Module 7 Assignment: Governance, compliance, and audit

Module 7 Assignment: Governance, compliance, and audit#

Scenario#

You are advising a cyber risk committee prioritizing mitigation across assets with different exposure and business value. The stakeholders are: CISO, risk officer, system owner, auditor, and executive sponsor.

Task#

Answer the module question: How do AI risk tools support formal obligations?

Use the module lab and course readings to produce: cyber risk assessment package with scoring rationale, treatment plan, and executive dashboard focused on governance, compliance, and audit: Draft compliance and audit evidence..

Required Evidence#

  • Define the decision or system boundary in one paragraph.

  • Identify the dataset, proxy data, or evidence source you used: synthetic asset risk records with exposure, vulnerability severity, control strength, threat activity, and business impact.

  • Compare at least two alternatives, baselines, policies, or designs.

  • Report one quantitative result or structured scoring table.

  • Explain two failure modes and one mitigation for each.

  • State what additional evidence would be required before real deployment.

Submission#

Submit the completed notebook plus a 900-1200 word memo. The memo must include clear headings for context, method, evidence, risks, recommendation, and open questions.

# Assignment workspace for Module 7: Governance, compliance, and audit
module = 7
decision = "How do AI risk tools support formal obligations?"
artifact = "cyber risk assessment package with scoring rationale, treatment plan, and executive dashboard focused on governance, compliance, and audit: Draft compliance and audit evidence."

alternatives = [
    {"option": "baseline_or_manual_process", "strength": "", "risk": "", "evidence": ""},
    {"option": "ai_assisted_or_advanced_option", "strength": "", "risk": "", "evidence": ""},
]

recommendation = {
    "decision": decision,
    "recommended_option": "",
    "minimum_evidence_before_pilot": [],
    "monitoring_metric": "",
    "rollback_trigger": "",
}

{"module": module, "artifact": artifact, "alternatives": alternatives, "recommendation": recommendation}

{'module': 7,
 'artifact': 'cyber risk assessment package with scoring rationale, treatment plan, and executive dashboard focused on governance, compliance, and audit: Draft compliance and audit evidence.',
 'alternatives': [{'option': 'baseline_or_manual_process',
   'strength': '',
   'risk': '',
   'evidence': ''},
  {'option': 'ai_assisted_or_advanced_option',
   'strength': '',
   'risk': '',
   'evidence': ''}],
 'recommendation': {'decision': 'How do AI risk tools support formal obligations?',
  'recommended_option': '',
  'minimum_evidence_before_pilot': [],
  'monitoring_metric': '',
  'rollback_trigger': ''}}

Acceptance Criteria#

Your submission is complete only if another reviewer can reproduce your reasoning from the evidence you provide. You do not need production-grade data, but you must be explicit about proxy-data limits and what would change with real institutional data.