Practical Foundations in Cybersecurity

The GRC analyst role

This section sheds light on the GRC analyst role as a career choice, including how to pivot into it from an IT job function, the skills it requires, and the industry certifications that support it.

Learning objectives

  • Understand from which organizational functions you can pivot into a GRC analyst role

  • Identify important skills of a GRC analyst

  • Identify industry certifications relevant to the GRC analyst/manager role

This section illuminates the GRC (Governance, Risk Management, and Compliance) cybersecurity career path, focusing on the role of the GRC analyst/manager and covering the ins and outs of that role.

Topics covered in this section

  • How to get into GRC

  • Skills of a GRC analyst

  • GRC analyst/manager industry certifications

  • Salient risk management frameworks

  • GRC training resources

How to get into GRC

You can get into GRC through a security analyst role (e.g., vulnerability assessment analyst), a cyber defender role (e.g., SOC analyst), a cyber operator role (e.g., penetration tester), a security/privacy policy analyst role, a risk analyst or risk management role (e.g., IT vendor risk manager), a compliance auditor role, or an IA/QA assurance role. A GRC analyst position can also be your first job in IT.

Job titles relevant to the GRC analyst role include Compliance Analyst, IT Auditor, Risk and Compliance Analyst, Cyber Audit Analyst, GRC Specialist, and GRC Manager.

Skills of a GRC analyst

A GRC analyst/manager has skills and knowledge in the technical foundations of cybersecurity – especially network security, incident and disaster management, operating systems, and system administration. As a GRC professional, you interact with and coordinate regulatory compliance and assurance activities across legal, procurement, engineering, project management, and other functions, working either internally or externally with professional services.

A GRC analyst/manager may partake in the following organizational IT governance activities:

  • Developing a cybersecurity governance program

  • Specifying the committees, roles, and plans needed to perform contingency planning

  • Identifying regulations/compliance needs relevant to the organization’s industry and business activities, and a suitable GRC RMF to help the organization achieve compliance in alignment with its business goals

  • Establishing compliance procedures relevant to GDPR, PCI (financial services), HIPAA (health care), FISMA (Federal IT), CMMC (DoD), etc. (regulations the organization may be held accountable to)

  • Establishing IT security audit procedures relevant to NIST, SOC 2, ISO 27001, etc.

  • Establishing performance measures as a method to assess and improve GRC programs

GRC analyst/manager industry certifications

  • CISA – Certified Information Systems Auditor by ISACA (you can take the exam first; the certification is awarded once you have 3 years of experience)

  • ISACA’s IT Risk Fundamentals Certificate

  • CRISC – ISACA’s Certified in Risk and Information Systems Control certification is ideal for mid-career IT/IS audit, risk, and security professionals

  • CISM – Certified Information Security Manager by ISACA

  • ISO 27001 Lead Auditor (ISMS) by CIS

Salient risk management frameworks

  • NIST CSF as an information security program framework, with NIST SP 800-30 to conduct the risk assessment of that program

  • NIST SP 800-37 (the Risk Management Framework), selecting the appropriate subset of security controls from the control catalog in NIST SP 800-53

  • SOC 2 Cybersecurity Framework is a good RMF – the AICPA maps SOC 2 to many other frameworks

  • Other: ISO/IEC 27001, CMMC

GRC training resources

  • Cybersecurity Compliance Framework & System Administration (Coursera – Course 3 in IT Fundamentals for Cybersecurity Specialization): This Coursera course “gives you the background needed to understand the key cybersecurity compliance and industry standards.”

  • Executive RMF (Cybrary): “This course will discuss the NIST Risk Management Framework (RMF) from an executive perspective. Each module will not only address each step in the RMF process, but how this process can be implemented into your organization or business.”

  • GRC Analyst Master Class (TCM Security Academy): “This class assumes no prior background knowledge and is setup to give you a full scope understanding and the practical skills needed to be an effective GRC Analyst.”

  • The GRC Approach to Managing Cybersecurity (Coursera – Course 2 in Managing Cybersecurity Specialization): This Coursera course “examines the role of Governance, Risk Management, and Compliance (GRC) as part of the Cybersecurity management process, including key functions of planning, policies, and the administration of technologies to support the protection of critical information assets.”

Key lesson takeaways

  • You can get into GRC through various roles, including security analyst and policy analyst

  • Important skills of a GRC analyst span from compliance and auditing to incident and disaster recovery

  • Well-regarded GRC analyst/manager industry certifications include CISA by ISACA and ISO 27001 Lead Auditor by CIS

References

  • GRACE-IT – The “Critical Six” disciplines of GRC (oceg.org)

  • How to GRC Like A Boss with Erika McDuffie (YouTube video by Gerald Auger of Simply Cyber)

  • Information Security Governance (EDUCAUSE, 2022)

  • NIST Cybersecurity Program Development Plan (“Plain English Guide” by Praxiom Research Group Limited)

  • NIST SP 800-37 Rev. 2 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy