13.1 Introduction & Exam Objectives - Featuring Simply Cyber Jaw Jacking
Exam Objectives
Candidates must be able to conduct CR-MAP Phase Two actions to create a Cyber Risk Management Action Plan (CR-MAP). Given a scenario:
3.1 Verify how each top risk is covered by the mitigation roadmap
3.2 Rate each mitigation's business value based on the Business Value Model
- Financial returns
- Technical risk mitigation
- Legal risk mitigation
- Reliability of operations
3.3 Create custom mitigations based on organization questionnaire and interviews
3.4 Create standard operating procedures (SOPs) for custom mitigation and control
- Understand and know how to implement every mitigation/control recommended to the target organization
- Recommend contractors for mitigations/controls you cannot advise on
3.5 Generate a cost estimate for each mitigation and control
- Understand the common costs associated with given mitigations and controls
3.6 Create an implementation roadmap for the organization
- Assign mitigations to specific organizational units
- Group mitigations by owner type
- Generate a Gantt chart with the availability of each organizational unit
- Understand resource limitations: time, money, skilled personnel
Transcript
Welcome to Chapter 13 of "Mastering Cyber Resilience", where we dive into phase 2 of creating a CR-MAP, a Cyber Risk Management Action Plan. This is a critical section, where theory meets action. It's about taking your understanding of cyber risk at a company and determining practical steps to improve their cyber resilience.
This chapter covers Domain 3 of your exam, which represents 27% of the questions. Let's review what we'll learn in the exam objectives.
Exam Objectives
3.1: Verify Risk Coverage
- Identify how each top risk is covered by the mitigation roadmap.
- Ask: What are we doing about the problem? So what? What's next?
- Ensure traceability and auditability, essential for demonstrating due diligence and due care.
3.2: Rate Each Mitigation's Business Value
- Measure the value of each mitigation, considering financial returns, risk reduction (technical and legal), and operational reliability.
- It's not just about being a cost center; it's about enabling business objectives. As Joseph from Simply Cyber highlighted, it's vital to speak the language of business.
3.3: Tailor Custom Mitigations
- Customize mitigations based on organizational needs. Conduct interviews to ensure tailored solutions that support business objectives.
3.4: Create Standard Operating Procedures (SOPs)
- Develop SOPs for the recommended controls and mitigations. These should be clear and actionable to ensure the organization can implement them effectively.
3.5: Generate Cost Estimates
- Understand the common costs associated with each mitigation. This is critical for obtaining management approval and securing executive sponsorship for resilience efforts.
3.6: Build an Implementation Roadmap
- Prioritize threats, assign responsibilities, and track progress. Adapt as needed based on time, budget, and available resources.