming chaos.

Trick question tip: Planning, reviewing, approving, documenting, and improving changes point to change management.

58

Change request

A change request documents a proposed change, reason, affected systems, risks, expected impact, implementation plan, and rollback plan.

Example: A network change request describes the business reason, security risks, impacted applications, and rollback steps.

Memory trick: Request first, change later.

Trick question tip: Security and business risks should be evaluated before approval.

59

Change approval process

A change approval process ensures proposed changes are reviewed and authorized before implementation.

Example: A software update is reviewed and approved before deployment to production.

Memory trick: Approve changes before applying changes.

Trick question tip: Unauthorized changes are reduced through change management.

60

Change implementation planning

Change implementation planning evaluates dependencies, affected components, business processes, users, and workflows before a change is made.

Example: Before changing a server, IT checks which applications and users depend on it.

Memory trick: Know what depends on it before changing it.

Trick question tip: Dependency impact should be considered before implementation.

61

Change trial

A change trial tests a significant or major change before full production implementation.

Example: A major software update is tested in a pilot environment before organization-wide rollout.

Memory trick: Trial the change before committing.

Trick question tip: Significant changes should be tested when possible.

62

Rollback plan versus remediation plan

A rollback plan reverses a change to the previous state, while a remediation plan corrects problems caused by the change.

Example: A firewall update includes steps to restore the old rules, and a separate plan fixes the cause of the failure.

Memory trick: Rollback undoes; remediation fixes.

Trick question tip: Rollback returns to the prior state; remediation corrects the issue.

63

Maintenance window

A maintenance window is a scheduled period of authorized downtime or reduced service used to perform IT changes.

Example: Network upgrades are performed during a weekend maintenance window.

Memory trick: Maintenance window is approved downtime.

Trick question tip: Authorized downtime for planned changes points to maintenance window.

64

Post-change impact assessment

A post-change impact assessment reviews the effect of a completed change on systems, users, performance, availability, security, and operations.

Example: After a server update, IT checks performance, availability, logs, and user reports.

Memory trick: After the change, check what changed.

Trick question tip: Change management continues after implementation.

65

Change process review

A change process review documents outcomes and lessons learned to improve future change management.

Example: A team reviews why a deployment caused downtime and updates the change procedure.

Memory trick: Review the change to improve the next one.

Trick question tip: Documenting outcomes supports future change management.

66

SOP

A standard operating procedure is a documented routine process for performing common tasks consistently and securely.

Example: An SOP defines the steps for applying routine approved updates.

Memory trick: SOP means standard steps for routine work.

Trick question tip: Routine tasks and consistent execution point to SOPs.

67

Allow list and deny list

An allow list identifies approved items, while a deny list or block list identifies explicitly prohibited items.

Example: Approved business applications are allow-listed, while known vulnerable software is deny-listed.

Memory trick: Allow list says yes; deny list says no.

Trick question tip: Permitted items point to allow list; prohibited or off-limits items point to deny/block list.

68

Change management allow list

A change management allow list identifies trusted software, hardware, routine changes, or approvers that may use a streamlined process.

Example: A low-risk standard device replacement is preapproved and does not require full review each time.

Memory trick: Allow-listed changes move faster.

Trick question tip: Preauthorized low-risk changes point to a change management allow list.

69

Routine, low-risk, and preauthorized changes

Routine changes are common and expected, low-risk changes have limited impact, and preauthorized changes are approved in advance under defined conditions.

Example: A standard approved software update in a noncritical environment follows a shorter process.

Memory trick: Common, safe, approved ahead.

Trick question tip: Low risk does not mean no documentation; it may mean a lighter process.

70

Change management deny list

A change management deny list or block list identifies prohibited software, hardware, people, or change types that require blocking or formal review.

Example: Unlicensed software or vulnerable hardware is blocked from installation.

Memory trick: Deny list blocks what should not happen.

Trick question tip: Explicitly prohibited items point to deny list or block list.

71

Legacy system change risk

Legacy systems can be difficult to change because they may be unsupported, business-critical, complex, fragile, or dependent on old processes.

Example: An unsupported application remains in use because a critical business process depends on it.

Memory trick: Old systems can be too important and too fragile.

Trick question tip: Complexity plus business importance makes legacy changes risky.

72

Change documentation and versioning

Change documentation records what changed, why, who approved it, when it happened, results, and affected documents, while versioning labels new and archived versions.

Example: A policy update is labeled version 3.3 while prior versions are archived for reference and audit.

Memory trick: If it changed, document and version it.

Trick question tip: Accurate documentation supports auditing, incident response, training, and troubleshooting.

73

Legal environment

The legal environment includes laws, regulations, contracts, industry requirements, privacy obligations, breach notification rules, licensing, and penalties that shape cybersecurity.

Example: A security team translates legal data protection requirements into administrative and technical controls.

Memory trick: Law becomes security requirements.

Trick question tip: Cybersecurity programs are heavily influenced by legal and regulatory requirements.

74

Due diligence versus negligence

Due diligence means taking reasonable steps to protect systems and data, while negligence means failing to meet that reasonable duty of care.

Example: An organization performs risk assessments, implements controls, and documents audits to show due diligence.

Memory trick: Due diligence proves you tried; negligence means you failed to act reasonably.

Trick question tip: Failure to exercise due diligence can lead to fines, lawsuits, regulatory penalties, or criminal cases.

75

Legal requirements to operational controls

Governance translates legal requirements into technical, administrative, and operational controls that employees can actually follow.

Example: A privacy regulation becomes access controls, retention rules, training, and breach notification procedures.

Memory trick: Law must become daily controls.

Trick question tip: Governance connects legal obligations to practical controls.

76

SOX

SOX is a law associated with corporate accountability, internal controls, risk assessments, auditing, and financial reporting integrity.

Example: A public company implements risk assessments and internal controls to support audit evidence.

Memory trick: SOX cares about controls and accountability.

Trick question tip: Risk assessments, internal controls, and audit processes in corporate reporting point to SOX.

77

GDPR

GDPR is a European Union privacy regulation focused on protecting personal data and privacy rights, including consent and data handling requirements.

Example: An organization obtains consent before collecting personal data from EU users.

Memory trick: GDPR protects EU personal data rights.

Trick question tip: Consent before personal data collection and EU privacy rights point to GDPR.

78

CCPA

CCPA is a California privacy law focused on consumer privacy rights and how organizations handle California consumer data.

Example: A company gives California consumers required notices and privacy choices.

Memory trick: CCPA = California consumer privacy.

Trick question tip: California consumer privacy rights point to CCPA.

79

HIPAA

HIPAA governs healthcare privacy and security requirements for protected health information.

Example: A healthcare organization protects patient records and controls access to health data.

Memory trick: HIPAA = healthcare information privacy.

Trick question tip: Healthcare records and protected health information point to HIPAA.

80

GLBA

GLBA applies to financial institutions and requires protection of customer financial information.

Example: A bank implements controls for customer account and financial records.

Memory trick: GLBA = financial customer data.

Trick question tip: Financial services and customer financial information point to GLBA.

81

FISMA

FISMA requires United States federal agencies to develop, document, and implement information security programs.

Example: A federal agency follows security policies and controls for systems handling government information.

Memory trick: FISMA = federal information security.

Trick question tip: U.S. federal agency security programs point to FISMA.

82

PCI DSS

PCI DSS is an industry standard for protecting payment card data in organizations that process, store, or transmit cardholder data.

Example: A payment processor follows PCI DSS controls to protect cardholder data.

Memory trick: PCI DSS protects payment cards.

Trick question tip: Credit card processing and cardholder data point to PCI DSS.

83

CMMC

CMMC is a cybersecurity maturity certification model associated with defense contractors and protection of sensitive defense information.

Example: A defense contractor prepares for certification to meet customer cybersecurity requirements.

Memory trick: CMMC = defense contractor maturity.

Trick question tip: Defense contractor cybersecurity maturity certification points to CMMC.

84

Regulatory agency

A regulatory agency establishes and enforces standards, regulations, and guidelines for specific sectors.

Example: A financial regulator oversees security requirements for financial institutions.

Memory trick: Regulators make and enforce sector rules.

Trick question tip: Establishing and enforcing sector regulations points to regulatory agencies.

85

Data protection authority

A data protection authority protects personal data and privacy rights, enforces data protection regulations, and provides privacy guidance.

Example: A data protection authority investigates whether an organization mishandled personal data.

Memory trick: Data protection authorities guard privacy rights.

Trick question tip: Personal data privacy enforcement points to data protection authorities.

86

National cybersecurity agency

A national cybersecurity agency protects critical infrastructure, government networks, and national cybersecurity interests.

Example: A national agency coordinates incident response and publishes cybersecurity guidance.

Memory trick: National cybersecurity agencies protect national cyber interests.

Trick question tip: Critical infrastructure, government networks, national cyber strategy, and incident coordination point to national cybersecurity agencies.

87

Law enforcement versus intelligence agency

Law enforcement investigates and prosecutes criminal activity, while intelligence agencies gather and analyze information to identify threats and support national policy or military strategy.

Example: Law enforcement investigates stolen data, while an intelligence agency provides threat information to government leaders.

Memory trick: Police prosecute; intelligence informs.

Trick question tip: Criminal investigation points to law enforcement; national threat analysis points to intelligence agency.

88

Defense and military organization

Defense and military organizations protect national security from external threats and develop physical and cyber defense capabilities.

Example: A defense organization protects national infrastructure from external cyber threats.

Memory trick: Defense protects the nation.

Trick question tip: National defense, border control, military cybersecurity, and external threats point to defense organizations.

89

Governance and accountability

Governance and accountability ensure cybersecurity decisions, legal compliance, risk management, and operational controls are owned, overseen, reviewed, and improved.

Example: A governance board sets security objectives while committees and data roles implement and report issues.

Memory trick: Governance decides; accountability assigns responsibility.

Trick question tip: Oversight, responsibility, legal compliance, and strategic direction point to governance and accountability.

90

Monitoring and revision

Monitoring and revision is the ongoing process of reviewing, evaluating, updating, and improving policies, procedures, standards, and compliance practices.

Example: A policy is updated after a new privacy law changes reporting requirements.

Memory trick: Monitor, measure, update, repeat.

Trick question tip: Cybersecurity governance is cyclical because threats, laws, and technology change.

91

Revision drivers

Revision drivers are events or findings that cause policies, procedures, standards, or training to be updated.

Example: A new law, technology change, business process change, audit finding, or new risk triggers a revision.

Memory trick: Revision drivers are reasons to update the rulebook.

Trick question tip: Reports, technologies, laws, business processes, and newly identified risks commonly drive revisions.

92

Employee training after policy changes

Employee training after policy changes informs workers about updated requirements and helps maintain compliance.

Example: Employees complete updated privacy training after the data handling policy changes.

Memory trick: New rules require new training.

Trick question tip: Training helps employees understand and follow revised policies.

93

Cyclical governance process

A cyclical governance process continually monitors, evaluates, revises, trains, and reassesses security requirements.

Example: An organization reviews compliance, updates standards, trains employees, and repeats the cycle as risks change.

Memory trick: Governance is a loop, not a one-time event.

Trick question tip: Dynamic and proactive review is part of effective governance.

94

Governance board

A governance board is a high-level group responsible for strategic security objectives, policies, risk oversight, accountability, and program effectiveness.

Example: A governance board sets security priorities and reviews audit results, incidents, metrics, and compliance reports.

Memory trick: Governance board sets strategic direction.

Trick question tip: Strategic objectives and executive-level oversight point to a governance board.

95

Governance committee

A governance committee provides specialized expertise, analysis, and recommendations to support the governance board.

Example: A security committee of subject matter experts analyzes an issue and recommends policy updates.

Memory trick: Board sets strategy; committee advises.

Trick question tip: Specialized SME analysis and recommendations point to a committee.

96

Centralized, decentralized, and hybrid governance

Centralized governance uses one core authority, decentralized governance gives local groups more control, and hybrid governance combines central oversight with local flexibility.

Example: Corporate security sets minimum standards while departments adapt procedures for local needs.

Memory trick: Central controls, local adapts, hybrid blends.

Trick question tip: One central authority means centralized; local autonomy means decentralized; both together means hybrid.

97

Data governance role

Data governance roles define accountability for protecting, processing, managing, or securing data.

Example: Owner, controller, processor, and custodian roles divide responsibility for business data.

Memory trick: Data governance assigns responsibility for data.

Trick question tip: Owner, controller, processor, and custodian are key data governance roles.

98

Data owner

A data owner is a senior person ultimately responsible for ensuring data is appropriately classified, protected, and aligned with business objectives.

Example: A vice president decides classification level and access requirements for business data.

Memory trick: Owner owns responsibility, not necessarily the server.

Trick question tip: Classification, sensitivity, access decisions, and strategic guidance point to data owner.

99

Data controller

A data controller decides why and how personal data is processed.

Example: A business decides the purpose and method for collecting customer data.

Memory trick: Controller decides processing purpose.

Trick question tip: GDPR-style purpose and method decisions point to controller.

100

Data processor

A data processor processes personal data on behalf of the controller according to the controller’s instructions.

Example: A cloud vendor processes customer data for a business that controls the purpose.

Memory trick: Processor processes for the controller.

Trick question tip: Service provider handling data for the controller points to processor.