Governance and Compliance

Four Purposes of Governance

• →Risk Management — identify, assess, and manage potential risks that could impact organizational security
• →Strategic Alignment — ensure IT strategy aligns with overall business objectives
• →Resource Management — enable efficient and effective use of IT resources
• →Performance Measurement — establish mechanisms to monitor and measure IT process performance

Governance as the First GRC Component

Governance is the first element of GRC (Governance, Risk, and Compliance). It provides the strategic leadership, structures, and processes that ensure an organization's IT infrastructure aligns with business objectives — covering risk management, resource allocation, and performance measurement.

Four Governance Outputs

• →Guidelines — recommended (non-mandatory) approaches; provide direction without requiring compliance
• →Policies — high-level commitments outlining the organization's intentions (e.g., data protection, ethical conduct)
• →Standards — specific mandatory rules that must be followed to satisfy a policy; defined by industry or regulatory bodies
• →Procedures — detailed step-by-step instructions for accomplishing specific tasks in compliance with policies and standards

Drivers for Governance Monitoring and Revision

• →Technology advances — adoption of new technologies (e.g., cloud services) requires updated policies and procedures
• →Regulatory changes — new or revised laws and standards require framework revisions to maintain compliance
• →Cultural shifts — changes in industry practices (e.g., remote work) necessitate updated governance controls

Four Governance Structure Types

• →Boards — elected by shareholders; set strategic direction and make significant organizational decisions
• →Committees — board subgroups with specific focus areas (audit, governance, cybersecurity); provide detailed oversight of complex domains
• →Government Entities — external regulatory bodies that impose compliance requirements on organizations
• →Centralized vs Decentralized — internal structural choice determining where decision-making authority resides

Common Committee Types

• →Audit Committee — oversees the organization's financial reporting process and internal controls
• →Governance Committee — ensures the board operates effectively and adheres to governance principles
• →Cybersecurity Committee — focuses on identifying and managing cybersecurity risks at the board level

Centralized vs Decentralized Trade-offs

• →Centralized — consistent decision-making, clear authority, uniform policies; slower response to local or departmental needs
• →Decentralized — faster decisions, greater agility and responsiveness; risk of inconsistent policies across business units
• →Choice depends on organization size, goals, and need for uniformity vs agility

Business Continuity vs Disaster Recovery

Business Continuity Policy focuses on maintaining critical operations during an ongoing disruption. Disaster Recovery Policy focuses specifically on recovering IT systems and data after a disaster has occurred. BC is broader in scope; DR is IT-system specific.

Incident Response Policy Components

• →Detection — identifying that a security incident has occurred
• →Reporting — notifying appropriate personnel and stakeholders
• →Assessment — determining scope, severity, and impact of the incident
• →Response — containing the threat and eradicating the cause
• →Learning — post-incident review to identify lessons and prevent recurrence

Access Control Models Comparison

• →DAC — resource owner decides who has access; flexible; common in general business environments
• →MAC — system enforces access via security labels/classifications; rigid; used in government and military
• →RBAC — access assigned by job role; balances flexibility and control; most common in enterprise environments

Physical Security Standard Components

• →Perimeter security — fences, gates, and security guards
• →Surveillance — CCTV systems covering access points and sensitive areas
• →Access control mechanisms — biometric scanners, keycards, and PIN pads
• →Environmental controls — fire suppression systems, HVAC controls, and power redundancy
• →Secure areas — server rooms and data centers with additional access restrictions and surveillance

Encryption Standard Use Cases

• →AES (Advanced Encryption Standard) — symmetric; used for data at rest due to strong security and efficient performance
• →RSA — asymmetric; used for secure communication and key exchange via public key infrastructure
• →Use case rule: data at rest → AES; secure communication and key exchange → RSA

Change Management Procedure Stages

• →Identify — recognize the need for change and assess potential impacts on related systems
• →Plan — develop a detailed plan specifying how the change is implemented, who is involved, and what resources are required
• →Implement — execute the change, often in stages, to surface issues incrementally
• →Review — assess the outcome, capture lessons learned, and document the full process

Change Management Best Practices

• →Rollback plan — every change must include a defined revert procedure if results are negative or unexpected
• →Test first — significant changes should be tested in a non-production environment before deployment
• →Maintenance window — disruptive changes should be scheduled during designated low-impact periods
• →Documentation — the complete change process must be recorded for audit and future reference

Onboarding vs Offboarding Security Tasks

• →Onboarding: security awareness training, provisioning credentials, granting appropriate system access
• →Offboarding: immediately disabling all system access, revoking credentials, recovering company property, conducting exit interview

Four Governance Consideration Categories

• →Regulatory — industry-specific regulations from oversight bodies; non-compliance risks fines, sanctions, and reputational damage (e.g., GDPR for data privacy, PCI-DSS for payment cards)
• →Legal — contract law, intellectual property, employment law, and corporate law; primary risk is litigation from breach of contract, product liability, or employment disputes
• →Industry — technical standards and best practices prevalent in a sector; often not legally binding but shape customer, partner, and regulator expectations
• →Geographical — local, regional, national, and global regulations that vary by jurisdiction and may conflict with one another

Geographical Consideration Scope Examples

• →Local — city zoning ordinances limiting business operations in certain areas
• →Regional — CCPA (California) granting state residents rights over their personal data
• →National — ADA (US) requiring disability accommodations across all businesses
• →Global — GDPR (EU) applying to any organization worldwide that processes EU citizens' data

Four Compliance Imperatives

• →Legal Obligations — non-compliance can lead to fines and sanctions
• →Trust and Reputation — compliance with industry standards builds stakeholder confidence and enhances organizational reputation
• →Data Protection — compliance with data protection regulations prevents breaches and protects customer and employee privacy
• →Business Continuity — compliance with DR/BC standards ensures the organization can continue operations after a disruption

Internal vs External Compliance Reporting

• →Internal — verifies adherence to the organization's own policies; conducted by internal audit or compliance teams; audience is internal management
• →External — demonstrates compliance to outside parties (regulators, auditors, customers); often legally or contractually mandated; carries higher assurance weight

Compliance Monitoring Components

• →Due Diligence — exhaustive pre-action review to identify potential compliance risks before acting
• →Due Care — steps taken to mitigate identified risks (implementing controls, training staff, hiring specialists)
• →Attestation — formal declaration by a responsible party that processes and controls are compliant
• →Acknowledgement — recognition and acceptance of compliance requirements by all relevant parties
• →Internal Monitoring — regular internal reviews to confirm adherence to policies and procedures
• →External Monitoring — independent third-party audits to verify compliance with external regulations or standards

Role of Automation in Compliance

Automated compliance systems streamline data collection, improve accuracy, and provide real-time monitoring without manual review cycles; used to automatically flag policy violations (e.g., unauthorized access to protected health records) and generate audit-ready reports.

Five Non-Compliance Consequences

• →Fines — monetary penalties from regulators (GDPR: up to €20M or 4% of annual global turnover, whichever is higher)
• →Sanctions — operational restrictions or bans enforced by regulatory bodies beyond financial penalties
• →Reputational Damage — loss of customer trust, negative media coverage, and declining stock value
• →Loss of License — revocation of the right to operate in a regulated industry or jurisdiction
• →Contractual Impacts — breach of contract with clients or partners triggering legal disputes or termination