Introduction - Cybersecurity GRC

This chapter introduces students to how organizations integrate cybersecurity into enterprise risk management through Governance, Risk, and Compliance (GRC) frameworks

Chapter 3: Cybersecurity GRC

This chapter explores how organizations integrate cybersecurity into enterprise risk management through Governance, Risk, and Compliance (GRC) frameworks. Students will learn how regulations, standards, and risk assessment methodologies align with business objectives to mitigate cyber risks.

This chapter will help students:

• Understand the strategic, ethical, and legal importance of cybersecurity regulations and standards for businesses.

• Define the concepts of Governance, Risk, and Compliance, and explain their role in IT governance.

• Identify key cybersecurity regulations (e.g., GGDPR, HIPAA, and SOX) and industry standards (e.g., PCI DSS).

• Become familiar with popular information security RMFs, including NIST SP 800-37, NIST CSF, and ISO/IEC 27001, and how they can be combined.

• Understand how GRC can be used as a cybersecurity risk management framework (RMF).

• Understand information security risk assessment phases and terminology.

Topics covered in this chapter

Foundational GRC concepts and terminology (governance, risk, compliance, controls, due diligence, policies, audits, reporting).

Salient cybersecurity regulations

Key features of salient cybersecurity industry standards, such as PCI DSS (payment security), and SOC 2 (service providers).

Applying risk management frameworks, such as NIST SP 800-37 (RMF for federal systems), NIST Cybersecurity Framework (CSF) (Identify, Protect, Detect, Respond, Recover), and ISO/IEC 27001 (ISMS framework).

Risk assessment phases (risk identification, risk analysis, risk mitigation, and risk monitoring).