GRC Final Project

Throughout the Flatiron cyber security analytics bootcamp we learned many important pieces of the cyber security world in our GRC, Network, Systems, Hunt, SIEM, Strategy, and Threat courses. Theses courses all contained a plethora of the technical skills we needed to master in order to be successful in becoming effective cyber security professionals, but the non-technical skills of GRC course were also just as important.

Every industry carries its own rules and regulations that must be followed, and its own unique sets of risks associated with doing business. In our final GRC project we focused on the financial industry and the set of challenges that face an organization trying to grow in that space. We specifically were tasked with finding the rules and regulations regarding new services the company wanted to expand in to, and defining a strategy for building a new data center.

Our first task was to research all of the domestic, foreign, and future regulations we could possibly face and what steps we would have to take in order to ensure our compliance. I volunteered to do most of the research for this particular task, so I gained a deep understanding of various financial regulations, and the risks they are meant to reduce. Though new regulations are ever changing and must be kept up with especially when dealing with foreign regulations.

With the first part of the project out of the way, it was time for us to determine the best strategy for building a new data center. We covered pretty much all of our bases when defining our strategy, we utilized insurance data to determine prime geographical regions for our center, we examined various control catalogs so that we could implement the proper safeguards to improve our availability and decrease risk, and we established internal management procedures and policies to secure against insider threats.

With all of our bases covered we working on expanding our findings in those areas. I worked on defining which controls from the NIST SP 800–53 were applicable, and why they were applicable within the context of our strategy for designing a data center. I also specifically pointed a few controls that we should use in order to protect our assets. This was another great skill I gained from the course and a great resource for me to become more familiar in regards to the SP 800–53. Other group members expanded upon the controls I mentioned to describe how we could use physical, logical, and administrative controls in order to be as secure as possible.

The other group members focused on researching the geographic location we should use, as well as a couple different disaster scenarios we might face. We defined an eight piece strategy for our data center that covered all of the bases with items such as communications plans, emergency drills, and service restoration procedures.

Next we focused on the two scenarios we could potentially face at our data center. One was a natural disaster scenario and the other was an attack from a potential threat. Determining what risks an organization can face is an extremely important part of sustaining a successful business. By knowing what you may potentially face, you can be prepared and reduce the damage and impact that may face you. We made sure our incident response was effective and as forward thinking as possible so that we could be of as much value as possible to the organization we were hired by.

Our final task was to set up policies and procedures for data loss prevention. Again we referred back to the many regulations of the financial industry and what they require in order to be in compliance. We also discussed the differences in physical theft and information theft and how we could prevent both. Data loss prevention is also a major threat in all organizations, as ransomware is becoming a major threat to data.

Our research became a 15 page slide deck not including title cards of reference pages, and our presentation was just over forty minutes in length. This was a very intense project especially since it was only our second of the bootcamp. However despite working remotely and having to deal with three other different personal schedules we were able to come together and get 100% on the assignment. We definitely learned a lot from this project and the rest of our projects and Flatiron and I felt very prepared to take on the role as a cyber security consultant after this project.