Blackbox Intelligence Group

Cybersecurity II · Module 12

Cybersecurity II, Unit 12: Risk Management, Governance, and Compliance

The skill that decides who runs the program. Risk math, frameworks (NIST CSF, ISO 27001, CIS), and the regulations students will actually meet at work (HIPAA, PCI DSS, SOC 2, FERPA, GDPR/CCPA).

Length
240 min
Level
intermediate
Track
Cyber II
Cadence
Semester 2

Download 1-page brochure (PDF)·Share with admins, parents, or your CTE director.

What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Locked

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Locked

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Locked

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 12: Risk Management, Governance, and Compliance (GRC)

Lesson at a glance

| Item | Detail |
| --------------------- | --------------------------------------------------------------------------------------------------------- |
| Suggested length | 4 × 60 minutes |
| Recommended placement | Week 18 |
| Prerequisite | Cyber I Unit 2 |
| Materials | NIST CSF 2.0 reference, CIS Controls v8 reference, sample risk register template, sample policy templates |

Safety: Standard course safety; no lab attacks in this unit.

Standards & credential alignment

  • NIST CSF 2.0 core functions: Govern, Identify, Protect, Detect, Respond, Recover.
  • ISO/IEC 27001:2022 introduction.
  • CIS Controls v8 Implementation Group 1 (IG1).
  • HIPAA / PCI DSS / SOC 2 / FERPA / GDPR / CCPA awareness.

Learning objectives

By the end of this unit, students can:

  1. Calculate qualitative and quantitative risk: Risk = Likelihood × Impact (and SLE/ARO/ALE for quant).
  2. Build a 10-row risk register with treatment decisions (accept / mitigate / transfer / avoid).
  3. Map controls to NIST CSF 2.0 functions and categories.
  4. Identify which regulation applies to which industry/data type.
  5. Read a security policy critically and propose improvements.

Vocabulary

  • Risk - The effect of uncertainty on objectives. Often Likelihood × Impact.
  • Threat / vulnerability / risk / impact - review from Cyber I.
  • SLE / ARO / ALE - Single Loss Expectancy / Annualized Rate of Occurrence / Annualized Loss Expectancy.
  • Risk treatment - Accept, Mitigate, Transfer, Avoid.
  • Control - Safeguard reducing risk (technical, administrative, physical).
  • Policy / Standard / Procedure / Guideline - Policy states what is required and why (mandatory, strategic) → Standard sets the specific mandatory requirements (tactical) → Procedure gives the step-by-step how → Guideline is recommended practice, not mandatory.
  • Audit / Assessment - Audit: formal review against a defined standard that produces evidence-backed findings, often by an external party. Assessment: point-in-time check of security posture, usually internal and less formal.

Pacing

| Day | Focus | Deliverable |
| --- | ------------------------------------ | ---------------------------------------- |
| 1 | Risk math + register | 10-row risk register |
| 2 | Frameworks: NIST CSF, ISO 27001, CIS | Control mapping for 5 risks |
| 3 | Regulations | Regulation-to-scenario matching exercise |
| 4 | Policy critique + writing | Rewrite a weak policy |

Day 1 - Risk math

Qualitative grid (5×5), rows = likelihood, columns = impact, cells = Low / Medium / High / Critical:

| Likelihood \ Impact | Negligible | Minor | Moderate | Major | Catastrophic |
| -------------- | ---------- | ----- | -------- | ----- | ------------ |
| Almost certain | M | H | H | C | C |
| Likely | M | M | H | H | C |
| Possible | L | M | M | H | H |
| Unlikely | L | L | M | M | H |
| Rare | L | L | L | M | M |

Quantitative example:

Asset: Customer DB (replacement value $500K)
Threat: Ransomware
Exposure factor: 30%  →  SLE = $500K × 0.30 = $150K
ARO: 0.2 (once every 5 years)  →  ALE = $150K × 0.2 = $30K/year
Control under consideration: Immutable backups + EDR  → Costs $25K/year, reduces ARO to 0.05
New ALE = $7.5K/year  →  Annual benefit = $22.5K, control cost $25K
Decision: marginal (net −$2.5K/year when credited against this one risk). Negotiate the vendor price down, or credit the control with the ALE it also removes from the other risks it reduces; immutable backups and EDR protect far more than the customer DB.

Risk register columns: ID, Description, Asset, Threat, Vulnerability, Likelihood, Impact, Inherent Risk, Existing Controls, Residual Risk, Treatment, Owner, Due Date.
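The Day 1 math as runnable code, added here as an example and not part of the lesson pack: the 5×5 qualitative lookup, SLE/ARO/ALE for a quantitative row, and the cost-benefit check for a control. It goes one step past the worked example above by summing the ALE reduction over every risk the same control touches, which is exactly the "include other risks" move the decision calls for. The customer DB figures are the unit's; the second asset (a file server) and all other numbers are constructed sample data.

```python
"""Added example: quantitative and qualitative risk scoring for a small register.

SLE = asset value x exposure factor
ALE = SLE x ARO
Net annual benefit of a control = sum of ALE reductions over every risk it
affects, minus its annual cost.
All assets, values and probabilities are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# 5x5 qualitative grid from Day 1: rows are likelihood, columns are impact,
# cells are Low / Medium / High / Critical.
IMPACTS = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]
GRID = {
    "Almost certain": "MHHCC",
    "Likely":         "MMHHC",
    "Possible":       "LMMHH",
    "Unlikely":       "LLMMH",
    "Rare":           "LLLMM",
}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Return the L/M/H/C cell of the grid for a likelihood/impact pair."""
    return GRID[likelihood][IMPACTS.index(impact)]


@dataclass
class Risk:
    risk_id: str
    description: str
    asset_value: float       # replacement value in dollars
    exposure_factor: float   # fraction of asset value lost in one incident
    aro: float               # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self, aro: Optional[float] = None) -> float:
        """Annualized Loss Expectancy = SLE x ARO; pass a residual ARO to get residual ALE."""
        return self.sle() * (self.aro if aro is None else aro)


@dataclass
class Control:
    name: str
    annual_cost: float
    # risk_id -> ARO after the control is in place (risks not listed are unaffected)
    residual_aro: Dict[str, float] = field(default_factory=dict)


def ale_reduction(risk: Risk, control: Control) -> float:
    """Annual loss avoided on one risk; zero if the control does not touch it."""
    new_aro = control.residual_aro.get(risk.risk_id, risk.aro)
    return risk.ale() - risk.ale(new_aro)


def net_annual_benefit(risks: Iterable[Risk], control: Control) -> float:
    """Sum of ALE reductions over every risk the control affects, minus its cost."""
    return sum(ale_reduction(r, control) for r in risks) - control.annual_cost


def treatment(risks: List[Risk], control: Control, margin: float = 0.10) -> str:
    """Turn the cost-benefit result into a register treatment decision.

    A net benefit within +/- `margin` of the control's own cost is 'marginal'
    (the Day 1 outcome); otherwise mitigate, or reject the control and accept,
    transfer, or look for a cheaper one. Rounded to cents so float noise
    cannot flip the comparison.
    """
    net = round(net_annual_benefit(risks, control), 2)
    if abs(net) <= round(margin * control.annual_cost, 2):
        return "marginal: negotiate cost or count other risks the control reduces"
    return "mitigate" if net > 0 else "reject control: accept, transfer, or find a cheaper control"


def register_rows(risks: List[Risk], control: Control) -> List[dict]:
    """One row per risk with the numbers a quantitative register column set needs."""
    return [
        {"id": r.risk_id, "sle": r.sle(), "inherent_ale": r.ale(),
         "residual_ale": r.ale(control.residual_aro.get(r.risk_id, r.aro)),
         "ale_reduction": ale_reduction(r, control)}
        for r in risks
    ]


# Constructed sample data: the Day 1 customer DB plus a second asset that the
# same control (immutable backups + EDR) also protects.
RISKS = [
    Risk("R-01", "Ransomware encrypts customer DB", 500_000, 0.30, 0.20),
    Risk("R-02", "Ransomware encrypts shared file server", 200_000, 0.50, 0.20),
]
BACKUPS_EDR = Control("Immutable backups + EDR", 25_000,
                      residual_aro={"R-01": 0.05, "R-02": 0.05})

if __name__ == "__main__":
    for row in register_rows(RISKS, BACKUPS_EDR):
        print(row)
    print("DB only:          ", treatment(RISKS[:1], BACKUPS_EDR))
    print("DB + file server: ", treatment(RISKS, BACKUPS_EDR))
    print("Likely x Major ->", qualitative_rating("Likely", "Major"))
```

Scoring the DB alone reproduces the "marginal" verdict (ALE drops $30K to $7.5K against a $25K control); adding the file server the control also covers turns the same purchase into a net +$12.5K/year and a clear "mitigate". That is the point students should take from the register: a control is justified against the total ALE it removes, not against a single row.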

Day 2 - Frameworks

NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover.

CIS Controls v8 IG1 (the practical starter pack: 56 safeguards drawn from 15 of the 18 controls):

  • Asset inventory.
  • Software inventory.
  • Data management basics.
  • Secure configuration.
  • Account management + access control.
  • Continuous vulnerability management.
  • Audit log management.
  • Email/web protections.
  • Malware defenses.
  • Data recovery.
  • Network infrastructure management (keeping network devices current; the Network Monitoring and Defense control has no IG1 safeguards).
  • Security awareness training.
  • Service provider management.
  • Incident response.

Map exercise: take 5 risks from Day 1, map to NIST CSF function/category and CIS safeguards.

Day 3 - Regulations

Quick reference:

| Reg | Who must comply | What it covers |
| ----------- | ------------------------------------------------- | ----------------------- |
| HIPAA | US healthcare entities + business associates | PHI |
| PCI DSS | Anyone handling cardholder data | Payment data |
| SOC 2 | Service orgs (often SaaS) | Trust services criteria |
| FERPA | US educational institutions | Student records |
| GLBA | US financial institutions | Customer financial info |
| GDPR | Anyone processing EU residents' personal data | Personal data, broad |
| CCPA / CPRA | Businesses with CA consumer data above thresholds | Personal data, narrower |
| FedRAMP | Cloud services for US federal agencies | Government data |
| CMMC | DoD contractors | CUI |

Matching exercise: 12 scenarios → identify which regulation(s) apply and one key control each requires.

Day 4 - Policy critique

Provide a deliberately weak password policy (vague, no lockout, no guidance on when credentials must be changed such as after suspected compromise, no enforcement mechanism, no exceptions process). Students:

  1. List 5 weaknesses.
  2. Rewrite into a 1-page policy.
  3. Add 1-page accompanying procedure (the actual how).

Common misconceptions

  • "Compliance = security." - Compliance is a floor, not a goal: passing an audit shows you met a checklist on one day, not that your actual threats are controlled. Aim above the floor.
  • "More controls = lower risk." - Wrong controls ≠ lower risk. Controls have to map to actual threats.
  • "GDPR is just for Europe." - It applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, wherever that organization is based.

Assessment

  • Day 1 risk register (10 rows, scored).
  • Day 2 mapping exercise.
  • Day 3 matching exercise.
  • Day 4 rewritten policy + procedure.

Career connection

GRC analysts $80K–$120K. Senior GRC / risk manager $120K–$180K. CISO $200K–$500K+. The career path most often overlooked by students who think "cyber = hacking."

Homework

Read the NIST CSF 2.0 introduction. Pick three categories of the new Govern (GV) function, note for each whether it is genuinely new or was moved out of Identify in CSF 1.1, and write 1 paragraph on why NIST elevated governance to its own function.

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.