Cybersecurity Specialization: Governance, Risk, and Compliance
New – Acquire the skills to design a system of governance to enforce compliance with laws, regulations, and company policies. GK# 6974
Course Outline
- Develop a strategy to mitigate compliance risk based on laws governing Information Technology and reporting requirements to various regulatory bodies
- Contribute to a risk management strategy that will frame an organization's risk tolerance along with defining and enabling managers to understand the levels of risk they are allowed to take
- Create policies supported by controls that utilize frameworks and standards to minimize risk to an acceptable level
- Determine the mechanisms to raise the organization's risk maturity level
- Support both top-down and bottom-up approaches to enterprise security by acquiring management buy-in and improving employee attitudes to security
- Contribute to a business continuity plan that prioritizes business processes
- Select an eGRC tool to help manage risk based on requirements and capabilities
Why Does GRC Matter?
- Terms and definitions
- Assets and their value
- Increasing importance of Governance, Risk, and Compliance
- Essence of compliance
- Industry Standards: Payment Card Industry (PCI)
- Industry Standards: Sarbanes-Oxley (SOX) Act
- Industry Standards: Financial Industry Regulatory Authority (FINRA)
- Industry Standards: General Data Protection Regulation (GDPR)
- Compliance and company policy
- Impact of privacy
- Personally identifiable information (PII), protected health information (PHI)
- Data architecture
- Data handling
- Encryption
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Gramm-Leach-Bliley Act (GLBA)
- Privacy best practices
- CIA triad
- Threat modeling
- Risk assessment
- Quantitative vs. qualitative risk assessment
- Risk assessment models
- Risk likelihood and impact
- Risk tolerance
- Risk appetite
- Business impact analysis (BIA)
- Risk mitigation strategies
- Risk management strategies: Mitigation, avoidance, transference, acceptance
- Risk Management Framework (RMF)
- RMF vs. CAP
- Risk maturity level
- Residual risk
- Continuous monitoring and incident response
- Patch management and the Common Vulnerability Scoring System (CVSS)
- Enterprise-wide attitudes to security and risk
- FUD: Fear, uncertainty, and doubt
- Governance failures in the real world
- Buy-in
- NICE, best practices, role-based training
- Aligning risk management with business goals
- Authorized use policies
- Tools: Training, rewards and consequences, hiring practices
- Ongoing monitoring and tracking
- Business continuity plan (BCP)
- Disaster recovery plan (DRP)
- Business impact analysis (BIA)
- Single point of failure
- Redundancy
- BCP dependency chain
- Rapid information sharing
- RACI chart
- Discussion: Fast vs. good vs. cheap
- eGRC: Archer and OpenPages
- Real-time access to information
- Reporting
- Relevance
- Interoperability
- Savings through reduced complexity
- Challenge: Why does GRC matter?
- Challenge: Collaborate on compliance solutions
- Challenge: Identify and classify PII
- Challenge: Calculate risk
- Challenge: Choose a risk management strategy
- Challenge: Adjust corporate culture
- Challenge: Develop a DRP and integrate it with the BCP
- Challenge: Explore eGRC tools
Who Should Attend
- Mid-career professionals who are interested in a career in risk analysis and management of cybersecurity processes, tools, and people.
- Students should have at least two years of experience in cybersecurity but can come to this course from a variety of backgrounds, including but not limited to auditing, project management, DevOps, and engineering.
Training Location
Online Classroom