The GRC analyst role
The GRC approach to managing cybersecurity
Demystifying Governance, Risk Management, and Compliance (GRC): a thorough discussion of the GRC cybersecurity career path, focusing on the role of the GRC analyst/manager.
How to get into GRC
IT enterprise and professional services roles
You can get into GRC from a security analyst role (e.g., vulnerability assessment analyst), a cyber defender role (e.g., SOC analyst), a cyber operator role (e.g., penetration tester), a security/privacy policy analyst role, a risk analyst or risk management role (e.g., IT vendor risk manager), a compliance auditor role, or an information assurance (IA) / quality assurance (QA) role. A GRC analyst position can also be your first job in IT.
Job titles relevant to the GRC analyst track include Compliance Analyst, IT Auditor, Risk and Compliance Analyst, Cyber Audit Analyst, GRC Specialist, and GRC Manager.
Certifications
CISA – Certified Information Systems Auditor by ISACA (you can sit the exam before meeting the work-experience requirement, five years of IS audit, control, or security experience with waivers available for part of it, and receive the certification once that experience is documented)
ISACA’s IT Risk Fundamentals Certificate
CRISC – ISACA’s Certified in Risk and Information Systems Control certification, aimed at mid-career IT/IS audit, risk, and security professionals
CISM – Certified Information Security Manager by ISACA
ISO/IEC 27001 Lead Auditor (information security management system, ISMS) by CIS
Salient risk management frameworks
NIST CSF as the framework for the information security program, with NIST SP 800-30 (Guide for Conducting Risk Assessments) for the risk assessments that feed it
NIST SP 800-37 (the NIST Risk Management Framework) to categorize systems and then select, tailor, and assess the appropriate subset of security controls from the control catalog in NIST SP 800-53
SOC 2, built on the AICPA Trust Services Criteria, works well as a control framework to assess against; the AICPA publishes mappings from the Trust Services Criteria to many other frameworks
Other: ISO/IEC 27001, CMMC
Skills of a GRC analyst
A GRC analyst/manager has skills and knowledge in the technical foundations of cybersecurity, especially network security, incident and disaster management, operating systems, and system administration. As a GRC professional, you coordinate regulatory compliance and assurance activities with legal, procurement, engineering, project management, and other functions, either as an internal employee or externally as part of a professional services firm.
A GRC analyst/manager may partake in the following organizational IT governance activities:
Developing a cybersecurity governance program
Specifying the committees, roles, and plans needed to perform contingency planning
Identifying the regulations and compliance obligations relevant to the organization’s industry and business activities, and selecting a GRC risk management framework that helps the organization achieve compliance in alignment with its business goals
Establishing compliance procedures for the regulations the organization may be held accountable to, e.g., GDPR (personal data of EU residents), PCI DSS (payment card data), HIPAA (health care), FISMA (federal IT), CMMC (DoD contractors)
Establishing IT security audit procedures against NIST SP 800-53, SOC 2, ISO/IEC 27001, etc.
Establishing performance measures as a method to assess and improve GRC programs
GRC training resources
Cybersecurity Compliance Framework & System Administration (Coursera – Course 3 in the IT Fundamentals for Cybersecurity Specialization). This Coursera course “gives you the background needed to understand the key cybersecurity compliance and industry standards.”
Executive RMF (Cybrary). “This course will discuss the NIST Risk Management Framework (RMF) from an executive perspective. Each module will not only address each step in the RMF process, but how this process can be implemented into your organization or business.”
GRC Analyst Master Class (TCM Security Academy). “This class assumes no prior background knowledge and is set up to give you a full scope understanding and the practical skills needed to be an effective GRC Analyst.”
The GRC Approach to Managing Cybersecurity (Coursera – Course 2 in the Managing Cybersecurity Specialization). This Coursera course “examines the role of Governance, Risk Management, and Compliance (GRC) as part of the Cybersecurity management process, including key functions of planning, policies, and the administration of technologies to support the protection of critical information assets.”