Governance, Risk and Compliance (GRC) is the framework that aligns cybersecurity with business objectives, regulatory requirements, and risk tolerance. Without GRC, security efforts lack direction and accountability.
Governance establishes the policies, structure, and accountability for cybersecurity:

| Component | Description |
|---|---|
| Security policies | High-level statements of intent and direction |
| Standards | Mandatory requirements for implementing policies |
| Procedures | Step-by-step instructions for carrying out standards |
| Guidelines | Recommended practices (not mandatory) |
| Baselines | Minimum security configurations for systems |

```text
┌─────────────────────────┐
│ Security Policy         │ ← "What" (high-level intent)
├─────────────────────────┤
│ Standards               │ ← "What specifically" (mandatory requirements)
├─────────────────────────┤
│ Procedures              │ ← "How" (step-by-step instructions)
├─────────────────────────┤
│ Guidelines              │ ← "Recommendations" (best practices)
└─────────────────────────┘
```

Common security policies and their purpose:

| Policy | Purpose |
|---|---|
| Acceptable Use Policy | Defines acceptable behaviour for using company systems |
| Access Control Policy | Defines who can access what resources |
| Data Classification Policy | Defines sensitivity levels (public, internal, confidential, restricted) |
| Incident Response Policy | Defines how to handle security incidents |
| Password Policy | Defines password requirements and rotation |
| Bring Your Own Device (BYOD) | Defines rules for personal devices on the network |
| Data Retention Policy | Defines how long data is kept and when it is destroyed |

Risk management identifies, assesses, and mitigates threats to the organisation:

| Factor | Definition |
|---|---|
| Threat | A potential cause of harm (e.g., ransomware, insider) |
| Vulnerability | A weakness that a threat can exploit (e.g., unpatched software) |
| Likelihood | Probability that the threat will exploit the vulnerability |
| Impact | The damage if the risk materialises (financial, reputational, legal) |
| Risk | The combination of likelihood and impact (Risk = Likelihood × Impact) |

Once a risk has been rated, it is treated in one of four ways:

| Option | Description | Example |
|---|---|---|
| Mitigate | Reduce the likelihood or impact | Install patches, add MFA |
| Transfer | Shift the risk to a third party | Buy cyber insurance |
| Accept | Acknowledge and accept the risk | Low-impact, low-likelihood risks |
| Avoid | Eliminate the activity that creates the risk | Discontinue a vulnerable service |

An example risk register, with each risk rated and assigned a treatment and an owner:

| Risk ID | Description | Likelihood | Impact | Rating | Treatment | Owner |
|---|---|---|---|---|---|---|
| R-001 | Ransomware attack | High | Critical | Critical | Mitigate | CISO |
| R-002 | Employee data leakage | Medium | High | High | Mitigate | DPO |
| R-003 | Third-party breach | Medium | Medium | Medium | Transfer | Vendor Mgmt |
| R-004 | Physical server theft | Low | Low | Low | Accept | Facilities |
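
As an added example (not part of the lesson), the Python below encodes the Risk = Likelihood × Impact rule above as ordinal scales, parses a register written as a Markdown pipe table like the one shown, and flags rows whose rating disagrees with their likelihood and impact, rows that accept a risk above the organisation's appetite, and rows with no owner. The numeric scales, the score-to-band thresholds, the "Medium" risk appetite and the R-005 row are assumptions constructed for this example.

```python
# Ordinal scales behind "Risk = Likelihood x Impact" for the register's qualitative levels.
# The score-to-band thresholds and the risk appetite are assumptions made for this example,
# chosen so that they reproduce the ratings in the register above.
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
BANDS = ["Low", "Medium", "High", "Critical"]
ACCEPT_CEILING = "Medium"  # ratings above this may not simply be accepted
FIELDS = ("risk_id", "description", "likelihood", "impact", "rating", "treatment", "owner")

def risk_rating(likelihood: str, impact: str) -> str:
    """Band the product: 9-12 Critical, 6-8 High, 3-5 Medium, 1-2 Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return "Critical" if score >= 9 else "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def parse_register(table: str) -> list[dict]:
    """Read a Markdown pipe table with the register's seven columns into row dicts."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(FIELDS) or cells[0] == "Risk ID" or set(cells[0]) <= {"-"}:
            continue  # skip the header row and the |---| separator row
        rows.append(dict(zip(FIELDS, cells)))
    return rows

def review_register(rows: list[dict]) -> list[tuple[str, str]]:
    """Return (risk_id, finding) pairs for rows that fail the consistency checks."""
    findings = []
    for r in rows:
        expected = risk_rating(r["likelihood"], r["impact"])
        if r["rating"] != expected:
            findings.append((r["risk_id"], f"rating {r['rating']} but Likelihood x Impact gives {expected}"))
        # Appetite is checked against the recomputed band so an understated rating cannot bypass it.
        if r["treatment"] == "Accept" and BANDS.index(expected) > BANDS.index(ACCEPT_CEILING):
            findings.append((r["risk_id"], f"{expected} risk accepted above appetite; needs treatment or sign-off"))
        if not r["owner"]:
            findings.append((r["risk_id"], "no owner assigned"))
    return findings

# Constructed sample: the register from the lesson plus one deliberately inconsistent row (R-005).
SAMPLE_REGISTER = """
| Risk ID | Description | Likelihood | Impact | Rating | Treatment | Owner |
|---|---|---|---|---|---|---|
| R-001 | Ransomware attack | High | Critical | Critical | Mitigate | CISO |
| R-002 | Employee data leakage | Medium | High | High | Mitigate | DPO |
| R-003 | Third-party breach | Medium | Medium | Medium | Transfer | Vendor Mgmt |
| R-004 | Physical server theft | Low | Low | Low | Accept | Facilities |
| R-005 | Unpatched VPN appliance | High | High | Medium | Accept |  |
"""
```

Running `review_register(parse_register(SAMPLE_REGISTER))` returns no findings for the four rows from the lesson and three for R-005: its rating is understated, it accepts a risk above appetite, and it has no owner.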

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS):

| Aspect | Description |
|---|---|
| Scope | Establish, implement, maintain, and improve an ISMS |
| Annex A controls | 93 security controls across 4 themes (organisational, people, physical, technological) |
| Certification | Audited by accredited certification bodies |
| Plan-Do-Check-Act | Continuous improvement cycle |

The NIST Cybersecurity Framework (CSF) 2.0 organises cybersecurity outcomes into six core functions:

| Function | Purpose |
|---|---|
| Govern | Establish cybersecurity strategy and risk management (new in 2.0) |
| Identify | Understand assets, risks, and vulnerabilities |
| Protect | Implement safeguards |
| Detect | Monitor for security events |
| Respond | Contain and mitigate incidents |
| Recover | Restore operations and learn |

NIST SP 800-53 is a detailed catalogue of security and privacy controls for US federal systems.