Cybersecurity Specialization: Governance, Risk, and Compliance Training in New Zealand

• Develop a strategy to mitigate compliance risk based on laws governing Information Technology and reporting requirements to various regulatory bodies
• Contribute to a risk management strategy that will frame an organization’s risk tolerance along with defining and enabling managers to understand the levels of risk they are allowed to take
• Create policies supported by controls that utilize frameworks and standards to minimize risk to an acceptable level
• Determine the mechanisms to raise the organization’s risk maturity level
• Support both top-down and bottom-up approaches to enterprise security by acquiring management buy-in and improving employee attitudes to security
• Contribute to a business continuity plan that prioritizes business processes
• Select an eGRC tool to help manage risk based on requirements and capabilities

Why Does GRC Matter?

• Terms and definitions
• Assets, value
• Increasing importance of Governance, Risk, and Compliance

Industry Compliance

• Essence of compliance
• Industry Standards: Payment Card Industry (PCI)
• Industry Standards: Sarbanes-Oxley (SOX) Act
• Industry Standards: Financial Industry Regulatory Authority (FINRA)
• Industry Standards: General Data Protection Regulation (GDPR)
• Compliance and company policy

Privacy Compliance

• Impact of privacy
• Personally identifiable information (PII), protected health information (PHI)
• Data architecture
• Data handling
• Encryption
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Gramm-Leach-Bliley Act (GLBA)
• Privacy best practices

Risk Assessment

• CIA triad
• Threat modeling
• Risk assessment
• Quantitative vs. qualitative risk assessment
• Risk assessment models
• Risk likelihood and impact
• Risk tolerance
• Risk appetite
• Business impact analysis (BIA)
• Risk mitigation strategies

Risk Management

• Risk management strategies: Mitigation, avoidance, transference, acceptance
• Risk Management Framework (RMF)
• RMF vs. CAP
• Risk maturity level
• Residual risk
• Continuous monitoring and incident response
• Patch management and the Common Vulnerability Scoring System (CVSS)

Corporate Culture

• Enterprise-wide attitudes to security and risk
• FUD: Fear, uncertainty, and doubt
• Governance failures in the real world
• Buy-in
• NICE, best practices, role-based training
• Aligning risk management with business goals
• Authorized use policies
• Tools: Training, rewards and consequences, hiring practices
• Ongoing monitoring and tracking

Governance and Policy

• Business continuity plan (BCP)
• Disaster recovery plan (DRP)
• Business impact analysis (BIA)
• Single point of failure
• Redundancy
• BCP dependency chain
• Rapid information sharing
• RACI chart
• Discussion: Fast vs. good vs. cheap

Course Look Around

• eGRC: Archer and OpenPages
• Real-time access to information
• Reporting
• Relevance
• Interoperability
• Savings through reduced complexity