Governance
Overall management of the organization's IT infrastructure, policies, procedures, and operations
Governance is needed because of:
risk management
strategic alignment
resource management
performance measurement
compliance
Adherence to laws and regulations.
Why we need compliance:
legal obligations
trust and reputation
data protection
business continuity
Governance Structure
boards
committees
government entities
centralized and decentralized structures
boards
A board of directors is a group of individuals elected by shareholders to oversee the management of an organization
committees
Subgroups of a board of directors, each with a specific focus
government entities
They establish laws and regulations that organizations must comply with
Centralized Structure
Decision-making concentrated at the top levels.
Decentralized Structure
Decision-making distributed across various levels.
What are the policies?
acceptable use
information security
business continuity
disaster recovery
incident response
SDLC
change management
Acceptable Use Policy
A document that defines what a person may and may not do on an organization's computers and networks.
information security policies
Outline how an organization protects its information assets from threats, both internal and external
Business Continuity
Focuses on how an organization will continue its critical operations during and after a disruption
Disaster Recovery
Focuses specifically on how an organization will recover its IT systems and data after a disaster
Incident Response
Actions taken to address security breaches.
Software Development Life Cycle (SDLC)
Guides how software is developed within an organization
Change Management
Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.
Standards
provide a framework
Password Standards
Complexity, rotation, and storage requirements.
access control standards
Determine who has access to what resources within an organization
DAC
MAC
RBAC
What are the considerations?
regulatory considerations
legal considerations
industry considerations
geographical boundaries
Regulatory Considerations
These regulations can cover a wide range of areas, from data protection and privacy to environmental standards and labor laws
Legal Considerations
Closely tied to regulatory considerations, but they also encompass other areas such as contract law, intellectual property, and corporate law
Industry Considerations
The specific standards and practices that are prevalent in a particular industry
National Considerations
Laws like the Americans with Disabilities Act (ADA) in the United States
Global Considerations
General Data Protection Regulation (GDPR) implemented by the European Union
Compliance Reporting
Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
Internal Compliance Reporting
Collection and analysis of data to ensure that an organization is following its internal policies and procedures
External Compliance Reporting
Demonstrating compliance to external entities such as regulatory bodies, auditors, or customers, often mandated by law or contract
Compliance Monitoring
The process of regularly reviewing and analyzing an organization's operations to ensure compliance with laws, regulations, and internal policies
due diligence
conducting the necessary research and investigation to make informed decisions that minimize risk
due care
the steps taken to mitigate these risks
Attestation
Formal declaration by a responsible party that the organization's processes and controls are compliant
acknowledgement
recognition for a notable deed
Non-compliance Consequences
Fines, Sanctions, Reputational Damage, Loss of License, Contractual Impacts
Sanctions
restrictions intended to enforce international law