Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. In addition, certain terms are used throughout this book. As these terms have no universally agreed meanings, the most important ones are explained in the next paragraph. After that, examples are provided of the styles used and an explanation of their meaning.
The following are some terms used in the book:
| Terms used in book | Description |
|---|---|
| Regulatory requirement | The laws or industry standards applicable to a business and that are imposed by authorized institutes such as a government. |
| (Compliance) Framework | This is a set of guidelines that details an approach designed to adhere to regulations. It outlines rules to achieve this goal based on the organization's business processes and (internal) controls. |
| Authority document | This specifies the requirements that a company must adhere to. They may take different forms such as laws, regulations, industry best practices, customer contracts, or internal policies. In essence, they are similar to regulatory requirements. Sometimes, certain control objectives are spelled out in them, but most often businesses have to determine those themselves. |
| Control objectives | Control objectives are most often abstract. They answer the questions "what" and "why". Therefore, they can be defined by someone who understands compliance but doesn't have in-depth technological knowledge. For example, the German data protection law specifies that transferred customer data has to be protected. So the control objective would be "data protection". |
| Control activities | These are activities to help ensure that requirements, stated in policies to address risks, are met. They answer the questions of "who", "where", "when", and "how". Therefore, they have to be defined by someone who has in-depth technical knowledge. Control activities may take different forms such as approvals, segregation of duties, reviews, and so on. Based on the previous example, the control activity defines who is responsible for protecting the data, which systems to include, and how the data should be protected. |
| Program | A program gives a structure to compliance management. It contains authority documents and their mapping to control objectives, control activities, and documentation for the results of those controls; it might also contain risk assessments and further documentation. Quite often it is tool-assisted. |
| Risk management | This is the process of identifying, assessing, and managing risks. Based on the company's risk level, it includes the decision on whether to minimize, monitor, or control the probability and impact of those risks. Issues with negative outcomes from those risks will be transferred, minimized, or accepted. |
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The provided path is the default one; please modify it for your configuration. On the destination system, start the LocalGPO.msi file."
Any command-line input or output is written as follows:
rem Initialize the loop counter
set /a x=1
:Start
rem Try to map drive o: to the C$ share of the named domain controller;
rem replace the placeholder with the actual DC name
net use o: \\<Name of a monitored Domain Controller>\c$ /User:Administrator hjghkgkjhgkjg
rem Increment the counter and repeat until it reaches 20
set /a x=%x%+1
if %x% NEQ 20 goto Start
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Click on the Star button next to the Active Directory Containers label."
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.