Bedrock Insurance: Cybersecurity & IT Manager Masterclass

1. Introduction: Why Cybersecurity Matters

Cybersecurity Policy Update 🔑

  • Ghana Data Protection Act, 2012 (Act 843)
  • NIC Cybersecurity Directives, 2024
  • Customer trust, business resilience, compliance
Interview Side Note: “Cybersecurity isn’t just an IT problem—it’s fundamental for trust and regulatory survival. I’m ready to champion a proactive, compliant, and resilient culture at Bedrock.”
2. Governance and Accountability

Who’s Responsible?

  • Board: Approves strategy, ensures oversight
  • Senior Management: Accountable, appoints CISO/Head of IT
  • All Staff: Are data processors and must follow data security rules
Quick Response: “In Ghana, both senior management and the Board are personally liable for compliance. The Act specifies possible fines and jail terms for negligence, so leadership can’t afford to be hands-off.”
3. Data & Risk Management

Data Privacy & Risk Controls

  • Strict compliance with Act 843: privacy, minimality, consent, retention, right of access/correction/deletion
  • Maintain a risk framework: annual assessment & updates
  • Asset inventory & critical data classification
Sample Interview Response: “We perform regular data risk assessments and have clear data classification—so the most sensitive information always gets the highest protection, both technically and legally.”
4. Key Controls

Technical Controls

  • Access: MFA, strong passwords, least privilege
  • Patch management: prompt updates, vulnerability scans
  • Backups: Azure/offsite, encrypted, incremental and full images, regular restore tests
  • Monitoring: Activity logs and regular compliance checks
Quick Pitch: “I’d enforce strong access controls, continuous patching, and robust, tested backups—especially with Azure integration, which is perfect for cloud disaster recovery.”
5. Third-Party & API Security

Third Parties & APIs

  • Vendors must be vetted and contractually bound to security standards
  • APIs tested with tools like OWASP ZAP, Postman, Burp Suite
  • Monitor and limit third-party data access; require security attestations
Sample Q&A: “We treat every external API and vendor as a potential risk gateway. I’d use API scanning tools and require security certification before connecting to our core systems.”
6. Incident Response

Incident Response Workflow

  • Mandatory 14-day incident reporting to NIC & Data Protection Commission
  • Stepwise workflow: Detect & report → Contain → Notify → Investigate → Recover → Review
Diagram: Incident Response Steps
Key Statement: “Our workflow ensures we respond fast to any threat—protecting customer trust and ensuring compliance with regulatory timelines.”
7. Training & Awareness

People: The First Line of Defense

  • Annual cybersecurity training for all staff
  • Regular simulated phishing and incident drills
  • Staff are data processors—everyone has a legal and personal responsibility
Quick Note: “Training is non-negotiable—staff are the biggest risk and the best defense. We make cyber awareness part of the company culture.”
8. Monitoring & Audit

Continuous Monitoring & Compliance

  • Centralized activity logging (user access, data changes, policy violations)
  • Annual policy review, compliance audits, and corrective actions
  • Test backups and disaster recovery plans regularly
Tip for the Panel: “Robust monitoring and scheduled audits ensure that what’s on paper is happening in reality—and help us fix gaps before regulators find them.”
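Section 8 calls for centralized activity logging (user access, data changes, policy violations) that is actually checked rather than just collected. The following is an added example, not material from the original masterclass: two simple detection rules run over a handful of constructed log lines (the key=value format, usernames, IP addresses, the 08:00 to 18:00 business-hours window and the five-failures-in-ten-minutes threshold are all assumptions made for the demo). In production the same logic would consume Windows Security event exports or SQL Server audit output.

```python
"""Added example (not from the original masterclass): two detection rules run
over centralized activity logs, as section 8 describes. The log format, users,
addresses and thresholds are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-06T08:58:10 user=amensah action=LOGIN_OK src=10.0.1.12
2024-05-06T09:01:00 user=amensah action=DATA_CHANGE object=customers rows=1
2024-05-06T23:40:05 user=kboateng action=LOGIN_OK src=10.0.1.30
2024-05-06T23:41:12 user=kboateng action=DATA_CHANGE object=claims rows=420
2024-05-07T03:10:00 user=svc_backup action=LOGIN_FAIL src=203.0.113.9
2024-05-07T03:10:20 user=svc_backup action=LOGIN_FAIL src=203.0.113.9
2024-05-07T03:10:41 user=svc_backup action=LOGIN_FAIL src=203.0.113.9
2024-05-07T03:11:03 user=svc_backup action=LOGIN_FAIL src=203.0.113.9
2024-05-07T03:11:25 user=svc_backup action=LOGIN_FAIL src=203.0.113.9
2024-05-07T10:15:00 user=eowusu action=LOGIN_FAIL src=10.0.1.44
2024-05-07T10:15:30 user=eowusu action=LOGIN_OK src=10.0.1.44
"""

BUSINESS_HOURS = (8, 18)             # assumption: 08:00-18:00 is normal working time
FAIL_THRESHOLD = 5                   # assumption: this many failures per user ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst worth an alert


def parse_line(line):
    """Split one constructed log line into a dict of fields plus a datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_failed_login_bursts(events):
    """Sliding window per user: alert once FAIL_THRESHOLD failures land within FAIL_WINDOW."""
    alerts = []
    recent = defaultdict(list)
    for ev in events:
        if ev["action"] != "LOGIN_FAIL":
            continue
        window = recent[ev["user"]]
        window.append(ev["ts"])
        # Forget failures that have aged out of the window.
        while window and ev["ts"] - window[0] > FAIL_WINDOW:
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD:
            alerts.append(
                f"failed-login burst: user={ev['user']} src={ev['src']} "
                f"count={len(window)} at {ev['ts']}"
            )
            window.clear()  # one burst produces one alert, not one per extra failure
    return alerts


def detect_after_hours_changes(events):
    """Data changes outside BUSINESS_HOURS are flagged for human review."""
    start, end = BUSINESS_HOURS
    return [
        f"after-hours data change: user={ev['user']} object={ev['object']} "
        f"rows={ev['rows']} at {ev['ts']}"
        for ev in events
        if ev["action"] == "DATA_CHANGE" and not (start <= ev["ts"].hour < end)
    ]


def run_detections(text=SAMPLE_LOG):
    """Parse the log once and run every rule; returns the combined alert list."""
    events = parse_log(text)
    return detect_failed_login_bursts(events) + detect_after_hours_changes(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Against the constructed sample the rules raise two alerts: the five failed logins on the backup service account inside ninety seconds, and the 420-row change to claims at 23:41. The single failed login followed by a successful one at 10:15 is ordinary user behaviour and stays quiet, which is the point of tuning a threshold rather than alerting on every failure.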
9. Data Protection Stakeholders

Who Matters Under the Law?

Stakeholder | Responsibility
Data Controller | Decides why/how data is processed
Data Processor | Processes data per controller’s instructions (includes staff)
Data Protection Officer | Oversees compliance, handles requests, reports to commission
MD/CEO | Ultimate legal accountability
Board/Directors | Oversight & governance
Employees | Follow data protection rules in all duties
Data Subjects | Have rights to their personal data
Vendors | Must comply with security terms
Regulator | Data Protection Commission (DPC)
10. Windows Server & Azure: Secure File and System Management

Modern File Protection & Backups

  • Active Directory: centralized user/access management
  • Dynamic Access Control: restrict by department, sensitivity
  • NTFS Permissions & FSRM: fine-grained control and quotas
  • Folder Redirection: users’ files saved on server for central backup
  • Azure Integration: seamless, encrypted, offsite backup—file-level or full image (“bare metal”)
  • Windows Defender ATP & RMS: block unauthorized access, copying, printing (esp. Office docs)
  • Incremental backups: saves time and bandwidth; allows restore to any chosen day
Diagram: Windows Server & Azure Backup Workflow
Interview Highlight: “Using folder redirection and Azure Backup means files are protected even if a PC is lost or compromised. We test restores regularly to guarantee business continuity.”
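Section 10 says incremental backups save time and bandwidth and still allow a restore to any chosen day. The example below is added here and is not part of the original masterclass or of any Azure Backup tooling: it models a full backup followed by daily incrementals over a small constructed file share, then rebuilds the share as it stood on a chosen day by replaying the chain. It also shows the failure mode a restore test is meant to catch: if one incremental in the chain is missing, the restore must refuse rather than silently produce the wrong files. File names, contents and the daily schedule are assumptions made for the demo.

```python
"""Added example (not part of the original masterclass): restoring 'any chosen
day' from a full backup plus daily incrementals, the property section 10
attributes to incremental backups. Files, dates and change sets are constructed;
Azure Backup's real formats are not modelled."""
from datetime import date, timedelta


class BrokenChainError(Exception):
    """Raised when a backup needed to reach the chosen day is missing."""


def take_full(files):
    """A full backup is a complete snapshot of every file."""
    return {"kind": "full", "files": dict(files)}


def take_incremental(previous_state, current_files):
    """An incremental records only what changed since the previous backup:
    files added or modified, and files that were deleted."""
    changed = {p: c for p, c in current_files.items() if previous_state.get(p) != c}
    deleted = [p for p in previous_state if p not in current_files]
    return {"kind": "incremental", "changed": changed, "deleted": deleted}


def restore(chain, target_day):
    """Replay the full backup and every incremental up to target_day, in order.
    chain maps date -> backup record; the earliest entry must be the full and
    the schedule is assumed to be daily, so any gap means the chain is broken."""
    days = sorted(chain)
    if not days or chain[days[0]]["kind"] != "full":
        raise BrokenChainError("chain must start with a full backup")
    if target_day not in chain:
        raise BrokenChainError(f"no backup exists for {target_day}")
    state = {}
    expected = days[0]
    for day in days:
        if day > target_day:
            break
        if day != expected:
            raise BrokenChainError(f"missing incremental for {expected}")
        rec = chain[day]
        if rec["kind"] == "full":
            state = dict(rec["files"])
        else:
            state.update(rec["changed"])
            for path in rec["deleted"]:
                state.pop(path, None)
        expected = day + timedelta(days=1)
    return state


def build_demo_chain():
    """Constructed example: a tiny file share backed up daily for four days.
    Returns the chain and, for each day, the files as they actually were."""
    first = date(2024, 5, 6)
    day_states = [
        {"policies/BR-1001.docx": "v1", "claims/C-77.pdf": "v1"},                          # Mon: full
        {"policies/BR-1001.docx": "v2", "claims/C-77.pdf": "v1"},                          # Tue: policy edited
        {"policies/BR-1001.docx": "v2", "claims/C-77.pdf": "v1", "claims/C-78.pdf": "v1"}, # Wed: new claim
        {"policies/BR-1001.docx": "v2", "claims/C-78.pdf": "v1"},                          # Thu: C-77 removed
    ]
    chain = {first: take_full(day_states[0])}
    expected = {first: day_states[0]}
    for i in range(1, len(day_states)):
        day = first + timedelta(days=i)
        chain[day] = take_incremental(day_states[i - 1], day_states[i])
        expected[day] = day_states[i]
    return chain, expected


def demo():
    """Restore every day of the demo chain, then show that a gap is refused.
    Returns (all_days_restored_correctly, gap_was_detected)."""
    chain, expected = build_demo_chain()
    all_ok = all(restore(chain, day) == files for day, files in expected.items())
    broken = dict(chain)
    del broken[sorted(broken)[1]]  # simulate a lost Tuesday incremental
    try:
        restore(broken, sorted(broken)[-1])
        gap_detected = False
    except BrokenChainError:
        gap_detected = True
    return all_ok, gap_detected


if __name__ == "__main__":
    print(demo())  # (True, True): every day restores; the broken chain is refused
```

The Thursday incremental here contains no changed files at all, only a deletion, which is why an incremental must record removals as well as additions; a scheme that only copied new and modified files would resurrect the deleted claim on restore.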
11. SQL Server Security

SQL Server: What to Watch

  • Enforce Windows Authentication, least-privilege access
  • Enable Transparent Data Encryption (TDE) for data at rest
  • SSL/TLS for data in transit
  • Regular log/audit review
  • Encrypted backups—both on-premises and in the cloud
  • Defend against SQL injection—use parameterized queries/stored procs
Panel-ready answer: “With SQL Server, I’d combine encryption, strict permissions, regular auditing, and secure backups to minimize any breach risk—while ensuring compliance and rapid recovery.”
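The last bullet of section 11 is the one with a concrete code pattern behind it. The following is an added example, not code from the original masterclass: the same customer lookup written the vulnerable way (input pasted into the SQL text) and the parameterized way the section recommends. SQLite is used as a stand-in for SQL Server so the demo runs offline; the table and rows are constructed for the example. In SQL Server the safe version corresponds to a parameterized command from the application or a stored procedure with typed parameters.

```python
"""Added example (not part of the original masterclass): the SQL-injection
defence from section 11, shown as a vulnerable query next to its parameterized
fix. SQLite stands in for SQL Server; the schema and rows are constructed."""
import sqlite3


def make_db():
    """Constructed sample data: a small customer table an insurer might hold."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, policy_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, policy_no) VALUES (?, ?)",
        [("Ama Mensah", "BR-1001"), ("Kofi Boateng", "BR-1002"), ("Efua Owusu", "BR-1003")],
    )
    return conn


def lookup_vulnerable(conn, policy_no):
    """VULNERABLE: the caller's string becomes part of the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = f"SELECT name FROM customers WHERE policy_no = '{policy_no}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, policy_no):
    """SAFE: the value is bound as a parameter and never interpreted as SQL, so
    the database compares it literally whatever characters it contains."""
    sql = "SELECT name FROM customers WHERE policy_no = ?"
    return [row[0] for row in conn.execute(sql, (policy_no,))]


def compare(policy_no):
    """Run one input through both lookups so the effect of the fix is visible."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, policy_no),
            "parameterized": lookup_parameterized(conn, policy_no),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed policy number behaves identically either way.
    print(compare("BR-1002"))
    # Malformed input: the vulnerable query's WHERE clause becomes always-true
    # and leaks every customer; the parameterized query correctly finds nothing.
    print(compare("x' OR '1'='1"))
```

The lesson for the audit bullet above is that the parameterized query is not just safer but also easier to review: every SQL statement in the codebase is a fixed string, so a log or code search can confirm no user input ever reaches the query text.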
12. Core Terms & Quick Definitions
Term | Simple Definition
Phishing | Fake messages that trick users into giving up credentials or installing malware
Malware | Malicious software—viruses, ransomware, spyware, etc.
Ransomware | Malware that locks files and demands payment
Zero-Day | Unknown/unpatched software vulnerability
Encryption | Scrambling data so only authorized users can read it
DDoS | Attack that floods servers to disrupt services
13. Policy Enforcement & Review

Making Policy Stick

  • Violations: Disciplinary action, up to termination and legal action
  • Annual policy review, or after regulatory/operational changes
  • Continuous improvement: update controls, train staff, retest systems
Board-level closing: “This isn’t just a document—this is our business’s defense and license to operate. I’d ensure every policy is living, practical, and enforced across Bedrock.”
14. Interview Cheat Sheet – Smart Soundbites
  • “I see cybersecurity as the foundation of trust and compliance—not just a technical necessity.”
  • “Our leadership team is directly accountable. I’d make sure the board and executives are always informed and empowered.”
  • “All staff are data processors; everyone’s actions matter under the law.”
  • “Our cloud backup strategy leverages Azure’s strength—incremental, encrypted, offsite, and testable restores.”
  • “I’d ensure our vendors and APIs are as secure as our internal systems—using strong vetting and continuous monitoring.”
  • “When an incident happens, speed and transparency are vital—for regulators, customers, and our own team.”
15. Final Diagram – Stakeholder Ecosystem
Diagram: How all players interact in data protection
16. Final Recap: What Sets You Apart

  • Deep understanding of the law, risks, and technology
  • People-focused: staff training, culture, personal accountability
  • Practical knowledge: modern backups, SQL/Windows security, cloud integration
  • Regulatory confidence: proactive, not reactive
  • Ready to communicate, educate, and lead at all levels
