HIT · CS Concentrations

COURSE · CY4

Cyber-Security Governance, Risk & Compliance

Cyber-security governance, risk and compliance

structured risk, control frameworks, auditable evidence, and incident governance

Managing cyber-security through risk, frameworks, audit, and response.

Year 3 · 13 weeks · 2h lecture + 2h practice · Project-based

About this course

Manage cyber-security as an organizational discipline through risk assessment, security policy, compliance frameworks, and incident response.

Course format. Thirteen weeks, four contact hours each: a two-hour lecture (concepts and theory) and a two-hour practice session. The course is project-based; teams carry one running project end to end and present it three times, in weeks 5, 8, and 13.

What you will build

A complete security governance program for a case-study organization: a prioritized SP 800-30 risk register, a CSF 2.0 profile, an ISO/IEC 27001 ISMS with a statement of applicability, a tailored SP 800-53 control set, an auditable policy suite, a mock internal audit, and a tabletop-validated incident response plan.

Expected outcomes

  • Explain governance, risk, and compliance and how they align security with business goals.
  • Conduct structured risk assessments using qualitative and quantitative methods.
  • Apply the NIST Risk Management Framework and the Cybersecurity Framework 2.0.
  • Build an information security management system aligned to ISO/IEC 27001.
  • Select and document security controls from established control catalogs.
  • Draft security policies, standards, and procedures that are auditable and enforceable.
  • Plan and execute audits and assess control effectiveness against evidence.
  • Design an incident response capability and run it through realistic exercises.
  • Evaluate compliance posture against regulatory and contractual obligations.
  • Communicate risk and security decisions effectively to executive stakeholders.

Key topics

  • Risk assessment
  • Standards (ISO 27001, NIST)
  • Policy & audit
  • Incident response

Theoretical foundations

The concepts and results this course rests on.

  • governance, accountability, and the alignment of security with business goals
  • the threat, vulnerability, likelihood, and impact risk model
  • qualitative and quantitative risk-assessment methods
  • the risk management framework lifecycle and control selection
  • the management-system model and the plan-do-check-act cycle
  • control catalogs, tailoring, and traceability to evidence
  • the incident-handling lifecycle and continuous monitoring

Prerequisites

This is a Year-3 course. It assumes the mandatory CS core: data structures and algorithms, operating systems, computer networks, databases, software engineering, and the core mathematics (linear algebra, probability and statistics, calculus, discrete mathematics). It additionally requires the specific prior courses listed below.

Course-specific prerequisites:

  • Software engineering
  • Basic information-security concepts

Weekly schedule · 13 weeks · lecture + practice

Foundations

Wk 1 · Governance, risk, and compliance overview
Lecture: Define GRC, the roles of governance and accountability, and how security supports organizational objectives.
Practice: Profile a case-study organization and map its assets, stakeholders, and obligations.
Project: Select the organization and produce its context and scope document.

Risk

Wk 2 · Risk concepts and assessment methods
Lecture: Cover threats, vulnerabilities, likelihood, impact, and qualitative versus quantitative risk methods.
Practice: Build an asset inventory and a first threat-and-vulnerability list for the organization.
Project: Add an asset register and threat catalog to the project.

Wk 3 · Conducting a risk assessment
Lecture: Present the SP 800-30 risk assessment process and risk-rating and prioritization techniques.
Practice: Run a structured risk assessment and produce a ranked risk register.
Project: Add a complete prioritized risk register to the project.

Frameworks

Wk 4 · Risk management frameworks
Lecture: Explain the NIST RMF lifecycle and the Cybersecurity Framework 2.0 functions and outcomes.
Practice: Map the organization's risks and current state onto the CSF 2.0 functions.
Project: Add a CSF 2.0 current-state profile to the project.

Wk 5 · Program specification and scope · Presentation
Lecture: Discuss how risk results drive control selection and the structure of a security program.
Practice: Team presentation: each team defends its risk assessment and proposed program scope.
Project: Freeze the security program specification and scope.

Management systems

Wk 6 · ISO/IEC 27001 and the ISMS
Lecture: Present the ISO/IEC 27001 management-system model, the PDCA cycle, and the statement of applicability.
Practice: Draft a statement of applicability and ISMS scope for the organization.
Project: Add the ISMS scope and statement of applicability to the project.

Controls

Wk 7 · Control selection and the control catalog
Lecture: Cover control families, the SP 800-53 catalog, and tailoring controls to assessed risk.
Practice: Select and tailor controls to treat the top risks in the register.
Project: Add a tailored control set mapped to the risk register.

Policy

Wk 8 · Policies, standards, and procedures · Presentation
Lecture: Explain the policy hierarchy, enforceability, and writing controls that can be audited.
Practice: Team presentation: interim review of the ISMS, controls, and draft policy set.
Project: Present the interim program with its initial policy suite.

Wk 9 · Authoring an auditable policy suite
Lecture: Discuss roles and responsibilities, exceptions, and mapping policies to controls and evidence.
Practice: Write a full policy and matching procedure for a chosen control domain.
Project: Add a complete policy and procedure set to the program.

Audit

Wk 10 · Audit and control assessment
Lecture: Cover audit planning, evidence gathering, sampling, and assessing control effectiveness.
Practice: Conduct a mock internal audit and document findings and nonconformities.
Project: Add an internal audit report with findings to the project.

Wk 11 · Remediation and continuous improvement
Lecture: Explain corrective action plans, risk acceptance, and continuous monitoring.
Practice: Build a remediation plan and a continuous-monitoring approach for open findings.
Project: Add a corrective-action and monitoring plan to the program.

Response

Wk 12 · Incident response and resilience
Lecture: Present the SP 800-61 incident-handling lifecycle, roles, and communication and escalation paths.
Practice: Run a tabletop incident exercise and capture lessons learned for the plan.
Project: Add an incident response plan validated by a tabletop exercise.

Capstone

Wk 13 · Final program and defense · Presentation
Lecture: Review the complete GRC program and how its parts trace from risk to control to evidence.
Practice: Team presentation: final program delivery with oral defense to a simulated steering committee.
Project: Deliver the complete GRC program package with documentation and defense.

AI tools in this course

Students use AI assistants as GRC drafting partners: generating first-draft policies, procedures, and statements of applicability, mapping assessed risks to SP 800-53 controls and CSF 2.0 outcomes, and summarizing long standards such as ISO/IEC 27001 and SP 800-30 into working checklists. They prompt the assistant to expand a risk register, to phrase controls so they are auditable, and to produce tabletop incident scenarios and interview questions for the mock audit. AI also helps reconcile evidence against control requirements and turn raw findings into executive-ready risk narratives, but students verify every citation, control mapping, and obligation against the authoritative source, since an AI that invents a control reference or misstates a regulatory duty would make the program fail an audit.

Student project

Teams build a complete security governance program for a case-study organization, progressing from risk assessment through framework alignment, control selection, policy authoring, audit, and incident response. Each deliverable traces from assessed risk to control to auditable evidence. The capstone defends the full program before a simulated steering committee.

Requirements

  • Build a working system, not a set of disconnected exercises.
  • Be original: a new system that solves a real problem, not a re-implementation of a tutorial or course demo.
  • Show real depth: real data, real users or realistic load, and engineering trade-offs that are measured rather than assumed.
  • Carry one running project from specification to a deployed, defensible result across the whole term.
  • Work in a team of three or four and defend the design at each of the three presentations (weeks 5, 8, and 13).

Example projects

  • Hospital ISMS program
  • Fintech risk-and-control framework
  • SaaS startup compliance roadmap
  • Manufacturer ISO 27001 readiness
  • University incident response plan
  • Cloud provider control mapping
  • Retailer audit-and-remediation program
  • Public-sector GRC blueprint

Assessment & grading

Grading is project-based, with no written exam. Teams of three or four present one running project three times.

Component                  What it covers                                                        Weight
Project · Specification    Presentation 1 (week 5): problem, objectives, and architecture        20%
Project · Interim          Presentation 2 (week 8): the working system demonstrated live         30%
Project · Final            Presentation 3 (week 13): end-to-end demo with oral defense           50%

Tools & platforms

  • Eramba: GRC and risk-management platform
  • OpenSCAP: automated control compliance scanning
  • Wazuh: continuous monitoring and audit evidence
  • NIST CPRT: control and framework reference toolkit
  • MITRE ATT&CK Navigator: threat-informed control mapping
  • FAIR-U: quantitative risk-analysis training tool
  • draw.io: architecture and data-flow diagramming
  • Git: version control for policies and evidence
  • GRC spreadsheet templates: risk registers and SoA tracking
  • TheHive: incident case management and response

Free online courses

Existing free, video-based courses this course can build on, for self-study or as a teaching basis.

Primary literature

Seminal works to read for graduate-level depth.

References

Books and resources link to an online or publisher page.

Role in each concentration

Concentration                                   Role
Intelligent Software Systems                    Elective
Networking & Cyber Security                     Core · Semester 2
AI & Robotics                                   Elective
AI and Quantum Computing for Finance            Core · Semester 1
Immersive Systems & Game Development            Elective
Defense Technologies & Autonomous Systems       Elective