Module 4: Governance, Risk, and Compliance (GRC)
Overview
This module covers the critical aspects of cybersecurity governance, regulatory compliance, and organizational resilience. Students will learn to navigate complex regulatory landscapes, manage third-party risks, and build cyber-resilient organizations.
Learning Duration
[To be determined]
Prerequisites
- Understanding of business operations
- Familiarity with risk management concepts
- Basic knowledge of regulatory frameworks
Topics
4.1 Navigating the EU AI Act and Global Data Privacy Laws
Key Concepts:
- EU AI Act requirements
- Global privacy regulations
- Cross-border data transfers
- Compliance strategies
Content Areas:
- EU AI Act: Risk categories and compliance obligations
- GDPR fundamentals and enforcement
- CCPA and US state privacy laws
- International data transfer mechanisms (SCCs, BCRs)
- Privacy impact assessments (PIAs)
- Data protection officers (DPOs) and accountability
[Detailed content to be added]
4.2 Supply Chain Security: Managing SBOM (Software Bill of Materials)
Key Concepts:
- Software supply chain risks
- SBOM standards and formats
- Dependency management
- Vulnerability tracking
Content Areas:
- Software supply chain attack vectors
- SBOM generation and management (SPDX, CycloneDX)
- Open source risk assessment
- Dependency vulnerability scanning
- Secure software development lifecycle (SSDLC)
- Vendor software attestation
[Detailed content to be added]
4.3 Third-Party Risk Management (TPRM)
Key Concepts:
- Vendor risk assessment
- Continuous monitoring
- Contract and SLA management
- Fourth-party risk
Content Areas:
- TPRM frameworks and methodologies
- Vendor security questionnaires
- Security ratings and scoring
- Ongoing vendor monitoring
- Breach notification requirements
- Vendor offboarding procedures
[Detailed content to be added]
4.4 Cyber Resilience: Business Continuity & Disaster Recovery (BCDR)
Key Concepts:
- Business continuity planning
- Disaster recovery strategies
- Incident response
- Resilience testing
Content Areas:
- Business impact analysis (BIA)
- Recovery time objectives (RTO) and recovery point objectives (RPO)
- Backup and recovery strategies
- Incident response planning and exercises
- Crisis communication plans
- Tabletop exercises and simulations
- Post-incident reviews and improvements
[Detailed content to be added]
Hands-on Labs
Lab 1: Privacy Compliance Assessment
Objective: [To be added]
Duration: [To be added]
Steps: [To be added]
Lab 2: SBOM Generation and Analysis
Objective: [To be added]
Duration: [To be added]
Steps: [To be added]
Lab 3: Incident Response Tabletop Exercise
Objective: [To be added]
Duration: [To be added]
Steps: [To be added]
Case Studies
Case Study 1: GDPR Compliance Journey
Challenge: [To be added]
Solution: [To be added]
Results: [To be added]
Case Study 2: Supply Chain Breach Response
Challenge: [To be added]
Solution: [To be added]
Results: [To be added]
Case Study 3: Business Continuity During Ransomware Attack
Challenge: [To be added]
Solution: [To be added]
Results: [To be added]
Assessment
Quiz Questions
- [To be added]
Project Assignment
Title: Develop a Comprehensive GRC Program
Description: [To be added]
Deliverables:
- Risk assessment framework
- Compliance roadmap
- BCDR plan
- [Additional deliverables to be added]
Resources
Required Reading
- NIST Cybersecurity Framework
- ISO 27001/27002
- EU AI Act Official Text
- GDPR Official Text
- [To be added]
Recommended Tools
- GRC Platforms: ServiceNow GRC, Archer, MetricStream
- SBOM Tools: Syft, SPDX tools, CycloneDX
- Risk Assessment: RiskLens, LogicGate, Resolver
- TPRM: BitSight, SecurityScorecard, UpGuard
Compliance Resources
- NIST Publications
- ISO Standards
- ENISA Guidelines
- CISA Resources
Further Learning
- [GRC certifications]
- [Privacy and compliance training]
- [Risk management courses]
Last Updated: 2026-01-07