ποΈ 13.1 Introduction & Exam Objectives - Featuring Simply Cyber Jaw Jacking!
ποΈ Exam Objectives
Candidates must be able to conduct CR-MAP Phase Two actions to create a Cyber Risk Management Action Plan (CR-MAP). Given a scenario:
3.1 Verify how each top risk is covered by the mitigation roadmap
3.2 Rate each mitigationβs business value based on the Business Value Model
- Financial returns
- Technical risk mitigation
- Legal risk mitigation
- Reliability of operations
3.3 Create custom mitigations based on organization questionnaire and interviews
3.4 Create standard operating procedures (SOPs) for custom mitigation and control
- Understand and know how to implement every mitigation/control recommended to the target organization
- Recommend contractors for mitigations/controls you cannot advise on
3.5 Generate a cost estimate for each mitigation and control
- Understand the common costs associated with given mitigations and controls
3.6 Create an implementation roadmap for the organization
- Assign mitigations to specific organizational units
- Group mitigations by owner type
- Generate a Gantt chart with the availability of each organizational unit
- Understand resource limitations: time, money, skilled personnel
Transcript
Welcome to Chapter 13 of "Mastering Cyber Resilience", where we dive into phase 2 of creating a CR-MAPβa Cyber Risk Management Action Plan. This is a critical section, where theory meets action. Itβs about taking your understanding of cyber risk at a company and determining practical steps to improve their cyber resilience.
This chapter covers Domain 3 of your exam, which represents 27% of the questions. Letβs review what weβll learn, in the exam objectives.
Exam Objectives
3.1: Verify Risk Coverage
- Identify how each top risk is covered by the mitigation roadmap.
- Ask: What are we doing about the problem? So what? Whatβs next?
- Ensure traceability and auditability, essential for demonstrating due diligence and due care.
3.2: Rate Each Mitigationβs Business Value
- Measure the value of each mitigation, considering financial returns, risk reduction (technical and legal), and operational reliability.
- Itβs not just about being a cost center; it's about enabling business objectives. As Joseph from Simply Cyber highlighted, itβs vital to speak the language of business.
3.3: Tailor Custom Mitigations
- Customize mitigations based on organizational needs. Conduct interviews to ensure tailored solutions that support business objectives.
3.4: Create Standard Operating Procedures (SOPs)
- Develop SOPs for the recommended controls and mitigations. These should be clear and actionable to ensure the organization can implement them effectively.
3.5: Generate Cost Estimates
- Understand the common costs associated with each mitigation. This is critical for obtaining management approval and securing executive sponsorship for resilience efforts.
3.6: Build an Implementation Roadmap
- Prioritize threats, assign responsibilities, and track progress. Adapt as needed based on time, budget, and available resources.