Module 16 & 17: Risk Management & Compliance

Glossary of Terms

The probability that the actual outcome or result of an action will be different from the expected outcome.

The level of risk that an organization is prepared to accept in the pursuit of its objectives.

The degree of risk or uncertainty that is deemed acceptable to either an individual or an organization.

Risk stemming from people, such as employees falling for phishing attempts or malicious "insider threats" who sell or misuse company data.

Risk arising from sources like insecure devices, network vulnerabilities, loose firewall rules, or insecurely stored passwords.

Risk from threats that hinder everyday business functionality, such as physical threats (fires, floods) or large-scale technical issues like ransomware attacks.

The possibility that future regulations or legal restrictions may not align with the current business model, potentially forcing major changes or even business failure.

The process of identifying potential risks that could prevent an organization from achieving its objectives. It is the first step in the risk management process.

A method of creating scenarios to identify potential threats to system security. A common technique is STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).

The process used to identify, evaluate, and estimate the levels of risks involved in a situation, followed by determining an acceptable risk level.

A subjective analysis of the probability and impact of risks, often based on expertise and judgment, using categories like "High," "Medium," and "Low."

A method that seeks to assign numerical values to risks, using data and statistical methods to quantify probability and potential losses (e.g., in monetary terms).

Tools designed to help identify, evaluate, and mitigate risks in organizations of all sizes. Examples include NIST RMF, TARA, COSO, and COBIT.

The National Institute of Standards and Technology (NIST) Risk Management Framework, designed to integrate security and privacy into the development cycle of digital systems from the start.

The COSO enterprise risk management framework, designed to seamlessly integrate risk management into a corporate strategy for success. It is often visualized as a cube.

The Control Objectives for Information and Related Technologies (COBIT) framework, developed by ISACA for IT management and governance.

Voluntary sets of guidelines and practices to help organizations mitigate risks (e.g., CIS Controls, NIST SP 800-53).

A set of rules and processes mandated by a government or other authority that individuals and companies must adhere to. Their primary aim is to minimize, mitigate, or eradicate harms.

When companies or individuals follow the rules set out in a regulation.

A law issued by Congress.

A law issued by the President (federal) or a state's Governor (state).

Enacted in 2018, it governs data collection, use, and sharing, granting California residents control over their data processing, including rights to opt out, delete, and access their data.

Enacted in 1996, most notable for **Section 230**, which grants immunity to internet service providers and platforms from liability for content published by third parties.

An organization authorized to assign CVE numbers to vulnerabilities, such as Adobe, Microsoft, or Intel.

A US law from 2000 that protects the privacy and personal information of children under 13 years old.

Regulates security and privacy for companies operating in China, including strict controls and data localization (mandates storing data locally).

Less sensitive government data that still requires specific protection measures like additional encryption, access controls, and secure communication channels.

A system managed by the MITRE Corporation that provides a standardized method for identifying and cataloging vulnerabilities in software and hardware.

A framework requiring contractors working with the U.S. Department of Defense (DoD) to comply with requirements to protect covered defense information (CDI) and report cyber incidents.

India's law passed in 2023 to safeguard personal data within its borders and for services offered within the country.

An EU directive that governs data confidentiality, spam, and tracking via cookies, and regulates the handling of metadata.

A US law that criminalizes the unauthorized possession or transmission of sensitive government information.

An EU regulation that aims to regulate the development and use of AI, classifying systems based on risks to users.

A US federal agency that regulates interstate and international communications over radio, cable, television, satellite, and wires.

A US law that imposes cybersecurity requirements on federal agencies to protect their information and systems. Contractors working with these agencies must also adhere to FISMA standards.

A bipartisan US federal agency that enforces antitrust laws, protects consumers, and investigates data privacy practices.

A regulation established by the European Union (EU) that sets standards for data security, governance, and privacy. It applies to any company that processes data of EU consumers or is located in the EU.

A US law that protects consumer financial privacy. It requires financial institutions to explain their information-sharing practices, secure sensitive data, and offer opt-out methods.

  • Governance: Establishes organizational structure, policies, and procedures for decision-making and accountability.
  • Risk: Identifies, assesses, and manages potential threats that could impact objectives.
  • Compliance: Ensures the organization adheres to relevant laws, regulations, and standards.

A US cabinet-level department created to protect the health of the US people and provide essential human services. HHS implements and enforces HIPAA.

A US law from 1996 that regulates the disclosure and sharing of health information. It grants individuals rights to control how their health information is used and created the Security Rule to safeguard electronic health records.

An independent examination conducted by an organization to assess its own internal processes, systems, and controls to verify compliance with regulations, standards, and policies.

A US regulation that controls the export and import of defense-related articles and services, including technical data.

The office within HHS that leads HIPAA compliance activities, including investigating complaints, conducting audits, and issuing fines.

A US federal regulatory agency responsible for protecting investors, maintaining fair markets, and mandating financial disclosures. It also approves cryptocurrency transactions.

A determination of an individual's level of access to sensitive government data. The application process involves thorough background checks, and US citizenship is typically required.

Also known as a vendor or supplier risk assessment, this is a process to manage security risks associated with a company's external partners, who often have access to sensitive data.

Frameworks & Concepts

Risk Management (Module 16)

Components of Risk Assessment (A 3-Step Process)

A comprehensive risk assessment generally involves these three main components:

  1. Risk Identification: Recognizing threats that could affect the system, identifying vulnerabilities that could be exploited, and understanding the potential consequences.
  2. Risk Analysis: Assessing the likelihood of each identified risk occurring and the potential impact it would have on the organization. This can be qualitative or quantitative.
  3. Risk Evaluation: Comparing the estimated levels of risk against the organization's predefined risk criteria to determine which risks need treatment and prioritization.

Example: Phishing Attack Assessment

Applying the 3-step process to a phishing threat:

  • Identification: The threat is a phishing attack. Vulnerabilities could be weak passwords, lack of user training, and outdated software.
  • Analysis: Determine the likelihood is high due to industry trends, and the impact is severe due to sensitive customer data.
  • Evaluation: Conclude that the risk is unacceptable given the high likelihood and high impact, and therefore requires mitigation.

NIST Risk Management Framework (RMF)

The NIST RMF integrates security and privacy throughout the system development lifecycle with the following 7 steps:

  • Prepare: Essential activities to prepare the organization to manage security and privacy risks.
  • Categorize: Categorize the system and information based on an impact analysis.
  • Select: Select the set of NIST SP 800-53 controls to protect the system.
  • Implement: Implement the controls and document how they are deployed.
  • Assess: Assess the controls to determine if they are operating as intended.
  • Authorize: A senior official makes a risk-based decision to authorize the system to operate.
  • Monitor: Continuously monitor control implementation and risks to the system.

COSO Enterprise Risk Management Framework

The COSO framework integrates risk management into corporate strategy. Key components include:

  • Evaluating the internal environment (ethics, core values, risk tolerance).
  • Using the organization's mission for objective setting.
  • Distinguishing between risks (negative) and opportunities (positive) for event identification.
  • Identifying the likelihood and impact of risks through a risk assessment.
  • Selecting one of four risk responses (reduce, accept, transfer, avoid) based on risk tolerance.
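The following Python script is an added worked example, not part of the course notes, that runs the three-step risk assessment on the phishing scenario above and then picks one of the four COSO risk responses. The qualitative analysis uses an assumed 3x3 likelihood/impact matrix, and the quantitative analysis uses annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence), a standard formula the notes do not name. All dollar figures, the risk appetite, the loss tolerance, and the control and insurance costs are constructed for illustration.

```python
"""Worked risk assessment: identification -> analysis -> evaluation -> response.

Constructed example; the scales, dollar figures and cost assumptions are invented
for illustration and are not from the course material.
"""
from dataclasses import dataclass
from typing import Optional

# Ordinal scale for the qualitative 3x3 likelihood/impact matrix (assumed).
SCALE = {"low": 1, "medium": 2, "high": 3}
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Risk:
    """Step 1 (identification): the threat, exploitable weaknesses and consequence."""
    threat: str
    vulnerabilities: list
    consequence: str
    likelihood: str   # qualitative input: low / medium / high
    impact: str       # qualitative input: low / medium / high
    sle: float = 0.0  # quantitative input: single loss expectancy, dollars per event
    aro: float = 0.0  # quantitative input: annual rate of occurrence, events per year


def qualitative_rating(risk: Risk) -> str:
    """Step 2a (qualitative analysis): map likelihood x impact onto High/Medium/Low."""
    score = SCALE[risk.likelihood] * SCALE[risk.impact]  # 1..9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(risk: Risk) -> float:
    """Step 2b (quantitative analysis): ALE = SLE x ARO (standard formula, assumed here)."""
    return risk.sle * risk.aro


def evaluate(risk: Risk, risk_appetite: str = "Medium", loss_tolerance: float = 50_000.0) -> dict:
    """Step 3 (evaluation): compare the analysed risk with the organization's criteria.

    The risk needs treatment if either criterion is exceeded: the qualitative rating
    is above the stated risk appetite, or the ALE exceeds the yearly monetary loss the
    organization is prepared to absorb."""
    rating = qualitative_rating(risk)
    ale = annualized_loss_expectancy(risk)
    exceeds_appetite = RATING_ORDER[rating] > RATING_ORDER[risk_appetite]
    return {"rating": rating, "ale": ale, "needs_treatment": exceeds_appetite or ale > loss_tolerance}


def choose_response(risk: Risk, control_cost: float, residual_aro: float,
                    transfer_cost: float, avoid_cost: Optional[float] = None, **criteria) -> str:
    """Pick one of the four COSO responses: reduce, accept, transfer or avoid.

    A risk inside the criteria is accepted. Otherwise the cheapest yearly option wins:
    reduce = cost of controls plus the residual ALE they leave behind; transfer = e.g.
    an insurance premium (assumed to cover the whole loss); avoid = the business value
    lost by stopping the risky activity entirely (only if that is possible)."""
    if not evaluate(risk, **criteria)["needs_treatment"]:
        return "accept"
    options = {"reduce": control_cost + risk.sle * residual_aro, "transfer": transfer_cost}
    if avoid_cost is not None:
        options["avoid"] = avoid_cost
    return min(options, key=options.get)


# The phishing scenario from the notes, with constructed figures.
PHISHING = Risk(
    threat="phishing campaign against staff",
    vulnerabilities=["weak passwords", "no user training", "outdated mail client"],
    consequence="exposure of sensitive customer data",
    likelihood="high", impact="high",
    sle=200_000.0,  # assumed loss per successful campaign
    aro=0.5,        # assumed: one success every two years -> ALE $100k
)

# A contrasting low risk that stays inside the criteria and is simply accepted.
LAPTOP_THEFT = Risk(
    threat="theft of an encrypted laptop from the office",
    vulnerabilities=["shared office access"],
    consequence="hardware replacement only; data stays encrypted",
    likelihood="low", impact="medium", sle=5_000.0, aro=0.2,
)

if __name__ == "__main__":
    for r in (PHISHING, LAPTOP_THEFT):
        print(r.threat, evaluate(r))
    # Reduce: $30k/yr on training + MFA, assumed to cut ARO to 0.1 -> $30k + $20k = $50k.
    # Transfer: assumed $80k/yr cyber-insurance premium, so "reduce" is cheapest.
    print(choose_response(PHISHING, control_cost=30_000, residual_aro=0.1, transfer_cost=80_000))
```

Changing the premium to $40k in the final call flips the answer to "transfer", and tightening the criteria (`risk_appetite="Low"`, `loss_tolerance=500.0`) pulls the laptop risk into the "needs treatment" set; the evaluation step is where the organization's appetite, not the analyst's judgment, decides.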

NIST Cybersecurity Framework (CSF)

The NIST CSF provides flexible and cost-effective risk management strategies with three main components:

  • The Core: A set of cybersecurity activities and outcomes aimed at mitigating risks.
  • Implementation Tiers: Help organizations determine the level of risk they are willing to accept based on factors like budget and data sensitivity.
  • Profiles: Unique to each organization to align their cybersecurity risk with specific objectives and resources.

Regulations & Compliance (Module 17)

US Law & Regulatory Bodies

Origin of Regulations in the US

Most regulations in the United States originate from laws. There are two main types:

  • Legislation: A law issued by Congress. This process involves a bill being proposed, discussed in committee, approved by both the House and Senate, and signed (or vetoed) by the President.
  • Executive Order: A law issued by the President (federal) or a Governor (state). This process is often quicker but must ultimately be approved by Congress.

A system of **checks and balances** ensures no single branch (President, Congress, Supreme Court) has too much power.

Key US Regulatory Agencies

  • Federal Trade Commission (FTC): A bipartisan agency (est. 1914) that enforces antitrust laws, protects consumers, and investigates data privacy practices.
  • Federal Communications Commission (FCC): A federal agency that regulates interstate and international communications over radio, cable, TV, satellite, and wires.
  • Securities and Exchange Commission (SEC): A federal agency (est. 1934) that protects investors, maintains fair markets, and oversees the financial sector.
  • Department of Health and Human Services (HHS): A cabinet-level department protecting US health. Within HHS, the **Office for Civil Rights (OCR)** leads HIPAA compliance, investigates complaints, and issues fines.

Key Regulations (US & Foreign)

Major US Data Privacy Regulations

  • HIPAA (Health Insurance Portability and Accountability Act): Regulates the use, disclosure, and safeguarding of health information (Protected Health Information).
  • CCPA (California Consumer Privacy Act): A 2018 state law granting California residents rights over their data, including the right to opt-out, delete, and access.
  • COPPA (Children's Online Privacy Protection Act): A 2000 law protecting the personal information of children under 13.
  • GLBA (Gramm-Leach-Bliley Act): Protects consumer financial privacy, requiring financial institutions to explain data sharing and secure sensitive data.
  • CDA (Communications Decency Act): Section 230 of this 1996 law grants immunity to internet platforms from liability for content posted by third parties.
  • AI Executive Orders: President Biden issued EO 14110 ("Safe, Secure, and Trustworthy AI") in Oct 2023. President Trump rescinded it and signed EO 14179 ("Removing Barriers to American Leadership in AI") in Jan 2025.

Major Foreign Data Regulations

  • GDPR (General Data Protection Regulation) - EU: Establishes clear standards for data security, governance, and privacy. It applies to any company processing data of EU consumers, regardless of the company's location.
  • ePrivacy Directive (ePD) - EU: Governs data confidentiality, spam, and tracking via cookies and metadata within the EU.
  • AI Act - EU: Aims to regulate the development and use of AI, classifying systems based on risk.
  • DPDP (Digital Personal Data Protection Act) - India: Passed in 2023 to safeguard personal data within India.
  • China's CyberSecurity Law (CSL) - China: Regulates security and privacy for companies in China, notably mandating that data be stored locally.

HIPAA Enforcement & Penalties

HIPAA Enforcement Bodies

  • OCR (Office for Civil Rights): Investigates complaints, conducts audits, and imposes civil penalties.
  • State Attorneys General: Have authority to bring civil actions for HIPAA violations affecting their state residents.
  • U.S. Department of Justice (DOJ): Responsible for criminal enforcement, such as for intentional misuse of protected health information.

HIPAA Civil Penalty Tiers

  • Tier 1: Lack of Knowledge: Approx. $150 - $75,000 per violation.
  • Tier 2: Reasonable Cause: Approx. $1,500 - $75,000 per violation.
  • Tier 3: Willful Neglect - Corrected: Approx. $15,000 - $75,000 per violation.
  • Tier 4: Willful Neglect - Not Corrected: Approx. $75,000 - $2,250,000 per violation.

Corporate Compliance Programs

Governance, Risk, and Compliance (GRC)

GRC is a strategy for managing an organization's overall governance, risk management, and compliance with regulations.

  • Governance: Establishes the organizational structure, policies, and procedures that guide decision-making and accountability.
  • Risk: Identifies, assesses, and manages potential threats and uncertainties that could impact the organization's objectives.
  • Compliance: Ensures the organization adheres to relevant laws, regulations, and industry standards to mitigate legal and reputational risks.

(Figure: GRC Framework Diagram)

Benefits of a Strong Compliance Program

  • Meet Regulatory Compliance: Avoid penalties, fines, and legal consequences.
  • Protect Sensitive Information: Prevent data breaches and misuse of confidential data.
  • Build Trust: Assure customers and investors that their data is handled responsibly.
  • Avoid Reputation Damage: Demonstrate commitment to compliance and have effective incident response plans.
  • Increase Employee Accountability: Use training to reduce accidental violations and foster a compliance culture.
  • Gain a Competitive Advantage: Stand out in the market by communicating your commitment to compliance.

Building a Corporate Compliance Strategy

  1. Conduct a Compliance Risk Assessment: Identify applicable laws/regulations and pinpoint potential risks in operations, supply chains, etc.
  2. Establish Protocols and Roles: Define protocols for reporting and handling issues. Designate a compliance officer or team.
  3. Set up Monitoring and Reporting: Implement systems for ongoing monitoring (audits, assessments) and create confidential channels for employees to report concerns.
  4. Develop an Incident Response Plan: Create, test, and refine a comprehensive plan for what to do in case of a breach.
  5. Communicate with Partners: Evaluate vendor compliance risks and ensure third parties meet similar standards.
  6. Perform Audits and Assessments: Conduct regular internal audits and engage third-party auditors for unbiased evaluations.

5 Tips for a High-Performing Compliance Program

  1. Rules are fundamental but values are key. Programs based on values *and* rules have a bigger impact on employee choices.
  2. Employees need to feel safe to speak up. Engaged employees feel empowered to do the right thing.
  3. Focus on your company's mission. Tie the compliance program to the company's mission to give employees focus.
  4. Make the program known and then operationalize it. Don't hide it; make it part of the business process.
  5. Empower employees to find and use what they need. Information must be easy to find and act on.

Consequences of Non-Compliance

Non-compliance has high costs for both companies (lawsuits, fines) and employees (disciplinary action, legal consequences).

Disciplinary Actions for Employees

  • Warnings: Verbal warnings for minor, first-time violations; written warnings for persistent or more serious violations.
  • Probation: A period where the employee's performance and conduct are closely monitored.
  • Termination: The ultimate consequence for continuous, deliberate, or irreparable non-compliance.

Legal Consequences for Employees

  • Personal Liability: Employees can be exposed to personal legal liability if their actions result in harm.
  • Fines and Penalties: Individuals may be required to pay personal fines imposed by regulatory authorities.

Impact on Reputation & Career

  • Perception and Trust: Negative publicity can damage a professional reputation.
  • Career Advancement: A history of non-compliance can create barriers to advancement.
  • Required Training: Employees may be mandated to complete additional ethics and compliance training.

Core Security Compliance Techniques

1. Access Controls

  • Principle of Least Privilege: Users and processes only have the *minimum* access required to perform their duties.
  • Multi-Factor Authentication (MFA): Requiring multiple forms of verification (e.g., password + SMS).
  • Access Control Lists (ACLs): Defining granular permissions to resources.
  • Role-Based Access Control (RBAC): Assigning access based on a user's role.
  • Regular Password Updates: Enforcing complexity and changing default passwords.
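The following Python script is an added example, not code from the course, showing how three of the controls listed above combine into one deny-by-default authorization check: RBAC supplies permissions through roles, an ACL adds explicit per-resource grants, and sensitive actions require MFA before the grant counts. The roles, users, resources, and permission names are constructed for illustration, and the final function is a least-privilege review that lists what a user holds beyond what their duties need.

```python
"""Deny-by-default authorization combining RBAC, a per-resource ACL and MFA step-up.

Constructed example: the roles, users, resources and permission names are invented
for illustration and are not taken from the course material.
"""

# RBAC: each role grants a fixed set of "resource-type:action" permissions.
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:comment"},
    "admin": {"ticket:read", "ticket:comment", "ticket:delete", "user:manage"},
}

# ACL: explicit per-resource grants for principals who need an exception to their
# role, e.g. an external contractor given read access to exactly one ticket.
ACL = {
    "ticket-42": {"bob": {"ticket:read"}},
}

USER_ROLES = {"alice": {"analyst"}, "bob": set(), "carol": {"admin"}}

# Actions that require a second factor even when a role or ACL entry allows them.
MFA_REQUIRED = {"ticket:delete", "user:manage"}


def role_permissions(user: str) -> set:
    """Union of the permissions of every role the user holds (empty if none)."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, action: str, resource: str, mfa_verified: bool = False) -> bool:
    """Least privilege in practice: nothing is allowed unless a role or an ACL entry
    grants exactly this action, and sensitive actions additionally need MFA."""
    acl_grants = ACL.get(resource, {}).get(user, set())
    granted = action in role_permissions(user) or action in acl_grants
    if not granted:
        return False  # default deny: unknown user, unknown action, or no grant
    if action in MFA_REQUIRED and not mfa_verified:
        return False  # step-up required before a sensitive action
    return True


def excess_permissions(user: str, needed: set) -> set:
    """Least-privilege review: permissions the user holds beyond what their duties need."""
    return role_permissions(user) - needed


if __name__ == "__main__":
    print(is_authorized("alice", "ticket:read", "ticket-42"))           # True, via analyst role
    print(is_authorized("bob", "ticket:read", "ticket-42"))             # True, via ACL only
    print(is_authorized("bob", "ticket:read", "ticket-43"))             # False, no role and no ACL entry
    print(is_authorized("carol", "ticket:delete", "ticket-42"))         # False, admin but no MFA
    print(is_authorized("carol", "ticket:delete", "ticket-42", True))   # True
    print(excess_permissions("carol", {"ticket:read", "ticket:comment"}))
```

The review function is the part auditors care about: if carol only ever reads and comments on tickets, the two extra permissions her admin role carries are exactly the kind of standing privilege a least-privilege policy says to remove.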

2. Incident Response

A structured plan to manage security incidents. The process includes:

  1. Detection: Identifying potential incidents as they occur.
  2. Reporting: Clear channels to report and escalate incidents.
  3. Assessment: Evaluating the scope, impact, and severity.
  4. Containment: Limiting the spread and damage.
  5. Documentation & Improvement: Documenting the process and identifying areas for improvement.

3. Encryption

Using cryptographic techniques to secure sensitive data. This is a critical compliance requirement in many regulations, including GDPR, HIPAA, and CCPA, and is mandated in industries like healthcare and banking.

4. Training Programs

Training is essential to foster a culture of compliance, teach employees best practices, and ensure consistent application of policies.

Vulnerability Management (MITRE CVE)

What is MITRE CVE?

The **Common Vulnerabilities and Exposures (CVE)** system, managed by MITRE, provides a standardized method for identifying and cataloging publicly known vulnerabilities. It is used by cybersecurity professionals, vendors, and organizations to share information and improve security.

Note on Exploits: The most commonly exploited CVEs are often **more than 3 years old**, which highlights the critical importance of patching and updating. Common types include privilege escalation, remote code execution, and Microsoft Office vulnerabilities.

How the CVE System Works

  1. Identification: A vulnerability or exposure is identified.
  2. Assignment: A **CVE Numbering Authority (CNA)** (e.g., Microsoft, Adobe) assigns a unique CVE number.
  3. Description: The CNA creates a description and provides references.
  4. Publication: The entry is added to the list and published on the CVE website.

Anatomy of a CVE Entry (Example: CVE-2021-43576)

  • CVE ID: Format `CVE-YYYY-NNNN`, where the year is followed by a sequence number of four or more digits (e.g., `CVE-2021-43576`). Allows tools and people to correlate data about the same issue.
  • Dates: A `Publishing Date` (when reported) and an `Update Date` (last time info was added).
  • Description: Outlines the impact of the vulnerability.
  • Vendor: The company that created the product (e.g., Jenkins project).
  • Product: The specific item (e.g., Jenkins pom2config Plugin).
  • Versions: Details which versions are affected (e.g., "affected through 1.2").
  • References: Links to external sources (advisories, blog posts) for more information and solutions.
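The following Python script is an added example, not code from the course or from MITRE, that parses a CVE ID into its year and sequence number, checks an installed product version against the "affected through" bound of an entry, and flags entries older than the three-year mark from the exploit note above. The record is constructed from the fields of the example entry listed above (ID, vendor, product, affected versions); the description and reference values are placeholders, and the installed versions are made up.

```python
"""Parse CVE identifiers and a CVE record, then decide whether an installed product
version is affected and how urgently to act.

The record below is constructed from the fields of the course's example entry
(CVE-2021-43576, Jenkins project, Jenkins pom2config Plugin, affected through 1.2);
the description and reference values are placeholders. The "more than 3 years old"
threshold follows the course's note on commonly exploited CVEs.
"""
import re

# CVE-<4-digit year>-<sequence number of four or more digits>.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

RECORD = {
    "id": "CVE-2021-43576",
    "vendor": "Jenkins project",
    "product": "Jenkins pom2config Plugin",
    "affected_through": "1.2",  # inclusive upper bound, as in "affected through 1.2"
    "description": "[placeholder: description not reproduced here]",
    "references": ["[placeholder: vendor advisory URL]"],
}


def parse_cve_id(cve_id: str) -> tuple:
    """Return (year, sequence) or raise ValueError for anything that is not a CVE ID."""
    m = CVE_ID.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def parse_version(version: str) -> tuple:
    """Split a dotted numeric version into integers so that 1.10 sorts after 1.2."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, affected_through: str) -> bool:
    """True when the installed version is at or below the last affected version."""
    return parse_version(installed) <= parse_version(affected_through)


def cve_age_years(cve_id: str, current_year: int) -> int:
    """Years since the year encoded in the ID; a rough measure of how long the flaw
    has been public, which is what the exploit note is about."""
    return current_year - parse_cve_id(cve_id)[0]


def triage(record: dict, installed: str, current_year: int) -> str:
    """Reduce a record plus an installed version to one of three outcomes."""
    if not is_affected(installed, record["affected_through"]):
        return "not-affected"
    if cve_age_years(record["id"], current_year) > 3:
        return "patch-overdue"  # old, public and still unpatched: the worst case
    return "patch-required"


if __name__ == "__main__":
    for installed in ("1.1", "1.2", "1.3", "1.10"):
        print(installed, triage(RECORD, installed, current_year=2025))
```

Version strings are compared as tuples of integers rather than as text, which is why 1.10 is correctly reported as not affected by a bound of 1.2; string comparison would get that backwards.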

Audits & Assessments

SEC Cybersecurity Rules (2023)

The US Securities and Exchange Commission (SEC) introduced new rules requiring public companies to enhance their cybersecurity reporting.

  • Disclose Material Incidents: Public companies must disclose any cybersecurity incident they determine to be "material," detailing its nature, scope, timing, and impact.
  • Four-Day Reporting Window: This disclosure must be filed within **four business days** of determining the incident is material.
  • Report on Risk Management: Companies must also provide periodic disclosures (e.g., in annual reports) about their cybersecurity risk management, strategy, and governance.

Internal Audits

An internal audit is an independent examination by an organization to assess its own processes, systems, and controls to ensure compliance.

Key Steps in an Internal Audit:

  1. Define Benchmarks: Identify all relevant regulatory requirements, industry standards, and internal policies.
  2. Establish Objectives: Set a specific scope for the audit (e.g., focus on data protection).
  3. Evaluate Controls: Assess existing compliance strategies (access controls, data protection, etc.).
  4. Document & Categorize Findings: Document all findings and categorize them based on likelihood and potential impact.

Third-Party Risk Assessments

This is a process (also called vendor/supplier risk assessment) to manage security risks associated with external partners. It's essential because third parties often have access to sensitive company data, systems, or networks. The goal is to audit each partner to identify and address risks.

Example: Bank Assessment

A mid-size bank collaborates with a cloud service provider, a custodial (cleaning) company, and a payroll management company. The bank must assess the risks each partner introduces (e.g., cloud provider has data access, cleaning staff has physical access) and ensure contracts define security requirements, incident reporting, and consequences for non-compliance.

Handling Government Data

Working with government data involves extra regulations due to its sensitive nature. Non-compliance can lead to severe legal penalties, reputation damage, and loss of government contracts.

Security Clearances

Clearances determine an individual's access level to classified data. The process involves background checks (criminal history, financial stability, foreign affiliations), and US citizenship is typically required.

Clearance Levels (from lowest to highest):

  • Controlled Unclassified Information (CUI)
  • Public Trust Position
  • Confidential
  • Secret
  • Top Secret
  • Top Secret SCI (Compartmented)

Core Compliance Requirements for Government Data

  • Data Residency: Rules about the physical hosting and storage location of data (e.g., must be stored within specific geographic boundaries) to mitigate espionage risks.
  • Insider Threat Mitigation: Mandated programs to reduce risk from malicious employees or unauthorized disclosures.
  • Handling Unclassified Information (CUI): Even less sensitive data (CUI) requires specific protections like extra encryption, access controls, and secure channels.
  • Continuous Monitoring and Auditing: Organizations must engage in continuous monitoring and periodic audits to ensure ongoing compliance.

Key Legislation & Frameworks for Government Data

  • Espionage Act: Criminalizes the unauthorized possession or transmission of sensitive government information.
  • ITAR (International Traffic in Arms Regulations): Controls the export and import of defense-related articles, services, and technical data.
  • FISMA (Federal Information Security Management Act): Imposes cybersecurity requirements on federal agencies and their contractors.
  • DFARS (Defense Federal Acquisition Regulation Supplement): Requires contractors working with the Department of Defense (DoD) to protect defense information and report incidents.

Fill in the Blank Questions

True/False Questions

Multiple Choice Questions