5.0 Governance, Risk, and Compliance
Data Custodian
Individuals and departments responsible for the storage and safeguarding of computerized data.
Data Owner
Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting, technical accountability, and use of computerized data.
Asset Management
Involves obtaining and continually updating an accurate inventory of all IT assets, discovering security gaps related to the asset's presence or configuration, and enforcing security requirements to rapidly address the identified gaps.
Web Server
Is a program that uses HTTP to serve the files that form Web pages to users, in response to their requests, which are forwarded by their computers' HTTP clients.
Offboarding
It involves separating an employee from a firm. This can include a process for sharing knowledge with other employees.
Recovery Point Objective (RPO)
It is the maximum tolerable period in which data might be lost from an IT service due to a major incident. The ___ gives systems designers a limit to work to.
Risk Appetite
Level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, that change inevitably brings.
Terms of Agreement
List of rules you agree to follow; also lists consequences you agree to accept for not following the rules
Data Minimization
Measures performed by organizations to limit the personal data they collect from individuals and process only information that is relevant or necessary to accomplish specific business purposes.
Mean Time Between Failures (MTBF)
Measures the average time that equipment is operating between breakdowns or stoppages. Measured in hours, helps businesses understand the availability of their equipment and if they have a problem with reliability.
Center for Internet Security (CIS)
Nonprofit organization, formed in October, 2000. Its mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace".
Risk Posture
One's ability to accept (or handle) exposure to defined levels of uncontrolled risk.
Data Anonymization
Process by which personal data is irreversibly altered in such a way that a data subject can no longer be identified directly or indirectly, either by the data controller alone or in collaboration with any other party. Such as converting PII into aggregated data.
Data Masking
Process of changing certain data elements within a data store so that the structure remains similar while the information itself is changed to protect sensitive information. Ensures that sensitive customer information is unavailable beyond the permitted production environment.
General Data Protection Regulation (GDPR)
Proposed set of regulations adopted by the European Union to protect Internet users from clandestine (secret) tracking and unauthorized personal data usage. Primary aim is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
ISO 27002
Provides guidance on information security standards and management practices. It specifies how to select, implement, and manage information security controls.
ISO 27701
Providing the requirements and guidelines necessary to create a privacy information management system (PIMS). A strong PIMS is critical to organizations that are responsible and accountable for the processing of personally identifiable information.
Intellectual Property (IP) Theft
Refers to the robbing of people or companies of their ideas, inventions, and creative expressions. There are four main types of IP, including trade secrets, trademarks, copyrights, and patents.
Security Organization Control (SOC) 2 Type 1
Report that details the suitability of the design controls to the service organization's system. It details the system at a point in time particularly its scope, the management of the organization describing the system, and the controls in place. Contains independent service auditor's report and service organization's description of controls.
Change Management (CM)
A collective term for all approaches to prepare, support, and help individuals, teams, and organizations in making organizational change. May include the ongoing evolution of technology, internal reviews of processes, crisis response, customer demand changes, competitive pressure, acquisitions and mergers, and organizational restructuring.
Business Partnership Agreement (BPA)
A contract between two or more parties that binds all participants to specific terms and conditions of their working relationship.
Clean Desk Policy (CDP)
A corporate directive that specifies how employees should leave their working space when they leave the office.
Reference Architecture
A document or set of documents to which a project manager or other interested party can refer for best practices. The lists and charts of functions, departments, products, and security practices that create a common vocabulary for IT and management to use to discuss current and future success make up the _______.
Risk Register
A document used as a risk management tool and to fulfill regulatory compliance acting as a repository for all risks identified and includes additional information about each risk, e.g. nature of the risk, reference and owner, mitigation measures. It can be displayed as a scatterplot or as a table.
ISO 31000
A family of standards relating to risk management. Guidelines provide principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
Non-Disclosure Agreement (NDA)
A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties
Risk Matrix
A matrix that is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity. This is a simple mechanism to increase visibility of risks and assist management decision making.
Mean Time to Repair (MTTR)
A metric used to measure how well equipment or services are being maintained, and how quickly issues are being responded to. The average time it takes to detect an issue, diagnose the problem, repair the fault and return the system to being fully functional.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote best practices for using cloud computing securely.
Single Point of Failure (SPOF)
A part of a system that, if it fails, will stop the entire system from working. Undesirable in any system with a goal of high availability or reliability, be it a business practice, software application, or other industrial system.
Data Steward
A person who owns a business accountability for a set of data assets.
Data Controller
A person, company, or other body that determines the purpose and means of personal data processing.
National Institute of Standards and Technology (NIST)
A physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
Cybersecurity Framework (CSF)
A policy framework of computer security guidance created by NIST for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. It provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.
Principle of Least Privilege (PoLP)
A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job.
Acceptable Use Policy (AUP)
A set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. ___ Documents are written for corporations, businesses, universities, schools, internet service providers (ISPs), and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.
Cybersecurity Insurance
A specialty lines insurance product intended to protect businesses, and individuals providing services for such businesses, from Internet-based risks, and more generally from risks relating to information technology infrastructure, information privacy, information governance liability, and activities related cyber attacks,
Privacy Notice
A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information.
Job Rotation
A technique used by some employers to rotate their employees' assigned jobs throughout their employment. Employers practice this technique for enhancing skills and improve job satisfaction levels.
Qualitative Risk Assessment
A technique used to quantify risk associated with a particular hazard.
Measurement Systems Analysis (MSA)
A thorough assessment of a measurement process, and typically includes a specially designed experiment that seeks to identify the components of variation in that measurement process.
Service Account
A user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources.
End of Service (EOS)
A vendor of systems or software will no longer provide maintenance, troubleshooting or other support. Such software which is abandoned service-wise by the original developers is also called abandonware.
Memorandum of Understanding (MOU)
An agreement between two or more parties to enable them to work together that is not legally enforceable but is more formal than an unwritten agreement.
Service Level Agreement (SLA)
An agreement between two or more parties, where one is the customer and the others are service providers. This can be a legally binding formal or an informal "contract" (for example, internal department relationships). The agreement may involve separate organizations, or different teams within one organization.
Inherent Risk (IR)
An assessed level of raw or untreated risk; that is, the natural level of ___ in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.
Statement on Standards for Attestation Engagements (SSAE)
An attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entities internal control over financial reporting (ICFR).
Risk Control Self Assessment (RCSA)
An empowering method/process by which management and staff of all levels collectively identify and evaluate risks and associated controls.
Payment Card Industry Data Security Standard (PCI DSS)
An information security standard for organizations that handle branded credit cards from the major card schemes. The mandated by the card brands but administered by the PCI Security Standards Council. Was created to increase controls around cardholder data to reduce credit card fraud by securing environment.
Computer-based training (CBT)
An interactive instructor-less educational process. Practically, learners interact with various types of learning material via computer.
SOC 2 Type 2
An internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use _____ reports to assess and address the risks associated with third party technology services. Contains independent service auditor's report, service organization's description of controls, and independent service auditor tests operating effectiveness and describes the results of those tests..
Quantitative Risk Assessment
An objective tool, that quantifies project risks which are usually prioritized during qualitative risk analysis.
International Organization for Standardization (ISO)
An organization founded in 1946 to standardize measurements for international industrial, commercial, and scientific purposes.
Role-based training
Specialized training that is customized to the specific role that an employee holds in the organization.
Control Risk (CR)
Chance that auditors will not catch and correct a material mistake in the financial statements before they are issued.
Cloud Controls Matrix (CCM)
Covers three main focus areas: cloud architecture, governing in the cloud, and operating in the cloud. There are more than 100 controls and guidelines to follow in the matrix, but they are further divided into 16 categories based on specific areas and requirements.
Network Infrastructure Devices
Devices that are the components of a network that transport communications needed for data, applications, services, and multi-media. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks.
Data Protection Officer (DPO)
Ensures in an independent manner that an organization applies the laws protecting individuals' personal data.
Single Loss Expectancy (SLE)
Expected monetary loss each time an asset is at risk. It's a term that's most commonly used during risk assessment and attempts to put a monetary value on each single threat.
Supply Chain
Focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and APT on _____.
Impact Assessment (IA)
Formal, evidence-based procedures that assess the economic, social, and environmental effects of public policy. They have been incorporated into policy making in the Organization for Economic Cooperation and Development (OECD) countries and the European Commission.
Privacy Breach
Generally, an impermissible use or disclosure under the Privacy Rule (PR) that compromises the security or privacy of the protected health information. Can occur in any size or type of business, and are more commonplace than you might think. The impact of a _____ can have a number of negative consequences, including: Reputation.
Information Life Cycle (ILM)
Strategies for administering storage systems on computing devices. The practice of applying certain policies to effective information management.
Onboarding
The action or process of integrating a new employee into an organization or familiarizing a new customer or client with one's products or services.
Residual Risk (RR)
The amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.
Pseudo-anonymization
The appearance - but not the reality--of anonymity online. Most commonly, enables anonymous posting and commenting.
Gamification
The application of game-design elements and game principles in non-game contexts. It can also be defined as a set of activities and processes to solve problems by using or applying the characteristics of game elements.
Annualized Loss Expectancy (ALE)
The expected monetary loss that can be expected for an asset due to a risk over a one-year period.
Risk Management
The identification, evaluation, and prioritization of risks
Root Account
The most privileged account on a Unix system. This account gives you the ability to carry out all facets of system administration, including adding accounts, changing user passwords, examining log files, installing software, etc. When using this account it is crucial to be as careful as possible.
ISO 27001
The most well-known of these standards and outlines requirements for an information security management system (ISMS). This guidance is critical to ensuring the confidentiality, integrity and availability of information. -Select controls for implementing an ISMS based on ______________ -Implement commonly accepted information security controls -Develop their own information security management guidelines
Personally Identifiable Information (PII)
The name, postal address, or any other information that allows tracking down the specific person who owns a device.
Annualized Rate of Occurrence (ARO)
The probability that a risk will occur in a particular year.
Likelihood of Occurrence
The probability that noncompliance with a law or regulation will occur daily, monthly, yearly, once every five years, ten years, etc.
Risk Management Framework (RMF)
The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk ---that is, the risk to the organization or to individuals associated with the operation of a system.
Recovery Time Objective (RTO)
The targeted duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity.
Functional Recovery Plan
To help clients discover connection and passion beyond symptom reduction and maintenance.
Change Control
Used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. Reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into the system or undoing changes made by other users of software. Goal usually include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change.