13. Course Recap

ND545 C4 L5 09 Recap Of Course Video

In this course, we covered Governance, Risk, and Compliance as it relates to cybersecurity. We did that by looking at an overview of GRC and the evolution of traditional GRC vs. security GRC, defining security GRC, and examining how GRC relationships interrelate with one another and with the organization. Then, we turned our attention to examining the individual GRC functions and the critical task of audit management.

In the Governance lesson, we demonstrated how Governance professionals act as a bridge between cybersecurity and the rest of the organization by helping to align security strategy with organizational strategy and by championing security throughout. We then turned to the day-to-day work of Governance: designing, measuring, and reporting on the effectiveness of cybersecurity controls, and working with stakeholders to remediate any gaps between the perceived function of a control and its actual performance.

In the Risk lesson, we learned that while risk management has its roots in mathematical principles, the bulk of security risk management is performed by making rough assessments of risk based on the risk professional's knowledge of business operations and security. We also discussed how risk management operates in most organizations today by demonstrating how risk managers use risk management frameworks such as NIST RMF and FAIR as a guide to craft internal risk assessments and strengthen controls. Finally, we discussed the importance of customizing risk assessments and how GRC professionals can craft or find appropriate risk statements.

In the Compliance lesson, we discussed what a compliance obligation is and what the control objectives are within that obligation. We also discussed the three ways that organizations typically attach themselves to a compliance obligation, and the important job governance professionals do in ensuring that the organization meets its compliance objectives. Finally, we discussed how compliance professionals carry out their role by evaluating control objectives and assessing operational security measures against those objectives.

Finally, in the Audit Management lesson, we discussed the goals of audits and assessments, how they are conducted, and why every organization should actively guide its audits to maximize their usefulness.