Lesson 14

Lesson 14: Security Governance Concepts

High-level rules guiding organizational behavior and decision-making

Specific technical guidelines supporting policies

Step-by-step instructions for completing tasks

Onboarding: Setup new users (account creation, role assignment, access to systems, training)
Offboarding: Remove access when employee leaves (disable accounts, revoke credentials, collect assets)
Background Checks: Pre-employment verification (criminal history, identity, employment)
Service Provisioning: Assign IT services (email, cloud apps, VPN) based on role
Software Provisioning: Grant access to specific applications needed for job
Desktop Deployment: Install/configure endpoint devices for new users
Patching & Updating: Ensure systems have latest security patches
Go-Live Actions: Checklist when deploying new system/user into production
After-Hours Support: Handle support requests outside normal hours
Ticket Management: Track onboarding/offboarding actions

GDPR (General Data Protection Regulation): EU law protecting personal data, requires consent, fines up to €20M or 4% revenue
CCPA (California Consumer Privacy Act): Grants Californians rights over data (opt-out of sales)

HIPAA (Health Insurance Portability and Accountability Act): Protects patient health data in U.S., safeguards for ePHI
FERPA (Family Educational Rights and Privacy Act): Safeguards student records in U.S. schools
PCI DSS (Payment Card Industry Data Security Standard): Security for credit card transactions, annual audits
GLBA (Gramm-Leach-Bliley Act): U.S. financial institutions protect consumer financial information

NERC (North American Electric Reliability Corporation): Cybersecurity for energy infrastructure (U.S. & Canada)
CIPA (Children's Internet Protection Act): Requires schools/libraries to filter harmful content
COPPA (Children's Online Privacy Protection Act): Restricts online data collection from children under 13
FISMA (Federal Information Security Modernization Act): Cybersecurity protections for federal agencies
CJIS (Criminal Justice Information Services Security Policy): Security for criminal justice data
GSC (Government Security Classifications): U.K. system for classifying sensitive information

Data Owner: Senior staff responsible for data classification (CFO owns financial data)
Data Controller: Decides why and how personal data is collected/processed
Data Processor: Processes personal data on behalf of controller (cloud storage provider)
Data Custodian: Manages data storage and security (IT department encrypting files)
Data Subject: Individual whose personal information is collected/stored

Propose Change: Submit request (upgrade server hardware)
Review by Change Board: Assess risks and impacts (downtime)
Test: Validate in sandbox environment
Implement: Deploy during maintenance windows
Backout Plan: Revert if issues arise (snapshot can be part of backout but is technical tool, not detailed procedure)

Version Control: Track changes to policies (using Git, GitHub, GitLab)
Legacy Systems: Older systems needing special handling (compatibility testing for Windows 7)