I ran a real-world risk assessment on a consenting household’s personal devices and home network. I identified assets, threats, and vulnerabilities, then scored likelihood and impact to prioritize mitigations. The goal was to practice Governance, Risk, and Compliance fundamentals in a familiar environment and deliver a clear plan that improves security quickly.
(How to Conduct a GRC Assessment)
Identify assets, threats, and vulnerabilities across a home network and devices.
Score likelihood and impact to produce a risk level and priority list.
Recommend targeted mitigations and record new risk scores.
Deliver a concise report that a non-technical owner can follow.
Basic security concepts: threats, vulnerabilities, assets.
Spreadsheet and document tools: Google Sheets and Google Docs.
Consent from the device and network owner.
Google Sheets and Google Docs
Router administration interface
Anti-malware and update settings on end user devices
1. Risk identification
Assets: router, laptop, smartphone, smart speaker, sensitive data sets.
Threats: unauthorized access, phishing, malware, eavesdropping.
Vulnerabilities: weak Wi-Fi password, unpatched software, no anti-malware, default device settings.
Artifact: Risk Identification Table in Google Sheets with columns for Asset, Threat, Vulnerability.
2. Risk analysis and evaluation
Scales: Likelihood 1 to 5, Impact 1 to 5.
Formula: Risk Level = Likelihood × Impact.
Artifact: Risk Analysis Table with Likelihood, Impact, and calculated Risk Level.
3. Risk mitigation planning
Map each high risk item to a specific action.
Example: change the Wi-Fi passphrase to one of at least 16 characters and enable Wi-Fi Protected Access 3 (WPA3) if the router supports it; otherwise keep WPA2 with the new passphrase.
Example: enable automatic updates and install reputable anti-malware.
Re-score each item as if the proposed control were already in place, so the table shows the residual risk.
Artifact: Risk Mitigation Plan with New Likelihood, New Impact, New Risk Level, Responsible Party, Due Date.
4. Final report
Executive summary for non-technical readers.
Summaries of identification, analysis, and top risks.
Mitigation plan with owners and dates.
Next review cadence set to quarterly.
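The four steps above (identify, score with Likelihood × Impact, map high items to controls and re-score, summarize for the owner) are small enough to work through in code. The block below is an added example, not part of the original assessment or its spreadsheets: the register entries are constructed from the page's asset, threat and vulnerability lists, and the individual scores, the Low/Medium/High cut-offs, owner and due date are assumptions. It also adds a check the spreadsheet version lacks: a score outside 1..5 or a "control" that does not lower the level is rejected instead of silently skewing the priority list.

```python
"""Home-network risk register: identify, score (Likelihood x Impact), prioritize,
re-score after a proposed control, and produce plain-language report lines.
Example code added to this page; entries and thresholds below are assumptions."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # both Likelihood and Impact are scored 1..5


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    control: Optional[str] = None  # filled in during mitigation planning
    owner: Optional[str] = None
    due: Optional[str] = None

    def __post_init__(self) -> None:
        # Reject out-of-range scores early: a typo such as 15 instead of 5 would
        # otherwise dominate the priority list unnoticed.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def level(self) -> int:
        """Risk Level = Likelihood x Impact, so 1..25."""
        return self.likelihood * self.impact


def band(level: int) -> str:
    """Label a 1..25 level. The cut-offs are an assumption for this example;
    the page defines the scales and the product, not the bands."""
    if level >= 15:
        return "High"
    if level >= 8:
        return "Medium"
    return "Low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest level first; ties broken by impact so the more damaging item leads."""
    return sorted(register, key=lambda r: (r.level, r.impact), reverse=True)


def mitigate(risk: Risk, control: str, new_likelihood: int, new_impact: int,
             owner: str, due: str) -> Tuple[Risk, Risk]:
    """Return (before, after) for one planned control. Raises if the re-scored
    level is not lower, which usually means the wrong control was chosen."""
    after = replace(risk, likelihood=new_likelihood, impact=new_impact,
                    control=control, owner=owner, due=due)
    if after.level >= risk.level:
        raise ValueError(f"control '{control}' does not reduce risk for {risk.asset}")
    return risk, after


def plan_summary(pairs: List[Tuple[Risk, Risk]]) -> List[str]:
    """One plain-language line per item for the non-technical report."""
    return [
        f"{b.asset}: {b.threat} via {b.vulnerability} is {band(b.level)} ({b.level}). "
        f"Action: {a.control} (owner {a.owner}, due {a.due}) -> {band(a.level)} ({a.level})."
        for b, a in pairs
    ]


# Constructed register (example scores, not the assessment's real data).
REGISTER = [
    Risk("Router", "unauthorized access", "weak Wi-Fi password", 5, 5),
    Risk("Laptop", "malware", "unpatched software", 4, 4),
    Risk("Smartphone", "phishing", "no anti-malware", 3, 4),
    Risk("Smart speaker", "eavesdropping", "default device settings", 3, 3),
]


def build_plan(register: List[Risk]) -> List[Tuple[Risk, Risk]]:
    """Map each High item to a specific control and re-score it (assumed values)."""
    controls = {
        "Router": ("16+ character Wi-Fi passphrase, WPA3 if available", 1, 5),
        "Laptop": ("automatic updates plus reputable anti-malware", 2, 3),
    }
    pairs = []
    for risk in prioritize(register):
        if band(risk.level) == "High":
            control, new_l, new_i = controls[risk.asset]
            pairs.append(mitigate(risk, control, new_l, new_i,
                                  owner="household owner", due="2 weeks"))
    return pairs


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.level:>2} {band(r.level):<6} {r.asset}: {r.threat} / {r.vulnerability}")
    for line in plan_summary(build_plan(REGISTER)):
        print(line)
```

Running it prints the prioritized register (router 25 High, laptop 16 High, smartphone 12 Medium, smart speaker 9 Medium) followed by the two mitigation lines with residual levels of 5 and 6, which is the same information the Risk Analysis and Risk Mitigation Plan tables carry in Google Sheets. Keeping the impact score for the router at 5 after the control is deliberate: a new passphrase lowers how likely compromise is, not how bad it would be, and a re-score should reflect that distinction.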
Clear view of the highest risks in a real home environment.
A prioritized plan that reduced top risk levels after simple changes.
Reusable templates for future assessments.
Risk identification and scoping
Qualitative scoring and prioritization
Control selection and risk re-scoring
Stakeholder communication in plain language