Introduction - Cybersecurity GRC

This chapter introduces students to how organizations integrate cybersecurity into enterprise risk management through Governance, Risk, and Compliance (GRC) frameworks

Chapter 3: Cybersecurity GRC

This chapter introduces the principles of Governance, Risk, and Compliance (GRC) as the foundational structure for integrating cybersecurity into enterprise strategy and operations, and it lays the groundwork for building and managing a cybersecurity program through well-established, widely used GRC frameworks. The chapter explores how organizations use GRC to systematically manage cybersecurity risk, satisfy legal and ethical obligations, and align their security posture with business objectives, including how GRC frameworks help them navigate complex regulatory requirements.

This chapter will help students:

  • Understand the strategic, ethical, and legal importance of cybersecurity regulations and standards for businesses.

  • Define the concepts of Governance, Risk, and Compliance, and explain their role in IT governance.

  • Understand key phases and terminology of information security risk assessments.

  • Identify key cybersecurity regulations (e.g., GDPR, HIPAA, and SOX) and industry standards (e.g., PCI DSS).

  • Explain how GRC can be used as a cybersecurity risk management framework (RMF).

  • Become familiar with popular information security RMFs, including NIST SP 800-37, NIST CSF, and ISO/IEC 27001, and how they can be combined.

Topics covered in this chapter

  • Foundational GRC concepts

  • Risk assessment phases

  • Key cybersecurity regulations and standards

  • GRC as a risk management framework (RMF)

  • NIST SP 800-37, NIST CSF, and ISO/IEC 27001

  • Common combinations of cybersecurity RMFs
