Governance
- Strategic leadership, structures, and processes that ensure an organization’s IT infrastructure aligns with its business objectives
Compliance
- Adherence to laws, regulations, standards, and policies that apply to the operation of the organization
What are the aspects that make up a governance framework?
- Rules, Responsibilities and Practices
Governance Monitoring
- Regularly reviewing and assessing the effectiveness of the governance framework
Governance Revisions
- Updating the governance framework to address any gaps or weaknesses
Board of Directors
- A group of individuals elected by shareholder to oversee the management of an organization
Committees
- Subgroups of a board of directors, each with a specific focus
Government Entities
- They establish laws and regulations that organizations must comply with
EXAMPLES: Federal Trade Commissions makes laws against unfair trade practices you must adhere to
Centralized Structures
- Decision-making authority is concentrated at the top levels of management
DeCentralized Structures
- Distributes decision making authority throughout the organization
Acceptable Use Policy (AUP)
- A document outlining the do’s and don’ts for users when interacting with an organization’s IT systems and resources
EXAMPLE: Might prohibit users from visiting unwanted websites, or downloading files they shouldn’t
Information Security Policies
- Outlines how an organization protects its information assets from threats, both internal and external
*** This covers a range of areas including Data Classification, Access Control, Encryption, and Physical Security
Business Continuity
- Focuses on how an organization will continue its critical operations during and after a disruption
Disaster Recovery
- Focuses specifically on how an organization will recover its IT systems and data after a disaster
Incident Response
- A plan for handling security incidents
EXAMPLE: States the who/what/when/where of disaster actions
Change Management
- Aims to ensure that changes are implemented in a controlled and coordinated manner, minimizing the risk for disruption
Standards
- Provide a framework for implementing security measures, ensuring that all aspects of an organization’s security posture are addressed
Password Standards
- Dictate the complexity and management of passwords, which are the first line of defense against unauthorized access
*** Minimum length of characters, upper/lower case, numbers, and special characters
Access Control Standards
- Determines who has access to what resources within an organization
*** This includes…
Discretionary Access Control (DAC) - resource owner decides who gets access
Mandatory Access Control (MAC) - system enforces access based on security clearances and data classifications
Role-Based Access Control (RBAC) - access is tied to job functions/roles rather than individual users
Physical Security Standards
- Standards that cover the physical measures taken to protect an organization’s assets and information
Encryption Standards
- Ensures that data intercepted or accessed without authorization remains unreadable and secure
Procedures
- Systematic sequences of actions or steps taken to achieve a specific outcome
EXAMPLE: Data back-up procedure, Emergency Evacuation Procedure
Onboarding/Off-boarding Procedures
- Process of either integrating new employees or managing their transition when leaving
Playbooks
- Checklist of actions to perform to detect and respond to a specific type of incident
