Here is the comprehensive and corrected list of terms and concepts extracted from the provided documents. As requested, the label "Term" has been removed, and the concept of "Strict Liability" has been corrected to its proper legal term based on the provided definition.

  • Legal Jurisdiction

    • Definition: The legal authority of a court or government to control a specific subject, person, or area.

    • Relevance/Example: In the digital world, jurisdiction depends on factors such as where data is collected, stored, and processed, creating a "fragmented global rulebook" for data breaches in which a single event can trigger legal liabilities across dozens of legal systems simultaneously.

  • Unified Control Framework (UCF)

    • Definition: A compliance strategy where an organisation identifies the strictest legal and regulatory requirements across all its operating regions and applies them universally as a baseline.

    • Relevance/Example: Adopting the EU GDPR’s strict 72-hour breach notification window across a global organisation to simplify its compliance posture.

  • Inference Risk

    • Definition: The privacy risk associated with modern AI systems ingesting seemingly innocuous datasets to deduce highly sensitive personal attributes.

    • Relevance/Example: Using data such as geolocation or purchase history to infer a person's mental health status or political affiliation, an area of increasing focus for regulatory authorities.

  • Duty of Care

    • Definition: A legal obligation to act in a manner that avoids causing foreseeable harm to others.

    • Relevance/Example: Maintaining rigorous documentation of risk assessments and remediation efforts serves as evidence that an organisation exercised "due diligence" and met its duty of care if a breach ever occurs.

  • Proximity (Legal)

    • Definition: The closeness of the relationship between an organisation and the party harmed, which helps establish a clear duty of care.

    • Relevance/Example: A bank has a high level of proximity to its depositors, requiring strict protection of their financial data.

  • Forum Shopping

    • Definition: The strategic practice of litigants filing lawsuits in jurisdictions they believe will be most favourable to their desired outcome.

    • Relevance/Example: A lawsuit against a U.S. company for a data breach might be filed in a European court to take advantage of the higher penalties afforded under the GDPR rather than U.S. state laws.

  • Cyber-libel

    • Definition: The use of digital platforms, such as social media or websites, to spread false information that harms the reputation of an individual or organisation.

    • Relevance/Example: The use of AI-generated disinformation or "Deepfake" technology to create highly convincing but false representations of corporate executives making damaging statements.

  • Downstream Liability

    • Definition: A legal concept where an organisation is held responsible for system damages that affect others outside its immediate environment.

    • Relevance/Example: If a company's systems are compromised and used to attack another entity, the original company might be held liable for the downstream damages.

  • Direct Liability

    • Definition: Liability a company incurs for employee actions or crimes that it permitted or caused.

    • Relevance/Example: If an organisation's culture or lack of oversight allows an employee to use corporate assets to commit a cybercrime, the organisation is directly liable.

  • Vicarious Liability

    • Definition: A legal doctrine where a company is held liable for a crime or tort committed by an employee within the scope of their employment or authority, regardless of the company's direct intent or fault.

    • Relevance/Example: An employer is held responsible if an employee misuses access privileges to commit a crime, even if the employer did not expressly authorise the specific act.

  • Deemed Export

    • Definition: A regulatory violation that occurs when technical data or source code is shared with a foreign national within the borders of the host country (e.g., the United States).

    • Relevance/Example: Discussing architectural specifications on an unsecured video call or hiring a foreign engineer to work on proprietary encryption systems without proper clearance.

  • System Development Life Cycle (SDLC)

    • Definition: The complete, structured process for creating and maintaining information systems, encompassing stages from initial planning to operation and disposal.

    • Relevance/Example: Integrating security early in the SDLC ("shifting left") reduces long-term costs and mitigates vulnerabilities much sooner than addressing them post-deployment.

  • Change Control Board (CCB)

    • Definition: A committee of stakeholders and management that formally reviews change proposals, evaluates operational impacts, and makes binding implementation decisions.

    • Relevance/Example: A qualified security representative must sit on the CCB to assist with risk identification and mitigation before any major network or system modifications are approved.

  • Security Impact Analysis (SIA)

    • Definition: An evaluation process to determine how a proposed change will affect an organisation's security posture, specifically its confidentiality, integrity, and availability.

    • Relevance/Example: Integrating automated SIA scanning into CI/CD pipelines in fast-paced Agile/DevOps environments to catch vulnerabilities without slowing down software deployment cycles.

  • Compensating Controls (Workarounds)

    • Definition: Alternative security measures utilised to provide an equivalent or comparable level of protection when an original security control cannot be implemented due to legitimate constraints.

    • Relevance/Example: If a system limitation prevents data encryption at rest, utilising strict access controls combined with a VPN can serve as an effective compensating control.

  • Privacy Impact Assessment (PIA)

    • Definition: An assessment conducted before implementing new tools or systems to ensure that privacy risks are identified and the least intrusive alternatives are used.

    • Relevance/Example: Conducting a PIA before rolling out intensive employee monitoring software to balance security needs with reasonable expectations of privacy.

  • Configuration Management

    • Definition: A process that ensures system configurations are consistently documented, controlled, and maintained to support secure, reliable operations.

    • Relevance/Example: Tracking configuration items and version updates to prevent "configuration drift" in multi-cloud environments, where unrecorded changes create blind spots that attackers can exploit.

  • Right to be Forgotten (Right to Erasure)

    • Definition: A privacy right, notably under the GDPR, that allows individuals to request the deletion of their personal data from an organisation's systems.

    • Relevance/Example: An organisation must have processes in place to completely remove a user's data upon request to avoid stiff GDPR financial penalties.