Week 1 Flashcards

(24 cards)

1
Q

What is GRC?

A

Governance, Risk and Compliance is a set of processes and procedures that help an organization achieve its business objectives, address uncertainty, and act with integrity.

2
Q

What is Governance?

A

Involves setting the rules, strategies and policies that ensure IT systems align with business goals.

It defines the structure, policies and practices that make sure controls are clearly communicated, properly implemented, and supported at the organizational level.

3
Q

What does managing Risk involve?

A

Ensuring that proper controls are in place and functioning.

It involves identifying threats, assessing the potential losses, and applying strategies to reduce risk to a level acceptable to the business.

4
Q

What is Compliance?

A

Compliance means following the legal and regulatory requirements and standards that apply to an organization's IT systems.

By conforming to these stated requirements, the organization reduces risk and keeps its IT aligned with organizational goals.

5
Q

What are the Steps to Compliance?

A

Adopt - Adopt a compliance framework

Audit - Internal/external security audits against that framework

Monitor - Ongoing monitoring of process and system changes so compliance is maintained, not achieved once

6
Q

8 Functions of GRC

A
  1. Organize & Oversee - Set outcomes, roles, responsibilities, approach, and accountability
  2. Assess & Align - Identify, analyze, and optimize risk mitigation
  3. Prevent & Promote - Establish code of conduct, policies, controls, training, and stakeholder engagement
  4. Detect & Discern - Set up hotlines, reporting systems, surveys, and detective controls
  5. Respond & Resolve - Conduct investigations, manage crises, ensure recovery
  6. Monitor & Measure - Track context and performance for continuous improvement
  7. Inform & Integrate - Manage information, communication, technology, and infrastructure
  8. Context & Culture - Align with business goals
7
Q

What is the relationship between laws, regulations, standards, and security frameworks?

A

Laws and regulations state what must happen to protect information. Standards and security frameworks provide the structured steps to plan, implement, test, and monitor those requirements.

8
Q

What are some examples of sectors with different regulatory requirements?

A

Finance, credit card, healthcare, etc.

Government vs private sector
(Singapore Government agencies must comply with IM8)

Regulated industries (banks, healthcare, power plants) have stricter regulations

9
Q

Laws & Regulations - Finance

A

Sarbanes-Oxley Act (SOX) of 2002 - US law that was created to protect investors from fraudulent accounting activities by corporations.

10
Q

SOX Section 302

A

Purpose: to make company leaders (the certifying CEO and CFO) personally accountable for truthful financial reporting and for evaluating the internal controls behind it.

11
Q

Laws & Regulations - Healthcare

A

HIPAA (Health Insurance Portability and Accountability Act)
A US law that sets national standards for the privacy and security of protected health information (PHI)

12
Q

What are the 2 main rules of HIPAA?

A

HIPAA Privacy rule
HIPAA Security rule

13
Q

What does the HIPAA Privacy Rule do?

A
  1. Limits the use and disclosure of sensitive PHI
  2. Gives patients the right to access their medical records
  3. Requires covered entities (doctors, hospitals, insurers) to track how patient data is shared and to disclose this on request
14
Q

What does the HIPAA Security Rule do?

A

Sets a national standard for protecting ePHI that is created, received, used or maintained.

Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI

15
Q

Law & Regulations - Credit Card

A

Payment Card Industry Data Security Standard (PCI DSS)
Created to prevent payment card fraud and protect cardholders from identity theft

  • Applies to all organizations that store, process, or transmit cardholder data
  • Provides policies and procedures to secure credit, debit and other payment card transactions
  • Note: PCI DSS is an industry standard enforced through contracts with the card brands and acquiring banks, not a law; it sits here because it is the binding requirement for the credit card sector
16
Q

What are the local (Singapore) laws/regulations?

A
  1. Computer Misuse and Cybersecurity Act (Ch 50A) (renamed the Computer Misuse Act when the Cybersecurity Act 2018 took over its cybersecurity provisions)
  2. Banking Act (Ch 19)
  3. Cybersecurity Act 2018
  4. Personal Data Protection Act 2012
17
Q

What does the Computer Misuse and Cybersecurity Act do?

A
  • Criminalises unauthorized access to, or modification of, computer material, protecting computer systems
  • Requires measures to ensure cybersecurity (the cybersecurity provisions now sit in the Cybersecurity Act 2018)
18
Q

What does the Banking Act (Ch 19) do?

A
  • Governs the licensing and regulation of banks and related financial institutions
  • Covers the credit card and charge card business of banks and other institutions
19
Q

Examples of CII sectors

A

Banking and finance, energy, water (among the sectors designated under the Cybersecurity Act 2018)

20
Q

What does the Cybersecurity Act 2018 do?

A

Provides the legal framework for protecting critical information infrastructure (CII).

The Cybersecurity Code of Practice (CCoP) is issued under this Act by the Cyber Security Agency of Singapore (CSA) and sets out the minimum requirements CII owners must follow.

CII owners have to ensure cybersecurity resilience and proactively protect their CII from cyber threats.

21
Q

What are the key requirements CCoP 2.0 addresses for CII?

A
  1. Governance
  2. Identification
  3. Protection
  4. Detection
  5. Response and Recovery
  6. Cyber Resiliency
  7. Cybersecurity Training and Awareness
  8. Operational Technology (OT) security
22
Q

What does the Personal Data Protection Act 2012 do?

A
  • Is the legal framework governing the collection, use and disclosure of personal data by organizations in Singapore
  • Compliance with IM8 forms part of the enforcement and audit requirements for government agencies
23
Q

What is (IM) 8?

A

Instruction Manual (IM) 8
- A Singapore Government policy document that specifies the IT security policies, standards and guidelines for government IT systems

  • Implemented by government agencies; private vendors serving these agencies must also comply
24
Q

Summary

A

By using these frameworks and tools, a business can manage risk, follow the applicable laws, and stay compliant through structured controls.