Documentation and Reporting (ISC2 CGRC) Flashcards
ISC2 Governance, Risk and Compliance (CGRC) Flashcards
| Front | Back |
| --- | --- |
| Content of vulnerability assessment report | Identified weaknesses, risk levels, affected systems, and mitigation steps |
| Contents of a secure software development life-cycle report | Code review findings, vulnerability tests, and compliance checks |
| Define authority to operate (ATO) documentation | Approval that allows a system to operate within set security parameters |
| Define gap analysis report | Identifies differences between current system capabilities and compliance requirements |
| Define policy exception documentation | Details cases where specific standards are not met and the rationale behind them |
| Define risk register | A documented database of identified risks, their severity, and mitigation strategies |
| Documentation requirements for third-party service providers | Includes SLAs, contract terms, and compliance certifications |
| Elements of a security incident report | Details of the incident, actions taken, impact, and follow-up recommendations |
| How to document data retention policies | Outlines rules for data storage durations and secure disposal methods |
| How to document incident response team activities | Tracks actions taken, resources used, and timeline of responses |
| Importance of change management documentation | Ensures accountability and review for modifications to systems and processes |
| Importance of documenting security benchmarks | Provides reference standards for evaluating system performance and compliance |
| Importance of maintaining regulatory requirement updates | Ensures documentation stays aligned with current standards |
| Key components of an audit log | User actions, system events, timestamps, and data changes |
| Key elements of a security risk management plan | Identified risks, mitigation strategies, monitoring processes, and assigned roles |
| Primary audience for system documentation | Internal teams, auditors, and regulatory authorities |
| Purpose of access control audit report | Verifies compliance with access permissions and identifies any unauthorized access |
| Purpose of business impact analysis documentation | Evaluates potential disruption effects on organizational operations |
| Purpose of compliance reporting | Tracks performance against regulatory and organizational requirements |
| Purpose of configuration management plan | Defines procedures for maintaining consistency in system settings and operations |
| Purpose of encryption key management documentation | Specifies procedures for securing, rotating, and retiring encryption keys |
| Purpose of privacy impact assessment documentation | Evaluates potential effects of system operations on individual privacy |
| Purpose of system security plan | Describes system security controls and compliance with regulatory requirements |
| Reporting frequency for operational metrics | Varies by organizational policy and regulatory requirements |
| Responsibilities of system owners in reporting | Ensure accurate documentation and timely communication of system status |
| Role of communication plan in governance | Ensures stakeholders receive timely and relevant information |
| Role of escalation procedures in reporting | Ensures critical issues are promptly communicated to higher management |
| Role of governance framework in reporting | Provides structure for consistent communication about risk and compliance |
| Role of performance indicators in compliance reporting | Tracks goals, achievements, and areas needing improvement |
| Role of service level agreements in documentation | Establishes performance expectations and accountability for services |
| Steps for documenting system upgrades | Includes impact assessments, approval processes, and testing outcomes |
| Use of metrics in security documentation | Provides quantifiable measures for evaluating system performance and controls |
| What is a risk assessment report | Analyzes potential threats, vulnerabilities, and business impacts |
| What is a risk treatment plan | Outlines strategies to reduce identified risks to acceptable levels |
| What is continuous monitoring reporting | Ongoing collection and analysis of security data to ensure compliance and detect incidents |
| What is security training program documentation | Tracks employee training activities and certifications for compliance purposes |
| When to use stakeholder communication templates | Simplifies the process of delivering consistent messages across teams |
| Why document lessons learned from incidents | Improves future response and reduces risk of repeated issues |
| Why document third-party risk assessments | Ensures thorough evaluation of external service providers’ security practices |
This deck covers the essential documents, reporting requirements, and communication practices needed for governance and compliance activities.