Week-2 Activities : Applying Governance, Risk, and Compliance (GRC)
Overview
This week's work consists of two connected activities:
- Task 1 - Individual Scenario Analysis: you will analyse one detailed scenario individually to identify and evaluate Governance, Risk, and Compliance (GRC) weaknesses.
- Task 2 - Group Scenario Challenge: you will then collaborate in small groups to apply the same framework to a range of new organisational cases and present your findings.
Learning Objectives
By completing these activities, you will:
- Recognise how GRC principles apply to real-world cyber incidents.
- Identify governance, risk, and compliance gaps and recommend practical improvements.
- Link organisational and technical issues to relevant UK legislation.
- Communicate findings effectively in both written and verbal formats.
Task 1 - Individual Scenario Analysis (30 mins)
Scenario: MedSecure Ltd
Context:
MedSecure Ltd is a small private healthcare provider offering online consultations and prescription management.
The company hosts patient records and consultation notes on a third-party cloud platform.
User authentication is handled through an outdated web portal that does not enforce strong password policies or multi-factor authentication.
Incident:
Last month, a malicious actor gained access to several patient accounts using credentials leaked from another breach.
Although the attacker only viewed a limited number of files, the company self-reported the incident to the Information Commissioner’s Office (ICO).
Organisational Challenges:
- No dedicated cybersecurity role; IT duties are shared informally between admin staff.
- No documented process for user access reviews or password reset management.
- Unclear data-handling responsibilities between MedSecure and its cloud provider.
- Minimal compliance awareness among staff.
Your Task
Analyse this scenario through the GRC lens and complete the following tables.
1. Governance
| Governance Weakness | Who Should Be Accountable? | Why It Matters / Organisational Impact |
|---|---|---|
2. Risk Management
Identify one or two key cyber risks and propose realistic mitigations.
| Risk | What Could Go Wrong / Consequence | Mitigation / Control | Who Should Implement It? |
|---|---|---|---|
3. Compliance
Link the scenario to at least one relevant UK act or regulation (e.g., DPA 2018, UK-GDPR, NIS, CMA).
Describe why it applies and what practices are required.
| Regulation / Act | Why It Applies | Required Practice | Responsible Role |
|---|---|---|---|
Reflection (Short Paragraph)
In 3-4 sentences, explain how Governance, Risk Management, and Compliance interact in this case to prevent or respond to incidents.
Task 2 - Group Scenario Challenge (45 mins)
Overview
Now that you have completed your individual analysis, you will work in small groups to apply the same GRC framework to a set of new scenarios.
Each group will be assigned one case, analyse it collaboratively, and prepare a short presentation.
Group Allocation
| Group | Scenario | Focus Area |
|---|---|---|
| 1 | UniCloud Services | Cloud data governance and academic accountability |
| 2 | MediPlus App | Healthcare app data handling and third-party development |
| 3 | ShopQuick | Small-business e-commerce and plugin management |
| 4 | HomeSync IoT | Consumer IoT product security and PSTI compliance |
| 5 | FinServe Ltd | Financial-technology platform and third-party API risk |
Group Task
1. Identify GRC Weaknesses
   - Where are the governance, risk, or compliance gaps?
   - How do they interact to increase exposure?
2. Recommend Improvements
   - Propose at least one improvement per GRC area (policy and/or technical).
   - Consider both short-term fixes and longer-term structures.
3. Analyse One Recommendation in Depth
   - What technical or operational changes are required?
   - What challenges or trade-offs exist?
   - How will success be measured?
4. Prepare a 5-Minute Presentation
   - Summarise findings in one slide or table.
   - One member from each group will present to the class.
Discussion & Debrief
After all groups have presented:
- Compare governance failures across sectors.
- Discuss which compliance frameworks (GDPR, NIS, PSTI, FCA) were most influential.
- Reflect on how governance structures drive or hinder technical security.
Scenario Descriptions
Below are the five scenarios for Task 2. Each section gives the context, incident, and discussion prompts.
Scenario 1 - UniCloud Services
Context:
UniCloud Services manages digital learning and administrative systems for several UK universities.
All student records, coursework submissions, and teaching materials are hosted on cloud storage (S3-compatible).
Incident:
During a system update, a shared folder containing student grade reports was accidentally made public, exposing hundreds of records for several hours before being noticed.
Key Challenge:
The issue revealed unclear ownership of security responsibilities between the IT team, academic departments, and the cloud provider.
Consider:
- Governance: Who is accountable for securing and auditing shared resources?
- Risk: What could happen if data exposure occurs again?
- Compliance: Which laws (e.g., DPA 2018, UK-GDPR) apply to student-data handling?
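The UniCloud incident is a failure of auditing shared cloud resources rather than of any exotic attack. As an added example (not part of the activity sheet and not UniCloud's own tooling), the following Python script shows the kind of offline check an owner of the "auditing shared resources" responsibility could run over exported bucket policies and ACLs: it flags any Allow statement addressed to everyone and any ACL grant to the AllUsers / AuthenticatedUsers groups, while leaving wildcard Deny statements (normal hardening) alone. Bucket names, statement Sids, the role ARN and the account ID in the sample documents are constructed for illustration.

```python
"""Added example, not part of the activity sheet: an offline audit of S3-style
bucket policies and ACLs that flags grants to anonymous or all-authenticated
users, the control that would have caught the UniCloud grade-report exposure.
Bucket names, Sids, the role ARN and the account ID in the samples are constructed."""

# Canned ACL group URIs that mean "everyone" in S3-compatible stores
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_wildcard(principal) -> bool:
    """A policy principal of "*" or {"AWS": "*"} (or a list containing "*") is anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False

def public_policy_statements(policy: dict) -> list:
    """Sids of Allow statements addressed to everyone. Deny statements with a
    wildcard principal are normal hardening and are deliberately not flagged."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))
    ]

def public_acl_grants(acl: dict) -> list:
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [
        g.get("Permission")
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS
    ]

def audit_bucket(name: str, policy: dict, acl: dict) -> dict:
    """Combine both checks into one finding record suitable for a periodic access review."""
    stmts = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    return {
        "bucket": name,
        "public_policy_statements": stmts,
        "public_acl_grants": grants,
        "is_public": bool(stmts or grants),
    }

# Constructed samples: the misconfigured shared folder and a correctly scoped bucket
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SharedFolderRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::unicloud-grade-reports", "arn:aws:s3:::unicloud-grade-reports/*"],
    }],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RegistryServiceRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/RegistryService"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::unicloud-grade-reports/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::unicloud-grade-reports/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
]}

if __name__ == "__main__":
    for finding in (audit_bucket("unicloud-grade-reports", EXPOSED_POLICY, PUBLIC_ACL),
                    audit_bucket("unicloud-coursework", SCOPED_POLICY, PRIVATE_ACL)):
        print(finding)
```

The script only inspects policy and ACL documents; a complete review would also confirm the provider's account-level public-access block is enabled and would run on a schedule (or on every change) so that a mistake made during a system update is caught in minutes rather than hours.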
Scenario 2 - MediPlus App
Context:
MediPlus is a UK-based healthcare app that allows patients to book GP appointments, access prescriptions, and view health summaries.
The system stores patient contact information and appointment data.
Incident:
Several users reported receiving SMS and email reminders for other patients’ appointments, suggesting a data-handling or permissions error in the notification system.
Key Challenge:
MediPlus relies on outsourced developers and lacks a formal data-governance policy or access-review process.
Consider:
- Governance: Who owns data-protection and quality-assurance responsibilities?
- Risk: What harm could result from misdirected messages or data leaks?
- Compliance: How do the DPA 2018 and UK-GDPR define the handling of personal and health data?
Scenario 3 - ShopQuick
Context:
ShopQuick is a small e-commerce retailer selling home goods online.
It integrates third-party plugins for payment processing, analytics, and live chat.
Incident:
A third-party analytics plugin was found to contain a known JavaScript vulnerability, potentially allowing attackers to collect payment information from customers.
Key Challenge:
The business does not have a formal security-vetting or update process for third-party tools.
Consider:
- Governance: Who approves or manages external software dependencies?
- Risk: What would be the impact of a payment-data breach?
- Compliance: How do NIS Regulations or PCI-DSS obligations apply to small online retailers?
Scenario 4 - HomeSync IoT
Context:
HomeSync is a UK-based start-up manufacturing smart-home cameras and sensors that connect to mobile apps and a cloud management platform.
Incident:
Security researchers discovered that communication between the devices and the cloud API occurs without encryption, allowing potential interception of video streams.
Key Challenge:
HomeSync’s small development team prioritised rapid deployment over secure design, and there is no designated security officer or incident-response plan.
Consider:
- Governance: Who is responsible for product-security decisions?
- Risk: What could happen if attackers intercept or manipulate device data?
- Compliance: How might the PSTI Act 2022 and CMA apply to insecure IoT devices?
Scenario 5 - FinServe Ltd
Context:
FinServe Ltd is a UK-based financial-technology start-up that provides an online credit-scoring and lending platform for small businesses.
The platform analyses financial data uploaded by clients (bank statements, invoices, and payment histories) through a web portal and several third-party APIs.
It relies heavily on external data suppliers and analytics services to calculate risk scores and make automated lending decisions.
Infrastructure Overview:
- Core services hosted in the public cloud.
- Customer data processed through multiple APIs (including open-banking connectors).
- Small in-house team with one lead developer and two data analysts.
- Security management handled informally by the CTO.
Incident:
A supplier API returned incorrect customer data after a version update.
FinServe’s validation process failed to flag the inconsistency, leading to erroneous credit-score outputs and financial losses for several clients.
Complaints were filed with the Financial Conduct Authority (FCA).
Organisational Challenges:
- No governance framework for approving or monitoring third-party API integrations.
- Limited risk assessment before adopting external services.
- Lack of audit logging or version control for automated decision algorithms.
- Unclear accountability for compliance with FCA, DPA 2018, and UK-GDPR requirements.
Consider:
- Governance: Who should be accountable for verifying third-party service integrity?
- Risk: What are the risks of relying on external data and APIs for financial decisions?
- Compliance: Which regulations (e.g., DPA 2018, UK-GDPR, FCA rules, NIS2) apply, and what evidence would demonstrate due diligence?
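The FinServe incident turns on two technical gaps named above: a validation step that let a changed supplier response through, and no audit trail tying an automated decision to its inputs and algorithm version. As an added example (not part of the activity sheet and not FinServe's own code), the following Python shows how a supplier record can be checked for structure, tested API version, currency and cross-field consistency before it reaches scoring, with an audit entry written for every accepted or rejected record. The field names, version strings, toy scoring rule and sample payloads are all constructed for illustration.

```python
"""Added example, not part of the activity sheet: validating a supplier API
response before it feeds an automated credit-scoring step, and writing an audit
entry for every accepted or rejected record. Field names, the version strings,
the toy scoring rule and the sample payloads are all constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Supplier API versions this integration has actually been tested against (constructed)
ACCEPTED_API_VERSIONS = {"2024-01"}
# Identifier of the decision algorithm, recorded with every decision (hypothetical)
SCORING_ALGORITHM_VERSION = "scoring-v3.1"

# Expected shape of a supplier record (constructed field names); amounts in integer pence
REQUIRED_FIELDS = {
    "client_id": str,
    "api_version": str,
    "currency": str,
    "opening_balance_pence": int,
    "closing_balance_pence": int,
    "transactions": list,
}

def _is_int(value) -> bool:
    # bool is a subclass of int in Python; True/False are not amounts
    return isinstance(value, int) and not isinstance(value, bool)

def validate_supplier_record(record: dict) -> list:
    """Return a list of validation failures; an empty list means the record is acceptable."""
    issues = []
    for field, ftype in REQUIRED_FIELDS.items():
        if field not in record:
            issues.append(f"missing field: {field}")
        elif ftype is int and not _is_int(record[field]):
            issues.append(f"wrong type for {field}: expected int")
        elif ftype is not int and not isinstance(record[field], ftype):
            issues.append(f"wrong type for {field}: expected {ftype.__name__}")
    if issues:
        return issues  # structural problems make the checks below meaningless
    if record["api_version"] not in ACCEPTED_API_VERSIONS:
        issues.append(f"untested api_version: {record['api_version']}")
    if record["currency"] != "GBP":
        issues.append(f"unexpected currency: {record['currency']}")
    # Cross-field consistency: opening balance plus all transactions must equal closing balance
    total = record["opening_balance_pence"]
    for tx in record["transactions"]:
        amount = tx.get("amount_pence") if isinstance(tx, dict) else None
        if not _is_int(amount):
            issues.append("transaction without integer amount_pence")
            return issues
        total += amount
    if total != record["closing_balance_pence"]:
        issues.append(
            f"balance mismatch: transactions give {total}, supplier reports {record['closing_balance_pence']}"
        )
    return issues

def process_record(record: dict, audit_log: list) -> dict:
    """Validate, score only if valid, and append an audit entry either way."""
    issues = validate_supplier_record(record)
    digest = hashlib.sha256(json.dumps(record, sort_keys=True, default=str).encode()).hexdigest()
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "client_id": record.get("client_id"),
        "supplier_api_version": record.get("api_version"),
        "scoring_algorithm": SCORING_ALGORITHM_VERSION,
        "input_sha256": digest,  # lets a later investigation tie a decision to its exact input
        "outcome": "rejected" if issues else "scored",
        "issues": issues,
    }
    if not issues:
        # Toy rule standing in for the real model: one point per £10 of closing balance, capped
        entry["score"] = min(1000, max(0, record["closing_balance_pence"] // 1000))
    audit_log.append(entry)
    return entry

# Constructed sample payloads: one from the tested API version, one after a supplier update
# that changed the version string and started returning the balance as a decimal string.
GOOD_RECORD = {
    "client_id": "client-0001",
    "api_version": "2024-01",
    "currency": "GBP",
    "opening_balance_pence": 100000,
    "closing_balance_pence": 130000,
    "transactions": [{"amount_pence": 50000}, {"amount_pence": -20000}],
}
UPDATED_RECORD = dict(GOOD_RECORD, api_version="2024-06", closing_balance_pence="1300.00")

if __name__ == "__main__":
    log = []
    for rec in (GOOD_RECORD, UPDATED_RECORD):
        print(json.dumps(process_record(rec, log), indent=2))
```

Two design points matter for the governance discussion: an untested API version is rejected outright rather than silently accepted, which forces the version change through an approval step, and the audit entry records the algorithm version and a hash of the exact input, which is the evidence of due diligence a regulator or complainant would ask for.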
Best,
Ali.