What is you job ambition after this course

Either

• Go to menti.com and use (71966600 )

Or

• Scan

Learning Objectives

• Define GRC and its core components
• Understand the role of GRC in cyber security operations
• Analyse how governance and compliance support secure system design
• Review some UK-based legislations

Definations

Hierarchical IT Security Policy Framework

• Policies: Apply to the entire organisation.

• Standards: Specific to a given policy.

• Procedures & Guidelines: Define usage and implementation.

• This will help define the roles, responsibilities, and accountability throughout.

What is GRC?

• Governance -Who decides, and how?
• Risk Management -What could go wrong, and how bad is it?
• Compliance -Are we following required laws and policies?

GRC = Integrated structure to align cyber security with organisational accountability

GRC in the cyber security Lifecycle

A robust cyber security lifecycle embeds GRC principles at every stage: Governance provides the structure for secure design and deployment. Risk Management identifies threats and sets priorities and controls. Compliance ensures alignment with legal, regulatory, and policy obligations. GRC acts as the backbone for accountable, adaptive, and defensible cyber security.

Governance in cyber security

Effective governance ensures that cybersecurity decisions are made with clarity, accountability, and strategic intent. Clear security ownership and escalation processes. Visibility of decisions across stakeholders. Strategic alignment between technical and organisational objectives. Governance turns cybersecurity from ad-hoc control into a managed, measurable discipline.

Why Governance is important Technically

Governance is more than policy - it shapes day-to-day engineering and operations.

• Stops unauthorised or ad hoc system changes
• Ensures security is built into design, deployment, and maintenance
• Translates high-level policy into enforceable practice (e.g. secure defaults)

Without governance, controls may be implemented inconsistently or ignored entirely.

Governance in Practice (e.g.)

• GitHub / GitLab:
  • Branch protection rules
  • Code reviews as enforcement mechanisms
• CI/CD Pipelines:
  • Approval gates, signed builds, rollback policies
• Cloud IAM: (Week-4&5)
  • Role-based access control (RBAC)
  • Resource tagging for ownership visibility

These tools embed governance into developer and sysadmin workflows.

Let's find other examples

Either

• Go to menti.com and use (71966600 )

Or

• Scan

Lifecycle Governance Touchpoints

Design → Develop → Deploy → Monitor

Governance must be embedded across the entire system lifecycle:

• Security ownership is clearly assigned at each stage --> accountability
• Approval workflows ensure peer-reviewed changes and accountability
• Change control procedures support secure rollbacks and version tracking
• Monitoring provides visibility with audit-ready logs and alerts

Security isn’t something added later - it must be built into every step of the pipeline.

Challenges of Governance in cyber security

Clear governance requires not only structure, but also buy-in and communication across the organisation.

Case Study: NHS and the WannaCry Attack

“Could have been prevented if basic cybersecurity practices had been followed.”

Governance Weakness: Warning Signs

(That Everyone Ignored Anyway, sadly)

• No up-to-date asset inventory
• Privilege creep and shadow admins
• No security gates/controls in deployment pipelines
• Inconsistent or undocumented configuration practices

Ask: “If something breaks or is breached, can we trace the decision and responsibility?”

Quick Activity: Governance in Action (5–10 min): Work in groups of 3

1. Think of an organisation or setting you know (e.g., a university, hospital, charity, or company).
2. Identify one cybersecurity decision - such as handling a data breach, approving access, purchasing new software, or responding to an outage.
   • Who should make the decision
   • What governance process or control should guide it
   • What could go wrong if this process is unclear

Why is it important to define who decides and how in cybersecurity governance?

Risk Management in GRC

Risk management is the process of identifying, evaluating, and mitigating threats to information systems.

It enables:

• Informed governance and security decision-making
• Prioritisation of controls and resources
• Resilient system design under uncertainty

Cyber Risk: What Could Go Wrong?

Common risk scenarios include:

• Use of outdated or unpatched software
• Misconfigured cloud storage or public-facing assets
• Weak or reused authentication credentials
• Vulnerabilities introduced through third-party vendors

Effective risk management anticipates both internal and external threats.

The Risk Management Lifecycle

A simplified process:

1. Identify -What threats or vulnerabilities exist?
2. Assess -What is the likelihood and potential impact?
3. Mitigate -What controls can reduce or eliminate the risk?
4. Monitor -Are the risks changing? Are controls effective?

This cycle is continuous - not a one-time task.

Governance and Risk: The Link

Governance ensures that risk decisions are formalised, traceable, and accountable:

• Who owns each risk?
• Who decides whether to accept, transfer, or mitigate it?
• What process validates and documents those decisions?

Without governance, risk assessments may lack follow-through or ownership.

Risk Management

More in the upcoming weeks

From Risk to Compliance

• Risk Management identifies what must be protected
• NEXT --> Compliance ensures controls are in place and operating as intended

Risk is forward-looking; compliance is confirmatory.

Why do we need Ethics and Policies?

Either

• Go to menti.com and use (71966600 )

Or

• Scan

Imagine if there were no air traffic controllers and airplanes flew freely.

• Trying to take off and land would be extremely dangerous.
• Many more accidents would have happend.
  • Such a situation would wreak havoc.

Compliance

Compliance = adherence to:

• Legal obligations
• Regulatory requirements
• Internal policies

Cybersecurity Laws and Regulations in the UK

• ISSUE: There is no overarching, primary national cybersecurity law.

• But, there are sevral critical legislation schemes that govern cybersecurity, data privacy, and data protection in the UK:

  • CMA: Computer Misuse Act 1990
  • DPA: Data Protection Act 2018
  • UK-GDPR: UK General Data Protection Regulation
  • NIS Regulations: Network and Information Security Regulations 2018:
  • PSTI: Product Security and Telecommunications Infrastructure Act 2022.
  • RIPA:Regulation of Investigatory Powers Act 2000
  • Online Safety Act 2023

Core UK Cyber Laws

Core UK Cyber Laws (Cont.)

How the DPA Act Works With the UK-GDPR?

Core UK Cyber Laws (Cont.)

These laws collectively strengthen the UK’s approach to cybersecurity, privacy, and accountability.

7. Online Safety Act 2023

Protects users - especially children and vulnerable groups - from illegal or harmful online content and holds digital platforms accountable for user safety.

“A safer digital space where users, especially children, can engage without exposure to harm.”

Compliance as a Technical Concept

• Access controls
• Logging and retention
• Configuration baselines
• Consent mechanisms

Auditing and Monitoring

• Internal audits
• External audits
• SIEM/log review

Compliance-by-Design

• Logging from Day 1
• Secure defaults
• Config hardening
• Audit trail review

Case Study-1: Data Breach at Marriott International (2018)

• Incident: Unauthorised access to the Starwood guest reservation database.
• Ethical Implications:
  • Negligence: Failure to detect and prevent the breach from 2014 to 2018.
  • Impact: Exposed personal information of approximately 500 million guests.
  • Response: Implemented enhanced security measures and notified affected customers.

Case Study-2: Ethical Dilemma in Surveillance - Clearview AI (2020)

• Unlawfully storing facial images.
• Ethical Implications:
  • Privacy Violation: Unauthorised scraping of personal images.
  • Impact: Legal actions and public criticism over privacy concerns.
  • Response: Company faced restrictions and regulatory scrutiny in several countries.

GRC: An Integrated Model

Each component strengthens the others - GRC is not siloed

CyBOK Perspective

Refer to: Security Governance & Management
https://www.cybok.org

“cyber security governance empowers us with wisdom, risk management equips us with foresight, and compliance holds us accountable…”

Discussion

How would you explain the difference between security controls and security governance?

Lab

• Review and complete this week’s activity from here.

• If you missed last week’s session, you can catch up by reviewing the Week 1 activity here.