
MASTERING CYBER RESILIENCE

Kip Boyle
Jason Dion
Lisa McKinley
DISCLAIMER

While Akylade carefully ensures the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The name used in any data files provided with this course is that of a fictitious company and fictional employees. Any resemblance to current or future companies or employees is purely coincidental. If you believe we used your name or likeness accidentally, please notify us, and we will change the name in the next revision of the manuscript. Akylade is an independent provider of certification solutions for individuals, businesses, educational institutions, and government agencies. The use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for educational purposes only. No such use should be construed to imply sponsorship or endorsement of this book by such entity, nor any affiliation of such entity with Akylade. This book may contain links to sites on the Internet that are owned and operated by third parties (the "External Sites"). Akylade is not responsible for the availability of, or the content located on or through, any External Site. Please contact Akylade if you have any concerns regarding such links or External Sites. Any screenshots used for illustrative purposes are the intellectual property of the original software owner.

TRADEMARK NOTICES

Akylade®, Akylade Certified Cyber Resilience Fundamentals®, A/CCRF®, Certified Cyber Resilience Practitioner®, and A/CCRP® are registered trademarks of Akylade LLC in the United States and/or other countries. All other product and service names used may be common law or registered trademarks of their respective proprietors.

PIRACY NOTICES

This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to the terms and conditions of the software owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Akylade materials are being reproduced or transmitted without permission, please email us at legal@akylade.com.

Copyright ©2023

Akylade LLC
https://www.akylade.com
All rights reserved. Except as permitted under the United States Copyright Act
of 1976, this publication, or any part thereof, may not be reproduced or
transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, storage in an information retrieval system, or
otherwise, without express written permission of Akylade.

ISBN: 979-8-9886499-0-8

BONUS CONTENT

Please visit https://www.akylade.com/mastering-cyber-resilience to register your book and receive access to some online practice exams to help prepare you for your certification exams.

CONTENTS

1 Introduction 1
2 Cybersecurity Fundamentals 13
3 Risk Management Fundamentals 23
4 NIST Cybersecurity Framework 39
5 Framework Components 57
6 The Five Functions 65
7 Controls and Outcomes 83
8 Implementation Tiers 103
9 Using the Profiles 115
10 Assessing Cyber Risk 141
11 The CR-MAP Process 155
12 Phase One: Discovering Top Cyber Risks 165
13 Phase Two: Creating a Cyber Risk Management Action Plan 197
14 Phase Three: Maintenance and Updates 219
15 Conclusion 229
Appendix A A/CCRF Exam Objectives 233
Appendix B A/CCRP Exam Objectives 243
Appendix C Glossary 249

ACKNOWLEDGMENTS

This book is written for our community of students worldwide who have allowed us to continue to develop our video courses and books over the years. Your hard work has led you to positions of increasing responsibility throughout your careers, and we are grateful to have been a small part of your success.

We truly hope that you all continue to love the method to our madness as you work to conquer the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams.

We wish you all the best as you continue to accelerate your careers to new heights!

CONTRIBUTORS

Akylade would like to thank the following people for their hard work and support in developing the A/CCRF and A/CCRP certifications with us. Each of these individuals spent countless hours helping us bring these certifications to the world.

• CG Acharjya
• Matthew C. Bascom, IT Systems Analyst at Modoc County IT (A+, Linux+, CySA+)
• Reed Bidgood, Project Manager at Dion Training Solutions
• Ahanu Boyle, Cyber Risk Analyst at Cyber Risk Opportunities LLC
• Nicholas Bradburn
• Evan Branstner
• Walt V. Carillion (CISSP, CISA, CTPRP, CIA, CFE, CPA)
• Julio Ricardo Duarte, Cybersecurity Expert at Amitego Latin America - LLD Internacional
• Michael Efenaro
• Robert Finch, Cyber Risk Analyst at Cyber Risk Opportunities LLC
• Ken Fishkin
• Peter H. Gregory, CISSP, CISA, CISM, CRISC, CDPSE, CIPM, DRCE, CCSK, is the author of more than 50 cybersecurity and technology books, including Solaris Security, CISSP For Dummies, and CISM All-In-One Exam Guide. He has written certification study guides for CISSP, CISA, CISM, CRISC, CIPM, CDPSE, and SCSA, and certification exam questions for CISSP, CRISC, CCSK, and CISA. He is a member of the Forbes Technology Council, CyberEdBoard, and InfraGard, and resides in Central Washington.
• Timothy D. Harmon, M.S. (Associate of ISC2, Cisco Certified CyberOps Associate, Cisco Champion) https://harmont2007.wixsite.com/cybertalk
• Alan How
• Bob Malin, Technical Account Manager at Qualys, bmalin77@gmail.com
• Josh Mason, Senior Consultant at Neuvik Solutions (MBA, CISSP)
• Steve McMichael, Director of Governance, Risk and Compliance at BlackBerry (CPA, MBA, CISA)
• Marc Menninger (CISSP, CRISC)
• Galen Minev, CISO at Paysera LTD (M.S. Cybersecurity)
• Keith Morgan, IS Security/GSEC (CISSP, CEH, CISA, GSEC, GSEC)
• Joshua Peskay, 3CPO at RoundTable Technology (CISSP, CISM), committed to serving the nonprofit and mission-driven sector
• Susan Sarit, Chief Operating Officer at Dion Training Solutions
• Wayne Seavolt
• Muhammad Shahzad
• Bryon Singh, Director of Security Operations at Railworks Corporation (https://www.linkedin.com/in/bryonsingh/)
• Yuri Soldatenkov, Cybersecurity Advisor (CISSP, CCSP, GDSA, GSTRT, GSLC)
• Galina's Husband & Bianca, Dylan, and Lauriana's Dad
• David John Sopala, Orami (A+, Network+, Security+, CySA+) david.sopala@gmail.com
• Glen Sorensen, vCISO at Cyber Risk Opportunities LLC
• Apurv Tiwari
• Christopher Uloko, Lead Evangelist and Lead Humanitarian at Rod Of Jesse Ministries, Reflecting Jesus Everywhere

CHAPTER ONE

INTRODUCTION

In this book, you will learn how to master cyber resiliency in your organization and also learn everything you need to know to pass the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams. This book covers the essentials with no fluff, filler, or extra material, so you can easily learn the material and conquer the certification exam.

The Akylade Certified Cyber Resilience Fundamentals (A/CCRF) exam is the first certification exam in Akylade’s Cyber Resilience certification path. This certification is designed to assess your theoretical understanding of the NIST Cybersecurity Framework (CSF) and your ability to plan, manage, and optimize its use within your organization.

The Akylade Certified Cyber Resilience Practitioner exam is the second certification exam in Akylade’s Cyber Resilience certification path. This certification is designed to test your ability in planning, managing, and optimizing the NIST Cybersecurity Framework (CSF) within an organization by placing you into the role of a virtual cyber resiliency consultant throughout numerous different scenarios and real-world case studies.

This book assumes that you have no previous experience with the NIST Cybersecurity Framework and is designed to teach you exactly what you need to know to take and pass the Akylade Certified Cyber Resilience certification exams on your first attempt.

This text is designed to serve as a common body of knowledge for the certification exams and as a hands-on guide and workplace reference to operationalizing the NIST Cybersecurity Framework daily within your organization.

This book has also been designed to serve as the official textbook for the Akylade Certified Cyber Resilience series of certification exams. As such, this textbook has been divided into two portions.

The first portion of the book focuses on the basics of the NIST Cybersecurity Framework. It is designed to aid in your studies for the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) certification exam. This portion consists of Chapter 2 through Chapter 7.

The second portion of the book focuses on the application of the NIST Cybersecurity Framework using the proprietary Cyber Risk Management Action Plan (CR-MAP), which operationalizes and applies the CSF for use in the real world. If you are studying for the Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification, you should focus on the second portion of the textbook but be aware that everything covered in the first portion is fair game on this examination, too. This portion consists of Chapter 8 through Chapter 11.

Throughout the textbook, we will pause and visit various real-world organizations to observe how they have implemented the NIST Cybersecurity Framework to increase cyber resilience within their organization. For each of these case studies, you gain insight into the successes achieved by various organizations across different industries and locations across the globe.

After the conclusion of the textbook, we have also included additional features to help you conquer the certification exams.

In Appendix A and Appendix B, you will find the exam objectives for each of the two certification exams, including the domains covered by each exam and their corresponding objectives.

To help you prepare for the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams, we have a full-length practice exam for each certification available for download at our website, https://www.akylade.com, which includes the practice exam, answer key, and explanations for each question.

If you fully understand the contents of this book and successfully complete the associated practice exam for the selected certification (scoring at least 85% or higher), you should be ready to take and pass your Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams on your first attempt!

AKYLADE CERTIFIED CYBER RESILIENCE FUNDAMENTALS (A/CCRF)

The Akylade Certified Cyber Resilience Fundamentals (A/CCRF) certification exam is an entry-level certification used to demonstrate that a candidate understands all the material aspects of the NIST Cybersecurity Framework, including:

• The origin and original purpose of the framework
• The applicability of the framework across industries and sectors
• The three fundamental parts of the framework: the Core, the Implementation Tiers, and the Profiles
• The five functions: Identify, Protect, Detect, Respond, and Recover, as well as the 23 categories (activities) and 108 subcategories (outcomes) spread across the five functions
• The purpose, utility, and intended use of the Implementation Tiers, Profiles, and Informative References
• The use of the framework for identifying, assessing, and managing cybersecurity risk

The Akylade Certified Cyber Resilience Fundamentals (A/CCRF) certification exam consists of 40 multiple-choice questions, which must be completed within 60 minutes. A minimum score of 700 points on a scale of 100-900 points is required to pass the certification exam. This certification exam is a closed-book examination, so candidates are not allowed to use any notes or study materials during their examination.

The current cost of the exam at the time of publication of this book is $125 (USD). To sit for the exam, you must pay this exam fee at the time of booking, purchase an exam voucher from Akylade’s website (www.akylade.com), or purchase a discounted exam voucher through one of our Authorized Training Partners (ATPs) as part of a course/voucher bundled offering. Please visit www.akylade.com/partners to view a complete list of Authorized Training Partners.

The certification exam can be taken online through Akylade’s testing partner, Certiverse (www.certiverse.com), through their online web proctoring service from the comfort of your home or office.

AKYLADE CERTIFIED CYBER RESILIENCE PRACTITIONER (A/CCRP)

The Akylade Certified Cyber Resilience Practitioner certification exam is an advanced-level certification for cybersecurity and information technology professionals interested in mastering cyber resiliency by applying the NIST Cybersecurity Framework to an organization’s specific situations and needs. This advanced-level certification thoroughly covers the NIST Cybersecurity Framework and how to apply it to a real-world organization using the Cyber Risk Management Action Plan (CR-MAP) process.

To pass the Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exam, you must demonstrate that you can implement and apply all the material aspects of the NIST Cybersecurity Framework, including:

• How to coordinate with management for organizational buy-in and how to establish risk profiles for organizations
• How to discover top organizational cybersecurity risks using rigorous prioritization methods
• How to create a personalized cybersecurity risk management strategy tailored to an organization’s unique requirements
• How to conduct maintenance and updates to the organization’s cybersecurity risk posture and how to perform continuous improvement

The Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exam consists of 30 multiple-choice questions, which must be completed within 90 minutes. These questions are all based on case studies from real-world organizations. You will be asked to analyze their organization and make recommendations to improve their cyber resiliency based on your knowledge of the NIST Cybersecurity Framework and the Cyber Risk Management Action Plan (CR-MAP) process. A minimum score of 700 points on a scale of 100-900 points is required to pass the certification exam. This certification exam is a closed-book examination, so candidates are not allowed to use any notes or study materials during their examination.

The current cost of the exam at the time of publication of this book is $200 (USD). To sit for the exam, you must pay this exam fee at the time of booking, purchase an exam voucher from Akylade’s website (www.akylade.com), or purchase a discounted exam voucher through one of our Authorized Training Partners (ATPs) as part of a course/voucher bundled offering. Please visit www.akylade.com/partners to view a complete list of Authorized Training Partners.

The certification exam can be taken online through Akylade’s testing partner, Certiverse (www.certiverse.com), through their online web proctoring service from the comfort of your home or office.

EXAM TIPS AND TRICKS

Before we dig into the contents of the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and the Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams, it is important for you to understand some exam tips and tricks that will help you improve your performance on these exams. By understanding these tips and tricks, you can better grasp how to study for the exam as you read through the rest of this textbook. It will help you focus your efforts to get the most out of this material.

The most important thing to remember when taking the certification exams is that there are no trick questions on test day. Every question is precisely worded to match the material that you are about to study in this textbook.

During the exam, you should read each question multiple times to ensure that you understand exactly what it’s asking and that you are answering the question being asked. Anytime you see the words ALWAYS or NEVER in an answer, think twice about selecting it. As in most things in life, rarely is there a case where something ALWAYS or NEVER applies to a given situation when using the NIST Cybersecurity Framework and the Cyber Risk Management Action Plan (CR-MAP) process.

As you read the questions and answers, you should be on the lookout for distractors or red herrings. Generally, at least one of these is listed in the possible answer choices to try to distract you from the correct answer. If you can identify the distractor, you can increase your chances of guessing the correct answer from the remaining answer choices provided.

Also, if you see part of a question with bold, italics, or all uppercase letters, you should pay close attention to those words, because the writers of the exam questions decided that those keywords are important to selecting the correct answer.

For the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) certification, you can rely on your knowledge of the NIST Cybersecurity Framework from this textbook, a video training program, or the official NIST publication, as the certification ties directly to the NIST publication.

When you sit for the Akylade Certified Cyber Resilience Practitioner (A/CCRP), you should only rely on official sources, such as this textbook or training received from one of Akylade’s Authorized Training Partners (ATP) certified to provide training for this certification exam. The reason for this is that the Akylade Certified Cyber Resilience Practitioner (A/CCRP) exam relies heavily on the implementation of the NIST Cybersecurity Framework using the Cyber Risk Management Action Plan (CR-MAP) process.

The CR-MAP process is not outlined or mentioned within the NIST Cybersecurity Framework itself or any of the NIST publications. This is because the CR-MAP is a proprietary framework and methodology created by Cyber Risk Opportunities to help operationalize the NIST Cybersecurity Framework and apply it to the daily operations of an organization during your future work as a cybersecurity practitioner or consultant.

Therefore, it is important to remember which concepts in the NIST Cybersecurity Framework and the Cyber Risk Management Action Plan process were covered in this textbook or an officially approved training course through an Authorized Training Partner, since you will see questions about this process and its application during your exam.

Remember, you will not see anything on the exam that was not covered by the official textbook. This textbook covers all the testable concepts within its pages, as these are the building blocks of the Akylade Certified Cyber Resilience curriculum and its associated certification exams. If you study the textbook properly, you will be setting yourself up for success.

On test day, you must answer the exam questions based on your knowledge of the NIST Cybersecurity Framework and CR-MAP process from this textbook, not from your own personal work experience. Your workplace may implement the NIST Cybersecurity Framework and its concepts differently due to its own unique situation or use cases. When in doubt, you should always select the textbook answer when answering a question on the certification exam, since that is what the official examination question writers used as the definitive source of information when creating the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and the Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams.

On exam day, you should seek to select the best answer from the options provided. We know that sounds a bit silly, but sometimes a question may have several right answers, and one is always the best, or most correct, answer.

In the world of cyber resilience and cybersecurity, there is rarely a recommendation or solution that is right 100% of the time. Instead, things tend to be more situational in the real world. The Akylade Certified Cyber Resilience Practitioner (A/CCRP) exam will simulate placing you into a real-world situation as a cyber resiliency consultant to provide advice, recommendations, or solutions to a fictional client during your certification exam. When in doubt, choose the answer that is correct in the greatest number of situations, and you should get the question correct on the exam.

On test day, you don’t have to memorize the terms of the official NIST Cybersecurity Framework publication from this textbook word for word. Instead, you must recognize the right terms from the multiple-choice options provided.

During certification exams, you will choose your answer from a multiple-choice style question instead of a fill-in-the-blank or essay question. This is an essential difference between certification testing and the tests you may have taken in high school or college. In the certification world, you just need to be able to recognize, not regurgitate, the information being asked on the exam.

As you read this textbook and study for your upcoming exam, remember that it is important to recall the keywords and definitions for the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) exam. For the fundamentals-level exam, you will be asked to define, recall, and explain various terms and parts of the NIST Cybersecurity Framework.

But, as you move into your studies for the Akylade Certified Cyber Resilience Practitioner (A/CCRP) exam, you’ll be focusing on the implementation and application of the NIST Cybersecurity Framework and the Cyber Risk Management Action Plan process in a variety of different situations based on real-world events and case studies provided to you. This makes the practitioner-level exam much more difficult than the fundamentals-level exam, since it requires a deeper understanding than simply memorizing terms or concepts and regurgitating them on test day.

SUMMARY

This book is a comprehensive guide designed to prepare readers to successfully complete the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and Practitioner (A/CCRP) certification exams. By focusing on the NIST Cybersecurity Framework, the text will equip an individual with no prior experience with the necessary knowledge and skills to implement, manage, and optimize the framework within an organization.
PART ONE

CYBER RESILIENCE

CHAPTER TWO

CYBERSECURITY FUNDAMENTALS

In this chapter, we are going to introduce some key cybersecurity concepts to ensure you have the necessary knowledge to navigate the complexities you will face while working in the cybersecurity industry.

Your understanding of the key cybersecurity terms is crucial as you begin to implement the NIST Cybersecurity Framework out in the field. Your familiarity with these terms will ensure that you can effectively communicate and collaborate with the variety of people involved in implementing the NIST Cybersecurity Framework, because everyone will be speaking the same language and misunderstandings and misinterpretations are reduced.

This chapter will be a review for those of you who have already passed any of the following industry certifications: CompTIA Security+, CompTIA CySA+, CompTIA PenTest+, CASP+, ISACA’s Certified Information Security Manager (CISM), ISC2’s Systems Security Certified Practitioner (SSCP), ISC2’s Certified Information Systems Security Professional (CISSP), or any equivalencies for these cybersecurity certification exams.

WHAT IS CYBERSECURITY?

Over the years, many terms have been used to describe the process of protecting networks and the data they contain. As you enter the industry, you may hear four different terms which sound the same but represent slightly different approaches to protecting your organization’s systems. These four terms are information security, information systems security, information assurance, and cybersecurity.

Information security refers to the protection of information and data assets from unauthorized access, use, disclosure, alteration, or destruction. It involves implementing security measures, policies, procedures, and controls to ensure information confidentiality, integrity, and availability. Information security focuses on protecting all forms of information, regardless of the technology or system used to store or transmit it.

For example, encrypting sensitive data stored on a server and implementing access controls to limit unauthorized access to a safe containing a top-secret printed report are both examples of information security measures.

Information systems security, on the other hand, specifically focuses on protecting computer systems and the associated infrastructure that store, process, transmit, and manage information. It encompasses the security measures, policies, and controls implemented to safeguard computer hardware, software, networks, and databases from unauthorized access, attacks, and disruptions. Information systems security aims to ensure the availability, integrity, and confidentiality of information processed by computer systems.

An example of information systems security is the deployment of firewalls, intrusion detection systems, and antivirus software to protect a company’s network infrastructure and systems from external threats.
14

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
Information assurance, also known as IA, is a new term in the
computer security field that arose over time. Information assurance is a
SE 3 2
broader concept encompassing the management and protection of
D @g
information assets, including information security and information systems
FO m
security. It emphasizes the holistic approach of ensuring confidentiality,
integrity, availability, and non-repudiation of information. Information
R ail.

assurance goes beyond technical controls and includes integrating people,


US co

processes, and technology to address risks related to information.


E m·

Information assurance also involves implementing policies,


ON A

procedures, training, and risk management frameworks to ensure the


proper handling and protection of information throughout its lifecycle. An
LY UG

example of information assurance is the development of a comprehensive


BY 22,

information security program that includes security policies, regular risk


assessments, security awareness training, incident response planning, and
: R 20

ongoing monitoring.
AM 23

Cybersecurity is a term that has gained significant prominence in


ES

recent years and is often used interchangeably with information


security. Cybersecurity specifically focuses on protecting computer systems,
H

networks, and digital information from cyber threats, which include


AM

unauthorized access, cyber-attacks, data breaches, and other malicious


activities conducted through digital means. Cybersecurity involves a
GA

combination of technical, operational, and managerial measures to identify,


I

protect, detect, respond to, and recover from cyber incidents.

Cybersecurity is preferred over information assurance when


addressing the unique challenges posed by the interconnectedness and
digital nature of modern technology. Some examples of Cybersecurity
measures include implementing multi-factor authentication, conducting
regular vulnerability assessments, and establishing incident response plans.

Many of these terms sound quite similar, but there are some
distinctions between them that you should be aware of. Information
security and information systems security have several overlapping areas of
focus, with information security encompassing a broader scope that
includes both information and the systems that process it. Information

15

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
systems security, on the other hand, specifically focuses on protecting just
computer systems and associated infrastructure.
SE 3 2
D @g
Information assurance, though, is considered a more
comprehensive approach that incorporates both information security and
FO m

information systems security, emphasizing the integration of people,


R ail.
processes, and technology to manage an organization’s information risks.
US co

Finally, cybersecurity is the most recently used term, and it emphasizes


protecting against cyber threats that are specific to the digital realm to
E m·

address the unique challenges posed by technology interconnectivity and


ON A

digital attacks.
LY UG

It is important to understand the distinction between these three


terms from a theoretical perspective because many cybersecurity
BY 22,

certification exams will focus on these distinctions in their questions. In the


: R 20

real world, you will often see these terms used interchangeably by
practitioners in the field or one term being preferred over another based on
AM 23

the practitioner’s previous work experience.


ES

The changing of these terms over time has also affected higher
H

education’s naming schemas for their degrees. For example, from 2008-
AM

2015, most degrees in computer security were termed information


assurance, but since 2015 most degrees now opt to use the term
GA

cybersecurity. Similarly, any degrees in this area of study earned before 2008
were almost exclusively termed as information systems Security or the even
I

older term, computer security.

THE CIANA PENTAGON

The CIANA Pentagon refers to the five core principles of


cybersecurity that form the foundation for protecting digital assets and
maintaining secure environments: confidentiality, integrity, availability, non-
repudiation, and authentication. As an aspiring cybersecurity consultant, it is
imperative that you have an understanding of these core principles as you
apply the NIST Cybersecurity Framework within an organization.

Confidentiality in cybersecurity refers to the protection of


sensitive information from unauthorized access or disclosure by ensuring

16

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
that only authorized individuals or entities can access and view confidential
data.
SE 3 2
D @g
For example, encrypting sensitive customer data stored in a
database ensures confidentiality by rendering the information unreadable
FO m

without the proper decryption key, even if an attacker steals it. By


R ail.
safeguarding confidential information, organizations can mitigate the risk of
US co

data breaches and unauthorized disclosures, thereby maintaining the trust


of their stakeholders and meeting compliance requirements associated with
E m·

various privacy regulations.


ON A

Integrity ensures that data remains accurate, consistent, and


LY UG

unaltered throughout its lifecycle by protecting it against unauthorized


modification, deletion, or corruption.
BY 22,
: R 20

For instance, cryptographic hashing algorithms can be used to


detect changes in data by generating unique hash values known as a hash
AM 23

digest. By comparing the hash digest of the original data with the
recalculated hash digest, integrity violations can be detected, ensuring the
ES

data’s trustworthiness and preventing tampering or unauthorized


H

modifications to the critical data contained within your information


AM

systems.
GA

Availability refers to the accessibility and usability of digital assets


and services when needed. In cybersecurity, ensuring availability means
I

protecting against disruptions or denial of service that may render systems


or resources inaccessible to legitimate users.

For example, implementing redundant systems and robust backup


strategies can mitigate the impact of hardware failures, natural disasters, or
cyber-attacks. This can ensure that critical services and resources remain
available and operational for your organization’s authorized users.

Non-repudiation is the assurance that the originator of a digital


communication or transaction cannot deny their involvement or the
authenticity of the data being exchanged.

In cybersecurity, cryptographic techniques such as digital signatures


can provide non-repudiation by using a hashing algorithm to generate a
17

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
unique hash value for the message and then encrypting that value with the
sender’s private key. By digitally signing a document or message using this
SE 3 2
digital signature, the sender can prove their identity by encrypting the hash
D @g
digest with their private key and ensuring the integrity of the information
FO m
being exchanged through the hash digest itself, thereby preventing any
subsequent denial of their involvement in the data exchange.
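As an added illustration of the integrity check and the hash-then-sign scheme described above (example code, not the book's), the following Python compares SHA-256 digests to detect tampering and then produces a textbook RSA signature over the digest exactly as the text describes it: the digest is raised to the private exponent, and anyone holding the public exponent recovers it. The key pair is built from two fixed Mersenne primes purely so the example runs offline; the function names and the sample messages are constructed for this demonstration.

```python
import hashlib
from math import gcd

# Textbook RSA key pair from two fixed Mersenne primes (constructed for this
# demonstration only; real keys are generated from random primes of adequate size).
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                    # public modulus, about 648 bits, so any 256-bit digest fits
E = 65537                    # public exponent
_PHI = (P - 1) * (Q - 1)
assert gcd(E, _PHI) == 1     # E must be invertible modulo phi(N)
D = pow(E, -1, _PHI)         # private exponent (modular inverse; Python 3.8+)


def hash_digest(message: bytes) -> str:
    """Integrity building block: the SHA-256 hash digest of a message, as hex."""
    return hashlib.sha256(message).hexdigest()


def integrity_intact(original_digest: str, received: bytes) -> bool:
    """Recalculate the digest over the received copy and compare it with the
    digest recorded for the original; any change to the data flips the result."""
    return hash_digest(received) == original_digest


def sign(message: bytes, private_exponent: int = D) -> int:
    """Non-repudiation: 'encrypt' the hash digest with the sender's private key.
    Only the holder of the private exponent can produce this value."""
    digest_int = int(hash_digest(message), 16)
    return pow(digest_int, private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recover the digest from the signature with the public key and compare it
    with a freshly computed digest of the message that was actually received."""
    recovered = pow(signature, public_exponent, N)
    return recovered == int(hash_digest(message), 16)


if __name__ == "__main__":
    msg = b"Transfer $10,000 to account 1234"      # constructed sample message
    tampered = b"Transfer $90,000 to account 1234"  # one digit changed in transit
    digest = hash_digest(msg)
    sig = sign(msg)
    print("integrity intact:", integrity_intact(digest, msg))          # True
    print("tampering detected:", not integrity_intact(digest, tampered))  # True
    print("signature verifies:", verify(msg, sig))                      # True
    print("signature over tampered message:", verify(tampered, sig))   # False
```

Production systems use a padded signature scheme such as RSA-PSS or an elliptic-curve signature from a vetted library rather than raw exponentiation of the digest; the structure (hash, sign with the private key, verify with the public key) is the same.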
Authentication verifies the identity of individuals or entities attempting to access digital systems or resources. It ensures that only authorized users gain entry and prevents unauthorized access by impostors or malicious actors. In cybersecurity, authentication methods include passwords, biometrics, and multi-factor authentication.

For instance, requiring users to provide a unique username and password, along with a fingerprint scan or a one-time verification code sent to their mobile device, would be considered a form of multi-factor authentication. Multi-factor authentication is currently considered the strongest form of authentication. It is used to thwart attempted unauthorized access by an attacker.

The CIANA Pentagon encapsulates five foundational pillars of cybersecurity: confidentiality, integrity, availability, non-repudiation, and authentication. In order to safeguard digital assets, you will need a comprehensive understanding of these principles. In short, remember that confidentiality protects sensitive information, integrity ensures data remains unaltered, availability ensures resources are accessible, non-repudiation prevents denial of involvement, and authentication verifies user identities. By mastering these concepts over time, you will be well-equipped to protect digital systems, preserve privacy, and ensure the security of digital assets in an ever-evolving threat landscape.
CYBERSECURITY INCIDENTS

A cybersecurity incident is any unauthorized or malicious event that compromises the confidentiality, integrity, or availability of an organization’s digital assets, systems, or networks. In 2022, the average cost of cleaning up a data breach was $4.2 million per cybersecurity incident at companies worldwide. Each of these cybersecurity incidents results from a vulnerability being exploited by a threat.

Often, people who are new to the cybersecurity industry will use the words threat and vulnerability interchangeably. However, they are not technically the same thing, and you must know the difference between them.

A threat is defined as any potential source or actor that has the capability to exploit a vulnerability, weakness, or flaw in a way that causes harm to an organization’s digital systems, networks, or data. An even more generic way to think about this is that a threat is a person or event that has the potential to impact a valuable resource in some negative manner. So, cybercriminals or nation-state actors might be a threat if they wish to steal your organization’s confidential data, but a hurricane is also a threat because it could cause a power outage that would render your network and systems unusable.

A vulnerability, on the other hand, refers to a weakness or flaw in a system, network, or software that a threat actor can exploit to compromise the security and integrity of digital assets. What makes something a vulnerability is a quality or characteristic within a given resource or its environment that might allow the threat to be realized.

If there is any weakness in the system design, implementation, or software code, or a lack of preventative mechanisms within an organization’s information systems, then a vulnerability exists within them. For example, if the organization utilizes an end-of-life version of Microsoft Windows on its file servers, this would be classified as a vulnerability.

Similarly, if the organization only has a battery backup system for its servers that would last only 15 minutes during a power outage, then the organization is vulnerable to power outages that could be caused by inclement weather. This vulnerability can be mitigated by implementing a longer-term power generation capability, like a diesel generator, to supplement the backup power. But if no longer-term power generation capability exists within the organization, then a hurricane could cause the systems to lose power completely after only 15 minutes.

RISK

Threats and vulnerabilities are directly linked to determining the amount of risk that an organization faces. Risk refers to the potential for loss, damage, or harm resulting from threats exploiting vulnerabilities in digital systems or assets.

In fact, risk is used to measure the likelihood and impact of a given threat exploiting a given vulnerability. This is expressed mathematically as a formula where risk equals the threat multiplied by the vulnerability.

Risk = Threat x Vulnerability

If the threat increases while the vulnerability remains the same, then the overall risk will increase.

Risk (↑) = Threat (↑) x Vulnerability (↔)

If the vulnerability increases while the threat remains the same, then the overall risk will increase.

Risk (↑) = Threat (↔) x Vulnerability (↑)

If an organization wants to keep its risk at a given level, then as the vulnerability increases, countermeasures must be put into place to reduce the threat of exploitation.

Risk (↔) = Threat (↓) x Vulnerability (↑)

On the other hand, if the threat increases, then the organization must reduce the vulnerability’s exposure to maintain the same level of risk.

Risk (↔) = Threat (↑) x Vulnerability (↓)

In order to have risk, you must have both a threat and a vulnerability. This is obvious when you look at the mathematical formulas presented, because if either the threat or the vulnerability is zero, the risk would also equal zero.

Let’s consider an example to put this concept into perspective. Assume that you are an iPhone user and you just heard about a new piece of malware that is infecting smartphones. This threat concerns you, so you do some additional research and discover that this piece of malware (threat) can only be used against the Android operating system (vulnerability). Since you are running iOS on an iPhone, your system has no vulnerability to this threat. Therefore, your risk is zero regarding this specific piece of malware, so you do not need to worry about it.

Conversely, let’s pretend you are the only person living on Mars. If you are worried that someone might steal your laptop because you left the front door to your Martian home unlocked, fear not, because this vulnerability cannot be exploited as there is no threat. There is no one else on the entire planet, so there is no threat actor to exploit the vulnerability. Since there is zero threat, there is also zero risk.

The bottom line is that for a risk to exist, you must have both a threat that can exploit a given vulnerability and the vulnerability itself present in the organization’s systems. If there is no threat to exploit a vulnerability, or no vulnerability for the threat actor to exploit, then there cannot be a risk, negative consequence, or cybersecurity incident. This is how threats and vulnerabilities are linked together, and it is a very important concept to understand as you begin your journey into cybersecurity.
SUMMARY

In this chapter, we explored some essential cybersecurity concepts as we laid the foundation for the rest of your journey into cyber resiliency. By understanding key terms such as information security, information systems security, information assurance, and cybersecurity, you should have gained some insight into the nuances and distinctions of the language used by practitioners in the field.

The CIANA Pentagon was also introduced, comprising the five core principles of confidentiality, integrity, availability, non-repudiation, and authentication. These five principles form the bedrock of cybersecurity and ensure the protection and secure management of digital assets within our organizations. Additionally, we examined the relationship between threats and vulnerabilities, emphasizing the fact that both elements must be present for risk to exist.

By mastering the key concepts covered in this chapter, you will have acquired a solid understanding of the fundamentals required to excel in the cybersecurity field. The knowledge gained on cybersecurity principles, threat and vulnerability interactions, and a basic understanding of what creates a risk to an organization will lay a strong foundation for your effective implementation of cybersecurity measures in the future. As we move forward in subsequent chapters, this understanding will serve as a valuable framework for applying the NIST Cybersecurity Framework and addressing the complex challenges of securing digital environments.

CHAPTER THREE

RISK MANAGEMENT FUNDAMENTALS

In the previous chapter, we introduced the concept of risk. Before delving into the NIST Cybersecurity Framework, it is crucial to establish a solid understanding of risk management fundamentals. This comprehensive overview will equip you with the necessary knowledge and terminology for navigating the cybersecurity industry’s intricate landscape. By grasping the key concepts and principles of risk management, you will be well-prepared to effectively identify, assess, and mitigate risks, ensuring the security and resilience of digital systems and assets.

Before you can effectively identify and prioritize cybersecurity risks in support of an organization’s risk appetite and strategic objectives, you must first gain an understanding of proper risk analysis, risk assessment, and risk mitigation strategies. Your knowledge of risk management fundamentals will also allow you to make informed recommendations or decisions throughout the implementation process by evaluating the cost-effectiveness of different cybersecurity measures, determining appropriate risk responses, and prioritizing resource allocations.
THE RISK MANAGEMENT LIFECYCLE

Risk management is considered to be a fundamental process in achieving cyber resilience. Risk management is the systematic process of identifying, assessing, prioritizing, and mitigating potential risks to an organization’s digital systems, networks, data, and assets to ensure their confidentiality, integrity, and availability. Conducting proper risk management processes is crucial to effectively managing an organization’s risks within the ever-changing cybersecurity landscape.

Risk management and its associated processes form what is referred to as the risk management lifecycle. The risk management lifecycle provides a systematic and iterative approach to managing risks by encompassing several phases: risk identification, risk assessment, risk response planning, risk mitigation, and ongoing risk monitoring and review.

The risk management lifecycle ensures that risks are continually assessed, prioritized, and addressed in a structured manner. The lifecycle enables organizations to adapt their risk management strategies based on evolving threats, business environment changes, and the effectiveness of implemented controls. By following the risk management lifecycle, organizations can establish a proactive and resilient approach to managing risks.
PHASE ONE: RISK IDENTIFICATION

The risk management lifecycle begins with risk identification, where potential risks are identified through various methods such as risk assessments, threat intelligence, and stakeholder input. The term stakeholder refers to an individual or group with an interest or influence in the organization’s digital systems and assets, whose perspectives and requirements may shape risk management strategies and decisions.

For example, the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and Chief Information Security Officer are all examples of key stakeholders in most organizations, but so are the system administrators, business users, and other employees who rely on the organization’s digital systems on a daily basis.

Another key stakeholder that coordinates with your organization may be your suppliers. A supplier is an external entity that provides goods, services, or resources to an organization. Assessing the risks associated with suppliers is crucial to ensure they meet the organization’s security and compliance requirements, minimizing potential vulnerabilities and threats introduced through their products or services. For example, if your organization uses Amazon Web Services’ cloud-based infrastructure, then Amazon is both your supplier and a key stakeholder to consider as you begin to identify and manage your organization’s risk profile.

The risk identification phase involves systematically identifying vulnerabilities, threats, and potential consequences that could impact the organization’s objectives. During the risk identification phase, it is also important to work with the organization’s key stakeholders to determine the organization’s risk appetite.

An organization’s risk appetite refers to the organization’s willingness and tolerance level for accepting potential risks related to its digital systems and assets, guiding decision-making processes to align risk management strategies with business objectives and priorities.

For instance, an organization with a low risk appetite, such as a financial institution handling sensitive customer data, may prioritize extensive security controls and stringent compliance measures to minimize the likelihood of data breaches. This organization might invest heavily in robust encryption mechanisms, implement strict access controls, and regularly conduct vulnerability assessments to ensure a high level of protection.

In contrast, a technology-based startup operating in the fast-paced Silicon Valley environment may have a higher risk appetite and be more willing to accept the risks that come with innovation and rapid growth. Due to this higher risk appetite, the organization might adopt agile development methodologies, embrace emerging technologies, and allocate resources to explore cutting-edge solutions while acknowledging that some vulnerabilities or risks may arise as a result of this more dynamic approach.

This is why it is important to understand the risk appetite of any organization you might be working in. Your recommendations to help manage risk need to be in alignment with the organization’s risk appetite so that you can match the appropriate risk management strategies to that organization and ensure a balance between increasing system security, growing the business, and meeting its overall strategic objectives.

During the risk identification phase, each identified risk should be recorded in a risk register. A risk register is a centralized document or database that systematically records and tracks identified risks, along with their attributes, assessment results, and corresponding risk management actions, to facilitate effective risk monitoring and mitigation. This risk register is created initially during the risk identification phase, while the remainder of the information is added to each risk as the organization works through the remaining phases of the risk management lifecycle.
PHASE TWO: RISK ASSESSMENT

Once the risks have been identified, the next phase is conducting a risk assessment. During the risk assessment, risks are analyzed and evaluated to determine their likelihood of occurrence and their potential impact. By conducting a comprehensive risk analysis, organizations gain insights into the significance and prioritization of each risk that was identified in the risk identification phase.

During the risk assessment phase, the risk analysis process plays a pivotal role in understanding and quantifying the identified risks. Risk analysis involves evaluating the likelihood of a risk occurring and assessing its potential impact on the organization’s digital systems and assets. There are different approaches to conducting risk analysis, including the use of qualitative, quantitative, and hybrid methods.

In qualitative risk analysis, risks are assessed based on subjective judgments, such as rating the likelihood and impact of a risk using a scale instead of numerical metrics or figures. The term likelihood refers to the probability of a risk event occurring, while impact refers to the magnitude of its consequences.

By assigning qualitative values using a scale such as low, medium, or high for each of these factors, an organization can gain a broad understanding of the risks’ significance and prioritize them accordingly within the risk register.

For example, a high likelihood and high impact risk would require immediate attention and mitigation measures, while a low likelihood and low impact risk may be considered a lower priority. These resulting prioritizations can also help the organization determine which risks should receive more or fewer resources to be mitigated or resolved.

Quantitative risk analysis, on the other hand, involves evaluating risks using numerical values and metrics to assess the financial impact and frequency of risk events. This approach allows organizations to assess risks in a more objective and measurable manner. Some common values used with quantitative risk analysis are the Single Loss Expectancy (SLE), the Annualized Loss Expectancy (ALE), and the Annualized Rate of Occurrence (ARO).

Single loss expectancy (SLE) is a metric used to estimate the potential financial loss an organization may experience from a single occurrence of a risk event. The single loss expectancy is equal to the asset value (AV) multiplied by the exposure factor (EF).

SLE = AV x EF

The asset value represents the financial worth of the asset at risk, while the exposure factor represents the percentage of that value that would be lost if the asset were compromised. For example, if an organization’s web server has an asset value of $100,000 and the exposure factor for a specific risk is determined to be 60%, the SLE would be $60,000.

This means that in the event that the risk materializes, the organization could potentially face a financial loss of $60,000. Understanding the SLE allows organizations to prioritize their risk mitigation efforts based on the potential financial impact of each risk.

Annualized loss expectancy (ALE) is a metric used to estimate the expected financial loss over a specified time period resulting from a particular risk. The annualized loss expectancy is equal to the single loss expectancy multiplied by the annualized rate of occurrence.

ALE = SLE x ARO

The annualized rate of occurrence (ARO) is a crucial metric in cybersecurity that represents the estimated frequency at which a specific risk event is expected to occur within a year. The annualized rate of occurrence is used in conjunction with other risk metrics, such as the single loss expectancy and the annualized loss expectancy, to assess the potential financial impact of risks. For example, if a particular risk event is expected to occur three times every ten years, the annualized rate of occurrence would be 3/10 or 0.3.

The annualized loss expectancy can be calculated using the annualized rate of occurrence and the single loss expectancy. For example, if the SLE for a specific risk is determined to be $50,000 and the ARO is estimated to be 0.2 (meaning the risk is expected to occur 0.2 times per year, or about once every five years), then the ALE would be $10,000 ($50,000 x 0.2). This indicates that, on average, the organization can expect to face a financial loss of $10,000 per year due to that specific risk.

Many organizational leaders prefer to use quantitative risk analysis over qualitative risk analysis because it provides a more exact value for each risk identified. By quantifying risks in monetary terms, organizations can prioritize their mitigation efforts based on potential financial impact.

Unfortunately, it is often hard to calculate the exact value for each risk because it could take significant time and resources to identify the asset value, exposure factor, and annualized rate of occurrence for each identified risk in your risk register. Therefore, in some cases, a hybrid risk analysis approach may instead be employed.

A hybrid risk analysis combines qualitative and quantitative approaches to assess risks by incorporating both subjective judgments and numerical metrics to understand the likelihood, impact, and financial implications of the identified risks. This combined approach can provide a more comprehensive understanding of risks by leveraging the strengths of both methods. It allows organizations to consider factors beyond purely monetary assessments, such as reputation, regulatory compliance, and operational disruptions. By combining these approaches, organizations can gain a nuanced perspective on the risks’ potential consequences and make informed decisions about risk mitigation strategies.

By conducting risk analysis through qualitative, quantitative, or hybrid approaches, organizations can effectively evaluate and prioritize the risks identified during the risk identification phase. This process enables them to allocate resources, implement appropriate risk management measures, and focus their efforts on mitigating the risks that pose the most significant threats to their cybersecurity posture and overall resilience.


: R 20

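The ALE arithmetic and the hybrid prioritization described above, as an added example in Python that is not from the book: the 1-5 qualitative scales, the rule that blends them with ALE, the risk appetite figure and the sample register are all assumptions made for this illustration.

```python
"""Quantitative and hybrid risk analysis over a small risk register.

Added example, not taken from the book. The SLE x ARO = ALE arithmetic
follows the chapter; the 1-5 qualitative scales and the way they are
blended with ALE are assumptions chosen for this illustration.
"""
from dataclasses import dataclass
from typing import Optional


def aro_from_frequency(events: float, years: float) -> float:
    """Annualized rate of occurrence: expected events per year
    (3 events in 10 years -> 0.3)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return events / years


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x ARO."""
    return sle * aro


@dataclass
class Risk:
    name: str
    # Quantitative inputs; unknown for risks that were only rated qualitatively.
    sle: Optional[float] = None
    aro: Optional[float] = None
    # Qualitative inputs on an assumed 1-5 scale (1 = lowest).
    likelihood: Optional[int] = None
    impact: Optional[int] = None

    def quantitative_ale(self) -> Optional[float]:
        if self.sle is None or self.aro is None:
            return None
        return ale(self.sle, self.aro)

    def qualitative_score(self) -> Optional[int]:
        if self.likelihood is None or self.impact is None:
            return None
        return self.likelihood * self.impact  # 1..25


def hybrid_priority(risk: Risk, appetite_per_year: float) -> float:
    """Blend ALE and qualitative score into one comparable priority.

    Assumed rule: a quantified risk scores ALE / annual risk appetite, so
    1.0 means "exactly at appetite".  A qualitatively rated risk scores
    (likelihood x impact) / 25, so the worst rating also lands at 1.0.
    When both inputs exist, the higher score wins (conservative choice).
    """
    candidates = []
    quantified = risk.quantitative_ale()
    if quantified is not None:
        candidates.append(quantified / appetite_per_year)
    rated = risk.qualitative_score()
    if rated is not None:
        candidates.append(rated / 25.0)
    if not candidates:
        raise ValueError(f"{risk.name}: no quantitative or qualitative input")
    return max(candidates)


def rank_register(register, appetite_per_year: float):
    """Return (name, priority) pairs, highest priority first."""
    scored = [(r.name, hybrid_priority(r, appetite_per_year)) for r in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register (values invented for the example).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", sle=200_000, aro=aro_from_frequency(1, 4)),
    Risk("Laptop theft", sle=5_000, aro=aro_from_frequency(3, 1)),
    Risk("Reputational harm from breach", likelihood=3, impact=5),
    Risk("Data-center flood", sle=50_000, aro=0.2),
]

if __name__ == "__main__":
    for name, priority in rank_register(SAMPLE_REGISTER, appetite_per_year=40_000):
        print(f"{priority:6.2f}  {name}")
```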
PHASE THREE: RISK PLANNING

After completing the risk assessment, the organization will begin the risk response planning phase. Organizations develop strategies and action plans during this phase to address their identified risks. Risk response actions include risk acceptance, risk avoidance, risk transference, or risk mitigation.

Risk acceptance is a risk response action that involves acknowledging the existence of a risk and choosing not to take further action to avoid, transfer, or mitigate it. Organizations may opt for risk acceptance when the cost of implementing risk mitigation measures outweighs the potential impact of the risk.

For example, a small business may accept the risk of a minor data breach due to limited resources and instead focus on investing those limited resources in its core business operations. While risk acceptance does not eliminate the risk, organizations can monitor the risk and be prepared to respond if the impact exceeds the acceptable threshold based on the organization’s risk appetite.

Risk avoidance is a risk response action that aims to eliminate or minimize risks by avoiding activities or situations that pose a significant threat. This can be achieved by modifying business processes, technologies, or operational practices.

For instance, an organization may choose to avoid the risk of a third-party data breach by maintaining strict in-house data storage and processing capabilities instead of relying on external service providers. Organizations avoid potential risks by eliminating their exposure to certain threats and vulnerabilities.

Risk transference is a risk response action that involves shifting the potential impact of a risk to a third party, typically through contracts, agreements, or insurance policies. An organization may transfer risk when it lacks the expertise, resources, or desire to handle certain risks internally.

For example, an organization might transfer the risk of financial losses resulting from cyber-attacks to an insurance provider by obtaining a cybersecurity insurance policy. By transferring the risk, organizations can mitigate the financial impact and share the responsibility of managing the risk with a third party.

Risk mitigation is a risk response action that focuses on reducing the impact or likelihood of a risk event by implementing controls, safeguards, and countermeasures. Mitigation measures can include technical solutions, process improvements, employee training, and policy enforcement.

For instance, an organization might mitigate the risk of unauthorized access to its network by implementing multi-factor authentication, encryption, and regular security patch updates on its systems. Risk mitigation aims to minimize the potential consequences of risk and enhance the organization’s resilience to cyber threats.

By considering these different risk response actions, organizations can make informed decisions on how to address risks based on their risk appetite, available resources, and the specific characteristics of each risk. It is essential to select the appropriate risk response strategy for each risk to optimize the allocation of resources and protect the organization’s critical assets and operations.
PHASE FOUR: RISK MITIGATION

After completing the risk response planning phase, organizations should move into the risk mitigation phase. The risk mitigation phase occurs when the organization implements its chosen risk response strategies by deploying appropriate controls, policies, procedures, and technical measures to reduce vulnerabilities and minimize the impact of potential threats. Risk mitigation is a crucial component of the risk management lifecycle as it aims to actively reduce the likelihood and severity of risks, thereby enhancing the organization’s overall cybersecurity posture and resilience.

During the risk mitigation phase, organizations will identify specific measures and actions to address the identified risks effectively. This involves a systematic and comprehensive approach to implementing controls and safeguards tailored to the unique characteristics of each risk. These measures are designed to strengthen the organization’s security infrastructure, enhance incident response capabilities, and protect critical assets and systems from potential threats.

The implementation of technical controls and measures is a key aspect of risk mitigation, which can involve the deployment of firewalls, intrusion detection systems, encryption technologies, access controls, and other security solutions that help prevent unauthorized access, detect anomalies, and protect sensitive data. Technical controls play a vital role in reducing vulnerabilities, fortifying network perimeters, and ensuring secure configurations of hardware and software systems.

Alongside technical controls, though, an organization must also establish and enforce robust operational procedures and policies. This includes defining clear guidelines for access management, incident response, data handling, change management, and employee awareness and training programs. By fostering a strong security culture and ensuring adherence to established procedures, organizations can mitigate risks arising from human error, negligence, or malicious intent and maintain a resilient cybersecurity environment.
PHASE FIVE: RISK MONITORING AND REVIEW

The final phase of the risk management lifecycle is ongoing risk monitoring and review. This phase involves continuously monitoring the effectiveness of risk mitigation measures, identifying new risks, and reassessing existing risks as the business and threat landscape evolves. Regular reviews and updates to the risk register ensure that risk management strategies remain aligned with the organization’s objectives and risk appetite.

An organization’s continual monitoring and assessment can ensure the effectiveness of its implemented controls. The organization should conduct regular vulnerability scans, penetration testing, and security audits to identify emerging risks or potential weaknesses. By proactively identifying and addressing vulnerabilities and evolving threats, organizations can adapt their risk mitigation strategies and prevent potential risks from being exploited.

By adhering to the risk management lifecycle, organizations can establish a robust and proactive approach to risk management. This enables them to enhance their overall cyber resilience by effectively identifying, assessing, and mitigating risks within their systems.
INHERENT RISK AND RESIDUAL RISK

When working within the risk management lifecycle, it is essential to understand the concepts of inherent risk and residual risk. Distinguishing inherent from residual risk allows an organization to make more informed decisions and allocate resources effectively throughout the risk management lifecycle processes. This enables it to focus on reducing risks to an acceptable level and ensure the ongoing security and resilience of its systems and operations.

Inherent risk refers to the level of risk in an organization’s systems or processes without any control measures or risk mitigation efforts. This type of risk represents the potential impact and likelihood of a risk event occurring before any risk mitigation actions have been taken.

For example, a company’s inherent risk of a data breach might be high if it stores sensitive customer information without encryption or proper access controls in place.

Residual risk, on the other hand, refers to the level of risk that remains after implementing risk mitigation measures. This type of risk represents the risk that persists despite the organization’s efforts to reduce it through controls and safeguards. Residual risk considers the effectiveness of the implemented risk response strategies in reducing the likelihood and impact of risks.

For instance, even after implementing encryption and access controls, a company may still have a residual risk of a data breach due to the possibility of an insider threat, an advanced persistent threat, or an emerging vulnerability that was just discovered.

Differentiating between inherent and residual risks is crucial in the risk mitigation process. By assessing inherent risk, organizations understand the baseline risk landscape. They can identify areas where significant vulnerabilities or threats exist. This information helps inform the selection and implementation of appropriate risk response strategies.

After implementing these strategies, organizations evaluate the residual risk to determine if it falls within acceptable levels based on the organization’s risk appetite and strategic objectives. If the residual risk is deemed too high, additional risk mitigation measures may be necessary to further reduce the risk to an acceptable level.
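A worked comparison of inherent and residual risk against a risk appetite, added here as an example and not part of the book: inherent risk is the ALE before controls (SLE × ARO, as in the chapter), while the per-control effectiveness model, the accept-or-mitigate-further rule and all figures are assumptions made for this illustration.

```python
"""Inherent vs. residual risk for a single register entry.

Added example, not from the book. Inherent risk is the ALE before any
controls (SLE x ARO, as in the chapter). The residual-risk model (each
control removes an assumed fraction of either the likelihood or the
impact) and the accept / mitigate-further rule are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    reduces: str          # "likelihood" or "impact"
    effectiveness: float  # fraction removed, 0.0 .. 1.0

    def __post_init__(self):
        if self.reduces not in ("likelihood", "impact"):
            raise ValueError(f"{self.name}: reduces must be likelihood or impact")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be within [0, 1]")


@dataclass
class Risk:
    name: str
    sle: float   # single loss expectancy before controls
    aro: float   # annualized rate of occurrence before controls
    controls: list = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Risk level with no control measures in place."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Risk level that remains once each control is applied
        multiplicatively to the term it reduces."""
        sle, aro = self.sle, self.aro
        for control in self.controls:
            if control.reduces == "likelihood":
                aro *= 1.0 - control.effectiveness
            else:
                sle *= 1.0 - control.effectiveness
        return sle * aro


def evaluate(risk: Risk, appetite_per_year: float) -> dict:
    """Compare residual risk with the annual risk appetite.

    Decision is "accept" when the residual ALE is within appetite and
    "mitigate further" otherwise (more controls needed, as the chapter
    describes for residual risk that is deemed too high).
    """
    inherent = risk.inherent_ale()
    residual = risk.residual_ale()
    return {
        "risk": risk.name,
        "inherent_ale": inherent,
        "residual_ale": residual,
        "reduction": (1.0 - residual / inherent) if inherent else 0.0,
        "decision": "accept" if residual <= appetite_per_year else "mitigate further",
    }


# Constructed scenario: a breach of unencrypted customer data (high inherent
# risk), followed by encryption and access controls as mitigation.
BREACH = Risk(
    "Customer data breach",
    sle=500_000,
    aro=0.5,
    controls=[
        Control("Encryption at rest", reduces="impact", effectiveness=0.6),
        Control("Access controls + MFA", reduces="likelihood", effectiveness=0.7),
    ],
)

if __name__ == "__main__":
    print(evaluate(BREACH, appetite_per_year=50_000))
```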
BUSINESS IMPACT ANALYSIS

A business impact analysis (BIA) is a critical process in risk management that examines the potential impacts of disruptions on an organization’s systems, processes, and operations. It involves a systematic evaluation to identify and prioritize critical systems and functions, assess their dependencies and interdependencies, and establish recovery objectives. By conducting a comprehensive business impact analysis, an organization will gain valuable insights into the potential consequences of disruptions and develop strategies to minimize their impact, enhance resilience, and ensure the continuity of essential business activities.

There are several important terms associated with a business impact analysis that cybersecurity professionals should be aware of, including recovery time objective, recovery point objective, mean time to recover, mean time between failures, single point of failure, mission essential functions, and critical systems.

The recovery time objective (RTO) is the targeted duration within which a business process or system must be restored after a disruption to avoid significant impacts. It defines the maximum tolerable downtime for a specific process or system.

For example, an e-commerce website may have an RTO of four hours, meaning that it must be back online within four hours of an incident to minimize financial losses and customer dissatisfaction.

The recovery point objective (RPO) determines the maximum acceptable amount of data loss that an organization can tolerate. It identifies the point in time to which data must be recovered following a disruption.

For instance, a financial institution may have an RPO of one hour, meaning that the recovery process should restore data up to the latest available backup taken within the last hour to ensure minimal data loss.

The mean time to recover (MTTR) represents the average time required to restore a failed system or process to full functionality after an incident. This metric measures the efficiency of the organization’s recovery process. Organizations strive to minimize MTTR to reduce the duration of service disruptions.

For instance, if a critical system experiences a failure, the system administration team may work to ensure the MTTR is less than two hours to minimize the impact on business operations across the organization.

The mean time between failures (MTBF) is the average duration between two consecutive system or component failures. This metric is used to quantify the reliability and availability of a system. A longer MTBF indicates a more reliable system, while a shorter MTBF suggests a higher frequency of failures and potential disruptions.

A single point of failure (SPOF) refers to a component or resource that, if it fails, would cause a complete failure of an entire system or process. It represents a vulnerability that can significantly impact operations.

For example, if a critical server is the single point of failure for an organization’s network, its failure would result in a complete network outage.

Mission essential functions (MEFs) are the key activities or processes that an organization must perform to maintain its core operations and fulfill its mission. Identifying MEFs is crucial in prioritizing resources and developing recovery strategies.

For example, a financial institution’s mission essential functions might include processing customer transactions, maintaining account balances, and ensuring regulatory compliance.

A critical system is one whose failure or disruption would significantly impact the organization’s ability to deliver essential services or fulfill its mission. Identifying critical systems involves identifying the systems and components that are vital to the organization’s operations. Organizations can focus their risk mitigation efforts by identifying critical systems and allocating resources accordingly. If a system is deemed critical, it naturally should receive more resources and attention than one that is not considered critical.

By conducting a thorough business impact analysis, an organization can better understand the potential consequences of disruptions, establish its recovery objectives, and prioritize its risk mitigation efforts. By defining the RTO, RPO, MTTR, and MTBF, addressing single points of failure, identifying mission essential functions, and recognizing critical systems, organizations can enhance their preparedness and resilience in the face of disruptions, ensuring the continuity of their operations while minimizing the impact to their stakeholders.
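The BIA metrics above worked through in code, as an added example that is not from the book: MTTR and MTBF are computed from a constructed outage log and checked against an assumed RTO and RPO, and single points of failure are found in a constructed dependency map of mission essential functions (the log, the map and the thresholds are all invented for this illustration).

```python
"""Business impact analysis metrics from a constructed incident log.

Added example, not from the book. Computes MTTR and MTBF from outage
records, checks them against an RTO, checks backup age against an RPO,
and finds single points of failure in a dependency map of mission
essential functions. All data below is constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed outage log for one critical system: (failure start, restored).
OUTAGES = [
    (datetime(2023, 1, 3, 9, 0), datetime(2023, 1, 3, 10, 30)),   # 1.5 h down
    (datetime(2023, 2, 14, 22, 0), datetime(2023, 2, 15, 1, 0)),   # 3.0 h down
    (datetime(2023, 3, 30, 14, 0), datetime(2023, 3, 30, 15, 0)),  # 1.0 h down
]
# Constructed: newest backup available before the third outage began.
LAST_BACKUP = datetime(2023, 3, 30, 13, 30)


def mttr_hours(outages) -> float:
    """Mean time to recover: average outage duration in hours."""
    durations = [(end - start).total_seconds() / 3600 for start, end in outages]
    return sum(durations) / len(durations)


def mtbf_hours(outages) -> float:
    """Mean time between failures: average uptime from one restoration
    to the next failure, in hours."""
    ordered = sorted(outages)
    gaps = [
        (next_start - prev_end).total_seconds() / 3600
        for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:])
    ]
    if not gaps:
        raise ValueError("need at least two outages to compute MTBF")
    return sum(gaps) / len(gaps)


def meets_rto(outages, rto_hours: float) -> bool:
    """RTO is the maximum tolerable downtime, so every outage must
    fit inside it, not just the average."""
    return all(end - start <= timedelta(hours=rto_hours) for start, end in outages)


def meets_rpo(last_backup: datetime, failure_time: datetime, rpo_hours: float) -> bool:
    """Data lost on failure equals the age of the newest backup."""
    return failure_time - last_backup <= timedelta(hours=rpo_hours)


# Constructed dependency map: MEF -> list of requirements, each requirement a
# set of interchangeable components (any one surviving member is enough).
DEPENDENCIES = {
    "Process transactions": [{"core-db-primary", "core-db-replica"}, {"payment-gateway"}],
    "Customer web portal": [{"web-1", "web-2"}, {"edge-firewall"},
                            {"core-db-primary", "core-db-replica"}],
}


def single_points_of_failure(dependencies) -> dict:
    """Return {component: [MEFs that fail completely if it fails]}.

    A component is a SPOF for a function when removing it leaves some
    requirement of that function with no remaining alternative.
    """
    components = set().union(*[set().union(*reqs) for reqs in dependencies.values()])
    spofs = {}
    for component in sorted(components):
        broken = [
            mef for mef, reqs in dependencies.items()
            if any(not (req - {component}) for req in reqs)
        ]
        if broken:
            spofs[component] = broken
    return spofs


if __name__ == "__main__":
    print(f"MTTR {mttr_hours(OUTAGES):.2f} h, MTBF {mtbf_hours(OUTAGES):.1f} h")
    print("RTO of 2 h met:", meets_rto(OUTAGES, 2))
    print("RPO of 1 h met:", meets_rpo(LAST_BACKUP, OUTAGES[2][0], 1))
    print("Single points of failure:", single_points_of_failure(DEPENDENCIES))
```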
FINANCIAL ANALYSIS

Financial analysis is a crucial aspect of risk management that focuses on assessing the financial implications and considerations associated with cybersecurity measures and investments. It involves evaluating the costs, returns, and financial performance of cybersecurity initiatives within an organization. Three key financial metrics used in financial analysis are total cost of ownership, return on assets, and return on investment.

The total cost of ownership (TCO) represents the overall cost associated with owning, operating, and maintaining a particular asset or investment over its entire lifecycle. This total cost of ownership encompasses the direct and indirect costs associated with implementing and managing cybersecurity measures, such as acquiring security technologies, training personnel, monitoring systems, and responding to incidents.

The total cost of ownership should consider both upfront costs and ongoing expenses, including hardware, software, personnel, training, and maintenance. Organizations can make informed decisions regarding the cost-effectiveness of different cybersecurity investments and solutions by understanding the potential total cost of ownership.

The return on assets (ROA) metric is a financial ratio that measures the efficiency and profitability of an organization’s use of its assets to generate earnings. Return on assets is calculated by dividing the organization’s net income by its average total assets. This metric can be used to evaluate the effectiveness of cybersecurity investments in protecting and preserving the value of an organization’s assets. A higher return on assets indicates a more efficient use of assets to generate returns, while a lower return on assets suggests potential inefficiencies or inadequate cybersecurity measures.

Return on investment (ROI) is a financial metric that assesses an investment’s profitability and financial benefits relative to its cost. The return on investment is calculated by dividing the net profit or gain generated by the investment by the initial investment cost and expressing it as a percentage. The ROI metric helps organizations evaluate their cybersecurity initiatives’ financial impact and benefits. It helps to quantify the potential return or savings resulting from reduced losses due to security incidents, improved operational efficiencies, enhanced customer trust, regulatory compliance, and other positive outcomes. A higher return on investment indicates a more financially rewarding investment, while a lower return on investment suggests a need for further evaluation or adjustment of the cybersecurity strategy.

For example, let’s consider a hypothetical scenario where a company invests in a new cybersecurity solution to mitigate the risk of data breaches. The total cost of ownership analysis would include the upfront costs of purchasing the solution, training staff, and ongoing expenses such as maintenance and updates. The return on assets analysis would evaluate how effectively the cybersecurity investment protects the organization’s assets and contributes to overall profitability. Finally, the return on investment analysis would determine the financial benefits of the investment, such as reduced losses from data breaches or potential cost savings from improved operational efficiency.

Organizations can make data-driven decisions regarding their cybersecurity investments by conducting financial analysis. As a cybersecurity professional, you may be asked to justify your risk mitigation recommendations to ensure they are financially sound. For this reason, you must understand the total cost of ownership, the return on assets, or the return on investment that your proposed solution may provide if it is approved for implementation. These metrics assist your organization in evaluating the financial viability, efficiency, and effectiveness of its cybersecurity measures while ensuring that resources are allocated appropriately for maximum value.
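The TCO, ROI and ROA calculations for the hypothetical scenario above, added here as an example that is not the book’s own: the formulas follow the chapter, while the figures, the three-year lifecycle, the use of avoided losses (ALE reduction) as the investment’s gain, and the choice of TCO rather than the upfront price as the ROI denominator are assumptions.

```python
"""TCO, ROI and ROA for a proposed cybersecurity investment.

Added example, not from the book. Formulas follow the chapter:
TCO = upfront plus ongoing costs over the lifecycle; ROI = net gain
divided by the investment's cost, as a percentage; ROA = net income
divided by average total assets. The figures and the use of avoided
losses (ALE reduction) as the gain are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Investment:
    name: str
    upfront_cost: float     # purchase, deployment, initial training
    annual_cost: float      # maintenance, updates, staff time
    lifecycle_years: int
    ale_before: float       # annualized loss expectancy without the control
    ale_after: float        # annualized loss expectancy with the control


def total_cost_of_ownership(inv: Investment) -> float:
    """Upfront cost plus ongoing expenses over the entire lifecycle."""
    return inv.upfront_cost + inv.annual_cost * inv.lifecycle_years


def lifecycle_gain(inv: Investment) -> float:
    """Benefit over the lifecycle, taken here as avoided losses."""
    return (inv.ale_before - inv.ale_after) * inv.lifecycle_years


def return_on_investment(inv: Investment) -> float:
    """ROI as a percentage: net gain relative to the investment's cost.

    Assumption: the denominator is the TCO rather than only the initial
    purchase price, so ongoing costs are not ignored (the more
    conservative reading of the chapter's definition).
    """
    tco = total_cost_of_ownership(inv)
    return (lifecycle_gain(inv) - tco) / tco * 100.0


def return_on_assets(net_income: float, assets_start: float, assets_end: float) -> float:
    """ROA as a percentage: net income divided by average total assets."""
    average_assets = (assets_start + assets_end) / 2.0
    return net_income / average_assets * 100.0


# Constructed scenario: an endpoint protection platform over three years.
EPP = Investment(
    name="Endpoint protection platform",
    upfront_cost=60_000,
    annual_cost=20_000,
    lifecycle_years=3,
    ale_before=150_000,
    ale_after=40_000,
)

if __name__ == "__main__":
    print(f"TCO  ${total_cost_of_ownership(EPP):,.0f}")
    print(f"ROI  {return_on_investment(EPP):.1f}%")
    print(f"ROA  {return_on_assets(1_200_000, 9_000_000, 11_000_000):.1f}%")
```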
SUMMARY

The risk management lifecycle is used to guide an organization through a systematic approach to identify, assess, respond to, and mitigate risks. Risk identification involves engaging key stakeholders and suppliers to identify potential risks and establish the organization’s risk appetite. Risk assessment employs qualitative, quantitative, or hybrid methods to analyze and evaluate risks based on their likelihood and impact. Risk response planning includes actions such as risk acceptance, avoidance, transference, and mitigation to address identified risks. The risk mitigation phase focuses on implementing controls and measures to reduce vulnerabilities and minimize the impact of potential threats. Ongoing risk monitoring and review ensure that risk management strategies remain aligned with the organization’s objectives and risk landscape. It is also important to remember that there are two types of risk: inherent risk and residual risk. By understanding inherent risk and residual risk, your organization can make more informed decisions and allocate resources effectively throughout the risk management process.

Business impact analysis provides insights into the potential consequences of disruptions and aids in prioritizing mission essential functions and critical systems and identifying any single points of failure. By performing a business impact analysis, an organization can establish metrics for the recovery time objective, recovery point objective, mean time to recover, and mean time between failures.

Financial analysis is another key aspect of risk management. Financial analysis evaluates the costs, returns, and financial implications of cybersecurity investments, including the total cost of ownership, return on assets, and return on investment. By applying these principles and practices, organizations can enhance their cyber resilience and protect their digital systems and assets.
CHAPTER FOUR

NIST CYBERSECURITY FRAMEWORK

The NIST Cybersecurity Framework was designed to help businesses and organizations of all sizes to better understand, manage, and reduce their cybersecurity risk and protect their information systems and the data they contain. All businesses and organizations have some level of risk to their operations due to their increased reliance on information technology, operational technology, and the networks that connect them together.

To help provide a common language and systematic methodology for managing cybersecurity risk and enhancing cyber resilience, the National Institute of Standards and Technology (NIST) developed the NIST Cybersecurity Framework (CSF).

The NIST Cybersecurity Framework (CSF) is defined as the set of guidelines, best practices, and standards developed by the United States government to help organizations manage and improve their cybersecurity risk management processes.
DEVELOPMENT OF THE NIST CYBERSECURITY FRAMEWORK

The National Institute of Standards and Technology (NIST) is a government organization that exists within the United States Department of Commerce. It was originally created in 1901, well before computers were even imagined. NIST was established as a non-regulatory federal agency that is focused on promoting innovation and industrial competitiveness in the United States by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

On February 12, 2013, then President Barack Obama released Executive Order 13636, also known as Improving Critical Infrastructure Cybersecurity. This executive order aims to improve critical infrastructure cybersecurity by establishing a framework for information sharing and collaboration between the government and private sector entities.

In this executive order, the President stated, “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

This executive order effectively established the requirements for the NIST Cybersecurity Framework and provided the initial design criteria that include the ability to:

• Identify security standards and guidelines applicable across sectors of critical infrastructure.

• Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach.

• Help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

• Enable technical innovation and account for organizational differences.

• Provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services.

• Include guidance for measuring the performance of implementing the Cybersecurity Framework.

• Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
While NIST was responsible for getting the framework created and published, the primary authors were cybersecurity practitioners from multiple organizations within a variety of industries across the United States. These practitioners met with NIST over five separate workshops held at different geographic locations across the United States to identify existing cybersecurity standards, guidelines, frameworks, and best practices that applied to increasing the security of critical infrastructure sectors and other interested entities; specify high-priority gaps for which new or revised standards were needed; and collaboratively develop action plans by which these gaps could be addressed.

The result of these workshops and the subsequent authoring process was the first version of the cybersecurity framework, titled the Framework for Improving Critical Infrastructure Cybersecurity, which was released in February 2014 as version 1.0.

The framework quickly began to be adopted inside the critical infrastructure sector, which was the original intent, and across a wide variety of industries and sectors. This led to the framework becoming more broadly accepted and known more commonly under the name of the NIST Cybersecurity Framework, the NIST CSF, or simply as CSF. These days, you can find the NIST Cybersecurity Framework being used by a large variety of companies, organizations, non-profits, and governments worldwide.

On April 16, 2018, the latest version of the NIST Cybersecurity Framework, version 1.1, was released. This current version of the framework was designed to be backward compatible with the original framework, version 1.0. Version 1.1 was also designed with some helpful additions, including a new self-assessment section, a greater focus on supply chain risk management, and refinements to account for better authentication, authorization, and identity proofing outcomes.

At the time of this text’s publication, a new version of the framework is currently in development. This version will become version 2.0 of the framework and is slated to be released in the first half of 2024. This revision of the framework, version 2.0, is being drafted with a focus on refining, clarifying, and enhancing the existing version 1.1 for better understanding between the various stakeholders who may be using the framework in a given business or organization.

The proposed version 2.0 will also include a name change from "Framework for Improving Critical Infrastructure Cybersecurity" to the more widely accepted and commonly used nomenclature of "Cybersecurity Framework" with an official abbreviation as the CSF.

Other relevant improvements include a change in the scope of the framework. When version 2.0 is released, it will ensure that the benefits of the framework can be applied to all organizations regardless of their associated sector, type, or size.
The final major consideration that version 2.0 will incorporate is
the addition of more international collaboration and engagement. Since the
first release of the framework with version 1.0, numerous organizations
have found that international use of the cybersecurity framework would
improve the efficiency and effectiveness of their own organization’s
cybersecurity efforts. While nothing is preventing a global audience from
using the current version of the framework, international industry experts
and foreign government representatives were not explicitly sought out in
the development of versions 1.0 and 1.1. With version 2.0’s development,
NIST has prioritized working with organizations not just to develop the
cybersecurity framework’s latest version but also to develop translations
into multiple languages beyond the current English editions.

RELEVANT EXECUTIVE ORDERS
AND REGULATIONS

The NIST (National Institute of Standards and Technology)
Cybersecurity Framework has emerged as a foundational tool in the field of
cybersecurity, aiding organizations in managing and mitigating cyber risks.
To understand its significance, it is crucial to explore its history and how it
relates to several key executive orders issued by the President of the United
States and the regulations passed by the United States Congress.

The roots of the NIST Cybersecurity Framework can be traced
back to Executive Order 13636, signed by President Barack Obama in
February 2013. This executive order recognized the growing threats to
critical infrastructure and called for the development of a framework to
enhance the cybersecurity posture of the United States. It aimed to foster
collaboration between the government and private sector entities to
improve the protection and resilience of critical infrastructure.

In response to Executive Order 13636, NIST embarked on an
extensive collaboration effort, engaging stakeholders from various sectors,
including industry, government, and academia. This collaborative process
aimed to develop a flexible and voluntary framework that could be widely
adopted to help organizations manage cybersecurity risks and strengthen
their resilience.

The Cybersecurity Enhancement Act of 2014 was passed by
Congress and signed into law in December 2014. This regulation aimed to
strengthen and advance cybersecurity research and development efforts in
the United States. The NIST Cybersecurity Framework played a significant
role in this act, providing a foundational framework for organizations to
align their cybersecurity efforts and adopt best practices.

The Federal Information Security Modernization Act
(FISMA) of 2014 is another important piece of legislation that contributed
to the framework’s relevance and use within the federal government.
FISMA modernized the approach to federal information security
management by updating and amending the older Federal Information
Security Management Act of 2002. The newer FISMA emphasized the
adoption of risk-based approaches and the use of industry standards,
including the NIST Cybersecurity Framework, to enhance the security
posture of federal agencies and improve the protection of federal
information systems.

In addition to these regulations, Congress also passed
the Cybersecurity Information Sharing Act (CISA) of 2015 to facilitate
the sharing of cybersecurity threat information between the government
and the private sector. The NIST Cybersecurity Framework played a
complementary role in this act, serving as a guide for organizations to
enhance their cybersecurity practices and establish effective information-
sharing mechanisms.

In May 2017, President Donald Trump signed Executive Order
13800, which further reinforced the importance of the NIST Cybersecurity
Framework. This order emphasized the need for executive branch agencies
to implement the framework and encouraged the private sector to adopt it.
Executive Order 13800 recognized the framework’s value in improving risk
management and prioritizing cybersecurity investments across various
sectors to aid in improving the United States’ overall national defense
posture.

Overall, the NIST Cybersecurity Framework has evolved as a
pivotal tool for cyber resiliency, having been shaped by various Executive
Orders and regulations. The framework provides us with a flexible and
adaptable approach to managing cybersecurity risks, promoting
collaboration, and improving the overall resilience of organizations. The
NIST Cybersecurity Framework’s significance is further underscored by its
integration within various cybersecurity-related policies, acts, and
government initiatives, reflecting its status as a widely recognized and
respected framework in the field of cybersecurity.

APPLICABILITY OF THE
CYBERSECURITY FRAMEWORK

The NIST Cybersecurity Framework was created by the US
Government, and it is now published so that anyone can use it within their
own organizations free of charge. The NIST Cybersecurity Framework is
provided as a public service and is considered to be public information that
may be fully distributed or copied for your own organization’s use without
paying any licensing fees. This free tool is extremely valuable because it can
be quickly implemented to provide your organization with an instant return
on its investment at little to no upfront cost.

Over the past decade, doing business on the internet has become
an essential part of our global economy and a huge growth driver for
organizations and businesses alike. The internet has allowed small
businesses to quickly scale to serve customers around the globe by
leveraging its global reach.

For example, Jason Dion, one of the authors of this textbook,
established his small cybersecurity training company in 2017. Within six
years, they have successfully served over 1 million students across more
than 190 countries worldwide, all from the comfort of their offices in the
United States.

Despite being a small business with fewer than 20 team members,
Dion Training leveraged the power of asynchronous certification training
courses delivered online. This delivery mechanism enabled them to reach
and accommodate hundreds of thousands of students annually, with a
geographically dispersed staff spanning seven countries and ten different
time zones.

By using the internet, they were able to extend their reach far
beyond what would have been possible in a traditional classroom setting
with limited student capacity and its associated location constraints. The
impact of their online presence has allowed them to fulfill their mission and
serve a significantly larger audience than they had ever envisioned.

These days, most businesses and organizations have at least some
connectivity to the internet as part of their business operations. This makes
it difficult to even think back 30 years ago to a time before the internet had
become so ingrained into our collective business processes and our daily
lives.

Unfortunately, with this increased scale and connectivity, our
organizations are also more at risk than ever due to the rapid rise of cyber
criminals and nation-state actors. Every year, more and larger data breaches
occur than in the previous year, and larger and higher-bandwidth
distributed denial of service attacks are being attempted by these threat
actors.

This exploitation of the cyber risks involved with operating your
organization’s business online is causing trillions of dollars in damages
annually, and this figure continues to grow year after year.

For example, if we look back a few years to 2015, the global cost of
cyber failures and attacks of all kinds was estimated at only
approximately $500 billion per year globally. If we fast forward just six years
to 2021, the cost had risen to an estimated $6 trillion per year globally.

According to experts at the time of publication of this textbook, it
is estimated that this total will reach $10 trillion in damages during the 2024
calendar year. That is a 66.7% increase in just those three years, a staggering
amount. If cyber risk were considered a global economy, it would be
the third largest economy in the world after the United States and
China.

These days, it isn’t a matter of if you will become the victim of a
cyber-attack; it is really a matter of when it will occur and how bad that data
breach and its resulting cost will become. Unfortunately, running a business
in the modern economy comes with risk, and a large portion of that risk is
related to cyber-attacks, data breaches, and your organization’s own
technical implementation challenges.

So, our organizations need to be prepared against these cyber risks.
Using the NIST Cybersecurity Framework, you can organize your defensive
and incident response capabilities to be more resilient against cyber-attacks
and recover more quickly in case your organization eventually becomes
victimized. This is at the heart of what you are asked to do as a cyber
resiliency consultant.

CHARACTERISTICS OF THE FRAMEWORK

The NIST Cybersecurity Framework possesses several distinct
characteristics that set it apart from other frameworks available in the
cybersecurity industry today. An organization must understand these
characteristics in order to adopt and implement the framework effectively.
These characteristics include its voluntary set of guidelines, its flexibility
and adaptivity, a focus on risk instead of technical controls, a focus on risk
instead of compliance requirements, its ability to facilitate communication
and collaboration, and its continually improving and evolving nature.

First, it is important to note that the NIST Cybersecurity
Framework is a voluntary framework, which means that its adoption and
implementation are not mandatory for organizations. Instead, it provides a
flexible and customizable approach that organizations can voluntarily adopt
to enhance their cybersecurity posture. This voluntary nature allows
organizations to tailor the framework to their specific needs, considering
their unique risks, capabilities, and business objectives.

Second, the framework emphasizes flexibility and adaptivity to
accommodate the diverse cybersecurity requirements of different
organizations. It provides a risk-based approach, allowing organizations to
assess and prioritize their cybersecurity risks based on their specific context.
This flexibility enables organizations to align their cybersecurity efforts with
their business goals and adapt to the evolving threat landscape and
technological advancements.

Third, the framework emphasizes a focus on risk instead of
technical controls. Unlike some other frameworks that primarily focus on
technical controls and specific security measures, the NIST Cybersecurity
Framework places a greater emphasis on risk management. It encourages
organizations to identify, assess, and prioritize their cybersecurity risks,
enabling them to make informed decisions about allocating resources and
implementing appropriate controls.

Fourth, the framework focuses on risk instead of compliance
requirements. It distinguishes itself by prioritizing risk management
over compliance requirements. While compliance with regulations and
standards is important, the framework encourages organizations to go
beyond mere compliance by fostering a risk-based mindset. By focusing on
risk, organizations can better understand their vulnerabilities, anticipate
threats, and proactively address cybersecurity challenges.

Fifth, the NIST Cybersecurity Framework helps facilitate effective
communication and collaboration among organizational stakeholders. It
provides a common language and structure for discussing cybersecurity
risks, enabling different teams and departments to communicate effectively
and align their efforts. This characteristic fosters a culture of collaboration,
ensuring that cybersecurity considerations are integrated into various
aspects of the organization’s operations.

Sixth, the NIST Cybersecurity Framework is continually improving
and evolving. The framework is designed to evolve and adapt to emerging
threats, technologies, and best practices by undergoing regular updates and
revisions based on feedback from stakeholders and the evolving
cybersecurity landscape. This characteristic ensures that the framework
remains relevant and effective in addressing the ever-changing nature of
cyber risks, enabling organizations to stay current with the latest
cybersecurity practices.

By embracing these characteristics, organizations can leverage the
NIST Cybersecurity Framework to build a robust and adaptable
cybersecurity program. The framework’s voluntary nature, flexibility, risk
focus, and emphasis on collaboration empower organizations to proactively
manage cyber risks and protect their valuable assets and operations. As
organizations engage with the framework, they can contribute to its
ongoing improvement and align themselves with industry-leading
cybersecurity best practices.

CYBER RESILIENCE

Cyber resilience refers to an organization’s ability to withstand
and adapt to cyber threats by implementing proactive measures, effectively
responding to and recovering from cyber attacks or disruptions, and
maintaining essential functions while minimizing damage. This
encompasses a range of strategies, including robust security controls,
regular vulnerability assessments, employee education on cybersecurity best
practices, and the establishment of incident response plans.

By taking proactive steps, organizations can prevent or minimize
the impact of cyber incidents. However, in the event of an incident, cyber
resilience is crucial for ensuring business continuity and rapid recovery. A
resilient organization should be able to quickly isolate, restore, and recover
its systems to a state comparable to the one prior to the incident or cyber
attack.

The benefits of cyber resilience are substantial. By effectively
implementing cyber resilience measures, organizations can reduce the
financial cost of incidents, minimize downtime, and protect their reputation
with key stakeholders. The NIST Cybersecurity Framework provides
valuable guidance for achieving cyber resilience, and the public nature of
the framework means organizations can derive significant upfront value
without the need for additional funding or procurement.

Consider the example of an organization that has robust security
controls in place, regularly tests for vulnerabilities, and has well-trained
employees who can swiftly detect and respond to a cyber attack. By
isolating and containing the incident effectively, they can limit the damage,
minimize downtime, and restore normal operations efficiently. This
safeguards critical functions and helps maintain trust and confidence among
customers, partners, and other stakeholders.

By embracing cyber resilience, organizations can fortify their
defenses, enhance their incident response capabilities, and ensure their
ability to recover swiftly from cyber incidents. This proactive approach
enables them to navigate the evolving cybersecurity landscape confidently
and resiliently.

CRITICAL INFRASTRUCTURE

The NIST Cybersecurity Framework was initially created for
organizations and businesses that operate critical infrastructure in the
United States, but it has since expanded in its usage and acceptance well
beyond just those working in the critical infrastructure sectors.

The term critical infrastructure is defined by the United States
Department of Homeland Security as any physical or virtual infrastructure
that is considered so vital to the United States that its incapacitation or
destruction would have a debilitating effect on security, national economic
security, national public health or safety, or any combination of these.

As defined by the Department of Homeland Security, there are 16
critical infrastructure sectors:

• Commercial Facilities - Buildings, facilities, and spaces used for
commercial purposes, including retail, entertainment, and
hospitality

• Communications - Networks, systems, and assets involved in
providing communication services, including broadcasting,
telecommunications, and internet service providers

• Critical Manufacturing - Facilities and processes involved in
the production of essential goods, such as metals, machinery,
transportation equipment, and pharmaceuticals

• Dams - Structures, systems, and resources related to dam
operations and water control, including hydroelectric power
generation

• Defense Industrial Base - Companies and assets involved in
the research, development, production, and maintenance of
defense-related equipment, systems, and services

• Emergency Services - Agencies, organizations, and personnel
responsible for emergency management, firefighting, medical
services, and public safety

• Energy - Resources, systems, and infrastructure involved in the
production, transmission, and distribution of energy, including
electricity, oil, and natural gas

• Financial Services - Institutions and systems providing financial
services, including banking, insurance, investment, and
payment systems

• Food and Agriculture - Facilities, systems, and resources
related to the production, processing, and distribution of food,
beverages, and agricultural products

• Government Facilities - Buildings, offices, and structures used
by federal, state, local, tribal, and territorial governments for
administrative and public services

• Healthcare and Public Health - Facilities, personnel, and
networks involved in providing healthcare services, medical
research, and public health support

• Information Technology - Systems, networks, and
infrastructure used for information processing, storage, and
communication, including software development and
cybersecurity

• Nuclear Reactors, Materials, and Waste - Facilities, processes,
and materials associated with nuclear power generation,
research, and waste management

• Transportation Systems - Infrastructure, networks, and assets
involved in the movement of people and goods, including
aviation, maritime, rail, and road transportation

• Water and Wastewater Systems - Facilities, systems, and
resources responsible for providing drinking water and
managing wastewater treatment and disposal

To help oversee the protection of the various organizations and
businesses in each critical infrastructure sector, a US government
department or agency is assigned as the Sector-Specific Agency lead for
each of the 16 sectors. For example, the Department of Health and Human
Services is the assigned Sector-Specific Agency for the Healthcare and
Public Health sector. Similarly, the Environmental Protection Agency is
assigned as the Sector-Specific Agency for the Water and Wastewater
Systems sector.

Due to the increasing threat of cyber-attacks that could exploit
cyber risks in an organizational network, the organizations responsible for
critical infrastructure need to have a modern approach to identifying,
assessing, and managing cybersecurity risk. This approach needs to work
regardless of the organization’s size, threat exposure, or cybersecurity
sophistication because threat actors aren’t simply going to take it easy on
your company just because it is a smaller organization.

In fact, the opposite is quite often true. Attackers will target smaller
organizations because they tend to be easier targets and do not have a
robust cybersecurity workforce to help them defend their systems against
attack. This is one of the reasons why the NIST Cybersecurity Framework
was created. The framework is designed to work for organizations of all
sizes and to reduce the complexity found in other existing frameworks.

INTENDED AUDIENCE FOR THE
NIST CYBERSECURITY FRAMEWORK

Even though the NIST Cybersecurity Framework was initially
focused on cyber risk management for organizations operating critical
infrastructure, it has since been expanded for use well beyond those 16
sectors. Since the framework is flexible in nature, many other organizations
and industries saw the benefit of adopting it for their own use, which in
turn has led to the exponential growth in the adoption of the NIST
Cybersecurity Framework.

The NIST Cybersecurity Framework provides valuable guidance to
organizations in various industries. For example, it can be used to help retail
organizations protect their customers’ data, secure the company’s online
transactions, and manage their supply chain vulnerabilities. The framework
is also used in manufacturing to address industrial control system security
and intellectual property protection and to help secure product
development. It is important to note that neither retail nor manufacturing is
classified as part of the critical infrastructure of the United States. By
adopting the framework, organizations across most industries and sectors
can enhance their cybersecurity practices, mitigate risks, and ensure their
continuity of operations.

The framework itself can be used by organizations of any size.
However, with versions 1.0 and 1.1, many practitioners believe it is more
relevant or skewed toward larger organizations with at least 500 employees.
That said, it has also been adopted and implemented by small and medium-
sized businesses, known collectively as the SMB market, which covers
organizations with somewhere between 1 and 500 employees.

When it comes to determining who is best suited to use the NIST
Cybersecurity Framework, the answer comes down to who is willing to
adopt and implement it within their organization. The framework is a series
of best practices and guidelines and not a compliance standard that must be
strictly adhered to, so it can be scaled up or down in size to meet the
requirements of your specific organizational needs. In fact, the entire
framework is only 55 pages long, making it quite concise and relatively
quick to implement within your organization.

PURPOSE OF THE NIST CSF

The purpose of the framework is to help organizations to:

(1) Describe their current cybersecurity posture.

(2) Describe their target state for cybersecurity.

(3) Identify and prioritize opportunities for improvement
within the context of a continuous and repeatable process.

(4) Assess progress toward the target state.

(5) Communicate among internal and external stakeholders
about an organization’s cybersecurity risk.


The framework is not considered a one-size-fits-all approach to
managing cybersecurity risk, but instead, it allows organizations to vary how
they customize the practices and processes described in the framework to
best meet their own threats, vulnerabilities, risk tolerances, and
organizational size and capabilities.

In addition to the core framework, NIST also publishes
implementation guidance for different industries and use cases, such as
federal agencies trying to implement the framework for use within their
organization or a manufacturing business trying to implement the
framework within their industry.

Ultimately, organizations can determine activities important to
critical service delivery and prioritize investments to maximize the impact of
each dollar spent as they aim to reduce and better manage their
organization’s cybersecurity risk.

SUMMARY

The NIST Cybersecurity Framework (CSF) is a comprehensive set
of guidelines and best practices developed by the National Institute of
Standards and Technology (NIST) to assist organizations in managing
cybersecurity risks and safeguarding their information systems. It has gained
widespread adoption across industries and sectors since its creation in
response to Executive Order 13636, written by President Barack Obama in
2014.

The framework is flexible, scalable, and applicable to organizations
of all sizes, enabling them to assess their cybersecurity posture, set target
states, identify areas for improvement, measure progress, and communicate
risks effectively. The NIST Cybersecurity Framework is used to emphasize
resilience and to help organizations prepare for, and respond to, cyber risks
while facilitating quick recovery from incidents. With the increasing
frequency and cost of cyber threats, the NIST Cybersecurity Framework
offers a systematic approach to cybersecurity management and aligns with
relevant executive orders and regulations, supporting an organization’s risk-
based approaches and information-sharing initiatives.


Overall, the NIST Cybersecurity Framework is highly regarded for
its practicality and effectiveness in enhancing cybersecurity practices and
mitigating risks. It provides organizations with valuable guidance to protect
their information systems and data, ensuring the continuity of their
operations. By adopting the framework, organizations can effectively
manage cybersecurity risks and bolster their resilience in the face of an ever-
evolving threat landscape.


CHAPTER FIVE

FRAMEWORK COMPONENTS

Imagine that you are about to embark on a cross-country road trip,
eager to explore new destinations and experiences along the way. To ensure
a smooth journey, you’ll need a roadmap that outlines the best routes,
highlights key landmarks, and offers guidance on potential challenges.
Similarly, organizations require a reliable roadmap in cybersecurity to
navigate the complex landscape of cyber threats and protect their digital
assets. This is where the NIST Cybersecurity Framework and its
components come into play.

Just as a roadmap provides structure and direction for a journey,
the framework core, framework implementation tiers, and framework
profile, collectively known as the framework components, help
organizations establish a strong cybersecurity foundation, assess their
current posture, and tailor their security practices to meet specific goals and
requirements.

Throughout this book, we will delve into the intricacies of each
framework component in its own chapter in order to explore how they
contribute to an organization’s cyber resilience and overall cybersecurity
posture. Before we do, though, it is important that you gain an overall
understanding of the framework components so that you can understand
how they are intricately linked together.

First, we will look at the framework core that forms the heart of
the NIST Cybersecurity Framework and guides organizations in identifying,
protecting, detecting, responding to, and recovering from cyber incidents.
Then, we will examine the framework implementation tiers that enable
organizations to assess and express their cybersecurity maturity level and
determine the effectiveness of their security practices. Finally, we will
explore the framework profile, which is a customizable tool that allows
organizations to align the framework with their unique risk management
objectives, industry-specific regulations, and internal priorities.

By better understanding and leveraging these framework
components, organizations can better navigate the ever-evolving
cybersecurity landscape, enhance their defenses, and build a resilient
cybersecurity posture that effectively safeguards their critical assets and
operations. So, fasten your seatbelts as we embark on a journey through the
framework components, uncovering the essential elements that empower
organizations to establish a robust cybersecurity foundation and adapt to
the challenges of today’s digital world.

THE FRAMEWORK CORE

The framework core, commonly referred to as the core, is a set of
common cybersecurity activities, desired outcomes, and applicable
references that help organizations manage and mitigate cyber risks across
most businesses and organizations. The core presents industry standards,
guidelines, and best practices in a way that allows communication with
various stakeholders across the organization, regardless of whether they
operate at the executive, operational, implementation, or tactical levels. By
giving everyone a common lexicon to use when describing cybersecurity
activities and outcomes, it can greatly enhance communication up and
down the organizational hierarchy and ensure everyone is well understood.

The core consists of five concurrent and continuous functions that
all organizations perform when conducting cybersecurity activities. The
term function refers to a high-level cybersecurity category that groups
related activities and outcomes together in order to achieve specific
cybersecurity objectives. The five functions are identify, protect, detect,
respond, and recover.

For each function, there are also underlying key categories and
subcategories with specific outcomes. For each subcategory, these activities
are then matched with example informative references from existing
standards, guidelines, and best practices used throughout the industry.

The core is one of the largest parts of the framework, consisting of
23 cybersecurity activities and 108 distinct outcomes that are commonly
found across most businesses and organizations. It is important to
remember that the functions should be performed concurrently and
continuously to form an operational culture that addresses the dynamic
nature of cybersecurity risk. These functions are not intended to form a
serial or linear path that will ultimately achieve a static desired end state.
Instead, just as the adversary is constantly evolving and adapting, your
organization needs to continually adopt and adapt, too.


THE FRAMEWORK IMPLEMENTATION TIERS

The framework implementation tiers, also known as the tiers, are used to provide context on how an organization perceives a given cybersecurity risk and the processes or mitigations put in place to better manage that risk. An implementation tier represents the level of effectiveness in implementing cybersecurity practices within an organization, ranging from partial to adaptive. The implementation tiers help an organization understand how well it’s practicing cybersecurity risk management activities as described by the framework.

These tiers help an organization understand how well it is aware of its risks and threats, how repeatable the outcomes it produces are, and how well it adapts to new risks and threats. The implementation tiers are broken down and classified using a tier number from one to four, with one being the lowest tier and four being the highest tier.

Tier 1 organizations are labeled as partial organizations. Tier 1 organizations have overall ineffective risk management methods. This tier represents an initial stage of cybersecurity implementation where organizations have limited awareness and capabilities, with cybersecurity practices being ad hoc and reactive in nature. They usually have unsystematic risk management processes, unreliable risk management programs, and unresponsive risk management participation. It is hard to think of any reason an organization would want to be labeled as a Tier 1 organization, but often that is where your organization starts out. Hopefully, that isn’t the desired end state or target tier level you are trying to achieve.

Tier 2 organizations are labeled as risk-informed organizations. Tier 2 organizations have informal risk management methods with unfinished risk management processes, underdeveloped risk management programs, and incomplete risk management participation. They aren’t as bad off as the Tier 1 organizations, but there is still a lot of room for improvement. Generally, we define a Tier 2 organization as having a higher level of cybersecurity implementation, having developed some formalized policies and procedures and having greater awareness and more proactive cybersecurity practices in place.

Tier 3 organizations are labeled as repeatable organizations. Tier 3 organizations have structured risk management methods with orderly risk management processes, robust risk management programs, and routinely reviewed risk management participation. Tier 3 organizations are doing relatively well in terms of risk management, and this is often a good place for an organization to be in terms of its tier level. While there is room for improvement, overall, they are doing a good job with risk management. Many organizations will decide that reaching Tier 3 is good enough based on the cost and resources that may be required to achieve the next higher tier level. Tier 3 organizations demonstrate a proactive approach to cybersecurity, focusing on continuous improvement and the ability to respond effectively to emerging threats and vulnerabilities.

Tier 4 organizations are labeled as adaptive organizations. Tier 4 represents the highest level of cybersecurity implementation within the NIST implementation tiers. These organizations have a proactive, innovative, and adaptive approach to cybersecurity and the organization’s risk management methods. These organizations demonstrate the characteristics of Tier 3 and have an advanced capability to adapt and respond to evolving cybersecurity risks. Tier 4 organizations actively seek out emerging technologies, collaborate with industry partners, and participate in research and development efforts to stay ahead of cyber threats. Tier 4 organizations continuously strive for excellence and maintain a strong cybersecurity posture that enables them to effectively protect their systems, assets, and sensitive information.

It can be very difficult to reach Tier 4 in most organizations, and it takes a significant investment in your organization’s programs and people to reach this level of adaptivity. Many organizations decide it simply isn’t worth the cost or effort, so they may remain at Tier 3 instead.

Remember, the organization self-assigns these implementation tiers based on where it perceives itself currently and which tier it wishes to reach in the future. The organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business and mission objectives, and organizational constraints when selecting its implementation tier.

Not every organization will be considered a Tier 4 or adaptive organization, but similarly, not all organizations strive to become a Tier 4 organization in the future. Instead, think of the tiers as a clear status report of where you are and where you are going, not a graded report card from A to F like you may have had back in high school.

THE FRAMEWORK PROFILE

The framework profile, or the profile, represents an organization’s cybersecurity objectives, current state, and target state, providing a roadmap for aligning cybersecurity activities and priorities with the organization’s business requirements. This profile is created from outcomes selected from the framework core’s categories and subcategories based on the organization's business needs. This profile can be considered the alignment of standards, guidelines, and best practices to the framework core in a particular implementation scenario for a given organization. Your organization will need to develop its own profile to effectively use the NIST Cybersecurity Framework in order to manage and mitigate your risks. The profile can then be used to identify opportunities for improving your cybersecurity posture by comparing your current profile with a target profile. This will allow you to assess where you are today, where you want to be in the future, as well as the gap between those two profiles.

To develop a profile, your organization should review all the categories and subcategories in the framework and then select the relevant ones based on your business or mission drivers and a risk assessment to determine which are the most important for your specific organization. Once you identify those categories and subcategories that are important to meet your business’s objectives by reducing or mitigating risk, you can then craft an appropriate profile for your organization.

The current profile depicts an organization’s existing cybersecurity practices, including its cybersecurity activities, desired outcomes, and current risk management approaches. The target profile, on the other hand, represents the organization’s desired state of cybersecurity practices and outcomes and outlines the specific cybersecurity improvements and goals it aims to achieve.

Once the organization creates its current profile and target profile, they can be used to conduct a gap analysis between your current state and desired future state. The results of this gap analysis will then be used to create a plan of action. This action plan should use proper prioritization based on the profiles you created and factor in other business needs, including the cost-effectiveness of the controls and the innovation required to implement those controls.

An organization’s current profile and target profile are very useful when conducting self-assessments and when communicating with various stakeholders across the organization or between your organization and partners or suppliers. These profiles ensure that everyone knows what the target is, based on the target profile created and adopted by the organization, as well as the desired end state that the target profile describes.

When developing your profiles, remember that there are 108 outcomes listed in the framework that you can choose from, but you do not need to use them all. For example, ID.BE-2 states, “The organization’s place in critical infrastructure and its industry sector is identified and communicated.” If we were creating a profile for our company, Akylade LLC, we would not select this outcome to include in our profiles. This is because Akylade is not a part of any critical infrastructure sector. Since Akylade is a certification exam provider and does not operate in one of the 16 critical infrastructure sectors defined by the Department of Homeland Security, the outcomes related to critical infrastructure will not apply to our organization.
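
The profile selection and gap-analysis steps described above, worked through in code, as an added example that is not part of the book or of Akylade's materials. It assumes a constructed 0 to 4 implementation scale and constructed business-criticality weights (the framework itself defines no numeric scores), checks that every identifier follows the ID.xx-y pattern the framework uses, drops subcategories marked not applicable (here ID.BE-2, as in the Akylade example), and ranks the remaining gaps between the current and target profiles into a prioritized plan of action.

```python
"""Added example: building a NIST CSF profile and running a gap analysis.

The 0..4 implementation levels and the criticality weights are a constructed
scale used for illustration only; the framework defines no numeric scores.
"""
import re

# Subcategory identifiers have the form FUNCTION.CATEGORY-NUMBER, e.g. ID.AM-1.
SUBCATEGORY_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d+)$")


def is_valid_subcategory(code):
    """True when the code matches the ID.xx-y notation used by the framework."""
    return SUBCATEGORY_RE.match(code) is not None


def parse_subcategory(code):
    """Split 'ID.AM-1' into ('ID', 'AM', 1); reject malformed codes such as 'ID-AM-6'."""
    match = SUBCATEGORY_RE.match(code)
    if match is None:
        raise ValueError(f"not a valid subcategory identifier: {code!r}")
    function, category, number = match.groups()
    return function, category, int(number)


def select_outcomes(candidates, not_applicable):
    """Step 1: keep only the subcategories that apply to this organization."""
    for code in candidates:
        parse_subcategory(code)          # fail fast on a typo in the profile
    return [code for code in candidates if code not in not_applicable]


def gap_analysis(current, target, criticality):
    """Step 2: compare the current profile against the target profile.

    Returns (code, current_level, target_level, priority) for every subcategory
    whose target level exceeds its current level, highest priority first.
    Priority is the size of the gap weighted by business criticality
    (constructed weighting; substitute your own cost and risk factors).
    """
    gaps = []
    for code, target_level in target.items():
        current_level = current.get(code, 0)   # absent from current profile = not implemented
        if target_level > current_level:
            weight = criticality.get(code, 1)
            gaps.append((code, current_level, target_level,
                         (target_level - current_level) * weight))
    # Highest priority first; ties broken by identifier for a stable plan of action
    gaps.sort(key=lambda gap: (-gap[3], gap[0]))
    return gaps


# Constructed sample data for a certification-exam provider that, like Akylade
# in the text, is not part of a critical-infrastructure sector.
CANDIDATES = ["ID.AM-1", "ID.AM-2", "ID.BE-2", "ID.RA-1", "PR.AC-4", "PR.DS-1", "PR.DS-6"]
NOT_APPLICABLE = {"ID.BE-2"}           # critical-infrastructure outcome, left out
SELECTED = select_outcomes(CANDIDATES, NOT_APPLICABLE)

# Constructed current state: PR.DS-6 is missing entirely, PR.DS-1 is already at target.
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "ID.RA-1": 2, "PR.AC-4": 1, "PR.DS-1": 3}
TARGET_PROFILE = {code: 3 for code in SELECTED}   # aim for level 3 on every selected outcome
CRITICALITY = {"PR.AC-4": 3, "PR.DS-6": 3, "ID.AM-1": 2}   # constructed business weighting

if __name__ == "__main__":
    for code, cur, tgt, prio in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, CRITICALITY):
        print(f"{code}: level {cur} -> {tgt} (priority {prio})")
```

Run as a script, it lists PR.DS-6 first (no current implementation and high criticality) and PR.DS-1 not at all, because its current level already meets the target. The selection step rejects identifiers that do not follow the ID.xx-y notation, which catches the most common transcription error when profiles are maintained in spreadsheets.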

SUMMARY

Remember, the framework consists of three key components: the framework core, implementation tiers, and profile. The framework core is the framework's foundation and encompasses five key functions: identify, protect, detect, respond, and recover. These functions are interconnected and form an operational culture that addresses the dynamic nature of cybersecurity risks.

The framework implementation tiers are used to categorize organizations based on their cybersecurity maturity level, ranging from Tier 1 (partial) to Tier 4 (adaptive).

The framework profile, on the other hand, is used as a customizable tool that allows organizations to align the framework with their unique risk management objectives and prioritize their cybersecurity improvements. By understanding and leveraging these framework components, organizations can enhance their cyber resilience and effectively protect their critical assets and operations in today’s highly connected digital world.

Keep in mind, though, that the NIST Cybersecurity Framework is not a compliance requirement or regulation. The current NIST Cybersecurity Framework is considered to be voluntary. Therefore, it is important you are truthful when determining your organization’s framework tier and creating its current profile and target profile. There is no right or wrong answer when developing these tiers within your organization, but instead, you need to ensure what you identify as your current state accurately reflects where you truly are and that your target state reflects where you truly plan to take the entire organization.

CHAPTER SIX

FIVE FUNCTIONS

Imagine a skilled orchestra where each musician plays a unique instrument, harmonizing their melodies and rhythms to create a captivating symphony. In the realm of cybersecurity, the NIST Cybersecurity Framework functions in a similar manner, with its five core functions working together in harmony to protect organizations against cyber threats and ensure the continuity of their operations. In this chapter, we will delve deeper into these five functions: identify, protect, detect, respond, and recover. We will also explore their significance, outcomes, objectives, and the activities involved in each function’s implementation.

The NIST Cybersecurity Framework provides a comprehensive roadmap for organizations to enhance their cybersecurity posture, and the five functions serve as the key pillars of this framework. Understanding these functions is crucial for organizations to establish effective cybersecurity practices, as they guide the identification of risks, implementation of protective measures, detection of potential incidents, response to attacks, and recovery from disruptions.

Each function plays a vital role, working in tandem to create a robust and resilient cybersecurity ecosystem. By gaining a deeper understanding of these functions, organizations can develop a more proactive and comprehensive approach to cybersecurity, aligning their strategies with industry best practices and leveraging existing standards and guidelines.

As we journey through the five functions (identify, protect, detect, respond, and recover), we will uncover each step's specific actions and considerations. From conducting risk assessments and implementing access controls to deploying intrusion detection systems and developing incident response plans, each function offers a unique perspective and set of activities to strengthen an organization’s cybersecurity defenses.

By following the guidance in this chapter, organizations can confidently navigate the complex landscape of cyber threats. The five functions will empower organizations to develop a holistic cybersecurity framework tailored to their specific needs, enabling them to identify vulnerabilities, protect critical assets, detect potential breaches, respond effectively to incidents, and recover swiftly from disruptions. These five functions all work together to provide a high-level, strategic view of an organization’s management lifecycle of any given cybersecurity risk.

Now, let’s dive into the intricacies of the five functions and explore how they form the backbone of an organization’s cyber resilience by fostering a secure environment in the face of evolving cyber threats and challenges.

IDENTIFY (ID)

The identify (ID) function involves developing an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. This function helps the organization prioritize its cybersecurity efforts and align its resources with the organization’s business objectives and risk management strategies.

The activities contained in the identify function are considered foundational for the effective use of the NIST Cybersecurity Framework.

The identify function is used to understand the business within its environmental and organizational context, determine which resources support critical functions, and recognize the related cybersecurity risks affecting the organization. This enables your organization to focus and prioritize its cybersecurity defense efforts while being consistent with its risk management strategy and business needs.

Each function in the framework is divided into outcome categories. Each category is labeled using a short code, such as ID.AM to signify that asset management is a category under the identify function.

Under each outcome category, there are also subcategories and activities that add a number to the end of a given short code. For example, ID.AM-1 represents the activity specified as “Physical devices and systems within the organization are inventoried” within the NIST Cybersecurity Framework.

There are 108 different subcategories and activities spread amongst the five functions and 23 outcome categories. When working as a practitioner in the field, you can always reference the official framework documentation to determine which functions, categories/outcomes, and subcategories/activities would best align with your organizational needs.

The identify function contains six outcome categories: asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management. Under each identify outcome category are three to six different subcategories and activities, notated in the format ID.xx-y, where xx is the two-letter code for the outcome category and y is the number that represents a specific subcategory and activity.

The asset management (ID.AM) outcome category involves the identification of data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes. These assets must be managed consistently with their relative importance to organizational objectives and risk strategy.

ID.AM-1 states that physical devices and systems within the organization are inventoried.

ID.AM-2 states that software platforms and applications within the organization are inventoried.

ID.AM-3 states that organizational communication and data flows are mapped.

ID.AM-4 states that external information systems are cataloged.

ID.AM-5 states that resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

ID.AM-6 states that cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

The business environment (ID.BE) outcome category focuses on understanding and prioritizing the organization’s mission, objectives, stakeholders, and activities. The information gathered from this understanding is then used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1 states that the organization’s role in the supply chain is identified and communicated.

ID.BE-2 states that the organization’s place in critical infrastructure and its industry sector is identified and communicated.

ID.BE-3 establishes and communicates the priorities for organizational mission, objectives, and activities.

ID.BE-4 establishes the dependencies and critical functions for the delivery of critical services.

ID.BE-5 establishes the resilience requirements to support the delivery of critical services for all operating states, such as under duress/attack, during recovery, and for normal operations.

The governance (ID.GV) outcome category manages and monitors the organization’s regulatory, legal, risk, environmental, and operational requirements. This governance must be understood and must inform the management of cybersecurity risk in the organization or business.

ID.GV-1 establishes and communicates the organizational cybersecurity policy.

ID.GV-2 coordinates and aligns the cybersecurity roles and responsibilities with the organization’s internal roles and external partners.

ID.GV-3 is used to understand and manage the legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations for the organization.

ID.GV-4 addresses the governance and risk management processes for the organization’s cybersecurity risks.

The risk assessment (ID.RA) outcome category ensures that the organization understands the cybersecurity risk to its organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1 identifies and documents any asset vulnerabilities in an organization’s systems.

ID.RA-2 states that cyber threat intelligence is received from information-sharing forums and sources.

ID.RA-3 states that threats, both internal and external, are identified and documented.

ID.RA-4 identifies the potential business impacts and likelihoods associated with a given risk.

ID.RA-5 is used to determine the threats, vulnerabilities, likelihoods, and impacts of a given risk.

ID.RA-6 identifies and prioritizes the risk responses for the organization.

The risk management strategy (ID.RM) outcome category establishes the organization’s priorities, constraints, risk tolerances, and assumptions to support operational risk decisions.

ID.RM-1 states that risk management processes are established, managed, and agreed to by organizational stakeholders.

ID.RM-2 determines and clearly expresses the organizational risk tolerance or risk appetite.

ID.RM-3 states that the organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.

Supply chain risk management (ID.SC) establishes and uses the organization’s priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk. Supply chain risk management used to be a part of the overall risk management strategy but became its own category in version 1.1 of the NIST Cybersecurity Framework due to the importance of establishing and implementing the processes to identify, assess, and manage supply chain risks within modern enterprises and organizations.

ID.SC-1 states that organizational stakeholders identify, establish, assess, manage, and agree to the cyber supply chain risk management processes.

ID.SC-2 states that suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.

ID.SC-3 states that contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

ID.SC-4 states that suppliers and third-party partners are routinely assessed using audits, test results, or other evaluations to confirm they meet their contractual obligations.


PROTECT (PR)

The protect (PR) function is used by organizations to develop and implement safeguards to ensure the delivery of critical services and the protection of physical and digital assets against cyber threats. This protect function supports the organization’s ability to limit or contain the impact of a potential cybersecurity event or incident. The protect function contains six outcome categories: identity management, authentication and access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology.

The identity management, authentication, and access control (PR.AC) outcome category is used to implement effective mechanisms for the management of user identities, ensuring proper authentication processes, and controlling access to systems and resources to prevent unauthorized activities. This access control focuses on limiting access to physical and logical assets and associated facilities to authorized users, processes, and devices. Its management should also be consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AC-1 states that identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.

PR.AC-2 manages and protects physical access to assets.

PR.AC-3 manages remote access.

PR.AC-4 states that access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

PR.AC-5 protects network integrity, such as by using network segregation or network segmentation.

PR.AC-6 states that identities are proofed, bound to credentials, and asserted in interactions.

PR.AC-7 authenticates users, devices, and other assets commensurate with the risk of the transaction. This is done using single-factor, multi-factor, or other authentication mechanisms that provide adequate security for the individual’s security, privacy, and other organizational risks.

The awareness and training (PR.AT) outcome category emphasizes the importance of educating and raising awareness among personnel about cybersecurity risks, threats, and best practices to foster a security-conscious culture and enhance the organization’s overall cybersecurity posture. The organization’s personnel and partners should be provided cybersecurity awareness education and trained to perform their cybersecurity-related duties and responsibilities consistent with the organization’s related policies, procedures, and agreements.

PR.AT-1 states that all users are informed and trained.

PR.AT-2 states that privileged users understand their roles and responsibilities.

PR.AT-3 states that third-party stakeholders, such as suppliers, customers, and partners, understand their roles and responsibilities.

PR.AT-4 states that senior executives understand their roles and responsibilities.

PR.AT-5 states that physical and cybersecurity personnel understand their roles and responsibilities.

The data security (PR.DS) outcome category focuses on protecting the confidentiality, integrity, and availability of sensitive data within an organization’s systems and networks, ensuring appropriate safeguards are in place to mitigate data breaches and unauthorized access. It involves establishing and implementing data protection measures, controls, and procedures to secure data at rest, in transit, and during processing to maintain the organization’s data integrity and prevent data loss or compromise.

PR.DS-1 emphasizes the need to ensure that data at rest is protected. This includes the use of security controls to safeguard sensitive information stored in databases, file systems, or other data storage repositories.

PR.DS-2 highlights the importance of protecting data in transit. This includes protecting data during transmission by implementing secure communication protocols, encryption, and other safeguards to prevent unauthorized interception or modification.

PR.DS-3 ensures that assets are formally managed through removal, transfers, and disposition. This includes the use of access controls, authentication mechanisms, and monitoring to ensure that only authorized individuals can access and manipulate sensitive data.

PR.DS-4 emphasizes the need for the organization to have adequate capacity to ensure availability is maintained. This includes having data backup and recovery procedures to protect against data loss or corruption so that the organization can restore critical data in the event of an incident.

PR.DS-5 stresses the importance of implementing protection against potential data leaks.

PR.DS-6 requires integrity-checking mechanisms to be used to verify software, firmware, and information integrity. This is normally done by implementing hashing functions to create unique hash values or hash digests for each piece of data that the organization wishes to validate the integrity of over time.

PR.DS-7 ensures that the development and testing environments are separated from the production environment.
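
A minimal integrity baseline of the kind PR.DS-6 describes, as an added example that is not from the book: the organization records a SHA-256 digest for each file it wants to track, then re-hashes the files later and reports which are unchanged, modified, or missing. The file names, contents, and the drift simulated in demo() are constructed for illustration.

```python
"""Added example: file-integrity baseline and verification with SHA-256 (PR.DS-6)."""
import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streaming it in chunks so
    large firmware images or backups never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    """Digest of an in-memory byte string (same algorithm as sha256_file)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(paths):
    """Record the expected digest of every file the organization wants to track."""
    return {path: sha256_file(path) for path in paths}


def verify_baseline(baseline):
    """Re-hash each tracked file and sort it into unchanged, modified, or missing."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_file(path) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: baseline three files, then edit one and delete one.

    Returns the verification report keyed by state, with base file names only."""
    with tempfile.TemporaryDirectory() as workdir:
        config = os.path.join(workdir, "app.conf")
        firmware = os.path.join(workdir, "firmware.bin")
        library = os.path.join(workdir, "libcrypto.so")
        with open(config, "w", encoding="utf-8") as handle:
            handle.write("listen=443\n")
        with open(firmware, "wb") as handle:
            handle.write(bytes(range(256)) * 4)      # constructed firmware image
        with open(library, "wb") as handle:
            handle.write(b"\x7fELF" + bytes(60))      # constructed ELF-like header
        baseline = build_baseline([config, firmware, library])

        # Simulate drift after the baseline was taken: a config edit (even one
        # appended line changes the digest) and a deleted firmware image.
        with open(config, "a", encoding="utf-8") as handle:
            handle.write("debug=true\n")
        os.remove(firmware)

        report = verify_baseline(baseline)
        return {state: [os.path.basename(p) for p in paths]
                for state, paths in report.items()}


if __name__ == "__main__":
    for state, names in demo().items():
        print(f"{state}: {names}")
```

A plain digest detects that a file changed, not who changed it, and it only protects integrity if the baseline itself is kept where the system being checked cannot rewrite it (or is signed); otherwise whoever can alter the file can also update its expected hash.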

73

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
PR.DS-8 requires that integrity-checking mechanisms are used to verify hardware integrity. This is usually implemented through the use of trusted platform modules, eFUSE, and other related technologies.

Information Protection Processes and Procedures (PR.IP) focuses on establishing and maintaining robust processes and procedures to effectively protect sensitive information within an organization. It involves implementing comprehensive safeguards, controls, and policies to safeguard information assets, prevent unauthorized access, and promote the integrity and availability of critical information.

PR.IP-1 emphasizes the need to create and maintain a baseline configuration of information technology/industrial control systems by incorporating security principles, such as the concept of least functionality.

PR.IP-2 highlights the importance of implementing the Systems Development Life Cycle to manage systems. This creates a repeatable development process that helps ensure that all systems are created to the appropriate security standards.

PR.IP-3 ensures that configuration change control processes are in place within the organization. Change control processes refer to formalized procedures and practices used to manage and track changes to systems, software, configurations, or processes within an organization, ensuring that changes are properly reviewed, authorized, documented, and implemented in a controlled manner.

PR.IP-4 stresses the importance of conducting, maintaining, and testing the organization’s information backups.

PR.IP-5 emphasizes the need for using policies and regulations regarding the physical operating environment for organizational assets. By protecting the physical operating environment, the organization can be positioned to prevent physical vulnerabilities from being exploited by a threat actor.

PR.IP-6 states that data is destroyed according to policy. After all, if the data is not properly destroyed, then it could become part of a data leak or be subject to theft by a threat actor.

PR.IP-7 ensures that protection processes are improved. This leads to continual improvement and an increase in the security of the organization’s systems over time.

PR.IP-8 suggests that the effectiveness of protection technologies is shared throughout the organization. This allows the organization to learn more about its vulnerabilities and its current attack surface.

PR.IP-9 requires that response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are in place and properly managed.

PR.IP-10 requires that the response and recovery plans be tested.

PR.IP-11 emphasizes the need for cybersecurity to be included in human resources practices, such as during the personnel screening, onboarding, and offboarding processes.

PR.IP-12 requires a vulnerability management plan to be developed and implemented within the organization.

The maintenance (PR.MA) outcome category ensures that maintenance and repairs of industrial control and information system components are performed consistently with policies and procedures.

PR.MA-1 states that maintenance and repair of organizational assets are performed and logged with approved and controlled tools.

PR.MA-2 focuses on the remote maintenance of organization assets and requires that it be approved, logged, and performed to prevent unauthorized access.

The protective technology (PR.PT) outcome category manages technical security solutions to ensure the security and resilience of systems and assets are consistent with related policies, procedures, and agreements.

PR.PT-1 states that audit/log records are determined, documented, implemented, and reviewed in accordance with policy.

PR.PT-2 requires the protection of removable media and its use to be restricted according to an organizational policy.

PR.PT-3 emphasizes the need to incorporate the principle of least functionality by configuring systems to provide only essential capabilities.

PR.PT-4 requires that communications and control networks be protected.

PR.PT-5 recommends the implementation of mechanisms, such as failsafe, load balancing, and hot swap capabilities, to achieve resilience requirements in normal and adverse situations.

DETECT (DE)

The detect (DE) function is used by organizations to develop and implement appropriate activities to identify the occurrence of a cybersecurity event. This detect function enables the organization to make timely discoveries of cybersecurity events and incidents. The detect function contains three outcome categories: anomalies and events, security continuous monitoring, and detection processes.

The anomalies and events (DE.AE) outcome category ensures that anomalous activity is detected and the potential impact of events is understood.

DE.AE-1 establishes and manages a baseline of network operations and expected data flows for users and systems.

DE.AE-2 analyzes detected events to understand attack targets and methods.

DE.AE-3 collects and correlates event data from multiple sources and sensors.

DE.AE-4 determines the impacts of detected events.

DE.AE-5 establishes the incident alert thresholds for detected events.

The security continuous monitoring (DE.CM) outcome category ensures that the information system and assets are continually monitored to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1 monitors and detects potential cybersecurity events in the network.

DE.CM-2 monitors the physical environment to detect potential cybersecurity events.

DE.CM-3 monitors personnel activity to detect potential cybersecurity events.

DE.CM-4 states that malicious code must be detected.

DE.CM-5 states that unauthorized mobile code must be detected.

DE.CM-6 monitors external service provider activity to detect potential cybersecurity events.

DE.CM-7 performs monitoring for unauthorized personnel, connections, devices, and software.

DE.CM-8 performs vulnerability scans.

The detection processes (DE.DP) outcome category is maintained and tested to ensure that processes and procedures create awareness of anomalous events.

DE.DP-1 requires that roles and responsibilities for detection are well-defined to ensure accountability.

DE.DP-2 ensures that detection activities comply with all applicable requirements.

DE.DP-3 tests the organization’s detection processes.

DE.DP-4 requires that event detection information be communicated.

DE.DP-5 emphasizes the need to continuously improve organizational detection processes.

RESPONSE (RS)

The response (RS) function is used by organizations to develop and implement appropriate activities to perform actions regarding a detected cybersecurity incident. This response function supports the ability of the organization to contain the impact of a potential cybersecurity incident. The response function contains five outcome categories: response planning, communications, analysis, mitigation, and improvements.

The response planning (RS.RP) outcome category executes and maintains response processes and procedures to ensure appropriate responses to detected cybersecurity incidents.

RS.RP-1 states that the response plan is executed during or after an incident.

The communications (RS.CO) outcome category ensures that all response activities are coordinated with internal and external stakeholders, such as external support from law enforcement agencies if required.

RS.CO-1 requires that personnel know their roles and order of operations when a response is needed.

RS.CO-2 dictates that incidents are reported consistently with established organizational criteria.

RS.CO-3 emphasizes that information is shared consistently with response plans during a response effort.

RS.CO-4 states that coordination with stakeholders occurs consistently with organizational response plans.

RS.CO-5 encourages voluntary information sharing with external stakeholders to achieve broader cybersecurity situational awareness.

The analysis (RS.AN) outcome category ensures that proper analysis is conducted to ensure effective response and support recovery activities.

RS.AN-1 investigates notifications from detection systems.

RS.AN-2 helps to understand the impact of the incident.

RS.AN-3 states that forensics is performed.

RS.AN-4 categorizes the incidents consistent with organizational response plans.

RS.AN-5 establishes processes to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources, including internal testing, security bulletins, or security researchers.

The mitigation (RS.MI) outcome category ensures that activities are performed to prevent the expansion of an event, mitigate its effects, and resolve the incident.

RS.MI-1 seeks to contain incidents.

RS.MI-2 seeks to mitigate incidents.

RS.MI-3 requires that newly identified vulnerabilities are mitigated or documented as accepted risks.

The improvements (RS.IM) outcome category ensures that the organization’s response activities are continually getting better by incorporating lessons learned from current and previous detection and response activities.

RS.IM-1 incorporates lessons learned into the organizational response plans.

RS.IM-2 updates the organizational response strategies.

RECOVER (RC)

The recover (RC) function helps an organization develop and implement appropriate activities to maintain resilience plans and restore any capabilities or services that were impaired due to a cybersecurity incident. This recover function is focused on supporting the timely restoration of normal operations in order to reduce the impact of a cybersecurity incident. The recover function contains three outcome categories: recovery planning, improvements, and communications.

The recovery planning (RC.RP) outcome category executes and maintains the recovery processes and procedures to ensure the restoration of systems or assets affected by cybersecurity incidents.

RC.RP-1 executes the recovery plan during or after a cybersecurity incident.

The improvements (RC.IM) outcome category ensures that the organization’s recovery planning and processes are continually getting better by incorporating lessons learned into future activities.

RC.IM-1 incorporates lessons learned into the organizational recovery plans.

RC.IM-2 updates the organizational recovery strategies.

The communications (RC.CO) outcome category ensures that all restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other cybersecurity incident response teams, and vendors, as appropriate.

RC.CO-1 is used to manage public relations.

RC.CO-2 ensures the organizational reputation is repaired after an incident.

RC.CO-3 communicates recovery activities to internal and external stakeholders and the executive and management teams.

SUMMARY

This chapter covered all five functions, the 23 outcome categories underneath the functions, and the 108 subcategories and activities under those outcome categories. It is important that you can relate a given subcategory or activity to the appropriate category and the category to the appropriate function. You will not be asked to expand a given short code, such as DE.DP-3, from memory for the exam, but it would be fair to ask you to identify the function or category to which DE.DP-3 is linked. In this case, it would be sufficient to remember that DE is the detect function and DP is the detection processes outcome category.

When you are working in the field as a practitioner, you can always carry a copy of the NIST Cybersecurity Framework version 1.1 to reference the individual subcategories and activities, as needed. You will find a table provided as Appendix A of the NIST Cybersecurity Framework version 1.1 that includes the function, category, subcategory, and associated informative references for each shortcode covered in this chapter.

It is important to remember that within the 23 categories are specific subcategories and their corresponding activities, such as inventorying physical devices and systems, mapping organizational communication and data flows, and establishing cybersecurity roles and responsibilities. These 108 subcategories and activities enable organizations to prioritize resources, understand their business environment, assess risks, and develop effective risk management strategies.

As you work in the field, you will find that you don’t need to use all 108 subcategories and outcomes with every organization. Instead, it is more important that you review them all during your engagements and select the activities that best align with organizational objectives and overall risk management strategies being pursued.

CHAPTER SEVEN

CONTROLS AND OUTCOMES

Imagine you’re about to get into your car and drive to work. Before you even leave your driveway, there is an essential step that you must always take: putting on your seatbelt. But why?

Well, in most countries around the world, there are laws that dictate you must wear a seatbelt when driving a car. If you don’t wear your seatbelt and a police officer pulls you over, you may simply receive a ticket or a fine for not following this regulation.

But, seatbelt laws were not passed by our governments to simply collect additional revenue through fines. Instead, these regulations were created to save people’s lives.

In the event of a sudden stop or collision, your seatbelt should keep you safely in your seat instead of allowing forward momentum to throw you through your windshield.

In this chapter, we will explore the different controls and outcomes used within the NIST Cybersecurity Framework. We will observe that, just like the seatbelt in your car, controls and outcomes in cybersecurity serve as vital safeguards that help protect your systems, assets, and data from potential cyber threats.

So, fasten your cybersecurity seatbelt as we explore the world of controls and outcomes, discovering the key practices that will keep your organization secure when operating on the information superhighway.

CONTROLS

If you have used other cybersecurity frameworks, like the Risk Management Framework, the Center for Internet Security Critical Security Controls, COBIT 5, or the ISO/IEC 27001 series, you are probably used to dealing with controls.

In cybersecurity, controls refer to specific measures, practices, or safeguards that organizations implement to manage and mitigate cybersecurity risks. These controls are tangible actions or mechanisms that help prevent, detect, respond to, and recover from cybersecurity incidents. They can include technical solutions, policies, procedures, training programs, and other security measures designed to protect systems, assets, and data.

For example, one control for increasing the security of an organization’s authentication system might require all users to utilize a long, complex password containing at least 16 characters and a mixture of uppercase, lowercase, numeric, and special characters. If the organization has a higher security system they wish to protect, they could instead opt to remove password-based logins from their system completely and migrate to a multi-factor authentication system based on a smart card and PIN for user logins.

The idea with controls is that the organization wants to apply countermeasures that make it more difficult for a threat actor to compromise the organization’s systems, assets, and data. These controls act as your organization’s safety mechanism, mitigating risks and providing a level of assurance against potential cybersecurity incidents.
Depending on the framework used, there will be a list of controls that can be selected to ensure the organization complies with that given framework. In most frameworks, controls are a requirement that must be followed for all organizations. These are known as prescriptive controls, and they are specific and detailed control measures that provide explicit instructions or requirements on how to implement a security measure or safeguard in a standardized and structured manner.

Unlike many prescriptive frameworks, the NIST Cybersecurity Framework doesn’t utilize these prescriptive or mandatory controls. Instead, this framework focuses on using outcomes to achieve higher levels of cybersecurity tailored for specific organizational needs.

VOLUNTARY NATURE OF THE NIST CSF FRAMEWORK

The NIST Cybersecurity Framework is completely voluntary for companies and organizations to use. As such, it was developed with no specific prescriptive controls. Organizations using the framework are given wide latitude and freedom to perform the functions and activities in any way that makes sense in order to achieve their desired outcomes. These outcomes are categorized under the five functions, while 108 subcategories and activities are found underneath the 23 outcome categories.

When many first hear that the NIST CSF framework does not have specific prescriptive controls, they immediately believe this makes it less secure. This is an incorrect assumption, though. In fact, one of the biggest issues with more prescriptive frameworks is that they set forth requirements that MUST be complied with due to their prescriptive nature, even though the requirements add no additional security benefits.

A great example of this is the password complexity requirement mentioned earlier. Many people believe that long, complex passwords are more secure because they increase the time required for an attacker to guess or brute force that password. In theory, this would be a true statement, but that’s not how it works in the real world.
Studies have shown time and time again that long, complex passwords are often less secure than a less complex password might be. Why would that be?

Well, it comes down to human nature. Humans have a hard time remembering a twenty-character complex password with lots of different letters, numbers, and symbols. For example, a very long, strong, and complex password might be a 32-character randomly generated password like @Q*Qi6sTAYV4TkU4oTrhs3s-XPKhMo42. Now, even though this is a very long, strong, and complex password, most people will be unable to remember it. So, they simply write it down or type it into a virtual sticky note on their computer.

So, if an attacker compromises the person’s computer using an exploit or uses social engineering to gain access to the machine, they could now locate the password stored in the virtual sticky note. During on-site penetration tests, we have often observed physical paper notes located underneath an employee’s keyboard with their long, strong password written there for anyone to see. Therefore, longer and more complex passwords become less secure when applied to real-world conditions.

Instead, it would be better for the organization to implement good multi-factor authentication. But, if the prescriptive control in another framework states that you must use a long, complex password, then you can’t enable multi-factor authentication because your organization would not comply with the password length and complexity control in that framework.

This is where the true power of the NIST Cybersecurity Framework comes into play because it focuses on outcomes, not prescriptive controls. How an organization will achieve that outcome is left up to the organization to determine. If you need some guidance for finding controls to reach your outcomes, you can look at the informative references, which provide the compensating controls that other frameworks require, such as CIS CSC, COBIT 5, or ISA 62443-2-1:2009.

As an organization begins to develop its profiles and lists the different outcomes it wants to achieve, it can then choose and implement its own internal controls, or it may opt to use the controls from another framework. But the key is the organization itself oversees its cybersecurity risks. It has the power to choose the proper controls from any source needed to deliver the outcomes chosen in the organizational target profile.

OUTCOMES

An outcome refers to the desired result or objective that an organization aims to achieve through implementing cybersecurity controls and practices, focusing on those measures' overall effectiveness and impact. Simply put, an outcome is a change or result the organization expects to observe from a given process or action.

In the NIST Cybersecurity Framework, outcomes are specific to each category and subcategory within the framework. They provide guidance on the intended goals and results that an organization should strive for when implementing controls related to a particular aspect of cybersecurity.

The one thing people struggle with when they are new to the NIST Cybersecurity Framework is that each outcome is written as a requirement. For example, under the Protect Function in the Information Protection Processes and Procedures category, we find Outcome PR.IP-4, which states, “Backups of information are conducted, maintained, and tested.” This sounds extremely broad and generic to newcomers to the NIST Cybersecurity Framework, and these newcomers often get frustrated with the way they are written.

To increase their productivity, many cyber resiliency professionals have learned to take these outcomes and rewrite them into testable pieces or questions before they use them in evaluating how well an organization delivers results for each chosen outcome.

For example, if PR.IP-4 is going to be broken down into smaller testable items, we might have three separate and specific requirements:

1. Backups of information are conducted.
2. Backups of information are maintained.
3. Backups of information are tested.

For each of these requirements, the cyber resiliency professional might then convert these specific requirements into testable questions that can be used during their internal assessment of an organization to determine if they are following best practices and recommendations for conducting, maintaining, and testing the system backups.


It is important to remember that the NIST Cybersecurity Framework is not a checklist because a checklist is a list of required items, things to do, or points to be considered. In fact, NIST is very clear about this point in their guidance for the implementation of the NIST Cybersecurity Framework. The framework was never designed to be a mandatory compliance framework or used as a prescriptive checklist of controls.

Consider another example from within the detect function. In the detect function, there is an outcome category called security continuous monitoring (DE.CM). Under this outcome category, there are eight subcategories and activities that can help define the specific outcomes that need to be achieved in order to state that the organization’s security continuous monitoring is satisfactory. For instance, DE.CM-8 states that vulnerability scans are performed.

This activity, though, is being performed to achieve an outcome and not to meet a prescriptive control in the framework. The organization can determine what actions will meet their needs regarding vulnerability scans.

Will they perform internal or external vulnerability scans of their systems? Will their own cybersecurity practitioners be responsible for conducting those scans, or will a third-party firm be contracted to perform them? Will they use open-source or proprietary tools to conduct the vulnerability scans? Will they be required to conduct an offensive vulnerability scan, like a penetration test? How often do these vulnerability scans need to be performed?

All these questions are left up to the organization to determine what best meets their needs because the NIST Cybersecurity Framework is not prescriptive in nature.

For example, if the organization is trying to protect its credit card processing systems, it may fall under the requirements of the PCI-DSS contractual obligations. This may require them to do a quarterly vulnerability scan using an external consultant who is certified by the Payment Card Industry to perform that work.

If this organization is also a healthcare provider, it may fall under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements, as well.

Both the PCI-DSS and HIPAA requirements will have certain controls that must be used, but the organization can combine all of their required controls across all regulations and create a singular action plan using the NIST Cybersecurity Framework, as well.

Regarding these vulnerability scans, the NIST Cybersecurity Framework requires that you achieve your organization’s desired outcome. In this case, it may be to identify and remediate 98% of known vulnerabilities within 90 days of discovery. To verify that is being done, the organization will need to perform vulnerability scans every 90 days to determine what vulnerabilities have been patched or mitigated and which still remain. In addition, if the organization needs to meet the quarterly requirements for PCI-DSS, the organization may decide to utilize a third-party, PCI-approved consultant to perform the scans instead of having their own internal cybersecurity analysts. This is the flexibility the NIST Cybersecurity Framework provides an organization over a traditional, more prescriptive framework.
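
The outcome just described can be measured directly from scan data. This added example (not from the book) scores constructed finding records against the 98%-within-90-days target and also checks that scans have run at least every 90 days; the finding and scan dates are constructed sample data, and the rule for findings whose deadline has not yet passed is an assumption.

```python
"""Measuring the vulnerability-remediation outcome described above.

Added example, not from the book. It assumes the outcome as the text states
it (98% of known vulnerabilities remediated within 90 days of discovery) and
that the organization also wants proof that scans ran at least every 90
days. All finding and scan records are constructed sample data.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TARGET_RATE = 0.98   # share of measured findings that must be fixed in time
SLA_DAYS = 90        # remediation window from discovery, and max scan gap

# Constructed scanner export: (finding id, discovered, remediated or None if open)
FINDINGS: List[Tuple[str, date, Optional[date]]] = [
    ("v1", date(2023, 3, 1), date(2023, 3, 20)),
    ("v2", date(2023, 3, 1), date(2023, 6, 15)),   # fixed, but 106 days later
    ("v3", date(2023, 4, 10), date(2023, 5, 1)),
    ("v4", date(2023, 4, 10), None),               # still open, deadline passed
    ("v5", date(2023, 8, 1), None),                # still open, deadline ahead
    ("v6", date(2023, 5, 5), date(2023, 5, 6)),
    ("v7", date(2023, 5, 5), date(2023, 7, 30)),
    ("v8", date(2023, 6, 1), date(2023, 8, 20)),
    ("v9", date(2023, 8, 10), date(2023, 8, 15)),
    ("v10", date(2023, 2, 1), date(2023, 2, 28)),
]
SCAN_DATES: List[date] = [date(2023, 2, 1), date(2023, 4, 20), date(2023, 7, 15)]
AS_OF = date(2023, 8, 22)


def evaluate(findings, as_of, target=TARGET_RATE, sla=SLA_DAYS) -> Dict:
    """Score the findings against the outcome.

    within_sla: fixed no later than discovery + sla days
    breached:   fixed late, or still open after the deadline
    pending:    still open with the deadline still ahead; left out of the
                rate so a fresh scan does not read as a failure
    """
    within, breached, pending = 0, [], []
    for fid, discovered, remediated in findings:
        deadline = discovered + timedelta(days=sla)
        if remediated is not None:
            if remediated <= deadline:
                within += 1
            else:
                breached.append(fid)
        elif as_of > deadline:
            breached.append(fid)
        else:
            pending.append(fid)
    measured = within + len(breached)
    rate = within / measured if measured else 1.0
    return {"within_sla": within, "breached": breached, "pending": pending,
            "rate": rate, "met": rate >= target}


def scan_cadence_ok(scan_dates, as_of, max_gap=SLA_DAYS) -> Tuple[bool, Optional[int]]:
    """True if no gap between consecutive scans (or since the last scan) exceeds max_gap days."""
    if not scan_dates:
        return False, None
    points = sorted(scan_dates) + [as_of]
    worst = max((b - a).days for a, b in zip(points, points[1:]))
    return worst <= max_gap, worst


if __name__ == "__main__":
    result = evaluate(FINDINGS, AS_OF)
    print(f"remediation rate {result['rate']:.1%} (target {TARGET_RATE:.0%}): "
          f"{'met' if result['met'] else 'NOT met'}; late or open past deadline: {result['breached']}")
    print("scan cadence:", scan_cadence_ok(SCAN_DATES, AS_OF))
```

On the constructed data the scans are on schedule but only 7 of 9 measurable findings were fixed in time, so the outcome is not met even though every scan was performed.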

Remember, outcomes serve as measurable indicators of the effectiveness and maturity of an organization’s cybersecurity practices. They provide a tangible way to assess progress and determine if the desired objectives are being met. By focusing on outcomes, organizations can align their efforts with specific goals, continuously monitor their performance, and make informed decisions to improve their cybersecurity posture.

It is important to note that outcomes are not rigid requirements but rather flexible guidelines that can be adapted and tailored to each organization's unique needs and priorities. This allows for flexibility in implementation while ensuring that the desired security objectives are being addressed.

The NIST Cybersecurity Framework provides you the latitude to adjust it to meet organizational needs. Many people find this frustrating when they first begin using the framework because they may want to be clearly told what they need to do and which controls to implement. The problem with this approach is that it doesn’t scale very well. Prescriptive frameworks tend to be less relevant in the long term because systems and the technology controls needed to secure those systems change at an alarming rate these days.

INFORMATIVE REFERENCES

If the organization wants to combine the NIST Cybersecurity Framework with some other more prescriptive control-based frameworks, it certainly can. In fact, Table 1 of Appendix A of the NIST Cybersecurity Framework version 1.1, which lists all of the outcomes, contains a fourth column with informative references that link back to the controls of other frameworks.

An informative reference is a specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each subcategory and activity. For example, in Table 1 of Appendix A, you can locate the subcategory PR.DS-1 that states “data-at-rest is protected.” In the fourth column, you will find the informative references listed, including controls from CIS CSC, COBIT 5, ISA 62443-3-3:2013, ISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4.

90

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
If the organization follows the ISO/IEC 27001:2013 standard, then you can select that line item as the control you wish to utilize to ensure data-at-rest is protected. In this case, that would be ISO/IEC 27001:2013 A.8.2.3.

The NIST Cybersecurity Framework is simply acting as an index to other established controls in this case, so to determine what the control requires, you would need to look it up in ISO/IEC 27001:2013 under A.8.2.3, which covers the handling of assets, including the storage of those assets.

OTHER FRAMEWORKS

By looking at the informative references column in Table 1 of Appendix A of the NIST Cybersecurity Framework, you will see many different frameworks being referenced, including the following:

• International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 and 27002
• National Institute of Standards and Technology (NIST) Special Publications (SP 800-53, SP 800-171, and SP 800-37)
• Center for Internet Security Critical Security Controls (CIS CSC)
• Control Objectives for Information and Related Technology (COBIT 5)
• Information Technology Infrastructure Library (ITIL)
• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards
• Federal Risk and Authorization Management Program (FedRAMP)
• Open Web Application Security Project (OWASP)
• Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)

For the certification exams, you are not required to know any of these frameworks in-depth, but you should have a basic understanding of
the types of information they contain and that they can be used as sources for controls to achieve the organization's desired outcomes within the NIST Cybersecurity Framework.

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO)/INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC) 27001 AND 27002

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 and 27002 framework is a set of international standards that provide guidelines and best practices for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO/IEC 27001 specifies the requirements for establishing and maintaining an ISMS, while ISO/IEC 27002 provides a comprehensive set of controls and implementation guidance for information security management.

ISO/IEC 27001 focuses on the management aspects of information security, emphasizing the need for a systematic approach to identify, assess, and manage information security risks within an organization. It provides a framework for establishing policies, processes, and procedures to ensure information assets' confidentiality, integrity, and availability. The controls outlined in ISO/IEC 27001 cover a wide range of areas, including information security policies, organizational security, asset management, human resource security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, and incident management, among others.

Organizations can leverage the ISO/IEC 27001 and 27002 frameworks to enhance their cybersecurity posture when used in conjunction with the NIST Cybersecurity Framework. The NIST Cybersecurity Framework provides a flexible and risk-based approach to managing and mitigating cyber risks, while ISO/IEC 27001 and 27002 offer detailed controls and implementation guidance. By aligning the two frameworks, organizations can benefit from the comprehensive control framework of ISO/IEC 27001 and 27002 while leveraging the risk management and organizational framework provided by the NIST Cybersecurity Framework.

NIST SPECIAL PUBLICATIONS (SP 800-53, SP 800-171, AND SP 800-37)

The National Institute of Standards and Technology (NIST) Special Publications (SP 800-53, SP 800-171, and SP 800-37) are a collection of guidelines, standards, and procedures developed by NIST to assist organizations in managing and enhancing their cybersecurity practices. These publications provide comprehensive guidance on various aspects of cybersecurity, including risk management, security controls, and security assessment and authorization.

SP 800-53, also known as the “Security and Privacy Controls for Federal Information Systems and Organizations,” outlines a set of security controls that can be implemented to protect information systems' confidentiality, integrity, and availability. It provides a catalog of control families, such as access control, incident response, and system and information integrity, each containing specific controls and implementation guidance.

SP 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” focuses on safeguarding sensitive information that is not classified but still requires protection. It provides a set of security requirements that nonfederal organizations must meet when handling controlled unclassified information (CUI) on behalf of the federal government. These requirements cover areas such as access control, media protection, incident response, and system and communications protection.

SP 800-37, known as the “Risk Management Framework for Information Systems and Organizations,” provides a structured and flexible approach to managing cybersecurity risks. The Risk Management Framework (RMF) outlines the process for selecting and implementing security controls based on risk assessments, continuous monitoring, and ongoing authorization. SP 800-37 helps organizations integrate risk management into their overall cybersecurity program and ensures that security controls are effectively implemented and maintained throughout the system's lifecycle.

CENTER FOR INTERNET SECURITY CRITICAL SECURITY CONTROLS (CIS CSC)

The Center for Internet Security (CIS) Critical Security Controls (CSC) is a set of best practices and guidelines designed to help organizations enhance their cybersecurity defenses and reduce the risk of cyber threats. The CIS CSC provides a prioritized and actionable security controls framework that organizations can implement to improve their overall security posture.

The CIS CSC consists of 20 specific controls that cover a wide range of cybersecurity areas, including asset management, secure configuration, continuous vulnerability management, and incident response. These controls are based on real-world attack patterns and are regularly updated to address emerging threats and vulnerabilities. The controls are organized into three implementation groups: Basic, Foundational, and Organizational, which represent progressive levels of security maturity and coverage.

The CIS CSC is a valuable resource for organizations looking to establish a solid foundation of cybersecurity controls. It provides practical and effective measures that can be implemented to mitigate common security risks and enhance the organization's ability to detect, respond to, and recover from cyber incidents. The controls are designed to be adaptable to various environments. They can be tailored to meet different organizations' specific needs and requirements.

CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT 5)

Control Objectives for Information and Related Technology (COBIT 5) is a comprehensive framework that provides guidance and best practices for the governance and management of enterprise information technology systems. COBIT 5 is developed by the Information Systems
Audit and Control Association (ISACA) and focuses on aligning information technology activities with business objectives, ensuring effective risk management, and optimizing IT resources.

COBIT 5 defines a set of control objectives that cover various information technology domains, including governance, risk management, strategic alignment, value delivery, and performance measurement. These control objectives serve as targets or desired outcomes that organizations aim to achieve through the implementation of specific controls and processes. They provide a systematic approach to managing information technology risks, improving information technology processes, and ensuring the delivery of value to the organization.

By implementing COBIT 5, organizations can establish a clear governance and management framework for their information technology activities. The framework helps organizations identify and prioritize information technology risks, define control objectives, and implement controls to mitigate those risks. It also provides a structured approach for measuring and monitoring the performance of information technology processes, ensuring that they align with the organization's strategic goals and deliver value.

INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL)

ITIL, formerly known as the Information Technology Infrastructure Library, is a widely adopted framework that provides best practices for information technology service management (ITSM). Its latest version, ITIL 4, takes a holistic approach to service management that focuses on value co-creation, continual improvement, and integrating information technology services with business processes.

At its core, ITIL focuses on delivering value to customers through the service value system (SVS), which manages information technology services effectively and efficiently so that a service provider and its customer co-create value. It emphasizes the importance of understanding and meeting customer requirements, establishing clear
service strategies, designing robust service architectures, and continuously monitoring and improving service delivery.

ITIL defines a range of control objectives and processes covering various aspects of information technology service management through its 34 individual practices, including incident management, problem management, measurement and reporting, change enablement, service level management, and service desk operations. These control objectives outline the desired outcomes and objectives that organizations aim to achieve in each of its 34 practice guides.

By implementing ITIL, organizations can establish standardized service management practices, improve IT operations' efficiency and effectiveness, and enhance customer satisfaction.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a security framework developed by major payment card brands to protect cardholder data and ensure the secure handling of payment transactions. It applies to organizations that store, process, or transmit cardholder data, including merchants, service providers, financial institutions, and other entities involved in the payment card ecosystem.

The PCI DSS provides a set of comprehensive requirements and controls that organizations must adhere to in order to maintain a secure environment for cardholder data. These requirements cover various security aspects, including network security, system hardening, access control, data encryption, vulnerability management, and ongoing monitoring and testing.

The primary goal of the PCI DSS is to protect cardholder data from unauthorized access, fraud, and misuse. It helps organizations establish a secure infrastructure, implement robust security measures, and maintain a proactive approach to managing security risks associated with payment card transactions.

The PCI DSS includes specific control objectives and requirements that organizations must meet to demonstrate compliance. These
requirements include maintaining secure network configurations, implementing strong access controls, regularly monitoring and testing systems, and maintaining an information security policy.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a regulatory framework established in the United States to protect the privacy, security, and integrity of individuals' health information. HIPAA sets forth comprehensive standards and requirements for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, to safeguard patient data. HIPAA comprises two key rules: the Privacy Rule and the Security Rule.

The Privacy Rule establishes the rights of individuals regarding their health information and outlines the responsibilities of covered entities in ensuring its confidentiality. It governs the use of, disclosure of, and access to protected health information (PHI), and it grants individuals control over their personal health data.

The Security Rule, on the other hand, focuses on the technical and administrative safeguards that covered entities must implement to protect electronic PHI (ePHI) from unauthorized access, use, or disclosure. It requires the implementation of measures such as access controls, encryption, audit trails, and contingency plans to ensure the confidentiality, integrity, and availability of ePHI.

Complying with HIPAA is crucial for healthcare organizations to safeguard patient privacy, maintain trust, and avoid potential legal and financial consequences. Organizations can establish a comprehensive approach to protecting health information by aligning the NIST Cybersecurity Framework with HIPAA requirements. This integration enables healthcare entities to address cybersecurity risks while ensuring compliance with HIPAA regulations, creating a secure environment for handling sensitive patient data.

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION (NERC) CRITICAL INFRASTRUCTURE PROTECTION (CIP) STANDARDS

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are a set of mandatory cybersecurity regulations developed to ensure the reliability and security of the electric grid in North America. These standards are designed to protect critical infrastructure assets and systems within the electric power industry from cyber threats and potential disruptions.

NERC CIP standards comprise a comprehensive framework encompassing a wide range of cybersecurity requirements and controls specifically tailored to the electric utility sector. The standards address various aspects of cybersecurity, including security management, access control, incident response, physical security, and personnel training.

The primary objective of the NERC CIP standards is to establish a consistent and effective cybersecurity posture across the electric power industry. Compliance with these standards is mandatory for entities responsible for operating the bulk electric system, including generation facilities, transmission operators, and distribution utilities.

By integrating the NIST Cybersecurity Framework with the NERC CIP standards, organizations in the electric power sector can enhance their cybersecurity practices and align them with industry-specific requirements. This integration allows utilities to adopt a risk-based approach to identify, assess, and manage cybersecurity risks while ensuring compliance with the NERC CIP standards. The combined use of these frameworks enables utilities to enhance the resilience and reliability of the electric grid, protecting it from cyber threats and maintaining the secure and continuous delivery of electricity to consumers.

FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FEDRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program established to provide a standardized approach for assessing and authorizing the cloud computing services and products used by federal agencies. FedRAMP aims to ensure the security, privacy, and reliability of cloud services deployed within the federal government by establishing a rigorous risk management and compliance framework.

FedRAMP defines a set of security controls and requirements that cloud service providers must adhere to in order to meet the program's standards. These controls cover various aspects of cloud security, including data protection, access controls, incident response, and continuous monitoring. By implementing these controls, cloud service providers can demonstrate their commitment to safeguarding sensitive government data and infrastructure.

The primary goal of FedRAMP is to streamline the process of assessing and authorizing cloud services, reducing duplication of efforts, and providing a consistent and efficient approach for federal agencies to evaluate and adopt cloud solutions. By leveraging the FedRAMP framework, government agencies can assess the security posture of cloud service providers and make informed decisions about which services meet their specific security and compliance requirements.

Integrating the NIST Cybersecurity Framework with FedRAMP allows federal agencies to align their cloud security strategies with industry best practices and standards. The NIST framework provides a comprehensive set of guidelines and controls that complement the FedRAMP requirements, enabling agencies to develop robust cybersecurity programs and effectively manage risks associated with cloud services. By combining these frameworks, federal agencies can leverage the benefits of cloud computing while ensuring the confidentiality, integrity, and availability of their sensitive information and systems.

CLOUD SECURITY ALLIANCE (CSA) SECURITY, TRUST, AND ASSURANCE REGISTRY (STAR)

The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program is designed to promote transparency and trust in cloud service providers. STAR provides a framework for cloud service
providers to self-assess their security practices and disclose relevant information to customers and stakeholders. It enables customers to make informed decisions about cloud services based on the provider's security controls, compliance with industry standards, and overall trustworthiness.

Under the STAR program, cloud service providers can complete a self-assessment questionnaire covering various cloud security domains, including data protection, access management, incident response, and compliance. The questionnaire provides a standardized set of criteria and best practices for assessing and benchmarking the security capabilities of cloud providers.

The STAR program offers different levels of assurance: the Consensus Assessments Initiative Questionnaire (CAIQ) allows providers to document their security practices, while the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR) Certification provides independent third-party assessment and certification of a provider's security controls.

By participating in the CSA STAR program, cloud service providers demonstrate their commitment to transparency and accountability in delivering secure cloud services. Customers can refer to the CSA STAR registry to access participating providers' self-assessment reports and certifications, helping them evaluate the security posture of potential cloud service partners.

Integrating the CSA STAR program with the NIST Cybersecurity Framework enhances the assurance and trustworthiness of cloud services. The NIST framework provides a comprehensive set of security controls and guidelines, while CSA STAR offers a mechanism for providers to demonstrate their compliance and adherence to industry best practices. By aligning these frameworks, organizations can assess and select cloud services that meet their security requirements and ensure a higher level of confidence in the security and trustworthiness of their cloud environment.

OPEN WEB APPLICATION SECURITY PROJECT (OWASP)

The Open Web Application Security Project (OWASP) is a nonprofit organization dedicated to improving the security of web applications. OWASP provides a wide range of resources, tools, and best practices to help organizations identify and address vulnerabilities in their web applications.

OWASP focuses on raising awareness about web application security risks and promoting the adoption of secure development practices. It offers guidance on secure coding, vulnerability testing, and secure deployment strategies. One of the key initiatives of OWASP is the OWASP Top Ten, a regularly updated list of the most critical web application security risks. This list serves as a guide for developers and organizations to prioritize their efforts in mitigating common vulnerabilities.

In addition to the OWASP Top Ten, OWASP provides a wealth of resources, including documentation, cheat sheets, code samples, and security testing tools. These resources help developers and security professionals understand and address the various aspects of web application security, such as input validation, authentication, session management, and secure communication.

The integration of OWASP resources and recommendations with the NIST Cybersecurity Framework can greatly enhance an organization's web application security posture. By leveraging the best practices and tools OWASP provides, organizations can effectively manage the risks associated with their web applications and protect sensitive data from common security vulnerabilities. The NIST framework provides a broader structure for managing cybersecurity risks, and by incorporating OWASP's specific guidance, organizations can strengthen their overall security strategy, particularly in the context of web applications.

SUMMARY

The NIST Cybersecurity Framework was developed to support a wide variety of organizations across multiple sectors and industries. As
such, it had to remain generic and broad in nature instead of setting up specific and prescriptive controls.

While some people view this as a potential drawback, this is actually one of the biggest benefits of the NIST Cybersecurity Framework. Since CSF is non-prescriptive, it allows all organizations the flexibility needed to achieve the desired outcomes in whichever way makes the most sense based on their unique business needs and operating environment.

CHAPTER EIGHT

IMPLEMENTATION TIERS

When implementing the NIST Cybersecurity Framework (CSF), there is no strict order in which the core, tiers, and profiles must be implemented and utilized. However, following a logical sequence that ensures a comprehensive and effective implementation is generally recommended.

As a cyber resilience professional, you will determine the most efficient and effective method to implement the framework based on your specific organizational needs and workflows. Many people prefer to choose an implementation tier first, then create a profile based on the selected tier level and utilize the core to determine which outcome categories and activities should become a part of your organization's planned implementation, monitoring, and maintenance requirements.

Before you begin to implement the framework using this sequence, it is important that you have a good understanding of the basics of the framework core. Remember, the framework core serves as the foundation
for implementing the NIST cybersecurity framework because it outlines the five functions (identify, protect, detect, respond, recover) and their associated outcome categories and subcategories (activities). If you don't have a solid understanding of the core functions, you will have a hard time adopting the framework because you will be unable to create a holistic approach to managing cybersecurity risks using the framework.

By following this order of implementation, organizations can progressively build a strong cybersecurity foundation. Remember that the core provides the fundamental functions and activities, the tiers enable the evaluation of maturity and progress, and the profiles customize the framework to align with organizational goals and risk management strategies. This implementation is not solely linear but an iterative process where organizations may revisit and refine their implementation over time to adapt to evolving threats and changing business requirements.

CHOOSING AN IMPLEMENTATION TIER

Once the core functions are well understood, organizations can assess their cybersecurity maturity using the framework implementation tiers. These implementation tiers provide a benchmark for evaluating the effectiveness of an organization's cybersecurity practices.

By first assessing its current tier level, the organization can identify its strengths and areas for improvement, allowing for a targeted and strategic approach to enhancing its cybersecurity capabilities.

The step of choosing an implementation tier is crucial during the implementation of the NIST Cybersecurity Framework. This step allows organizations to assess their current cybersecurity maturity and determine the desired level of cybersecurity practices they aim to achieve. This process involves evaluating the effectiveness of the organization's existing cybersecurity practices and identifying areas that require improvement.

During the assessment, organizations can identify their strengths and weaknesses in various cybersecurity domains, such as risk management, threat intelligence, incident response, and security controls. By
understanding their current tier level, organizations gain valuable insights into their cybersecurity posture and can prioritize their efforts accordingly.

When choosing an implementation tier, organizations should consider their risk tolerance, available resources, business objectives, and the cybersecurity maturity level they aspire to attain. Selecting an implementation tier that aligns with the organization's risk appetite and long-term cybersecurity goals is important. This ensures that the chosen tier represents a realistic and achievable target for the organization.

Recall that the NIST Cybersecurity Framework has four different implementation tiers into which your organization can fall and be classified. These tiers run from Tier 1 to Tier 4, from least to most mature in terms of the organizational cybersecurity program.

Tier 1 organizations, also referred to as Partial, have ineffective and inconsistent cyber risk management methods. These organizations have limited awareness of cybersecurity risks and lack systematic risk management processes. Instead, they use an ad hoc and reactive approach to cybersecurity by implementing fragmented practices without a structured approach.

Tier 2 organizations, also referred to as Risk-Informed, have a higher level of cybersecurity implementation. These organizations have developed some formalized policies and procedures and demonstrate a greater level of awareness and proactive cybersecurity practices. Cyber resilience professionals often describe these organizations as having risk management methods that are informal and underdeveloped. Their organizational risk management processes are still evolving, and there is still much room for improvement.

Tier 3 organizations, also referred to as Repeatable, have structured risk management methods and well-defined processes in place. These organizations have robust risk management programs and routinely review their risk management participation. Tier 3 organizations demonstrate a proactive approach to cybersecurity, focusing on continuous improvement and effective response to emerging threats. Cyber resilience professionals
believe these organizations can deliver consistent results from their cyber
SE 3 2
risk management practices.

Tier 4 organizations, also referred to as Adaptive, have a proactive, innovative, and adaptive approach to cybersecurity. These organizations not only demonstrate the characteristics of Tier 3 but also have an advanced capability to adapt and respond to evolving cybersecurity risks. Tier 4 organizations actively seek out emerging technologies, collaborate with industry partners, and continuously strive for excellence in their cybersecurity posture. Cyber resilience professionals identify these organizations as having risk management methods with feedback loops that help the organization learn from experience and keep getting better over time. In the NIST Cybersecurity Framework, Tier 4 is considered the highest of the implementation tiers.

Many perceive these tiers as representing an organization’s upward progression in cybersecurity maturity and as signifying its level of effectiveness in managing cybersecurity risks. Organizations can assess their current tier level and set goals to advance to the next tier, gradually improving their cybersecurity practices and enhancing their overall resilience.

IMPLEMENTATION TIER PROGRESSION

Implementation tier progression is critical to enabling organizations to advance their cybersecurity capabilities and maturity over time. As organizations assess their current tier level and identify areas for improvement, implementation tier progression provides a roadmap for strategic growth and enhancement of cybersecurity practices. By understanding the key factors that drive progression from one tier to the next, organizations can establish clear objectives, allocate resources effectively, and develop targeted action plans to elevate their cybersecurity posture.

For example, if an organization is currently at Tier 1 (Partial) with limited awareness and ad hoc cybersecurity practices, it may choose to set its target tier as Tier 2 (Risk Informed). This would involve developing formalized policies and procedures, enhancing awareness and proactive cybersecurity practices, and building a stronger foundation for risk management.

Choosing the right implementation tier sets the stage for organizations to plan and implement the necessary improvements in their cybersecurity practices. It provides a roadmap for enhancing their cybersecurity maturity level and progressing toward a more robust and resilient security posture. The implementation tier acts as a guide to help organizations allocate resources, prioritize initiatives, and track progress as they work toward their cybersecurity goals.

Three dimensions of cyber risk management are measured within each tier level: the risk management process, the integrated risk management program, and external participation.

The risk management process dimension within the implementation tier progression refers to the organization’s approach and effectiveness in identifying, assessing, mitigating, and managing cybersecurity risks. It encompasses the methodologies, procedures, and practices the organization employs to systematically address risks to its systems, assets, and data. This evaluation helps determine whether the organization has a structured and well-defined process in place and whether it consistently applies risk management principles to identify, analyze, and respond to cybersecurity risks. During the evaluation of this dimension, the questions being addressed are: “How well does the organization establish and execute a risk management process that aligns with its risk tolerance, objectives, and overall business strategy?” and “How well does my organization practice risk management?”

The integrated risk management program dimension focuses on the organization’s ability to integrate cybersecurity risk management into its overall business processes and decision-making. It assesses the extent to which cybersecurity risk considerations are embedded within the organization’s governance structure, policies, and practices. This dimension evaluates whether the organization has established a comprehensive and cohesive program that aligns cybersecurity objectives with its broader strategic goals. By evaluating this dimension, organizations can identify gaps and opportunities for integrating cybersecurity risk management more effectively across their operations, thereby enhancing their overall risk posture. The questions being addressed during the evaluation of this dimension are: “To what extent is cybersecurity risk management integrated into the organization’s overall governance and business processes?” and “How repeatable are the outcomes that the organization produces?”

The external participation dimension focuses on the organization’s engagement with external stakeholders, industry collaborations, and information-sharing efforts. It assesses the organization’s involvement in relevant cybersecurity communities, its partnerships with other entities, and its participation in information-sharing initiatives. This dimension recognizes the importance of collaboration and the exchange of best practices and threat intelligence in enhancing an organization’s cybersecurity capabilities. By evaluating this dimension, organizations can determine the level of their external engagement and identify opportunities for strengthening collaboration with other stakeholders to bolster their cybersecurity defenses. The evaluation questions for this dimension are: “To what extent does the organization engage in external partnerships and information sharing to enhance its cybersecurity posture?” and “How well does my organization adapt to new risks and threats?”

MATURITY MODELS

Determining the appropriate implementation tier to target is a crucial step in the implementation of the NIST Cybersecurity Framework (CSF). While the CSF implementation tiers provide a benchmark for evaluating an organization’s cybersecurity practices, it is important to note that they are not a traditional maturity model like some other frameworks or models in the industry.

A maturity model is a structured framework that assesses and guides the progression of an organization’s capabilities and maturity levels in a specific domain, providing a roadmap for improvement and growth. Maturity models typically provide a structured progression of maturity levels, whereas the CSF implementation tiers focus on evaluating the effectiveness of cybersecurity practices rather than the organization’s maturity level.

To determine the desired implementation tier, organizations can consider using established maturity models that align with their cybersecurity goals and objectives. These maturity models provide a roadmap for organizations to assess their current state, define target maturity levels, and identify the steps required to progress toward those levels. Four commonly used maturity models are the Capability Maturity Model Integration (CMMI), the ISO/IEC 27001 maturity model, the Cybersecurity Maturity Model Certification (CMMC), and the Cybersecurity Capability Maturity Model (C2M2).

The Capability Maturity Model Integration (CMMI) is a widely recognized model that assesses the maturity of an organization’s processes across various domains, including cybersecurity. CMMI consists of five maturity levels (initial, managed, defined, quantitatively managed, and optimizing) and provides organizations with a framework to assess and improve their process maturity.

The ISO/IEC 27001 maturity model is a framework that assesses the maturity level of an organization’s information security management system (ISMS) based on the ISO/IEC 27001 standard. This maturity model provides a structured approach for organizations to evaluate their current state of information security practices and measure their progress toward achieving higher levels of maturity. It defines a set of criteria and indicators to assess the effectiveness, efficiency, and sustainability of the organization’s ISMS. Using the ISO/IEC 27001 maturity model, organizations can identify areas for improvement, prioritize their efforts, and establish a roadmap for advancing their information security capabilities. The model enables organizations to systematically enhance their security controls, risk management processes, and overall information security posture in alignment with international best practices.

The Cybersecurity Maturity Model Certification (CMMC) is a maturity model developed by the U.S. Department of Defense (DoD) to assess and certify the cybersecurity maturity of organizations participating in DoD contracts. The latest version of CMMC consists of only three levels, moving from Level 1 (foundational cyber hygiene) to Level 2 (advanced cyber hygiene) to Level 3 (expert cyber hygiene). Each level represents a different degree of cybersecurity maturity and serves as a framework for organizations to align their cybersecurity practices with DoD requirements.

The Cybersecurity Capability Maturity Model (C2M2) is a maturity model developed by the U.S. Department of Defense (DoD) to assess and improve an organization’s cybersecurity capabilities and maturity. It offers a comprehensive framework encompassing various cybersecurity domains, such as risk management, incident response, secure configuration management, and security awareness. The latest version of the C2M2 evaluates organizations on a three-level scale, ranging from Initiated to Performed to Managed, to determine their level of maturity in cybersecurity practices. Each level represents an increasing degree of sophistication and effectiveness in cybersecurity measures. By leveraging the C2M2, organizations can gain valuable insights into their current cybersecurity capabilities, identify areas of weakness or improvement, and establish a clear roadmap for enhancing their cybersecurity posture. The model provides a standardized approach for benchmarking and measuring progress, enabling organizations to prioritize resource allocation and effectively address critical areas of cybersecurity enhancement.

These maturity models, among others, can complement the NIST CSF implementation tiers by providing organizations with a more detailed and structured approach to assessing and improving their cybersecurity maturity.

It is important to note that the NIST Cybersecurity Framework’s implementation tiers are not considered a maturity model. The official guidance from NIST makes this extremely clear: “While organizations identified as Tier 1 (Partial) are encouraged to consider moving to Tier 2 or greater, Tiers do not represent maturity levels.”

Instead, while the CSF implementation tiers focus on evaluating the effectiveness of cybersecurity practices, maturity models offer a broader perspective on the overall maturity and capability of an organization’s cybersecurity program. By leveraging both the NIST CSF implementation tiers and relevant maturity models, organizations can develop a comprehensive approach to enhancing their cybersecurity practices and maturity, aligned with their specific goals and industry requirements.

STRATEGIES FOR MOVING BETWEEN IMPLEMENTATION TIERS

The implementation tiers are most helpful for letting top executives set the tone of the cybersecurity practices within an organization. When the senior leaders of an organization set a target tier, such as Tier 2 or Tier 3, this dictates the level of effort and resources that the organization will devote to its cybersecurity and risk management programs.

As previously stated, though, the implementation tiers are not considered a maturity model, so there is no requirement that an organization must aim to one day become a Tier 4 organization. Instead, the target tier should typically be determined by the organization’s unique characteristics and risk tolerance. It is enough for the organizational leadership to state, “Let’s be Tier 2.” The organization is not required, or even encouraged, to aim at reaching Tier 3 or 4 unless doing so makes sense for its needs and risk profile.

As a cyber resilience professional, you may be asked to help an organization move from one tier to another. The best way to approach this is with a five-step process.

First, the organization must assess the current state of its cybersecurity and risk management programs and practices to determine its current implementation tier level. This gives everyone a clear starting point for the organization once the implementation plan is created.

Second, the organization must define the target state based on the tier level it wants to move toward. After all, if the organization has no target tier or goal selected, it can never determine whether it has succeeded in its efforts to move between tier levels.

Third, the organization must develop a plan of action. This plan may include purchasing and installing new technologies, writing new policies, or training existing employees on the organization’s current programs and processes. The action plan will depend on the exact situation and challenges the organization is trying to address by setting a target tier that differs from its current tier.

Fourth, the organization will implement the plan of action. For example, consider an organization that identified itself as a Tier 1 organization and set a target of becoming a Tier 2 organization. In this case, the organization currently has ineffective and inconsistent cyber risk management methods and fragmented practices deployed using an unstructured methodology. To reach Tier 2, the organization will need to develop formalized policies and create a basic risk management program, even if it is an informal and underdeveloped program compared to that of a Tier 3 organization.

Fifth, the organization will monitor and adjust. Improving an organization’s cybersecurity and risk management programs will not happen overnight, and it is rare to see an organization try to move from Tier 1 to Tier 4 quickly. Instead, this becomes a continual improvement process until the organization reaches the level identified as its target tier. So, if the organization is trying to move from Tier 1 to Tier 2, it developed a plan, implemented the plan, and is now monitoring to see whether the desired results are achieved. If they are not, the organization will need to adjust by returning to step three (develop a plan of action) and selecting a new approach, continually improving until it reaches the target tier it initially selected.

Unfortunately, selecting your target implementation tier is not useful for determining gaps that can be closed within a reasonable amount of time and at a reasonable cost. Too many things could be covered between each tier level, so the detail available from selecting Tier 2 or Tier 3 as the target tier is simply not actionable enough. To really identify and close these gaps between the tiers, an organization will also need to use profiles built out of the outcome categories, subcategories, and activities from the framework core.

SUMMARY

In this chapter, we explored the concept of implementation tiers within the NIST Cybersecurity Framework (CSF) and their role in evaluating an organization’s cybersecurity practices. We began by understanding that there is no strict order in which the core, tiers, and profiles must be implemented, but following a logical sequence can lead to a comprehensive and effective implementation.

Remember, there are four implementation tiers: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive). Each tier represents a level of maturity in an organization’s cybersecurity practices, with Tier 4 being the highest level of maturity. Even though the term maturity is used heavily when describing the implementation tiers, it is important to note that the implementation tiers are not a maturity model. Instead, organizations can select a compatible maturity model if they wish to certify their maturity, such as the Capability Maturity Model Integration (CMMI), the ISO/IEC 27001 maturity model, the Cybersecurity Maturity Model Certification (CMMC), or the Cybersecurity Capability Maturity Model (C2M2).

Furthermore, we delved into the importance of implementation tier progression and how organizations can strategically advance their cybersecurity capabilities. We emphasized that progression from one tier to the next involves setting clear objectives, allocating resources effectively, and developing targeted action plans. By understanding the dimensions of the risk management process, integrated risk management program, and external participation, organizations can evaluate their current tier level and chart a path toward higher maturity. Also, recall that the process of moving between implementation tiers is not meant to be seen as a linear progression; it is more agile and spiral in nature, as the organization identifies its current practices, attempts to improve them, monitors the results, and then adapts a new plan to continue its improvement in the identified areas.

The implementation tiers in the NIST CSF provide organizations with a framework to assess and enhance their cybersecurity practices. The tiers act as guideposts, allowing organizations to identify their current capabilities, set targets for improvement, and allocate resources effectively. Implementing the framework in a systematic and progressive manner helps organizations build a strong cybersecurity foundation and adapt to evolving threats, ultimately enhancing their overall cybersecurity posture and resilience.

CHAPTER NINE

PROFILES

Imagine you’re a master chef preparing a delicious meal. As you gather your ingredients, you realize that each person who will be dining tonight has their own unique tastes and preferences. One person loves spicy flavors, while another prefers mild and savory ones. To satisfy everyone’s palate, you customize each dish, adjusting the seasonings, ingredients, and cooking techniques used to prepare the meal.

In the world of cybersecurity, organizations face a similar challenge when implementing the NIST Cybersecurity Framework. While the core functions and implementation tiers provide a solid foundation for cyber resilience, the customization of the framework using profiles is key to aligning the framework with an organization’s unique needs, goals, and risk management strategies.

In this chapter, we will explore the concept of profiles within the NIST Cybersecurity Framework. A profile consists of an organization’s cybersecurity objectives, current state, and target state, providing a roadmap for aligning cybersecurity activities and priorities with the organization’s business requirements.

These profiles allow you to tailor the framework to an organization’s specific requirements. Just as a chef may customize each dish, a profile enables you to adjust and fine-tune the framework to effectively address an organization’s unique cybersecurity challenges. Essentially, it is a specific and tailored version of the framework core’s functions, outcomes, and activities selected just for that organization.

Before diving into the intricacies of profiles, it is essential to have a solid understanding of the framework core and the organization’s selected target implementation tier. As we mentioned in the previous chapter, the core functions form the foundation of the NIST Cybersecurity Framework by encompassing the five key areas of identify, protect, detect, respond, and recover. These functions and their associated outcome categories and activities provide the building blocks for managing cybersecurity risks. By familiarizing yourself with the core, you can better appreciate how profiles enhance and complement the framework, allowing for a more tailored and targeted approach to cybersecurity.

Throughout this chapter, we will explore the role of profiles in customizing the NIST CSF. We will delve into the process of creating a profile, examining how it aligns with organizational goals and risk management strategies. Additionally, we will discuss the benefits of profiles in promoting effective communication, collaboration, and decision-making within the organization. By the end of this chapter, you will understand how profiles empower your organization to navigate the complex landscape of cybersecurity with a customized approach that enhances your overall cybersecurity posture.

KEY COMPONENTS OF A PROFILE

A profile within the NIST Cybersecurity Framework (CSF) is a customizable tool that allows organizations to align the framework with their specific risk management objectives, industry-specific regulations, and internal priorities. Profiles enable organizations to tailor the framework to their unique needs, ensuring their cybersecurity efforts are focused and effective.

To create a comprehensive and meaningful profile, it is important to consider a profile’s three key components: core functions, categories, and subcategories.

First, the core functions. The core functions are the foundation of the framework and provide a structured approach to managing cybersecurity risks. The five functions of identify, protect, detect, respond, and recover encompass a wide range of activities and outcomes that organizations need to address in their cybersecurity practices. When creating a profile, evaluating each core function and determining its relevance and priority for a specific organization is essential. By understanding and selecting the core functions that align with your risk management objectives, you can effectively tailor the profile to meet the organization’s unique needs.

Second, the outcome categories. Within each core function, the framework defines various outcome categories that further break down into subcategories and activities. These outcome categories provide a more granular view of the specific areas organizations should consider when managing their cybersecurity risks. Outcome categories include asset management, risk assessment, awareness and training, data security, and many others. When developing a profile, it is important to identify the relevant categories that align with your organization’s priorities and risk management strategies. By focusing on these specific categories, you can customize your profile to address the areas that are most critical to your organization’s cybersecurity posture.

Third, the subcategories and activities. Under each outcome category, defined subcategories represent specific activities within that category. These subcategories provide further detail and guidance on which activities organizations should undertake to achieve desired cybersecurity objectives. When developing a profile, reviewing the subcategories within the selected categories and assessing their relevance and applicability to your organization’s context is important. By identifying the specific subcategories that align with your risk management goals, you can customize your profile to include the activities and outcomes that are most relevant to your organization’s cybersecurity practices.

CREATING A PROFILE

In cyber resilience, a one-size-fits-all approach rarely yields the best results. Each organization around the world faces unique challenges, operates in specific industries, and has distinct risk management objectives. By creating a profile within the framework, organizations can customize the framework to their specific requirements, aligning their cybersecurity efforts with their unique risk landscape and business priorities. This unique profile that the organization creates will be used to establish a roadmap that aligns its cybersecurity practices with its risk management strategy, enhancing its resilience against cyber threats and enabling effective protection of its critical assets and operations.

To create a profile, the cyber resilience professional should follow a basic six-step process: identify organizational requirements and objectives, evaluate the framework core, select and prioritize outcome categories, define subcategories and activities, establish performance goals and metrics, and document and implement the profile.

The first step is to identify organizational requirements and objectives. You should begin by thoroughly assessing the organization’s risk management objectives, industry-specific regulations, business priorities, and cybersecurity needs. It is important to identify the key drivers that shape the organization’s cybersecurity strategy, such as protecting sensitive data, complying with regulatory requirements, or safeguarding its critical infrastructure. This step is crucial in understanding the organization’s unique cybersecurity requirements and setting the foundation for creating a tailored profile.

The second step is to evaluate the framework core. As stated previously, the cyber resilience professional must be familiar with the framework core and its five functions (identify, protect, detect, respond, recover), outcome categories, and subcategories. You should assess how each core component aligns with the organization’s objectives and its risk management strategy. With the help of key stakeholders, you should identify the specific outcome categories and subcategories that are most relevant and critical to the organization’s cybersecurity efforts. This evaluation will help determine the core components that must be included in the tailored profile you are now creating.

The third step is to select and prioritize outcome categories. Based on the evaluation conducted in the second step, you should select the outcome categories that align with the organization’s priorities and risk management objectives. Considering the unique cybersecurity challenges and focus areas that are specific to the organization, you must prioritize these outcome categories based on their importance and relevance to the organizational cybersecurity strategy. This step ensures that the created profile is tailored to address the most critical aspects of the organization’s cybersecurity needs because no organization has enough time or money to focus on everything all of the time. Choices will have to be made, and that is why selecting and prioritizing the outcome categories becomes so important.

The fourth step is to define subcategories and activities. Within each selected outcome category, define the specific subcategories and activities that will guide the organization’s cybersecurity efforts. These subcategories and activities provide a more granular level of detail and actionable steps to achieve the desired cybersecurity outcomes. Customize these subcategories and activities to align with the organization’s specific needs, resources, and risk landscape. This step ensures that the newly created tailored profile includes the necessary measures and controls to address the organization’s cybersecurity challenges effectively.

The fifth step is to establish performance goals and metrics. Setting performance goals and metrics will allow the organization to measure the effectiveness and progress of its cybersecurity practices. These goals and metrics should align with the organization’s risk appetite, compliance requirements, and overall cybersecurity strategy. Also, take the time to define clear indicators that will help to evaluate the success and maturity of the organization’s cybersecurity program. By establishing performance goals and metrics, you can monitor the organization’s cybersecurity posture, track its improvements over time, and make informed decisions to enhance its cybersecurity capabilities.

119

The sixth step is to document and implement the profile. Documenting the customized profile helps capture the selected outcome categories, subcategories, activities, performance goals, and metrics for later review and analysis. By ensuring that the profile is well-documented, easily understood, and accessible to relevant stakeholders within your organization, you can more easily communicate the profile to the key personnel responsible for implementing and managing the organization’s cybersecurity program. During this step, it is also important to actually conduct the implementation of the profile by integrating the defined measures, controls, and practices into the organization’s cybersecurity operations. After the initial implementation is complete, it is important to periodically review and update the profile as the organization’s cybersecurity needs evolve over time.

By creating a profile within the NIST Cybersecurity Framework, organizations are empowered to tailor their cybersecurity efforts and focus their actions on their specific risk landscape and priorities. By following this step-by-step process, organizations can create a profile that aligns with their unique requirements, enhances their cybersecurity posture, and enables proactive risk management.

PROFILE TAILORING

A framework profile can measure the gap between the current state of cybersecurity practices and the target state, including the target implementation tier selected by the organization. As the organization begins to create its profile, it may discover that removing some outcomes or entire activities from the definition of the organizational target state is needed.

For example, you might be creating a profile for the framework to focus on how well an organization performs the detect function while making the conscious decision to leave out the other four functions until the organization has more time, resources, and effort available to focus on them. Alternatively, you might focus on only the five outcomes for the supply chain risk management (ID.SC) activity and ignore every other outcome and activity in the framework core for the time being. Either of these is an acceptable way to create a scoped-down target profile for an organization if you intend to conduct a limited engagement with them.
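The two scoping choices just described (a single function, or a single category such as ID.SC) and the gap measurement that a profile supports can be expressed as a small data exercise. The following Python is an added illustration, not code from the book or from NIST: the subcategory identifiers are real CSF v1.1 IDs, but the one-line labels are constructed shorthand rather than the official wording, and every tier value is made-up sample data. Scoping keeps only the selected part of the core; the gap analysis then compares a current-state tier against a target tier for each in-scope outcome and orders the result so the largest gaps come first.

```python
"""Scope a NIST CSF target profile and measure the gap to the current profile.

Added illustration; this is not code from the book or from NIST. The subcategory
identifiers are real CSF v1.1 IDs, but the one-line labels are constructed
shorthand (not the official wording) and every tier value below is sample data.
"""
from dataclasses import dataclass

# Constructed slice of the framework core: subcategory id -> shorthand label.
CORE = {
    "ID.SC-1": "supply chain risk processes agreed by stakeholders",
    "ID.SC-2": "suppliers and partners identified and assessed",
    "ID.SC-3": "supplier contracts carry cybersecurity requirements",
    "ID.SC-4": "suppliers routinely assessed against obligations",
    "ID.SC-5": "response and recovery planning includes suppliers",
    "PR.AC-1": "identities and credentials managed",
    "PR.AC-5": "network integrity is protected",
    "PR.AT-2": "privileged users understand roles and responsibilities",
    "DE.AE-1": "baseline of expected operations established",
    "DE.CM-1": "network monitored for cybersecurity events",
    "RS.RP-1": "response plan executed during or after an incident",
}

TIERS = (1, 2, 3, 4)  # CSF implementation tiers: Partial .. Adaptive


def function_of(subcategory: str) -> str:
    """'ID.SC-1' -> 'ID'."""
    return subcategory.split(".", 1)[0]


def category_of(subcategory: str) -> str:
    """'ID.SC-1' -> 'ID.SC'."""
    return subcategory.split("-", 1)[0]


def scope_profile(core, functions=(), categories=()):
    """Return the subset of the core selected by whole function or by category.

    functions=("DE",) keeps only the detect function; categories=("ID.SC",)
    keeps only the five supply chain risk management outcomes.
    """
    return {
        sub: label
        for sub, label in core.items()
        if function_of(sub) in functions or category_of(sub) in categories
    }


@dataclass(frozen=True)
class GapItem:
    subcategory: str
    current_tier: int
    target_tier: int

    @property
    def gap(self) -> int:
        # Exceeding the target is not a deficiency, so the gap never goes negative.
        return max(0, self.target_tier - self.current_tier)


def gap_analysis(scoped, target_tiers, current_tiers, default_target=3):
    """Compare current and target tiers for every in-scope subcategory.

    Subcategories without an explicit target use default_target; subcategories
    whose current state was never assessed are treated as tier 1 (Partial).
    The result is ordered largest gap first so it can feed an action plan.
    """
    items = []
    for sub in scoped:
        target = target_tiers.get(sub, default_target)
        current = current_tiers.get(sub, 1)
        if target not in TIERS or current not in TIERS:
            raise ValueError(f"{sub}: tiers must be one of {TIERS}")
        items.append(GapItem(sub, current, target))
    return sorted(items, key=lambda g: (-g.gap, g.subcategory))


if __name__ == "__main__":
    scoped = scope_profile(CORE, categories=("ID.SC",))
    # Sample current-state assessment and per-outcome targets (constructed).
    current = {"ID.SC-1": 2, "ID.SC-2": 3, "ID.SC-3": 4}
    target = {"ID.SC-1": 4}
    for g in gap_analysis(scoped, target, current):
        print(f"{g.subcategory}: current {g.current_tier}, "
              f"target {g.target_tier}, gap {g.gap}")
```

Treating an unassessed outcome as tier 1 is a deliberate conservative default: a scoped-down engagement should surface what has never been looked at rather than silently assume it is fine.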

Consider a tailored profile for a certification examination institute:

Overall Objective:
To enhance the protection of sensitive data and ensure the secure access and authentication of users in the certification exam systems.

Profile Components:
1. Protect (PR) Function
• PR.AC: Identity Management, Authentication, and Access Control.
• PR.AT: Awareness and Training.

Profile Objectives:
• Establish robust identity management, authentication, and access control measures to safeguard sensitive data in our certification exam systems.
• Enhance cybersecurity awareness and provide effective training to our personnel and users to mitigate the risk of unauthorized access and security incidents.

Profile Activities:
• PR.AC-1: Implement strong user authentication mechanisms, such as multi-factor authentication, to ensure secure access to certification exam systems.
• PR.AT-2: Provide comprehensive cybersecurity awareness training to personnel and privileged users, emphasizing their roles and responsibilities in maintaining the security and integrity of the certification exam systems.

Profile Performance Goals:
• Increase the usage of multi-factor authentication for privileged user system access.
• Achieve high completion rates for cybersecurity awareness training modules.
• Reduce the number of unauthorized access incidents.

Profile Metrics:
• Percentage of privileged users utilizing multi-factor authentication
• Completion rates of cybersecurity awareness training modules
• Number of unauthorized access incidents reported

Since we assume an extremely limited engagement with the organization for this example, we have developed a tailored profile by identifying the most important items from the larger NIST Cybersecurity Framework that address this organization’s key areas of concern: the protect (PR) function, the PR.AC and PR.AT outcome categories, and their associated subcategories and activities.

As you read through the sample target profile, you should have noticed several interesting things about it.

Notice that the first section contains only one of the five functions being considered in this profile. Remember that the framework is voluntary, and the organization can use as much or as little of it as they desire. In this example, the organization and its consultants have only focused on the protect function in this profile.

In the second section, the organization and its consultant have decided to adopt a profile with only two outcome categories: Identity Management, Authentication, and Access Control (PR.AC) and Awareness and Training (PR.AT). While there may have been other subcategories and activities that could have been added to help meet the overall organizational objective, the decision was made to limit the scope of the profile and the number of activities selected to only the most important for this particular engagement. This decision may have been made due to the amount of time and resources available from the organization for its cybersecurity and risk management programs, or it could have been because the organization was extremely new and just trying to establish its initial actions in a new cybersecurity program.

In the third section, you will notice that the profile objectives were not written exactly as they are presented in the NIST Cybersecurity Framework official documentation. In the target profile, it states that the organization will “Establish robust identity management, authentication, and access control measures to safeguard sensitive data in our certification exam systems.” This most closely aligns with the outcome category of PR.AC, which states that “access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and it is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.” The important concept here is that you can tailor your profile however you see fit. In this case, the objectives were tailored to have a very narrow focus and to be written in a more business-like and non-technical tone so that they could be more easily communicated to the organization’s executives.

In the fourth section, if you cross-reference the PR.AC-1 and PR.AT-2 activities from the official NIST Cybersecurity Framework documentation with the tailored profile, you will find that they are not a direct word-for-word match. This, again, is part of the tailoring. For example, PR.AC-1 in the official documentation is written as “Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.” In the tailored profile, this was written as “implement strong user authentication mechanisms, such as multi-factor authentication, to ensure secure access to certification exam systems.” The difference here is that the tailored version is more specific and even provides a potential solution that the organization seeks to implement.

In the final two sections, you will notice the performance goals and metrics. These are not found inside the NIST Cybersecurity Framework itself, but they are critically important when developing a targeted profile for an organization. The performance goals state what we are trying to achieve with the actions specified in the profile. These tend to be more generic in nature, such as “reduce the number of unauthorized access incidents.”

The metrics, on the other hand, indicate how that performance goal will be measured. In this case, the target profile states that this performance goal will be measured by counting the number of unauthorized access incidents reported.

Notice that the target profile did not include the specific number to be used as a goal for this metric. This is because we want to keep this target profile generic enough that we can reuse it over the years. During the kick-off of the organization’s action plan, the metrics will be given a specific target number that the organization is working toward. At this point, though, we don’t know how many incidents the organization has had over the last 12 months, so it is impossible to provide an exact number for the metric while drafting up the target profile.
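The three metrics in the sample profile, and the distinction between a baseline reading and a target set later at kick-off, can be made concrete with a small measurement script. The following Python is an added example, not code from the book: the identity records, training roster and access-log lines are constructed sample data, the log format is invented to keep the example self-contained, and the rule that one unauthorized access incident is one (user, day) pair with at least one denied access is an assumption made for the example, not a definition from the profile.

```python
"""Measure the three metrics from the sample certification-institute profile.

Added illustration; this is not code from the book. The identity records,
training roster and access-log lines are constructed sample data, and the
log format is an invented one used only to keep the example self-contained.
"""
import re

# Constructed identity records: username -> (is_privileged, mfa_enrolled)
USERS = {
    "alice": (True, True),
    "bob": (True, False),
    "carol": (True, True),
    "dave": (False, False),
    "erin": (True, True),
}

# Constructed training roster: username -> awareness module completed?
TRAINING = {"alice": True, "bob": True, "carol": False, "dave": True, "erin": True}

# Constructed access-log excerpt: "<timestamp> <user> <result> <detail...>"
ACCESS_LOG = """\
2023-08-01T09:12:03Z alice LOGIN_OK exam-admin-console
2023-08-01T09:14:51Z bob LOGIN_FAIL bad-password
2023-08-01T09:15:10Z bob LOGIN_FAIL bad-password
2023-08-02T11:02:44Z mallory ACCESS_DENIED role-not-permitted exam-bank
2023-08-02T11:03:01Z mallory ACCESS_DENIED role-not-permitted exam-bank
2023-08-03T08:30:00Z carol LOGIN_OK exam-admin-console
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def mfa_coverage(users):
    """Percentage of privileged users enrolled in MFA (None if there are none)."""
    privileged = [flags for flags in users.values() if flags[0]]
    if not privileged:
        return None  # undefined rather than 0%: avoid reporting a misleading figure
    enrolled = sum(1 for _, mfa in privileged if mfa)
    return round(100.0 * enrolled / len(privileged), 1)


def training_completion(roster):
    """Percentage of the roster that completed the awareness module."""
    if not roster:
        return None
    return round(100.0 * sum(roster.values()) / len(roster), 1)


def unauthorized_access_incidents(log_text):
    """Count unauthorized access incidents in the log excerpt.

    Assumption for this example: an incident is one (user, day) pair with at
    least one ACCESS_DENIED event, so repeated attempts within a day are one
    incident, and plain LOGIN_FAIL events are not counted.
    """
    seen = set()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # tolerate malformed lines instead of aborting the metric
        timestamp, user, result, _detail = match.groups()
        if result == "ACCESS_DENIED":
            seen.add((user, timestamp[:10]))
    return len(seen)


# Lower is better for incident counts; higher is better for the two rates.
LOWER_IS_BETTER = {"unauthorized_access_incidents"}


def evaluate(targets=None):
    """Return {metric: (value, target, status)}.

    A metric whose target is still None (not yet set at kick-off) is reported
    as a 'baseline' reading rather than as met / not met.
    """
    targets = targets or {}
    measured = {
        "mfa_coverage_pct": mfa_coverage(USERS),
        "training_completion_pct": training_completion(TRAINING),
        "unauthorized_access_incidents": unauthorized_access_incidents(ACCESS_LOG),
    }
    report = {}
    for name, value in measured.items():
        target = targets.get(name)
        if target is None or value is None:
            status = "baseline"
        elif name in LOWER_IS_BETTER:
            status = "met" if value <= target else "not met"
        else:
            status = "met" if value >= target else "not met"
        report[name] = (value, target, status)
    return report


if __name__ == "__main__":
    for name, (value, target, status) in evaluate({"mfa_coverage_pct": 100}).items():
        print(f"{name}: {value} (target {target}) -> {status}")
```

Running it without targets produces the baseline numbers the text says are unknown at drafting time; once the kick-off sets a target for a metric, the same function reports met or not met for that metric only, which keeps the profile document itself free of numbers that would go stale.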
Please note this tailored profile is an extremely simplified profile created for illustrative purposes. Organizations should customize their profiles based on their specific needs, risk landscape, and cybersecurity objectives. A typical profile can end up being twenty to one hundred pages in length or more.

PROFILE TEMPLATES

Creating a profile within the NIST Cybersecurity Framework can be a complex and time-consuming task, requiring careful consideration of an organization’s unique needs, risk landscape, and cybersecurity objectives.

A profile template can be utilized to simplify the profile creation process and provide organizations with a starting point. These templates serve as pre-defined frameworks that outline a profile’s key components and structure, allowing organizations to customize and tailor them according to their specific requirements.

Profile templates provide several benefits, including consistency, efficiency, and alignment with recognized cybersecurity best practices. They offer a structured framework that guides organizations through the profile creation process, ensuring that essential elements are included and relevant outcome categories and activities are considered. Templates also promote consistency across an organization’s or an industry’s profiles, facilitating easier benchmarking, sharing of best practices, and collaboration.

While profile templates can vary based on organizational needs, some common elements are typically included, such as organizational information, profile summary, profile components, profile objectives, profile activities, performance goals, and metrics.

The organization information should be clearly listed in the profile template. This helps identify the organization’s name and relevant details to provide context and ownership.

The profile summary section provides a concise overview of the profile. It helps to summarize the key objectives and focus areas.

The profile components section outlines the specific framework components that the profile will address, such as functions, categories, and subcategories.

The profile objectives section articulates the goals and intentions of the profile, highlighting the desired outcomes and improvements to be achieved.

The profile activities section lists the specific activities or actions the organization will undertake to meet the described profile objectives.

The performance goals section establishes clear and measurable goals that are used to assess the success and effectiveness of the profile implementation.

The metrics section provides quantifiable metrics to track progress, measure performance, and evaluate the impact of the profile on the organization’s cybersecurity practices.

Organizations can leverage existing profile templates available from reputable sources such as industry associations, government agencies, or cybersecurity frameworks, and create their own library of profile templates based on previous engagements at organizations with whom they worked. These templates can serve as a starting point, providing a framework that can be customized and tailored to fit the organization’s specific needs and requirements.

Organizations can expedite the profile creation process by utilizing profile templates, ensuring consistency across profiles, and leveraging established best practices. This enables organizations to focus their efforts on customizing the template to their specific context and cybersecurity goals to align with the organization’s risk landscape, industry regulations, and internal priorities while still achieving a robust and effective tailored profile.

SECTOR-SPECIFIC PROFILES

In the diverse landscape of cybersecurity, different sectors and industries face unique challenges and have specific requirements for protecting their critical assets and infrastructure. To address these sector-specific needs, the NIST Cybersecurity Framework provides the flexibility to develop tailored profiles that align with specific sectors’ cybersecurity objectives and risk landscapes. In addition to generic profile templates, many sector-specific profiles have been created, including the Manufacturing Profile, Election Infrastructure Profile, Satellite Networks Profile, Smart Grid Profile, Connected Vehicle Profiles, Payroll Profile, Maritime Profile, and Communications Profile.

Each profile focuses on the cybersecurity considerations and controls that are most relevant to the respective sector, providing organizations with guidance and best practices specific to their industry. By leveraging these sector-specific profiles, organizations can enhance their cybersecurity posture and effectively mitigate sector-specific risks, ensuring the resilience and security of critical systems and operations.

MANUFACTURING PROFILE

In October 2020, NIST published a Manufacturing Target Profile based on version 1.1 of the NIST CSF. This document is officially called the “National Institute of Standards and Technology Internal Report 8183 Revision 1”. If you want to download a copy, you can find it at https://doi.org/10.6028/NIST.IR.8183r1.

Manufacturers are a unique industry from a cybersecurity perspective because they have the traditional IT infrastructure to automate routine office tasks, like writing documents and processing emails. But they also use computers to support their manufacturing operations, whether process-based, discrete-based, or some combination of both.

These special-purpose computers are broadly known as industrial control systems (ICS). There are different types of control systems, including supervisory control and data acquisition systems (SCADA), distributed control systems, and programmable logic controllers (PLC). If an industrial control system stops working, the production line has a work stoppage as well. This means that no work can be done, and therefore revenue will stop flowing in, too. Manufacturing isn’t just used to create large, complex machines like cars, airplanes, televisions, and computers. Manufacturing also includes most things we consume daily, including cans of soda, a plastic bag filled with apples, or even the paper bag where your takeout food is placed.

Because of the heavy emphasis on industrial control systems in manufacturing, the Manufacturing Target Profile better incorporates ISA/IEC 62443 as the basis for the controls needed to reliably produce the desired outcomes. The ISA/IEC 62443 is an international series of standards on “IT security for networks and systems for Industrial communication networks.” The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) are the two organizations that worked together to create the ISA/IEC 62443 standard.

There are two particularly good use cases for this Target Profile. The first is to help an organization express its cybersecurity risk management requirements to an external service provider. The second is to help the organization compare its current profile to the Manufacturing Target Profile in order to reveal gaps or weaknesses that might result in its systems being exploited.

The Manufacturing Target Profile defines three impact levels for each outcome: low, medium, and high. The profile also gives five example impact categories, including injuries to people, financial loss, environmental release, interruption of production, and damage to public image.

Each outcome presented in the profile has more or fewer controls recommended depending on the impact level. This is easy to understand if you think about the impact of an industrial control system failing in milk production as compared to gasoline refining: sour milk will get thrown out, but a gasoline spillage could cause an explosion that might kill somebody.

To demonstrate how the Manufacturing Target Profile could be used, let’s consider how one outcome is profiled within it. The subcategory and activity known as PR.AC-5 is defined as “network integrity is protected” within the NIST Cybersecurity Framework official documentation. In the Manufacturing Target Profile, if a failure to protect network integrity will result in a low impact, the following informative references and associated controls are recommended:
(1) [4.3.3.4] from ISA/IEC 62443-2-1:2009
(2) [SR 3.1 and 3.8] from ISA/IEC 62443-3-3:2013
(3) [SC-7] from NIST Special Publication 800-53.

If a medium impact level is expected, then the profile recommends that the organization add AC-4 from NIST SP 800-53 as an additional control to further help control the risk. The AC-4 control is focused on enforcing approved authorizations for the flow of information within the system and between connected systems based on information flow control policies. Simply put, the organization should implement firewall and routing access control lists to determine which systems can communicate with other systems in the organization’s network.

If a high impact level is determined to exist, then both SC-7(8) and SC-7(21) from NIST SP 800-53 are recommended as additional controls for implementation. The SC-7(8) control states that boundary protection should be implemented by routing network traffic to authenticated proxy servers. The SC-7(21) control states that boundary protection should also be implemented through the isolation of system components based on different missions or business functions.

ELECTION INFRASTRUCTURE PROFILE

The Election Infrastructure Profile is specifically designed to address the unique cybersecurity challenges faced by organizations involved in electoral processes. This profile aims to ensure the integrity, security, and resilience of the election infrastructure, which includes systems, networks, and data, during publicly held elections within a city, state, or country.

The Election Infrastructure Profile focuses on several key areas of cybersecurity to safeguard the election process. It emphasizes the identification and protection of critical assets, such as voter registration databases, voting machines, and communication networks, to prevent unauthorized access or tampering. The profile also emphasizes the importance of continuous monitoring and detection of potential cybersecurity incidents, allowing timely responses to any threats or anomalies. Additionally, the profile encourages robust incident response and recovery capabilities to ensure quick restoration of services and the integrity of the electoral process.

By implementing the Election Infrastructure Profile, election organizations can enhance their cybersecurity posture, strengthen public trust in the electoral system, and safeguard the democratic process. This profile serves as a valuable resource for election stakeholders, providing guidance and best practices to address the unique cybersecurity risks and challenges faced in the context of elections.

SATELLITE NETWORKS PROFILE

The Satellite Networks Profile is designed to address the specific cybersecurity considerations and challenges faced by organizations operating satellite networks. As satellite networks play a crucial role in various industries such as telecommunications, broadcasting, and remote sensing, ensuring the security and resilience of these networks is of the utmost importance.

The Satellite Networks Profile focuses on key cybersecurity areas to protect the integrity, confidentiality, and availability of satellite systems and their associated data. It emphasizes the identification and protection of critical assets, including ground stations, satellites, and communication links, to mitigate the risk of unauthorized access or interference. The profile also emphasizes the implementation of robust monitoring and detection mechanisms to identify and respond to potential cybersecurity incidents that could impact the functionality and reliability of the satellite network.

By implementing the Satellite Networks Profile, organizations operating satellite networks can enhance their cybersecurity capabilities, safeguard the integrity of their operations, and maintain the trust of their customers and stakeholders. This profile provides valuable guidance and best practices tailored to the unique challenges faced by satellite network operators, enabling them to address cybersecurity risks and maintain the resilience of their systems in an ever-evolving threat landscape.

SMART GRID PROFILE

The Smart Grid Profile addresses the specific cybersecurity concerns and requirements related to the operation and management of smart grid systems. As the energy sector increasingly adopts advanced technologies to improve efficiency and reliability, protecting the smart grid infrastructure becomes crucial for ensuring the continuous and secure delivery of electricity.

The Smart Grid Profile focuses on key areas of cybersecurity to address the unique challenges faced by smart grid systems. It emphasizes the identification and protection of critical assets, including control systems, data centers, communication networks, and IoT devices, to mitigate the risk of unauthorized access or disruption. The profile also highlights the need for robust monitoring and detection capabilities to quickly identify and respond to potential cybersecurity incidents that could impact the reliable functioning of the smart grid.

By implementing the Smart Grid Profile, organizations operating smart grid systems can enhance their cybersecurity posture and resilience, ensuring the secure and reliable delivery of electricity to consumers. The profile provides valuable guidance and best practices tailored to the specific requirements of smart grid systems, enabling organizations to effectively manage cybersecurity risks and maintain the integrity and availability of their critical infrastructure.

CONNECTED VEHICLE PROFILE

The Connected Vehicle Profile addresses the cybersecurity challenges and considerations specific to the connected vehicle ecosystem. With the increasing integration of advanced technologies and connectivity in vehicles, ensuring the security and privacy of connected vehicles becomes paramount for maintaining the safety and trust of passengers and road users.

The Connected Vehicle Profile focuses on safeguarding the critical components and communication networks within connected vehicles. It emphasizes the need for secure authentication and access controls to prevent unauthorized access to vehicle systems and data. The profile also highlights the importance of secure communication protocols and encryption to protect the integrity and confidentiality of data transmitted between vehicles and infrastructure.

By implementing the Connected Vehicle Profile, organizations in the automotive industry can enhance the cybersecurity of their connected vehicle systems. The profile provides specific guidance and controls to address the unique risks associated with connected vehicles, promoting the adoption of best practices for secure vehicle-to-vehicle and vehicle-to-infrastructure communications. By implementing the recommended cybersecurity measures, organizations can ensure the safety, privacy, and resilience of connected vehicles, contributing to the overall advancement and acceptance of connected and autonomous transportation.

PAYROLL PROFILE

The Payroll Profile focuses on the specific cybersecurity challenges and risks associated with payroll systems and processes. Payroll systems play a critical role in organizations as they handle sensitive employee data and financial information. Safeguarding the confidentiality, integrity, and availability of this data is crucial to protect employee privacy and prevent financial fraud or unauthorized access.

The Payroll Profile emphasizes the need for strong access controls and identity management to ensure that only authorized personnel can access payroll systems and data. It also emphasizes the importance of data encryption and secure transmission protocols to protect sensitive information during transit. Additionally, the profile highlights the significance of regular monitoring, detection, and response mechanisms to identify and mitigate any potential payroll system vulnerabilities or unauthorized activities.

By implementing the Payroll Profile, organizations can enhance the security of their payroll systems and protect sensitive employee information. It provides a set of controls and best practices tailored specifically to address the unique cybersecurity risks faced by the organization’s payroll functions. By adopting these measures, organizations can ensure the accuracy and confidentiality of payroll data, promote employee trust, and mitigate the potential financial and reputational impacts of payroll-related security incidents.

MARITIME PROFILE

The Maritime Profile addresses the cybersecurity challenges and risks specific to the maritime industry. The maritime sector encompasses a wide range of activities, including shipping, ports, offshore operations, and maritime transportation. As technology advances and digitalization becomes more prevalent in the maritime domain, ensuring the security and resilience of critical maritime infrastructure and systems becomes extremely important for the safety of the industry and the people working within it.

The Maritime Profile focuses on key areas such as vessel and facility security, navigational systems, port operations, and communication networks. It emphasizes the need for robust access controls, authentication mechanisms, and encryption protocols to protect critical maritime assets and data from unauthorized access or tampering. Additionally, the profile underscores the significance of continuous monitoring, incident response planning, and information sharing to detect and respond to potential cyber threats in real time.

By implementing the Maritime Profile, organizations in the maritime sector can strengthen their cybersecurity posture and safeguard their critical assets, operations, and data. This profile provides tailored controls and recommendations that address the unique maritime cybersecurity risks, helping organizations build a resilient cybersecurity framework. With effective cybersecurity measures in place, the maritime industry can ensure the safety and security of vessels, ports, and associated infrastructure, maintain smooth operations, and protect against potential cyber incidents that may disrupt maritime activities or compromise maritime safety.

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
SE 3 2 COMMUNICATIONS PROFILE

The Communications Profile is designed to meet the specific


D @g
cybersecurity needs and challenges within the communications sector. As
FO m
the communications industry becomes increasingly reliant on digital
technologies and interconnected networks, it is crucial to protect the
R ail.

integrity, confidentiality, and availability of critical communications


US co

infrastructure and services.


E m·

The Communications Profile focuses on areas such as network


ON A

security, data protection, threat intelligence, and incident response. It


LY UG

highlights the importance of implementing strong access controls,


encryption mechanisms, and secure network architectures to safeguard
BY 22,

sensitive information and prevent unauthorized access. Additionally, the


profile emphasizes the need for continuous monitoring, vulnerability
: R 20

assessments, and proactive threat detection to identify and mitigate


AM 23

potential cyber risks.


ES

By adopting the Communications Profile, organizations in the


communications sector can enhance their cybersecurity resilience and
H

mitigate the potential impacts of cyber threats. It provides industry-specific


AM

guidance and recommendations for implementing effective cybersecurity


controls, ensuring the reliability and security of communication networks,
GA

services, and customer data. With a robust cybersecurity framework in


I

place, the communications industry can foster trust, maintain the


confidentiality of sensitive communications, and protect against
cyberattacks that may compromise network infrastructure or disrupt
communication services.

CURRENT PROFILE VERSUS TARGET PROFILE

The current profile and target profile are essential components of the framework that organizations use to assess their cybersecurity posture and establish a roadmap for improvement.

The current profile represents the organization’s existing cybersecurity practices, including its current cybersecurity activities, desired outcomes, and risk management approaches. It provides a snapshot of the organization’s current state of cybersecurity, highlighting strengths, weaknesses, and areas for improvement. By understanding the current profile, organizations can identify gaps in their cybersecurity defenses and determine the necessary steps to enhance their security posture.

On the other hand, the target profile represents the organization’s desired state of cybersecurity practices and outcomes. It outlines the specific cybersecurity improvements and goals that the organization aims to achieve. The target profile is aligned with the organization’s risk management objectives, industry-specific regulations, and internal priorities. By comparing the current profile with the target profile, organizations can identify the gaps and prioritize the actions needed to bridge those gaps and move toward their desired cybersecurity state.

The process of transitioning from the current profile to the target profile involves assessing the organization’s current cybersecurity practices, identifying areas for improvement, and developing a strategic action plan. It requires a comprehensive understanding of the organization’s risk landscape, business objectives, and available resources. The target profile serves as a guide to help organizations align their cybersecurity practices with their overall business strategy and risk management goals. It provides a roadmap for prioritizing cybersecurity initiatives, allocating resources effectively, and tracking progress toward the desired cybersecurity state.

PROFILES FOR REGULATORY COMPLIANCE

If your organization works in a highly regulated industry, tailoring profiles to support its regulatory compliance requirements is an important aspect of implementing the NIST Cybersecurity Framework. Regulatory compliance mandates specific security controls and practices that organizations must adhere to in order to meet legal and industry-specific obligations. By tailoring profiles to support regulatory compliance requirements, organizations can ensure that their cybersecurity efforts align with the necessary regulatory standards to avoid fines and other negative consequences.

When tailoring profiles for regulatory compliance, organizations need to carefully assess the specific requirements and guidelines set forth by the relevant regulatory bodies. This involves understanding the regulatory landscape, identifying the applicable regulations, and determining the specific cybersecurity controls and practices mandated by those regulations. Organizations can then align their profiles to include the necessary outcome categories and activities that address their regulatory compliance requirements.

Tailoring profiles to support regulatory compliance also involves incorporating industry-specific regulations and standards into the profile. Many industries have their own specific cybersecurity requirements and best practices that organizations must adhere to. By customizing the profile to include these industry-specific regulations and standards, organizations can ensure that their cybersecurity practices not only meet regulatory compliance but also address the unique challenges and risks associated with their specific industry.

Furthermore, tailoring profiles to support regulatory compliance helps organizations establish a structured and systematic approach to meeting their compliance obligations. By mapping the regulatory requirements to the outcome categories and activities in the profile, organizations can identify gaps in their current cybersecurity practices and develop a targeted plan to address them. This tailored approach enables organizations to demonstrate their commitment to regulatory compliance, enhance their security posture, and mitigate potential risks associated with non-compliance.

SECURE ONCE AND COMPLY MANY

Using the framework core will help you focus the organization on doing the Activities and Outcomes that make the biggest difference toward achieving cyber resilience. There are many things you could do to become more resilient. You have a lot of technical choices, but there are non-technical possibilities, too.

Most organizations also have a lot of constraints in terms of budget limitations and competing priorities, so they simply cannot do everything they might desire to increase their security. So, of all the things you could do to become more resilient, which ones will give the organization the biggest return on its investment of resources?

Well, you can use the Framework Core to take out a lot of the guesswork involved in making that decision. You can use the framework core to simplify and turbocharge your cybersecurity program by combining it with a “secure once and comply many” approach. To do this, you need to map all of the organization’s compliance requirements back to the outcomes in the framework profile.

One place to start identifying the current mandates is within the informational references column of the framework core, such as those listed as ISO 27001, since this is an international standard on how to manage information security in an organization. Then, add any other compliance mandates, including laws, regulations, and data security addendums, from the organization’s contracts.

Anytime new mandates arrive, they should be checked against the current framework profile to see if the organization is already meeting those compliance requirements. If the organization isn’t, you may need to add more controls or even a new row into its framework profile to account for everything required of the organization.

Essentially, using this approach, you are creating a compliance architecture. Compliance architecture refers to the structure and framework that organizations establish to ensure adherence to regulatory and legal requirements related to cybersecurity and data privacy. This involves designing and implementing policies, processes, controls, and technologies that enable the organization to meet its compliance obligations.

This practice alone will substantially reduce any disruption to your workforce, as you only need to deploy any new controls above and beyond your existing profile’s control set.

The main idea behind this secure once and comply many approach is to make it easier to operationalize the framework while including all of the other cybersecurity obligations the organization might have based on its industry or business model. This allows the organization to spend less time and money implementing controls because often a single control can satisfy multiple requirements.

Another benefit of this approach is that the organization will get more consistent execution during the implementation phase since they only need to learn to use one control, regardless of how many requirements that one control satisfies. For instance, the organization may implement a single control that could prevent the need for having one method for deleting PCI-DSS data and a different method for deleting sensitive data regulated by HIPAA.

Even better, the organization’s staff can also save lots of time because new data protection requirements are first analyzed centrally to discover any duplication of effort before any changes are rolled out.

Consider the following diagram showing how the different components of a compliance architecture work together under a secure once and comply many approach:

[Diagram: Secure once and comply many]

On the left-hand side of the diagram, notice the center of the circle is the NIST Cybersecurity Framework. It includes the core and its 23 outcome categories and 108 subcategory activities.

Around the outside of the circle are all the other cybersecurity and data protection requirements that the organization may have. In this example, this organization is trying to comply with the ISO 27001 requirements, HIPAA regulatory requirements, its information security policy, and customer requirements. By mapping these different requirements back to the framework core, duplication can be detected and removed to provide a singular set of controls to meet all four sets of requirements at once.

The arrow pointing to the right side of the diagram indicates this consolidated set of controls that are created as a tailored framework profile for the organization. This is then used to create the standards, processes, and procedures the organization will utilize to meet the controls selected within its target profile.

Let’s work through a real-world example of a company that is affected by HIPAA regulations because they are a HIPAA business associate. A HIPAA business associate is a designation given to a company that isn’t in the healthcare industry but has a customer who is in the healthcare industry.

In this example, we will call this company Akylade Document Processing Services (ADPS). ADPS is about to take on a few doctor’s offices and hospital systems that want to use their services to print out the customer’s Explanation of Benefits statements and mail them to the customer’s home address. These statements contain protected health information, such as the reason for the doctor’s visit and what services were performed on the patient.

Because Akylade Document Processing Services will now have access to the patient’s electronic medical records to print out these documents and mail them, the company will now be responsible for complying with HIPAA, too.

ADPS has already been using the NIST Cybersecurity Framework for several years, but these are the first clients that work with healthcare-related data. Therefore, ADPS will have to become HIPAA-compliant to conduct this service on behalf of the doctor’s offices and hospital systems.

First, ADPS should analyze the HIPAA requirements to see if any new controls must be added to the organization’s profile. For example, there is an Administrative Safeguard that requires ADPS to have a “Data Backup Plan” listed under 164.308(a)(7)(ii)(A) in the HIPAA regulation.

The full regulatory text states that an organization shall “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”

Looking at the NIST Cybersecurity Framework, we can identify a related outcome under PR.IP-4, which states, “Information backup is conducted, maintained, and tested.”

ADPS is already following the ISO 27001 standard as well, so we should cross-reference any of its existing controls that we have in place. For example, ISO 27001 has several requirements related to data backup, including A.12.3.1, A.17.1.2, A.17.1.3, and A.18.1.3.

By carefully reading the ISO requirements and then reviewing the existing data backup plan, which is also ransomware resistant because ADPS has recent and complete offline copies of all of its data, we can see that ADPS is already set up for success and doesn’t have to add an entirely new set of controls to meet this HIPAA requirement.

So, by using this secure once and comply many approach, we can simply ensure that the customer’s HIPAA data is backed up using ADPS’ existing backup plans and methodologies, which already include the products and procedures needed. Since ADPS already uses validated data backup practices that remain consistent with the ISO 27001 requirements, the organization isn’t sacrificing compliance with one standard just to comply with the newer HIPAA-based one.

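As an added example (not the book’s or ADPS’s own tooling), the following Python sketch models the compliance-architecture check walked through above: each new mandate is mapped to NIST CSF subcategories and compared with the current profile, so that a requirement already met by an existing row is recorded against that row’s controls, and only subcategories with no row produce a gap that needs a new row. Only the HIPAA 164.308(a)(7)(ii)(A) and ISO 27001 backup mappings to PR.IP-4 come from the text; the PR.AC-1 row, the ISO A.9.2.1 mapping, the customer-contract clause and its PR.DS-1 mapping are constructed assumptions.

```python
"""Compliance-architecture gap check for a "secure once and comply many" profile.

Added example; not the book's or ADPS's own tooling. Only the HIPAA
164.308(a)(7)(ii)(A) and ISO 27001 A.12.3.1/A.17.1.2/A.17.1.3/A.18.1.3
mappings to PR.IP-4 come from the text; every other row and mapping below
is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mandate:
    """One compliance requirement and the CSF subcategories it maps to."""
    source: str           # regulation, standard, policy or contract
    clause: str           # clause identifier within that source
    subcategories: tuple  # NIST CSF subcategory IDs the clause maps to

    @property
    def ref(self) -> str:
        return f"{self.source} {self.clause}"


@dataclass
class ProfileRow:
    """One row of the current framework profile: an outcome, the controls in
    place for it, and every requirement those controls already satisfy."""
    subcategory: str
    outcome: str
    controls: list = field(default_factory=list)
    satisfies: set = field(default_factory=set)


def build_current_profile() -> dict:
    """Constructed current profile for ADPS, reduced to the rows this example needs."""
    return {
        "PR.IP-4": ProfileRow(
            "PR.IP-4",
            "Information backup is conducted, maintained, and tested.",
            controls=["Offline, ransomware-resistant backup plan"],
            satisfies={"ISO 27001 A.12.3.1", "ISO 27001 A.17.1.2",
                       "ISO 27001 A.17.1.3", "ISO 27001 A.18.1.3"},
        ),
        # Assumed second row, so the report has a row the new mandates do not touch.
        "PR.AC-1": ProfileRow(
            "PR.AC-1",
            "Identities and credentials are managed (paraphrased).",
            controls=["Central identity provider with MFA"],
            satisfies={"ISO 27001 A.9.2.1"},
        ),
    }


def absorb_mandates(profile: dict, mandates: list) -> tuple:
    """Check new mandates against the current profile.

    Returns (covered, gaps). covered: mandate ref -> subcategories that already
    have a row (the mandate is recorded against that row, so one control now
    serves one more requirement). gaps: mandate ref -> subcategories with no
    row yet, i.e. the new rows or controls that must be added to the profile.
    """
    covered, gaps = {}, {}
    for m in mandates:
        for sub in m.subcategories:
            row = profile.get(sub)
            if row is None:
                gaps.setdefault(m.ref, []).append(sub)
            else:
                row.satisfies.add(m.ref)
                covered.setdefault(m.ref, []).append(sub)
    return covered, gaps


def controls_serving_many(profile: dict, minimum: int = 2) -> dict:
    """Rows whose single set of controls satisfies `minimum` or more requirements:
    the duplication that "secure once and comply many" removes."""
    return {sub: sorted(row.satisfies)
            for sub, row in profile.items() if len(row.satisfies) >= minimum}


if __name__ == "__main__":
    profile = build_current_profile()
    new_mandates = [
        Mandate("HIPAA", "164.308(a)(7)(ii)(A)", ("PR.IP-4",)),          # Data Backup Plan
        Mandate("Customer contract", "DSA 4.2", ("PR.IP-4", "PR.DS-1")),  # constructed
    ]
    covered, gaps = absorb_mandates(profile, new_mandates)
    print("already met by existing rows:", covered)
    print("new rows needed:", gaps)
    print("one control, many requirements:", controls_serving_many(profile))
```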
SUMMARY

In this chapter, we explored the concept of profiles within the NIST Cybersecurity Framework.

Profiles provide a customizable approach for organizations to align the framework with their specific goals, risk management strategies, and regulatory compliance requirements. The key components of a profile, including the core functions, categories, and subcategories, serve as the building blocks for defining cybersecurity activities and outcomes.

To create a tailored profile, you should use a step-by-step process to identify organizational requirements and objectives, evaluate the framework core, select and prioritize outcome categories, define subcategories and activities, establish performance goals and metrics, and document and implement the profile.

Profile templates can also be used as a starting point for organizations to create their own profiles, streamlining the profile development process. NIST has even created a handful of sector-specific profiles that can be used as profile templates in certain industries, including the Manufacturing Profile, Election Infrastructure Profile, Satellite Networks Profile, Smart Grid Profile, Connected Vehicle Profiles, Payroll Profile, Maritime Profile, and Communications Profile. These sector-specific profiles provide guidance and tailored recommendations for organizations operating in specific industries, helping them address the unique cybersecurity challenges they may face.

Lastly, the importance of aligning profiles with regulatory compliance requirements was discussed. By leveraging the NIST CSF profiles to support their compliance efforts, organizations can ensure that cybersecurity practices align with applicable laws, regulations, and industry standards.

Organizations can use profiles to tailor their implementation of the NIST Cybersecurity Framework to their specific needs and objectives, enhance their cybersecurity resilience, and effectively manage their risks. Profiles enable organizations to prioritize and focus their cybersecurity efforts while also supporting compliance requirements within their respective industries.

CHAPTER TEN

ASSESSING CYBERSECURITY RISK

In today’s digital landscape, organizations face a wide range of cybersecurity risks that can compromise their operations, assets, and reputation. Assessing these risks and implementing effective risk mitigations are essential steps toward ensuring the security and resilience of an organization’s systems and data.

In this chapter, we will apply the concepts covered in the previous chapters through a case study approach. By examining the cybersecurity risk landscape of Akylade Learning Company, an online asynchronous video training company, we will explore how to identify threats, vulnerabilities, and risks and recommend specific risk mitigations to enhance their cybersecurity posture. This practical and real-world example will help illustrate the process of assessing cybersecurity risk and making informed decisions to protect an organization’s assets and interests.

141

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
SE 3 2 CASE STUDY

Akylade Learning Company is a leading provider of online


D @g
asynchronous training programs that specializes in helping students prepare
FO m
for certification exams across various industries. As an e-learning platform,
Akylade Learning relies heavily on technology infrastructure, data storage,
R ail.

and online communication channels to deliver its training content to


US co

students worldwide. With a vast amount of sensitive student data, including


personal information and exam results, the company must prioritize
E m·

cybersecurity and safeguard its systems and data’s confidentiality, integrity,


ON A

and availability.
LY UG

However, like many organizations operating in the digital space,


BY 22,

Akylade Learning faces numerous cybersecurity risks. Threats such as data


breaches, ransomware attacks, and unauthorized access pose significant
: R 20

challenges to the company’s operations and reputation. Additionally,


AM 23

vulnerabilities in their technology infrastructure, employee awareness, and


third-party dependencies create potential entry points for cyberattacks. It is
ES

crucial for Akylade to conduct a thorough assessment of these threats and


H

vulnerabilities, identify the associated risks, and implement effective risk


mitigations to ensure the security and resilience of their operations.
AM

Through the case study of Akylade Learning, we will delve into the
GA

process of evaluating and addressing cybersecurity risks, providing insights


I

into the practical application of risk management principles and strategies.

It is important to note that this case study of the Akylade Learning


Company will serve as an illustrative example throughout this chapter,
focusing on a few selected risks and risk mitigations to provide a
comprehensive understanding of the cybersecurity risk assessment process,
as opposed to providing a full cyber risk assessment of the organization.

IDENTIFYING THREATS

As we dive into the cybersecurity risk assessment process for Akylade Learning, it is crucial to begin by identifying the potential threats that could jeopardize the organization’s systems, data, and operations. Threats encompass a wide range of malicious actors, events, or circumstances that can potentially exploit vulnerabilities and cause harm. By identifying these threats, Akylade Learning can clearly understand the risks they face and develop appropriate risk mitigations. Some of the threats the organization may encounter include malware and ransomware attacks, social engineering attacks, and attacks by insider threats.

The increasing prevalence of malware and ransomware poses a significant threat to Akylade Learning’s systems and data. Malicious software can infiltrate the organization’s networks, compromising the confidentiality and integrity of student information and potentially disrupting their training programs.

Cybercriminals may also attempt to exploit human vulnerabilities within the organization by employing social engineering techniques. Phishing emails, impersonation, and other forms of manipulation can deceive employees into divulging sensitive information or granting unauthorized access to systems.

While Akylade Learning trusts its employees, there is always a risk of insider threats. An employee with malicious intent or inadvertently negligent behavior can compromise the organization’s systems and data, potentially causing significant damage.

IDENTIFYING VULNERABILITIES

In addition to threats, it is crucial to identify vulnerabilities within Akylade Learning’s technology infrastructure, processes, and practices. Vulnerabilities are weaknesses or gaps in security measures that threat actors can exploit. By understanding these vulnerabilities, Akylade Learning can prioritize its efforts to strengthen its security posture. Some of these vulnerabilities could include inadequate patch management, weak access controls, and insecure third-party dependencies.

If the organization has an inadequate patch management program in place, then it may fail to promptly apply security patches and updates to software and systems, which can leave them exposed to known vulnerabilities. Outdated software versions could provide easy entry points for attackers seeking to exploit known vulnerabilities and are a common intrusion vector used by threat actors.

Another vulnerability could be that the organization is using weak access controls. Inadequate access controls and weak passwords could lead to unauthorized access to sensitive student data, accounting systems, or critical information technology systems. Insufficient authentication mechanisms or improper user privileges can also increase the risk of unauthorized access and are a commonly exploited vector used by threat actors.

Akylade Learning Company may also rely on numerous third-party vendors or service providers for various aspects of their operations, such as cloud hosting or payment processing. However, these dependencies can introduce vulnerabilities if the third-party organizations do not have robust cybersecurity measures in place. When an organization uses third-party services or software, these still must be considered as part of the organization’s overall attack surface. There have been numerous cases where a large organization has suffered a data breach simply because one of its smaller trusted third-party vendors didn’t secure its own systems. Once a threat actor is able to exploit the vendor, they can then pivot into the larger organization’s network to conduct further exploitation and attacks.

IDENTIFYING RISKS

Having identified the threats and vulnerabilities that Akylade Learning Company may encounter, the next step is to analyze and determine the specific risks faced by the organization. By combining the identified threats and vulnerabilities, we can assess the potential impact of these risks on Akylade Learning's operations and objectives. This process involves evaluating the likelihood of each risk occurring and the potential consequences if they were to materialize.

To effectively identify risks, we will move through combining threats and vulnerabilities to determine which will affect the organization, conduct an assessment of the likelihood of each risk occurring, conduct an impact assessment for each risk, and then perform a risk prioritization to determine which risks should be addressed first.

First, we want to identify all of the threats and vulnerabilities during our initial assessment of the organization, and then we will assess how they intersect and create specific risks. Remember, if there is a threat without a vulnerability, or a vulnerability without a threat, then there is no risk. So, by identifying that the threat of a malware attack exists, and it can be combined with an identified vulnerability of inadequate patch management within the organization, this indicates an increased risk of a successful malware intrusion and a potential data compromise that could occur.

Next, we should determine the likelihood of a risk occurring by evaluating the probability of the associated threat exploiting the identified vulnerability. This assessment considers factors such as the prevalence of similar attacks, the effectiveness of existing security controls, and any historical data or trends relevant to the organization's industry.

After that, we want to assess the potential impact of each risk by considering the potential consequences in terms of financial, operational, reputational, and regulatory aspects. The impact assessment helps prioritize risks based on their potential severity and the magnitude of their potential impact on the organization and its operations.

Then, we should conduct risk prioritization. With a comprehensive understanding of these identified risks, it is essential to prioritize them based on their significance to the organization's objectives. This prioritization ensures that resources and efforts are allocated effectively to mitigate the most critical risks first. Factors considered during prioritization include the likelihood, potential impact, strategic importance, and the organization's risk appetite.

By following these steps, Akylade Learning can gain a clear understanding of the risks they face and develop an informed risk management strategy.
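The four steps above (pair threats with vulnerabilities, rate likelihood, rate impact, prioritize against the risk appetite) as an added example in Python, not code from the book: the threat and vulnerability names are the ones the chapter lists for Akylade Learning, but the weakness classes, the low/medium/high ratings, the scoring arithmetic and the appetite threshold are constructed assumptions, not a published method.

```python
"""Risk identification and prioritization for the Akylade Learning case study.

Added example; not from the book. The inventory below reuses the threats and
vulnerabilities named in the chapter, but the weakness classes, the ratings,
the scoring arithmetic and the risk appetite are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import product

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset    # weakness classes this threat is able to exploit
    prevalence: str        # how common similar attacks are: low/medium/high


@dataclass(frozen=True)
class Vulnerability:
    name: str
    weakness: str          # weakness class a threat would need to target
    control_strength: str  # effectiveness of existing controls: low/medium/high
    impact: str            # consequence if exploited: low/medium/high


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    likelihood: int        # 1..3
    impact: int            # 1..3

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def pair_threats_and_vulnerabilities(threats, vulns):
    """Step 1: a risk exists only where a threat meets a vulnerability it can
    exploit. A threat with nothing to exploit, or a vulnerability no threat
    targets, drops out here and never becomes a risk."""
    return [(t, v) for t, v in product(threats, vulns) if v.weakness in t.exploits]


def likelihood(t: Threat, v: Vulnerability) -> int:
    """Step 2: start from the prevalence of similar attacks and reduce it by
    the strength of the controls already in place (never below 1)."""
    return max(1, LEVEL[t.prevalence] - (LEVEL[v.control_strength] - 1))


def identify_risks(threats, vulns):
    """Steps 1 to 3: every threat/vulnerability intersection becomes a Risk
    with a likelihood and an impact rating."""
    return [Risk(t.name, v.name, likelihood(t, v), LEVEL[v.impact])
            for t, v in pair_threats_and_vulnerabilities(threats, vulns)]


def prioritize(risks, appetite: int):
    """Step 4: order by score (then impact, then name), and split off the
    risks whose score is within the organization's appetite as accepted."""
    ordered = sorted(risks, key=lambda r: (-r.score, -r.impact, r.threat))
    treat = [r for r in ordered if r.score > appetite]
    accept = [r for r in ordered if r.score <= appetite]
    return treat, accept


# Constructed inventory for the case study.
AKYLADE_THREATS = [
    Threat("Malware and ransomware", frozenset({"unpatched-software", "weak-access-control"}), "high"),
    Threat("Social engineering", frozenset({"weak-access-control"}), "high"),
    Threat("Insider threat", frozenset({"weak-access-control"}), "medium"),
    Threat("Vendor compromise", frozenset({"insecure-third-party"}), "medium"),
]
AKYLADE_VULNS = [
    Vulnerability("Inadequate patch management", "unpatched-software", "low", "high"),
    Vulnerability("Weak access controls", "weak-access-control", "medium", "high"),
    Vulnerability("Insecure third-party dependency", "insecure-third-party", "medium", "medium"),
    # Assumed weakness that none of the listed threats can reach: it yields no risk.
    Vulnerability("Legacy device on an isolated network", "isolated-legacy-device", "high", "low"),
]

if __name__ == "__main__":
    treat, accept = prioritize(identify_risks(AKYLADE_THREATS, AKYLADE_VULNS), appetite=4)
    for r in treat:
        print(f"TREAT  score={r.score} {r.threat} x {r.vulnerability}")
    for r in accept:
        print(f"ACCEPT score={r.score} {r.threat} x {r.vulnerability}")
```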

RECOMMENDATIONS FOR RISK MITIGATION

Based on the identified risks to the organization, it is crucial to propose specific risk mitigation measures that can help minimize the potential impact and likelihood of these risks. A cyber resilience professional should outline targeted strategies to address each identified risk effectively by including risk mitigation measures, the rationale for the recommended risk mitigation measures, and aligning the recommended mitigations with the organization’s objectives and risk appetite.

For each identified risk, tailored risk mitigation measures should be implemented. These measures may include technical controls, process improvements, policy enhancements, and employee awareness and training initiatives. For example, to mitigate the risk of data breaches resulting from inadequate access controls, implementing multi-factor authentication, regular access reviews, and employee cybersecurity training programs can significantly reduce this identified risk.

It is also important to explain the underlying rationale behind each recommended risk mitigation strategy. A cyber resilience professional should highlight the specific benefits and advantages that these risk mitigation measures offer in addressing the identified risks. For instance, implementing regular data backups and disaster recovery mechanisms can mitigate the risk of data loss or system failures, ensuring business continuity and reducing the impact of potential disruptions.

The recommended risk mitigation measures need to be aligned with Akylade Learning Company's strategic objectives and risk tolerance. Each recommendation should be evaluated in terms of its feasibility, cost-effectiveness, and potential impact on the organization's operations. It is crucial to consider the organization's risk appetite and ensure that the proposed mitigations strike a balance between enhancing cybersecurity resilience and maintaining the organization’s operational efficiency.

By implementing these recommendations, Akylade Learning Company can proactively address the identified risks and improve their cybersecurity posture. It is essential to regularly review and update the risk mitigation measures as the threat landscape evolves and new risks emerge.

146

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
MASTERING CYBER RESILIENCE

BENEFITS AND TRADE-OFFS OF RISK MITIGATION

When considering the implementation of recommended risk mitigations for an organization, it is essential to assess the anticipated benefits and understand the trade-offs associated with each strategy. It is also important that you have a solid methodology to aid in your decision-making process.

As you develop your risk mitigation recommendations, it is important to realize that each recommended risk mitigation strategy offers specific benefits that contribute to improving the organization’s cybersecurity resilience. These benefits may include enhanced data protection, reduced likelihood of security incidents, improved business continuity, increased customer trust, and regulatory compliance. For example, implementing regular vulnerability assessments and patch management processes can reduce the risk of exploitation by cyber threats, ensuring the integrity and availability of Akylade Learning Company’s systems and data.

On the other hand, it is important to acknowledge that implementing certain risk mitigations may also involve trade-offs or challenges. These trade-offs can manifest in various ways, such as increased costs, additional resource requirements, changes in user experience, or potential disruptions to existing workflows. For instance, implementing stringent access controls may introduce additional authentication steps, potentially impacting user convenience or locking out legacy systems completely if they cannot technically support the updated authentication process. Therefore, it is crucial to carefully evaluate and balance the potential trade-offs against the anticipated benefits while considering the organization’s specific context and priorities.

The decision-making process for selecting or prioritizing specific risk mitigations involves considering factors such as the potential impact on risk reduction, cost-effectiveness, feasibility, and alignment with organizational goals. It requires thoroughly analyzing the benefits, trade-offs, and the organization’s risk appetite. A structured approach, such as conducting a cost-benefit analysis or risk assessment, can aid in the decision-making process and ensure that the chosen risk mitigations align with the organization’s overall risk management strategy.

By understanding the anticipated benefits and trade-offs of the recommended risk mitigations, Akylade Learning Company can make more informed decisions when selecting and prioritizing specific risk mitigation strategies. It is important to involve relevant stakeholders, including executive leadership and management, information technology teams, and the organization’s end-users, in the decision-making process to ensure a comprehensive evaluation of the potential impacts and trade-offs associated with each risk mitigation strategy.

EVALUATING THE EFFECTIVENESS OF RISK MITIGATION

Once risk mitigations have been implemented at Akylade Learning, assessing their effectiveness in reducing risks and achieving the desired outcomes is crucial. This evaluation process involves establishing evaluation criteria, conducting post-implementation assessments, and analyzing the success of the implemented measures.

Clear evaluation criteria need to be established to evaluate the effectiveness of risk mitigations. These criteria should be aligned with the objectives set during the risk mitigation planning phase. Common evaluation criteria include:

• The reduction in the likelihood or impact of identified risks.
• The improvement of system resilience and availability.
• The level of compliance with relevant regulations or standards.
• The overall cost-effectiveness of the implemented measures.

Post-implementation assessments are then conducted to measure the impact of the implemented risk mitigations and identify gaps or areas requiring further attention. These assessments may involve various methods, such as security audits, vulnerability scans, penetration testing, and incident response exercises. The findings from these assessments provide valuable insights into the implemented measures' effectiveness and help identify areas for potential improvements.

Next, the cyber resilience professional should conduct an analysis of the implemented measures that focuses on evaluating their success in reducing the identified risks. This analysis may involve comparing pre-implementation risk levels with post-implementation levels, evaluating incident trends and patterns, and gathering feedback from various stakeholders. By analyzing these factors, Akylade Learning will be able to determine the overall effectiveness of the implemented risk mitigations and identify any adjustments or additional measures needed to further reduce risks.

By regularly evaluating the effectiveness of risk mitigations, Akylade Learning can ensure that the implemented measures continue to address the identified risks and meet their desired objectives. This allows the organization to make informed decisions on refining and improving its risk mitigation strategies by establishing clear evaluation criteria, conducting thorough assessments, and analyzing the success of implemented measures. This process is not necessarily linear, though. It is also important to iterate and adapt the risk management approach as new threats emerge, technologies evolve, and the organization’s risk landscape changes.

DEVELOPING A RISK MANAGEMENT PLAN

To effectively manage risks, the Akylade Learning Company will need to develop a comprehensive risk management plan tailored to its specific needs and objectives. The creation of a risk management plan includes:

• Outlining the key components of the plan.
• Defining roles and responsibilities within it.
• Describing the processes and procedures for ongoing risk monitoring and assessment.

The risk management plan for Akylade Learning should include key components such as risk identification methods, risk assessment criteria, risk treatment strategies, and risk monitoring and review processes. These components provide a structured approach to managing risks and ensure consistency in risk management practices throughout the organization.

Next, it is imperative that the organization clearly defines the roles and responsibilities involved to be able to effectively conduct risk management. The risk management plan should identify the individuals or teams responsible for different aspects of risk management, including risk identification, assessment, treatment, and monitoring. This helps ensure accountability and promotes a shared understanding of everyone’s roles in mitigating risks.

Risk management is considered an ongoing process that requires continuous monitoring and assessment. The risk management plan should outline the processes and procedures for regularly monitoring risks, reviewing control effectiveness, and assessing the organization's overall risk posture. This may involve regular risk assessments, vulnerability scans, threat intelligence gathering, and incident reporting mechanisms. By consistently monitoring risks, the organization can identify emerging threats, evaluate the effectiveness of implemented controls, and adapt its risk management approach accordingly.

By developing a robust risk management plan, the Akylade Learning Company can proactively identify and address risks, protect its assets and operations, and make informed decisions to minimize potential disruptions. The plan serves as a guide for risk management activities, ensuring a systematic and structured approach to addressing risks throughout the organization. It also enables effective communication and coordination among stakeholders, facilitating a shared understanding of the organization’s risk management objectives and strategies.

DEVELOPING A CYBERSECURITY STRATEGY

Once the risk management plan has been completed, it is time to develop a comprehensive cybersecurity strategy to effectively protect against cybersecurity threats and ensure a robust security posture within the company. This involves integrating risk management practices into the overall strategic plan, addressing the identified risks and mitigations, and aligning the cybersecurity strategy with the organization’s objectives and risk appetite.

Risk management and cybersecurity are closely intertwined, and the cybersecurity strategy should also incorporate risk management practices. By integrating risk assessment, mitigation, and monitoring into the cybersecurity strategy, Akylade Learning can ensure that cybersecurity measures are aligned with the organization’s risk profile and business objectives. This includes identifying high-priority risks, determining the most effective controls, and establishing processes to continuously evaluate and improve cybersecurity measures.

The cybersecurity strategy should specifically address the identified risks and recommended risk mitigations. It outlines the measures and controls that will be implemented to protect against these risks, considering factors such as technology, processes, policies, and people. The strategy should also include clear guidance on implementing and enforcing security controls to mitigate risks effectively.

The cybersecurity strategy being developed needs to align with the organization’s overall objectives and risk appetite. This strategy needs to take into account the organization’s industry regulations, compliance requirements, and customer expectations. The strategy should also consider cybersecurity incidents' financial, operational, and reputational impacts and align risk management efforts with the organization’s risk tolerance.

The Akylade Learning Company can establish a proactive and holistic approach to cybersecurity by developing a cybersecurity strategy that integrates risk management practices. The strategy provides a roadmap for implementing security measures, addressing identified risks, and aligning cybersecurity efforts with the organization’s goals. It also ensures that cybersecurity becomes an integral part of the organization’s overall strategic planning process, effectively protecting sensitive data, systems, and operations.

SUMMARY

In this chapter, we looked at a case study focused on a fictional company, Akylade Learning Company, to explore the process of assessing cybersecurity risks and recommending risk mitigations. We began by identifying threats and vulnerabilities specific to the organization and thoroughly examining their risks. With a clear understanding of the risks, we proceeded to propose targeted risk mitigation strategies tailored to Akylade Learning’s unique circumstances.

Throughout the chapter, we emphasized the significance of taking a systematic and tailored approach to manage risks. Organizations can comprehensively understand their risk landscape by combining threat identification, vulnerability assessment, and risk analysis. This enables them to prioritize risks based on their potential impact and likelihood, directing their efforts and resources toward the most critical areas.

Furthermore, we highlighted the ongoing nature of risk management. Cybersecurity risks evolve continuously, making it essential for organizations to establish a continuous monitoring and adaptation culture. The recommended risk mitigation strategies should be regularly assessed for their effectiveness, with adjustments made as necessary to ensure optimal protection.

Following the case study process outlined in this chapter, organizations can strengthen their cybersecurity posture and effectively safeguard their assets. A systematic approach to risk management and tailored risk mitigations enables organizations like Akylade Learning Company to mitigate threats, reduce vulnerabilities, and create a more resilient cybersecurity foundation.

PART TWO

THE CR-MAP

CHAPTER ELEVEN

THE CR-MAP PROCESS

Expeditors, a Fortune 500 logistics company, operates as a global freight travel agent, managing freight movements across air, sea, and ground transportation. With a workforce of approximately 18,000 employees, they handle various forms of freight, including ocean, air, road, and rail shipments.

Picture those towering stacks of 40-foot-long steel intermodal shipping containers commonly seen at waterfronts and truck yards. Expeditors is a crucial link in the supply chain for some of its customers, playing a tightly integrated role.

On February 20, 2022, Expeditors made a distressing announcement that its entire global computer network had experienced a complete outage. The outage lasted for three weeks, during which they gradually restored enough functionality to resume serving customers, including basic bookkeeping and accounting tasks. However, it took several additional weeks to fully restore their systems’ functionality.

The company openly admitted that the cyberattack it suffered could have a significant negative impact on its financial results. Unfortunately, the impact has been tangible and continues to mount. Expeditors have already incurred losses of $47 million due to disrupted business operations and fines caused by the accumulation of shipping containers in depots and terminals worldwide.

Additionally, they have spent $18 million on investigating and recovering from the incident and covering shipping-related claims. The total cost, which stands at $65 million and continues to rise, is being directly deducted from their cash flow as they did not possess cyber insurance.

In April 2023, one of Expeditors’ customers, iRobot Corp., the renowned Roomba robot vacuum cleaner manufacturer, filed a $2.1 million lawsuit against the logistics provider. The lawsuit alleged that Expeditors had breached contractual obligations to ship products and provide real-time inventory data over their 15-year partnership.

iRobot specifically accused Expeditors of inattentiveness and negligence, which exposed their systems to the cyberattack. Furthermore, Expeditors was said to lack a proper business continuity plan to ensure uninterrupted services to iRobot. As a result, iRobot had to physically count their products at Expeditors’ warehouses and arrange to load nearly 12,000 pallets into 207 rented tractor-trailers to fulfill customer orders. The delayed deliveries forced iRobot to refund retailers an amount of $900,000 and spend an additional $23,000 on expedited shipping to reach consumers directly.

According to their contract, Expeditors was obligated to receive iRobot’s new products, store and maintain them, and ship them to customers within 24 hours of order receipt. Additionally, Expeditors had to update their system within four hours of any order or stock movement. However, when Expeditors shut down its operating systems, all the services iRobot relied on suddenly stopped. Products in transit were left idle, and customer orders went unfulfilled.

To fulfill their customer commitments, iRobot had to switch to a new logistics provider, incurring an additional cost of $1.1 million. Despite their best efforts to mitigate the effects of Expeditors’ failure, iRobot faced an extra $1 million in storage costs and back charges from retailers.

iRobot claims that Expeditors’ 10-K filing had identified the cyberattack as a foreseeable risk. Yet, the company failed to implement any risk mitigation measures. As a result, iRobot is seeking a minimum compensation of $2.1 million, along with interest at the statutory rate of 9% from the breach date, as well as court and legal fees.

While the outcome of the lawsuit may remain undisclosed due to potential out-of-court settlements, the public release of the details underscores the severe financial consequences Expeditors has faced due to their lack of cyber resilience.

REASONABLE AND REPEATABLE CYBERSECURITY PRACTICES

As we have witnessed, the magnitude of cyber threats continues to rise. It is projected to increase further in the years ahead. Recognizing this new reality, the United States government introduced the NIST Cybersecurity Framework, emphasizing the need for reasonable cybersecurity practices rather than solely relying on prevention measures. This framework was developed as a response to the escalating cyber threat landscape. It provided organizations with a flexible and adaptable approach to effectively manage cyber risks. As either a cyber resilience professional or an executive leader, it is crucial to understand and adhere to this new standard in dealing with cyber risks, as formidable forces are at play.

On one side, adversaries persistently launch cyber attacks, making it inevitable that your organization will experience a breach at some point. Therefore, alongside your ongoing prevention efforts, preparing for the eventuality of a breach without prior warning is essential, as your public reputation is at stake.

To emphasize the human factor in cybersecurity, it is imperative to cultivate a culture within your organization that values daily cyber hygiene and the practice of reasonable cybersecurity. This includes raising employee awareness, providing regular training programs, and fostering a sense of responsibility among all staff members to actively participate in protecting the organization’s digital assets. Organizations can significantly strengthen their defense against cyber threats by developing a cyber-resilient culture.

On the other side, the Federal Trade Commission (FTC) mandates that organizations implement “reasonable security measures” based on their size, sophistication, and data collection practices. Failure to comply may result in charges of unfair or deceptive acts, leading to severe consequences such as corrective orders, extensive oversight of cybersecurity programs for up to two decades, and fines of up to $40,000 per violation.

What follows is not just a theoretical concept or hypothetical scenario; it is a proven system that has helped numerous organizations around the globe to get a handle on their cybersecurity risks. As the threat landscape continues to evolve, it is no longer enough to focus solely on good cyber hygiene and defense.

Instead, your organization must demonstrate that it uses reasonable cybersecurity practices and has a repeatable approach to maintaining its cyber resiliency. Documentation and implementation are critical, as they provide evidence of your cybersecurity practices, especially in situations such as potential acquisitions or investigations.

Furthermore, it is imperative to cultivate a culture within your organization that values daily cyber hygiene and the practice of reasonable cybersecurity. You can thrive amidst evolving cyber risks by gaining insights from the front lines and using that information to drive necessary changes. As noted by leadership expert John P. Kotter, effective leadership lies in facilitating meaningful change.

Within your grasp, you hold a practical guide that will assist you in implementing and documenting your cybersecurity plan to such a degree that it not only safeguards against reasonable threats but protects you during potential acquisitions and investigations.

THREE PHASES OF THE CYBER RISK MANAGEMENT ACTION PLAN

To establish a robust cyber resilience program within your organization, you should consider implementing the Cyber Risk Management Action Plan (CR-MAP) process. This process will significantly enhance your organization’s cybersecurity while positively impacting your bottom line and saving substantial time.

This comprehensive plan encompasses three distinct phases and serves as a practical roadmap to managing cyber risks effectively. These phases are discovering your top cyber risks, making your cyber risk management action plan, and performing maintenance and updates.

The first phase of the CR-MAP is to discover your top cyber risks. This phase spans a period of thirty days. It focuses on assessing and evaluating your company’s existing cyber risks. As an executive, you encounter infinite cyber risks that can impact your organization, but it is crucial to prioritize them effectively, given your limited resources. During this phase, your goal is to develop a rigorous prioritization method to determine your company's most critical risks.

The second phase of the CR-MAP is used to make your cyber risk management action plan itself. This phase also lasts thirty days and involves the creation of a personalized cyber risk management strategy tailored to your organization’s specific needs. This strategy should address the top five cyber risks identified in the previous phase. Throughout this phase, you will ensure that every dollar invested in cyber risk management provides maximum value in mitigating one of the prioritized risks. Your strategy will encompass four key dimensions of business value: technical risk mitigation, enhanced operational reliability, legal risk mitigation, and financial returns. By adopting reasonable cybersecurity practices, you will manage your risks effectively and improve your competitive advantage.

The third phase of the CR-MAP is used to conduct maintenance and updates to the organization’s cybersecurity posture and its cyber risk management action plan. This phase spans a period of at least ten months, and when combined with phase one and phase two of the CR-MAP process, it completes the first-year cycle of the three-phase plan. Cybersecurity is an ongoing journey, and phase three of the CR-MAP emphasizes the importance of implementing, maintaining, and continuously improving your organization’s risk management strategy.

Throughout phase three, regular monthly check-ins and comprehensive quarterly reviews will be conducted to monitor your organization's progress. If any gaps or challenges arise in implementing the cyber risk management action plan effectively, this maintenance phase offers an opportunity to investigate the underlying reasons and develop corrective measures to regain momentum. Additionally, it serves as a platform to acknowledge and celebrate your company’s achievements in managing cyber risks.

By following this comprehensive approach and committing to ongoing vigilance, you can bolster your organization’s cyber resilience and ensure effective management of cyber risks in a rapidly evolving threat landscape.

THE THIRTEENTH MONTH

After successfully concluding the third phase, which signifies the completion of an entire year (or more) since commencing the first phase of the CR-MAP, you might question whether the journey has come to an end. What awaits you beyond this point?

The answer is straightforward: you must return to the first phase and repeat the three-phase CR-MAP process. Time after time, you will persistently strive for improvement and progress.

It is important to note that the progress made during the first year does not go to waste. On the contrary, based on the cyber risk management action plan you have developed, more work is likely needed to refine and enhance your cyber risk management efforts. It would be a misstep to simply halt the process at this stage and claim victory.

After all, cyber risks continually evolve as adversaries innovate, and your business can also undergo drastic changes over time. Additionally, the interview process and discussions surrounding cyber risks serve as valuable reminders for your employees regarding the significance of practicing good cyber hygiene and maintaining reasonable cybersecurity practices.

Therefore, it is prudent to embrace the structured, systematic, and comprehensive approach provided by the cyber risk management action plan on an annual basis within your organization. Repeating the three phases each year ensures that your organization remains resilient and adaptive to evolving cyber threats while continuously improving your cyber risk management capabilities.


THE FIVE QUESTIONS

Once you have created your cyber risk management action plan, you should be able to confidently answer the following five questions:

1. What are the top five cyber risks to my organization?
2. Am I getting the biggest return possible for my cyber risk management dollars?
3. Do all our organization’s executives and leaders understand our cybersecurity plans?
4. Does everyone at work know how they can help to mitigate our top cyber risks?
5. What do I tell our biggest customers or stakeholders when they ask, “What are you all doing about cybersecurity?”

These five questions serve as a crucial checkpoint for evaluating the effectiveness of your organization’s cyber risk management action plan. By confidently answering these questions, you demonstrate a strong understanding of your top cyber risks, the return on investment for your cyber risk management efforts, the level of awareness and understanding among executives and leaders, the engagement of all employees in mitigating cyber risks, and your ability to communicate your cybersecurity measures to key stakeholders.

These questions are used to guide you in assessing the comprehensiveness and alignment of your cybersecurity practices, ensuring that your organization is well-prepared to navigate the evolving threat landscape and meet the expectations of its customers and stakeholders. Continually revisiting and refining your responses to these questions can enhance your organization’s cyber resilience and maintain a proactive and informed approach to cybersecurity.


US co

ATTORNEY-CLIENT PRIVILEGE
E m·
ON A

Trying to actively manage every cyber risk facing your company


can be overwhelming. However, even by working through the cyber risk
LY UG

management action plan process and identifying your risks, you will already
BY 22,

be ahead of most other organizations in terms of cyber risk management.


: R 20

Before delving into the process, it is crucial to understand the


AM 23

concept of attorney-client privilege and its potential role in protecting


yourself and your organization. If one of your identified cyber risks
ES

manifests as a data breach, failure to prioritize that risk in your cyber risk
management game plan could lead to accusations of negligence, both legally
H

and in the court of public opinion. By conducting this work under attorney-
AM

client privilege, you retain control over your cyber risk records. You can
navigate any potential requests for a copy of those records as potential
GA

evidence.
I

It is important to note that establishing attorney-client privilege


over your cyber risk management records may also come with certain
disadvantages, such as increased costs and potentially longer timelines to
complete the work. While the authors are not lawyers ourselves, we do
recommend that you check with your organization’s in-house counsel or
consider hiring an outside attorney with cybersecurity expertise to assist in
establishing attorney-client privilege for your organization’s cyber risk
management activities. Other practical steps you can take include outlining
contractual arrangements with qualified cyber risk experts and adhering to
the attorney’s instructions regarding the handling and sharing of cyber risk
information to ensure you do not break attorney-client privilege when
working on your organization’s cyber risk management action plan.

While it is essential to clarify that this is not legal advice, organizations can begin the process by engaging an outside attorney who can guide them through the necessary steps. The attorney can then contract with a qualified cyber risk expert to perform the work detailed as part of your cyber risk management action plan and to ensure that the arrangements are properly established and followed to protect your organization’s attorney-client privilege status.


By incorporating attorney-client privilege into your cyber risk management practices, you can add an extra layer of protection and maintain control over your cyber risk records, bolstering your organization’s ability to respond effectively to potential legal challenges and safeguarding your reputation in the face of cyber incidents.

SUMMARY

This chapter introduced the three-phase cyber risk management action plan (CR-MAP) process. The first phase focuses on discovering and assessing the top cyber risks faced by the organization. This phase involves prioritizing risks to allocate limited resources effectively. The second phase involves creating a personalized cyber risk management action plan that addresses the top five risks identified in phase one. This plan considers various dimensions of business value and aims to mitigate risks while enhancing operational reliability and competitive advantage. The third phase emphasizes the importance of maintaining, updating, and continuously improving the organization’s cybersecurity posture and risk management strategy.

The concept of the thirteenth month was introduced to emphasize
the need for an ongoing and iterative approach to cyber risk management.
Rather than considering the completion of the initial three-phase cycle as
the end of the journey, organizations are encouraged to repeat the CR-MAP
process annually. This repetition ensures continual improvement and
adaptation to evolving cyber threats and the alignment of cyber risk
management efforts with changing business dynamics.

In summary, the CR-MAP process provides organizations with a structured and comprehensive framework to strengthen their cyber resilience. By systematically identifying and managing cyber risks, organizations can proactively mitigate potential incidents, safeguard valuable assets, and sustain a competitive advantage in the modern digital landscape. However, it is vital to emphasize the significance of perpetual vigilance, continuous improvement, and the ingrained integration of cybersecurity practices into the organization’s culture to effectively achieve these objectives.

CHAPTER TWELVE

PHASE 1: DISCOVERING TOP CYBER RISKS


Phase 1, which takes place over the course of thirty days, consists of measuring and scoring your company’s current cyber risks. As an executive, you encounter unlimited risks to your company, but your resources to manage those risks are limited, so you need a strict prioritization method. That’s what you’ll develop in phase 1: priority.

The first phase of the Cyber Risk Management Action Plan (CR-
MAP) spans thirty days. It marks the critical stage of measuring and scoring
your company’s existing cyber risks.

As a cyber resilience professional, you should be well aware of the
countless risks that can impact an organization. However, the resources
available to manage these risks are limited; thus, a rigorous prioritization
method is required to determine which risks will receive which resources to
help mitigate, transfer, avoid, or accept those identified risks.

During the first phase of the CR-MAP process, our goal is “Discovering Top Cyber Risks” within the organization. This will help us as we embark on the journey of establishing clear priorities for our cyber risk management strategy. By the end of this phase, we will have a comprehensive understanding of the most significant risks an organization faces and be equipped with the necessary insights to allocate organizational resources effectively.

The first phase of the cyber risk management action plan includes eight steps:

1. Widen Your Scope

2. Get Buy-In

3. Select Interviewees

4. Generate the Questionnaire

5. Determine Your Target Scores

6. Conduct the Interviews

7. Compile and Average the Scores

8. Communicate Your Top Five Cyber Risks

Let us delve into the intricacies of Phase 1 and explore how this
foundational phase and its eight steps can set the stage for a resilient and
proactive approach to managing cyber risks.

STEP 1: WIDEN YOUR SCOPE

Before laying the foundation of your cyber risk management game plan, it is crucial to broaden the scope of what you want to measure and evaluate within the organization. When guiding stakeholders through the CR-MAP process, we often find that they have a narrow focus primarily centered on improving their technological defenses. They may prioritize protecting customer credit card information or preventing the leakage of user password data while completely overlooking other key and important areas of risk. While these technical defenses are important considerations, we always encourage organizations to expand their scope and measure every facet of their cybersecurity risk posture when embarking on creating a cyber risk management action plan.

This broader perspective encompasses a comprehensive assessment of the people, processes, management, and technology used by the organization to achieve its mission. The people perspective focuses on the organization’s employees and their awareness and adherence to cybersecurity practices. The process perspective is used to evaluate the effectiveness of established procedures and protocols. The management perspective is focused on the organizational leadership’s commitment and oversight of cybersecurity initiatives. The technology perspective assesses the robustness of the technological systems and infrastructure.

It is essential to recognize that cybersecurity encompasses more than just technological aspects. An organization must include all of its digital assets, such as customer data, payroll data, reputation, and trade secrets, within the purview of its assessment. Moreover, involving all departments across the organization is crucial, ensuring a holistic understanding and involvement in cybersecurity efforts.

We recommend incorporating all twenty-three categories outlined in the NIST Cybersecurity Framework to guide your assessment. While this assessment is not an external audit or a response to regulatory requirements, it is a conscious choice you make to enhance your cybersecurity. Therefore, embracing a more comprehensive approach is prudent as you begin developing your cyber risk management action plan.

Transparency and open communication are paramount. If any
information is hidden or withheld, it will only hinder your progress and
jeopardize the effectiveness of your cybersecurity initiatives. By adopting
this inclusive approach and thoroughly examining all facets of your
organization’s cybersecurity, you demonstrate a commitment to
comprehensive protection and lay the groundwork for a robust cyber risk
management game plan.

STEP 2: GET BUY-IN

This cyber risk management action plan you are developing simply will not work without buy-in from your employees. Gathering this buy-in begins with the tone and approach you adopt when engaging with the organization’s stakeholders. Your ability to foster a collaborative mindset is essential when you distribute questionnaires and seek open and honest input on their perceptions and activities within the company. The way you communicate about the organization’s new action plan will set the stage for a more collaborative approach.

You will want to conduct an assessment, not an audit. Some people
use the terms audit and assessment synonymously, but we don’t. To us,
they’re strikingly dissimilar.

Most insiders assume an audit involves an external evaluation aimed at finding faults within the organization. An audit generally puts people on the defensive.

Assessments, however, are different. Assessments are internal management actions focused on identifying areas for improvement. Even if an outsider assists with the assessment, the assessment process itself remains owned by management, is internally focused, and is focused on a different objective than audits.

When reaching out to the organization’s employees for the first time, having an internal champion assist with getting the initial message out to the potential interviewees can be helpful. This is extremely helpful if you are being brought in as part of an outside consulting team that doesn’t already have strong relationships within the organization or with its affected stakeholders.

In our experience, having someone from the C-suite (CEO, COO, CFO, CIO, or CISO) send out the initial interview selection email can effectively garner initial support. Given below, for your reference and review, is a sample email template the organization’s leadership can use.

It is important to ensure the team knows you’re not here as an adversary or to cause them issues. Instead, you are simply asking questions in order to gather valuable information. To that end, you should be open about the process your company is undertaking, and your email communication should reflect that open, collaborative spirit. You will inevitably get questions in return, many of which will spawn from people’s anxieties about being interviewed. Be sure that your response to those questions reinforces the collaborative nature of the interview.

Sample Email Template

To: All Hands
From: CEO
Re: Cyber Risk Assessment

Hello team,

I am extremely concerned about our cybersecurity, and I hope you are, too. The crooks are out there, and we can’t even begin to imagine how they are penetrating companies, stealing trade secrets, money, and customer lists, and generally disrupting businesses.

In order to combat this, we are implementing a cyber risk management action plan. Our first step to implementing that plan is to conduct interviews with many of you so we can fully assess our current cyber risks.

These interviews aim to learn how we can best balance our cybersecurity needs with our day-to-day business needs. Each interview will take 30–90 minutes and will be conducted in person here in [city] or via video call, as necessary.

[Point of contact name] will coordinate with each of you to find a workable time slot for your interview.


If you have any questions about the program itself, let me know. If you have questions about the logistics of the interviews, let [point of contact name] know.

Thank you!

[Your name]

STEP 3: SELECT INTERVIEWEES

During the first phase of the cyber risk management action plan,
you must determine the right individuals to interview during your
assessment. The number and type of interviews conducted will depend on
the size and revenue of your company.

As a general guideline, conducting fifteen to twenty in-person
interviews is recommended if your company has an annual revenue of
approximately $100 million. If your annual revenue is less than $10 million,
forming a group of around six individuals to generate scores is considered a
reasonable approach.

If you are working with a larger organization with revenues of over $1 billion annually, sending out electronic questionnaires instead of conducting in-person interviews may be a more cost-effective option. Online platforms like Survey Monkey or Google Forms can be utilized for administering questionnaires in an asynchronous and passive manner.

Alternatively, if you are working with a non-profit or any other organization where the ratio of revenue to interviews would drastically skew the number of interviews you might conduct, you can use a different guideline to select the appropriate number of employees to interview.

For example, we have worked with several non-profits where we have used guidelines based on a percentage of their total staff size instead of relying on the revenue targets listed above. In these cases, we have found that an interview ratio of 1:5 is appropriate if the organization has 50 or fewer staff members. If the organization has between 51 and 1,000 staff members, then a ratio of 1:10 is more appropriate. As you begin to work with larger organizations, you should continue to increase the ratio, thereby decreasing the overall number of interviews needing to be conducted. Again, these are loose guidelines that you can adjust based on your target organization’s needs and specific use case.


When selecting interviewees, it is important to focus on middle managers and senior-level individual contributors from key departments such as finance, human resources, operations, and information technology. These individuals, whom we will refer to as the organization’s cyber risk experts, possess valuable knowledge of the cyber risk practices occurring at the operational level. While they may not be cybersecurity experts, they offer firsthand insight into a given organization's cyber risk landscape. They are also, in fact, internal influencers. This means the very act of interviewing them will make them better cyber risk managers, and this will shift your culture toward more reasonable cybersecurity.

We have found these middle managers and senior-level individual
contributors to be at the sweet spot for providing us with all kinds of
valuable information during the interview process. If you instead choose
more junior-level employees, they might lack the necessary perspective to
provide substantial input. On the other hand, if you interview only senior
executives, they are often more detached from day-to-day operations and
don’t fully understand the operational cyber risks that exist within the
organization.

If your organization operates across multiple geographic locations, it is essential to also include experts from different regions to capture a more comprehensive understanding of the organization’s complete cyber risk landscape. By selecting the right individuals for interviews, you ensure that you gather insights from those who possess relevant knowledge and can contribute meaningful perspectives to developing the organization’s new cyber risk management action plan.


STEP 4: GENERATE THE QUESTIONNAIRE

The questionnaire administered during the interviews plays a pivotal role in collecting crucial data for your cyber risk management game plan. Through a series of carefully crafted questions tailored to align with the NIST Cybersecurity Framework, you will assess your organization’s adherence to key cybersecurity principles, which will increase your cyber resilience.

These questions serve as an essential tool for evaluating your organization’s capabilities in identifying, protecting against, detecting, responding to, and recovering from cybersecurity risks. This is critically important to any organization that is based in the United States because there are now laws that require organizations to meet certain levels of cyber resiliency and cybersecurity.

For example, the Federal Trade Commission (FTC) Safeguards Rule of 2023 requires “non-banking financial institutions to develop, deploy, and maintain a comprehensive security program to keep customer financial data safe.” One way to meet this requirement is to implement the NIST Cybersecurity Framework and your associated cyber risk management action plan. To ensure you have a comprehensive plan in place, you should consider the following five questions:

1. How well does the organization identify digital assets and cyber risks?

2. How well does the organization protect your assets against those risks?

3. How well does the organization detect cybersecurity breaches?

4. How well does the organization respond to those breaches?

5. How well does the organization recover from those breaches?


Notice that the five keywords in these questions (identify, protect, detect, respond, and recover) all directly map back to the five functions presented in the NIST Cybersecurity Framework. By leveraging this basic questionnaire, you will gain valuable insights into the effectiveness of your cybersecurity practices and uncover areas for improvement, ultimately strengthening your organization’s overall cyber resilience.

When you create your questionnaire, you can keep it broad using just these five questions and ask the interviewees to assign a value from 0 to 10 to each response.

For other engagements, you may find that these questions don’t dig deep enough to get the answers you seek. In these cases, you will want to use a more in-depth series of questions to generate the necessary responses from your interviewees.

Most people believe you can never have too many resources dedicated to protecting a digital asset in your organization, but this is simply not true. It is possible to have too much (or too little) security. Your risk mitigations and controls should be based on a reasonable level of protection based on the asset being protected.

For example, building a $100,000 state-of-the-art garage to house a $5,000 car would be ridiculous. Not only is the new garage too expensive and complicated for the relatively low-valued car, but it is also really unnecessary, given the asset value we are trying to protect. In this case, I could have the $5,000 car destroyed twenty times before the added cost of protecting it using this new garage would have made financial sense.

Similarly, we don’t want to overengineer a security solution to protect a relatively low-value asset. In addition to wasting money, we will also be adding a lot of friction to the organization’s workflows and processes if we don’t think holistically about the controls being recommended for inclusion as part of the cyber risk management action plan.

There is always a tradeoff between security and operations. As we make things more secure, we often reduce our operational efficiencies. In fact, an excess of cybersecurity controls can hinder productivity, leading individuals to seek alternative methods to complete their assigned tasks.

If we require that every system utilized by the organization has a different long, strong, and complex password, then the end user will be confronted with an overwhelming number of user IDs and passwords to remember and manage. Most people simply can’t, or won’t, remember them all. Therefore, they resort to writing down the passwords in a notebook or sticky note. However, this defeats the entire purpose of long, strong, and complex passwords because the note can now easily be stolen and the password discovered.


As each question is asked, the interviewee will be required to provide a score from zero through ten.


If the score is between zero and four, this is generally considered to represent a level of insecurity, from no security at all to some security.

If the score is between five and eight, this is generally considered to provide an acceptable level of security, from minimally acceptable security to fully optimized security.

If the score is either a nine or a ten, this is generally considered to provide too much security and a waste of resources, including time, money, and employee morale.

We have created a standard score key to use during the interview
process that uses definitive statements about the organization’s cybersecurity
practices to better identify the appropriate number for an interviewee to use.

So, how do you implement this in the real world?

Let’s pretend you have been brought in as an external consultant to
assist with running an organization-wide self-assessment. You are
interviewing one of the organization’s identified cyber risk experts and ask,
“How well has the organization established and implemented the processes
to identify, assess, and manage supply chain cybersecurity risks?”

174

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
SE 3 2
D @g
FO m
R ail.
US co
E m·
ON A
LY UG
BY 22,

Using the potential scorecard, the cyber risk expert states, “Our
: R 20

organization rarely or never does this,” which corresponds with a score of


AM 23

zero. If your expert knows or perceives that the organization is a bit better
than that, then they could have instead read the next score statement, “Our
ES

organization sometimes does this, but unreliably. Rework is common.” A


score of three is recorded as the answer to this question.
H
AM

If your expert knows or perceives that your organization is better


than a three, then they read the next score statement, and so on, until they
GA

find a statement that most closely matches their perception from the
I

associated scoring statements from zero to ten.

It is important to recognize that there are two other possible responses that the expert can choose: unknown and not applicable. Usually, these responses should be rare if you have properly identified the right cyber risk experts to interview, but they occasionally happen. For example, if you are interviewing a database administrator and ask them a question about how accounting does a certain process, then an unknown answer would be appropriate. But, if you are asking if the database is using data-at-rest encryption and the database administrator tells you that it is unknown, this may be a clue that you do not have the right cyber risk expert involved in your interview process, and you may need to ask for another expert to find out the true nature of the organization’s cyber risk.
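The scoring rules described above (a 0 to 10 score per question, the three bands of insecure, acceptable and excessive security, and the two non-numeric responses of unknown and not applicable) can be applied to an interview score sheet programmatically. The following is an added example written for this edition, not code from the book or its authors. Interviewee names, NIST CSF activity identifiers and answers are constructed sample data, and the threshold at which a high share of "unknown" answers flags an activity for re-checking who was interviewed is an assumption, not a figure from the chapter.

```python
"""Score-sheet helper for CR-MAP Phase 1 interviews.

Added example, not code from the book or its authors. It encodes the 0-10
scoring bands described in the chapter, accepts the two non-numeric answers
(unknown and not applicable), averages each NIST CSF activity across the
interviewed cyber risk experts, and flags activities where "unknown"
answers dominate, which the chapter treats as a clue that the wrong expert
may have been interviewed. All sample data below is constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Union

UNKNOWN = "unknown"
NOT_APPLICABLE = "n/a"
Answer = Union[int, str]


def band(score: float) -> str:
    """Map a 0-10 score (or an average of scores) to the chapter's bands."""
    if not 0 <= score <= 10:
        raise ValueError(f"score must be between 0 and 10, got {score}")
    if score < 5:
        return "insecure"      # 0-4: no security at all up to some security
    if score < 9:
        return "acceptable"    # 5-8: minimally acceptable up to fully optimized
    return "excessive"         # 9-10: too much security, wasted resources


def parse_answer(raw: str) -> Answer:
    """Normalise what the interviewer wrote on the score sheet."""
    text = raw.strip().lower()
    if text in ("unknown", "?", "don't know"):
        return UNKNOWN
    if text in ("n/a", "na", "not applicable"):
        return NOT_APPLICABLE
    score = int(text)  # ValueError for anything that is not a whole number
    band(score)        # reuse the range check so 11 or -1 is rejected here
    return score


@dataclass(frozen=True)
class Response:
    interviewee: str
    activity: str   # NIST CSF activity id such as "ID.SC" or "PR.AC-2"
    answer: Answer


def summarise(responses, unknown_threshold: float = 0.5) -> dict:
    """Average numeric answers per activity. N/A answers are left out of
    the denominator; unknown answers are counted and may raise a flag.
    The 0.5 threshold is an assumption for this example."""
    grouped = {}
    for r in responses:
        grouped.setdefault(r.activity, []).append(r.answer)
    report = {}
    for activity, answers in grouped.items():
        numeric = [a for a in answers if isinstance(a, int)]
        unknowns = answers.count(UNKNOWN)
        applicable = len(answers) - answers.count(NOT_APPLICABLE)
        average = round(mean(numeric), 2) if numeric else None
        unknown_ratio = unknowns / applicable if applicable else 0.0
        report[activity] = {
            "average": average,
            "band": band(average) if average is not None else None,
            "unknown_ratio": round(unknown_ratio, 2),
            # Many "unknown" answers to a question the chosen experts should
            # be able to answer suggests re-checking who was interviewed.
            "check_expert_selection": unknown_ratio >= unknown_threshold,
        }
    return report


def sample_responses() -> list:
    """Constructed score-sheet entries for three interviewees (sample data)."""
    rows = [
        ("alice", "ID.SC", "3"), ("bob", "ID.SC", "0"), ("carol", "ID.SC", "unknown"),
        ("alice", "PR.DS", "7"), ("bob", "PR.DS", "8"), ("carol", "PR.DS", "6"),
        ("alice", "PR.MA-1", "n/a"), ("bob", "PR.MA-1", "unknown"),
        ("carol", "PR.MA-1", "unknown"),
    ]
    return [Response(who, act, parse_answer(ans)) for who, act, ans in rows]


if __name__ == "__main__":
    for activity, summary in summarise(sample_responses()).items():
        print(activity, summary)
```

In the constructed data, ID.SC averages 1.5 and lands in the insecure band, PR.DS averages 7 and is acceptable, and PR.MA-1 has no numeric answers at all, so it carries no average and is flagged for a second look at the interviewee list.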

Now, you might be wondering how you’ll develop the exact questions to use in your questionnaire. While you could write a question for each of the 108 subcategories/outcomes in the NIST Cybersecurity Framework, that might be unnecessary for your use case. If you work as a consultant with the NIST Cybersecurity Framework on a daily basis, though, you may prepare a set of questions for each of the subcategories and outcomes and reuse them across many of your engagements.

However lengthy it is, your questionnaire should be tailored to the specific organization that you are working with. In most of our engagements, we focus on thirty-one specific questions that have provided us with the best information about an organization’s current cyber risk posture. You can use these questions as a baseline for your default questionnaire but remember you can always remove unneeded questions and add questions you may find useful based on your own experience.

Each question in the following table is matched to a corresponding activity from the NIST Cybersecurity Framework. For each question, we have provided you the identification code, the question, and a short explanation about the question being asked.


The identification code relies on the standard Function.Category-Activity format; for example, ID.AM-1 represents the Identify (ID) function, the Asset Management (AM) category, and the first activity (1) in this category.

Activity: Asset Management (ID.AM-1)
Question: How well are our organization’s data, people, devices, systems, and facilities managed according to their relative importance to our business objectives?
Explanation: Assets that are worth more to your business objectives deserve more protection than less valuable assets. Prioritize spending this way unless it costs the same to protect all assets as it does to protect only a few high-value ones.

Activity: Asset Management (ID.AM-2)
Question: How well are our organization’s data, people, devices, systems, and facilities managed in accordance with their relative importance to our organization’s cyber risk strategy?
Explanation: Assets that help you achieve your cyber risk strategy deserve more protection than less valuable assets. Prioritize spending this way unless it costs the same to protect all assets as it does to protect only a few high-value ones.

Activity: Business Environment (ID.BE-1)
Question: How well are our organization’s mission, objectives, stakeholders, and activities understood and prioritized so they support our cybersecurity roles and responsibilities?
Explanation: To get the greatest return for your efforts, cybersecurity spending and focus should be prioritized based on what’s truly important to your organization and not just on what’s easy to do or satisfies a generic checklist.

Activity: Business Environment (ID.BE-2)
Question: How well are our organization’s mission, objectives, stakeholders, and activities understood and prioritized so they support our cyber risk management decisions?
Explanation: To get the greatest return for your efforts, cyber risk decisions must reflect the reality that you need to manage infinite risks with a finite budget. The better organizational priorities are clearly communicated, the more likely the highest and most relevant risks will be well-managed.

Activity: Governance (ID.GV)
Question: How well do our policies, procedures, and processes guide the way we manage cybersecurity risk?
Explanation: Old, incomplete, or missing documentation often leads to poor or inconsistent cyber risk mitigations.

Activity: Risk Assessment (ID.RA)
Question: How well does our organization understand the cybersecurity risk to our organization’s assets, operations, reputation, and people?
Explanation: The risks come from both outside and inside your organization and are directed at assets whose value may be perceived differently by attackers than you perceive them. For example, a staff directory may seem ordinary to you, but is highly sought after by attackers who use the data to plan and execute social engineering attacks.

Activity: Risk Management Strategy (ID.RM)
Question: How well are our organization’s priorities, constraints, risk tolerances, and assumptions used to support operational cybersecurity risk decisions?
Explanation: Executive management must communicate these key inputs to all people who make cyber risk decisions every day; otherwise, the decisions will be inconsistent, and some will be bad for your organization.

Activity: Supply Chain Risk Management (ID.SC)
Question: How well has our organization established and implemented processes to identify, assess, and manage supply chain cybersecurity risks?
Explanation: All vendors who play a large role delivering results to customers must be actively included in your cyber risk management activities.

Activity: Identity Management, Authentication, and Access Control (PR.AC-1)
Question: How well is access to our organization’s physical assets limited to authorized users, processes, and devices?
Explanation: People must be identified and allowed to access only those physical assets needed to do their job. For example, access to rooms and storage areas containing personnel records or computer servers should be granted on a need-to-know basis.

Activity: Identity Management, Authentication, and Access Control (PR.AC-2)
Question: How well is access to our organization’s digital assets limited to authorized users, processes, and devices?
Explanation: People must be identified and allowed to access only those digital assets needed to do their job. For example, access to sensitive payroll and customer data should be granted on a need-to-know basis.

Activity: Awareness and Training (PR.AT-1)
Question: How well are our organization’s personnel and partners provided with cybersecurity awareness education?
Explanation: Everyone in your organization who handles sensitive data and systems must be made aware of the importance of good, ongoing cybersecurity.

Activity: Awareness and Training (PR.AT-2)
Question: How well are our organization’s personnel and partners trained to perform their cybersecurity-related duties and responsibilities?
Explanation: Everyone in your organization who handles sensitive data and systems must be trained so they know how to play their part.

Activity: Data Security (PR.DS)
Question: How well are our information and records (data) managed to protect the confidentiality, integrity, and availability of information?
Explanation: These are the basics of good cyberhygiene, the things you do every day to avoid cybersecurity incidents, like using a high-quality password manager, encrypting data during storage and transfer, and following data protection checklists to prevent costly errors.

Activity: Information Protection Processes and Procedures (PR.IP)
Question: How well are our security policies, processes, and procedures maintained and used to manage the protection of information systems and assets?
Explanation: Write down everything important that needs to be done to manage cyber risks so everyone can follow the requirements.

Activity: Maintenance (PR.MA-1)
Question: How well are the maintenance and repairs of our organization’s industrial control systems performed consistently with our policies and procedures?
Explanation: Industrial control systems include computer-controlled thermostats, door access card readers, video surveillance cameras, and lighting. All must be protected against unauthorized access during maintenance.

Activity: Maintenance (PR.MA-2)
Question: How well are the maintenance and repairs of our organization’s information systems performed consistently with our policies and procedures?
Explanation: Information systems include servers, desktops, laptops, mobile devices, and cloud services. All must be protected against unauthorized access during maintenance to guard against data loss or malicious code infection.

180

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
SE 3 2
D @g
How well are our Cybersecurity systems (like
Protective technical security systems antimalware) enforce
FO m
Technology managed to ensure the policies to protect assets
R ail.
(PR.PT) security and resilience of and therefore need to be
our systems and assets? carefully managed.
US co

In order to know when


E m·

someone is intruding on
ON A

Anomalies and How well is anomalous


your network, it’s important
Events activity detected in our
to know what kind of
LY UG

(DE.AE-1) systems and networks?


traffic is considered to be
BY 22,

normal.
: R 20

Some time must be spent


How well are the
Anomalies and analyzing detected events to
AM 23

potential impacts of
Events know whether an incident
security events
ES

(DE.AE-2) has occurred and how


understood?
impactful it is.
H
AM

How well are our


To keep cyber risk at an
information systems and
Security acceptable level, you need
GA

assets monitored to
Continuous to watch what’s happening
identify cybersecurity
I

Monitoring to your assets and know


events and to verify the
(DE.CM) about vulnerabilities in your
effectiveness of
systems.
protective measures?

How well are our


Be clear about who and
detection processes and
how detecting is to be
Detection procedures maintained
done, to include testing
Processes and tested to ensure
detection capabilities, and
(DE.DP) awareness of anomalous
communicating results to
events in our systems and
management.
networks?

181

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
How well are our
response processes and
SE 3 2
Preparing in advance to
Response procedures executed and
respond to a major incident
D @g
Planning maintained, to ensure
will increase your chances
(RS.RP) prompt response to
FO m
of minimizing damages.
detected cybersecurity
R ail.
incidents?
US co

To understand how your


E m·

How well are our organization is affected,


Response response activities incident reports need to be
ON A

Communications coordinated with internal made clear to management


LY UG

(RS.CO-1) stakeholders, like executive and shared on a need-to-


management? know and timely basis with
BY 22,

insiders.
: R 20

To understand how your


organization is affected, and
AM 23

How well are our


to make our online
Response response activities
ES

community safer, incident


Communications coordinated with external
reports need to be made
(RS.CO-2) stakeholders, like law
H

clear and shared on a need-


enforcement agencies?
AM

to-know and timely basis


with selected outsiders.
GA

How well does our


Past notifications from
I

organization analyze past


Response detection systems need to
incidents to ensure
Analysis be investigated and
effective response and
(RS.AN) understood to improve
support recovery
response strategies.
activities?

When incidents happen,


they need to be stopped
How well does our
from spreading and kept
Response organization prevent the
from happening again. And
Mitigation spread of a cybersecurity
newly identified
(RS.MI) event, mitigate its effects,
vulnerabilities need to be
and resolve the incident?
either fixed or documented
as accepted risks.

182

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
How well does our
organization improve our Because cyber attackers
SE 3 2
Response
response activities by innovate all the time, we
Improvements
D @g
incorporating lessons need to be regularly
(RS.IM)
learned from current and improving, too.
FO m
previous incidents?
R ail.

How well does our


US co

organization use recovery Preparing in advance to


E m·

Recovery processes and procedures recover after a major


Planning to ensure restoration of incident will increase your
ON A

(RC.RP) systems or assets affected chances of quickly


LY UG

by cybersecurity returning to normal.


incidents?
BY 22,

How well does our


: R 20

organization improve our


Because cyber attackers
Recovery recovery planning and
AM 23

innovate all the time, we


Improvements processes by
need to be regularly
(RC.IM) incorporating lessons
ES

improving, too.
learned into future
H

activities?
AM

How well does our


organization coordinate To return to normal
GA

Recovery
restoration activities with quickly, insiders need to be
Communications
I

internal stakeholders, kept informed as the


(RC.CO-1)
such as executive recovery continues.
management?

How well does our


organization coordinate
restoration activities with
external parties, such as To return to normal quickly
Recovery cyber incident and protect the online
Communications coordinating centers, community, outsiders need to
(RC.CO-2) Internet service be kept informed as the
providers, owners of recovery continues.
attacking systems,
victims, other Computer
Security Incident

183

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
Response Teams
(CSIRTs), and vendors?

STEP 5: DETERMINE YOUR TARGET SCORES

With a clear understanding of the questions and the zero-to-ten scoring system, your next crucial step is to establish specific targets within the range of five to eight for each of the five functions outlined in the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover.


Recognize that your organization is unique, and your cyber risk requirements may differ from others. Consequently, it is important to prioritize certain aspects of cybersecurity based on your organization’s needs.
While a score of five represents the minimum acceptable level, and eight signifies full optimization, your organization has the flexibility to choose scores that it deems appropriate and reasonable in alignment with its perception of the threat landscape and risk tolerance. This customized approach ensures that your cyber risk management efforts align precisely with your organization’s threat landscape and risk appetite.

When determining its target scores, the organization can choose one of several different approaches, including the minimum score approach, the strong castle approach, the first responder approach, the big city approach, or the world-class approach. Each of these approaches has its own advantages and disadvantages, too.

The minimum score approach sets out to achieve a minimum score across the board based on the belief that this is reasonable within the organization’s industry, customer expectations, and organizational maturity.

In a minimum score approach, each of the five functions is assigned a target score within the minimum acceptable range. This means that the identify, protect, detect, respond, and recover functions are each assigned a target profile score of five.

The strong castle approach selects a target score profile emphasizing the protect function. In a strong castle approach, each functional area is assigned a value of 5 (the minimum acceptable score) except for the protect function, which receives a higher target score of 7 or 8.

The idea behind the strong castle approach is to identify the most critical things to protect and then focus your time, effort, and resources on protecting those things. This strong castle approach and its associated target score profile is still the current practice of many organizations across various industries. When implemented well, this strategy should minimize the need for optimal cybersecurity in the other functions since you’ve already assumed that only minor incidents would occur within them.

We call this the strong castle approach because it is similar to a medieval castle or fortress. When these structures were built, they could withstand any attack then available to their occupants’ enemies: arrows, battering rams, swords, etc.

But as weaponry evolved and progressed, a castle or fortress could no longer withstand any attack. Could you imagine a medieval castle surviving a missile attack from a drone?

Well, it isn’t likely, and that’s why the strong castle approach to cybersecurity has been declining in popularity in recent years. As cyber attackers have become more effective at compromising people rather than just the organization’s technology, this strong castle approach is becoming less and less effective in our modern networks.

The first responder approach sets the target score for the respond function at 7 or 8 while allowing relatively lower target scores in the other four functional areas. This approach focuses the organization’s resources on building out a fast, high-quality response capability in order to compensate for the lower target scores in the other functional areas.

The big city approach is a modern and mature perspective on cybersecurity in which the organization’s data network is viewed as a modern city as opposed to a medieval fortress. Like a big city, the organization prioritizes the response and recovery functions instead of heavily focusing on the identify, protect, and detect functions. In the big city approach, a zero-trust mentality is required: any user is treated as untrusted, and the organization is poised to respond and recover as soon as an incident occurs.

The world-class approach is one in which every functional area is treated as equally important, and a target score of 8 is assigned to all five functional areas. Being world-class at cyber risk management is very expensive and difficult to achieve. Oddly, it’s only practical for either very small organizations or a government operation, such as the National Security Agency (NSA), the Central Intelligence Agency (CIA), and others who can spend whatever is needed to achieve this level of cybersecurity.

While the minimum score approach, the strong castle approach, the first responder approach, the big city approach, and the world-class approach are all valid options, your organization doesn’t have to pick a single named approach to utilize. Instead, it can choose any target score for any functional area it determines is important to its specific circumstances.

For example, suppose you are working with a software as a service (SaaS) business with around $10 million in annual revenue. In that case, this organization may be focused on its ability to maintain records of its sensitive digital assets, like its customers’ names, mailing addresses, and credit card information. Additionally, this organization likely has its own source code and trade secrets that must be protected. In this scenario, you may want to assign a target profile score of 6 or 7 to the protect function while assigning a minimum score of 5 to the other four functions.

Conversely, if you are working with a geographically dispersed $800 million annual revenue company, the big city approach, focusing on response and recovery, might be more appropriate.

Regardless of your specific reasoning for selecting a certain approach or the assigned target profile score, you should take the time to record it before you begin conducting the interviews with the cyber risk experts within the target organization.

STEP 6: CONDUCT THE INTERVIEWS

It is now time to conduct interviews with our cyber risk experts from the organization. It might be tempting to simply send the thirty-one-item questionnaire we developed earlier to the organization’s employees in a mass email, but that is not ideal.

In fact, the best way to conduct the interviews is by doing them in person, or by video call, with a select group on an individual level. The very process of asking these questions is a marvelous training opportunity for the interviewee because most people don’t know the definition of good cyber risk management and have, therefore, never even considered measuring it. It’s also best if you’re not the one conducting the interviews either. Instead, having a well-respected senior employee or a neutral outsider conduct the interviews is better.

During the interview, give each interviewee a printed copy of your score key. That way, when you ask them each of the thirty-one questions out loud, they can easily choose the score that best reflects their experiences in your company. Moreover, having the scoring table on hand helps to keep your respondents’ answers uniform, thus giving you more reliable data across all the people you will be interviewing.

As you prepare to conduct your interviews, it is important that you set proper expectations with the organization and your interviewees. In the ever-evolving business landscape, companies often face the challenge of adapting to changes in order to survive and thrive. When a large corporation becomes entrenched in a certain way of doing business, it may encounter a crisis that necessitates a transformative shift. This can involve strengthening cybersecurity measures or even discontinuing entire product lines.

An example of such a transformation occurred at IBM in the early 1990s, when they recognized the need to shift from hardware manufacturing to providing services. IBM changed its product offerings and redirected its focus to develop the necessary skillsets for the service industry. Companies that endure understand the importance of self-evolution, as failure to adapt can lead to stagnation and eventual bankruptcy, as exemplified by Kodak’s struggle to transition to digital photography.

Undertaking significant organizational changes, such as modernizing its operations, culture, and customer-centric mindset, can be overwhelming for employees if not managed effectively. It is not uncommon for people to resist changes in cybersecurity practices. To overcome this resistance, it is crucial to emphasize the collaborative nature of the transformation and highlight that everyone has a role to play.

The interviews should foster a candid and respectful atmosphere while maintaining a good pace. Encourage employees to provide forthright responses, assuring them that their scores will remain confidential and that no specific comments or scores will be attributed to individuals. Valuable insights can emerge when individuals freely express their perspectives, including scores of zero or explanations behind their assessments. Additionally, to prepare employees for the interview process, provide them with comprehensive information about what to expect.

By managing organizational changes actively, setting the right tone, and ensuring transparency and confidentiality, you can gather the best possible data and insights from your employees. This will enable you to navigate the cybersecurity transformation effectively and drive meaningful progress within your organization.

As you begin the interview, you should spend the initial ten minutes of each interview providing the interviewee with an overview of the process you are using. The interviewer should reiterate that this is a management improvement effort, emphasizing that it is not an external audit. Encourage the expert to be candid and respectful in their responses and inquire if they have any questions regarding the zero-to-ten scoring scale. Take the time to provide them with the score key and a brief explanation of the scoring process and the purpose of the interview.

Throughout the interviews, you should maintain a brisk tempo and aim for a duration of less than an hour per interviewee. Avoid requesting any justifications for scores, but if interviewees voluntarily provide explanations, be sure to record them in the spreadsheet, as they can prove helpful during phase two of the CR-MAP process. These interviews should not be lengthy or arduous. Both you and the expert desire an efficient process that respects their time and expertise while allowing them to leave the session with a positive impression of the process.

During the interviews, you may encounter respondents claiming to have limited cybersecurity knowledge. In such cases, acknowledge their perspective but emphasize that they possess expertise within their own department and are more knowledgeable about its practices than anyone else, which is why they were chosen as one of the cyber risk experts you have been asked to interview. Reiterate that their opinions are valuable, even based on perceptions or partial information.

When it comes to organizational change management, it is crucial to understand that people are usually uncomfortable with proposed changes. Actively listening to their opinions from the outset goes a long way in securing their ongoing buy-in and fostering a collaborative atmosphere. When people feel heard, they also feel respected and will be more supportive of potential changes.

STEP 7: COMPILE AND AVERAGE THE SCORES

Once you’ve completed all the interviews and recorded the associated scores, your next step is to average them out and compare them to your target scores for each function, category, and activity of the NIST Cybersecurity Framework from your questionnaire.

In our engagements, we use a customized spreadsheet to record all of the answers and generate a radar diagram with the results.

In this diagram, you will notice two circular rings. The outer green
ring is the target score chosen for this particular organization, which is a six
for this diagram. The inner orange ring is the minimum acceptable risk
target score for this organization, which is a five. Near the rings, you will
notice the average response received from the interviewees, for each of the
functions, categories, and activities, as indicated by the black line.

191

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
Based on the diagram, we can quickly identify this organization's top five cyber risks, including DE.DP (average response of 1.4), ID.GV (average response of 1.8), RS.IM (average response of 2.5), RC.CO-1 (average response of 2.5), and DE.AE (average response of 2.6). Notice all of these are well below the minimum acceptable target of 5 and our actual target of 6.

Notice this list is in order of gap size (rightmost column) and includes activities from the detect, identify, respond, and recover functions. You may be wondering why the protect function is not included in the top five cyber risks being displayed.

In our experience, most companies are underinvested in all of the functions except protect. That doesn’t mean the protect function is meeting or exceeding targets, but it does mean that your biggest cybersecurity gaps likely exist within the other four functions as opposed to the protect function.

Another thing to worry about in this seventh step of phase one is what we refer to as junk data. Once the interviews are complete and the data has been collected, you will analyze that data to determine its true value. Sometimes, your interviewees may give you junk data, such as when interviewees simply respond with a score of eight or a similar high score without actually considering what that represents. This can be caused by a lack of knowledge of the organizational practices, overestimating the abilities of the organization’s IT department, or simply wanting to get the interview over with as quickly as possible, but in each of these cases the result is junk data being collected during our interviews.

So, what should you do with this junk data?

The biggest mistake you could make is to simply delete the data, which is often people’s first thought. Instead, the best course of action is to keep the data, but not include it in the calculations of the client’s scores to prevent the junk data from skewing the organization’s scores calculated during the CR-MAP process.

Instead of using the data in calculations, think about why the data is unusable, and what that might say about the broader environment in the client’s organization. Did all the executives give unrealistic scores for every question, or did all the operations personnel answer with an eight simply because they wanted to get their interviews finished quickly?

In either case, you need to uncover the root cause of this junk data and then incorporate it into the organization’s CR-MAP results as a theme to be addressed in phase two or phase three of the process.
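Steps 7 and 8 above as a worked calculation, added here and not code from the book: it averages constructed interview scores per activity, sets aside any interviewee who scored every question at eight or above (kept on record but excluded from the averages, as the junk-data guidance above describes), and ranks the five largest gaps to target. The interviewee labels, the target profile, and every score are constructed; the uniform-high-score check is a hypothetical heuristic for flagging candidates to investigate, not the book's method.

```python
"""Compile CR-MAP interview scores, set junk responses aside, average the
rest and rank the largest gaps to target (Steps 7 and 8).

Added example, not code from the book. Interviewee labels, the target
profile and every score below are constructed.
"""
from collections import defaultdict
from statistics import mean

MINIMUM_ACCEPTABLE = 5  # the book's floor for any function
JUNK_THRESHOLD = 8      # "a score of eight or a similar high score" on every question

# Constructed interview records: (interviewee, activity id, 0-10 score).
RESPONSES = [
    ("exec-1", "DE.DP", 1), ("exec-1", "ID.GV", 2), ("exec-1", "RS.IM", 2),
    ("exec-1", "RC.CO-1", 3), ("exec-1", "DE.AE", 3), ("exec-1", "PR.AC-1", 6),
    ("exec-1", "PR.DS", 7),
    ("ops-1", "DE.DP", 2), ("ops-1", "ID.GV", 2), ("ops-1", "RS.IM", 3),
    ("ops-1", "RC.CO-1", 3), ("ops-1", "DE.AE", 4), ("ops-1", "PR.AC-1", 7),
    ("ops-1", "PR.DS", 6),
    # ops-2 answered eight to everything: the junk pattern the book describes
    ("ops-2", "DE.DP", 8), ("ops-2", "ID.GV", 8), ("ops-2", "RS.IM", 8),
    ("ops-2", "RC.CO-1", 8), ("ops-2", "DE.AE", 8), ("ops-2", "PR.AC-1", 8),
    ("ops-2", "PR.DS", 8),
]

# Constructed target profile per function (the book's diagram uses six across the board).
FUNCTION_TARGETS = {"ID": 6, "PR": 6, "DE": 6, "RS": 6, "RC": 6}


def function_of(activity_id):
    """'RC.CO-1' -> 'RC': the NIST CSF function is the prefix before the dot."""
    return activity_id.split(".", 1)[0]


def flag_uniform_high_responders(responses, threshold=JUNK_THRESHOLD):
    """Hypothetical heuristic: interviewees whose every score is at or above
    the threshold. Only a prompt to investigate the root cause; their data
    is retained, never deleted."""
    scores_by_person = defaultdict(list)
    for person, _, score in responses:
        scores_by_person[person].append(score)
    return sorted(p for p, s in scores_by_person.items() if min(s) >= threshold)


def average_scores(responses, junk_people):
    """Average each activity over the non-junk interviewees, rounded to one
    decimal. Junk records are returned separately so they stay on record."""
    per_activity, retained_junk = defaultdict(list), []
    for person, activity, score in responses:
        if not 0 <= score <= 10:
            raise ValueError(f"{person}: {activity} score {score} outside 0-10")
        if person in junk_people:
            retained_junk.append((person, activity, score))
        else:
            per_activity[activity].append(score)
    averages = {a: round(mean(s), 1) for a, s in per_activity.items()}
    return averages, retained_junk


def rank_gaps(averages, function_targets, top_n=5):
    """Rank activities by gap to target, largest first, as in the book's
    top-five list; ties fall back to the activity id."""
    rows = []
    for activity, avg in averages.items():
        target = function_targets[function_of(activity)]
        rows.append({
            "activity": activity,
            "average": avg,
            "target": target,
            "gap": round(target - avg, 1),
            "below_minimum": avg < MINIMUM_ACCEPTABLE,
        })
    rows.sort(key=lambda r: (-r["gap"], r["activity"]))
    return rows[:top_n]


def top_five_cyber_risks(responses=RESPONSES, function_targets=FUNCTION_TARGETS):
    """Full Step 7/8 pass: flag junk, average the rest, rank the top gaps."""
    junk = flag_uniform_high_responders(responses)
    averages, retained = average_scores(responses, junk)
    return rank_gaps(averages, function_targets), junk, retained


if __name__ == "__main__":
    top, junk, retained = top_five_cyber_risks()
    print(f"set aside {len(retained)} answers from {junk}; investigate the root cause")
    for row in top:
        print(f"{row['activity']:8} avg {row['average']:.1f}  "
              f"target {row['target']}  gap {row['gap']:.1f}")
```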

STEP 8: COMMUNICATE YOUR TOP FIVE CYBER RISKS

As we near the completion of the first phase of the cyber risk management action plan, you may find that the results fall slightly short of your expectations. If so, you may seek additional details from the identified cyber risk experts to understand why the actual scores deviated significantly from the organization’s target scores. But, in general, most of your work in phase 1 will now be complete, and it’s time to analyze the data to uncover the narratives they might reveal.

From our experience, two prevalent themes often emerge: organizations tend to excel in the protect function where they invest significant time and effort, and at the same time, most organizations are lagging behind in the detect and recover functions. Why is this the case?

Historically, cyber risks have been predominantly viewed as technological challenges, leading to a strong focus on the information technology departments’ ability to maintain operational systems. As a result, they excel in detecting service outages but often fall short in detecting potential breaches of sensitive corporate data. Additionally, organizations commonly struggle in the recover function because they are unaccustomed to public scrutiny of their technological failures. Consequently, they lack the internal capacity to communicate technical breakdowns and data breaches effectively to the public. They often rely on marketing departments that may not possess the required expertise.

This brings us to a crucial point: it is possible that your target scores deviate significantly due to a perception influenced by fear-inducing headlines and narratives from vendors. It’s important to note that the questionnaire we created does not directly address specific technological measures like firewalls. This was not an oversight in the questionnaire but instead was a deliberate approach that stems from our perspective of treating cyber risks as business risks and using a top-down approach rather than a bottom-up approach starting from inside the IT organization. We recognize that while strong technological defenses, such as firewalls and anti-spam filters, are essential, relying solely on them will not guarantee success in today’s cybersecurity landscape. Instead, our CR-MAP process guides you toward practicing reasonable cybersecurity while accounting for a broader range of factors that can help your organization achieve cyber resilience.

Unfortunately, sensationalized headlines of major cybersecurity breaches, like the widely documented Expeditors incident, and marketing tactics employed by vendors seeking to sell their products often provide an incomplete picture. However, with the scores obtained from your questionnaires, you possess the complete story specific to your company or organization, which truly matters in shaping your cyber risk management strategy.

SUMMARY

In this chapter, we delved into the first phase of the cyber risk management action plan (CR-MAP) process, which focuses on discovering the top cyber risks faced by your organization. We discussed the importance of prioritizing risks effectively, given limited resources. We emphasized the need to widen the scope of cybersecurity considerations beyond technological defenses alone.

We explored the significance of setting proper expectations when initiating organizational changes, drawing insights from the experiences of companies like Expeditors, IBM, and Kodak. It became evident that actively managing the changes and ensuring employee buy-in is crucial for successful cybersecurity improvements.

There is also a strong need for effective communication during the interview process, emphasizing a candid and respectful approach to encourage honest responses. We emphasized the brisk tempo of the interviews and the importance of respecting the interviewees’ time and expertise. Additionally, we addressed the importance of gathering as much information as possible, including providing resources to help interviewees understand the scoring and interview process.

We then discussed the importance of determining specific targets within the five-to-eight range for each function in the NIST Cybersecurity Framework. This tailored approach ensures that your organization’s cyber risk management efforts align with its unique needs and risk landscape.

Lastly, we explored the significance of effectively communicating


your top five cyber risks. We identified common themes observed in
organizations, such as excelling in the protect function but struggling in the
detect and recover functions. We highlighted the need to view cyber risks as
business risks rather than purely technological challenges. We stressed the
importance of relying on a comprehensive understanding of your
organization’s specific risks rather than being influenced solely by fear-
mongering headlines or vendor narratives.

By following these steps and prioritizing cybersecurity considerations beyond technology, organizations can gain valuable insights, make informed decisions, and lay the foundation for effective cyber risk management in the subsequent phases.

CHAPTER THIRTEEN

PHASE 2: CREATING A CR-MAP



In 2016, AsusTek, a computer hardware company, learned of some vulnerabilities in their routers. Instead of disclosing the vulnerability to the public, they hid it from their consumers. They continued selling the defective—and, frankly, dangerous—routers. As a result, widespread exploitation by hackers occurred, and the attackers were able to gain access to more than 12,900 connected storage devices.

AsusTek didn’t notify their consumers or their retailers because they


were concerned that if they did, their reputation would be diminished in the
marketplace, which would negatively impact their sales. Their decision to
prioritize reputation over consumer safety backfired, as disgruntled
customers took control of the narrative, leading to greater long-term damage
to the company’s sales and reputation. As usual in these situations, someone
found out about the vulnerability anyway, and rather than the company being
in control of the story, the disgruntled consumers controlled the narrative in
the press, and this hurt the company’s sales even more in the long run than
it would have if they just came clean and disclosed the issue.

Remember, if your organization discloses the vulnerability itself, you get to
control the narrative. In fact, you not only control the narrative, but also
build trust and enhance your brand image by taking ownership of the issue and
communicating openly. For example, if AsusTek had made a public announcement
saying, “We are very sorry, we have identified a problem with our routers, and
here is our solution to remedy the problem,” it could have actually been a
brand-enhancing maneuver.

People love that authenticity and vulnerability. That announcement might have
resulted in a decrease in sales for a short time, but over the long haul, it
would have enhanced their reputation, not diminished it. They would have
become known as the straight talkers of cybersecurity. People would want to
buy their products—not because they’d expect them to be flawless, but because
they would know that when a flaw is discovered, they will be upfront about it.
This is called responsible disclosure.

To illustrate the impact of responsible disclosure, we can draw a quick
comparison between Home Depot and Target, both of which experienced
significant data breaches over the years. In 2014, Home Depot suffered a data
breach that resulted in the theft of 56 million credit card records from their
customer database. A year earlier, in 2013, Target suffered a similar data
breach in which 40 million credit card records were stolen.

Despite similarities in the breaches, Home Depot’s prompt and transparent
response garnered a more favorable public perception compared to Target, which
delayed informing customers for a week. Home Depot’s proactive approach
mitigated financial consequences and maintained consumer trust, whereas Target
faced greater criticism and financial repercussions.

After both data breaches were fully responded to and recovered from, the
accountants tallied up the cost of each breach. Home Depot suffered $179
million from its data breach. On the other hand, Target ended up spending $292
million on its data breach, and its CEO of 35 years also got fired due to the
incident. Responsible disclosure isn’t just the right thing to do; it can
actually save your organization a lot of money in the long run.

Practicing reasonable cybersecurity measures and promptly addressing data
breaches are crucial components of a robust cyber risk management action plan.
While perfection may be unattainable, being forthright, recovering quickly,
and maintaining open communication with customers can significantly minimize
the damage caused by cyberattacks. By learning from these examples and
adopting a transparent approach, organizations can navigate data breaches more
effectively, safeguard their business, and preserve their reputation.

KEYS TO SUCCESS IN PHASE TWO

Before we create our cyber risk management action plan, it is important that
we look at the keys to successfully developing your CR-MAP in phase two of the
process. These are prioritization, roles and responsibilities, understanding
the scale, keeping it simple, and controlling the rate of change.


First, prioritization. Prioritization is a critical aspect of managing cyber
risks, as organizations face numerous risks with limited resources. Making
tough choices and prioritizing both the risks and mitigations is essential.
Although prioritization doesn’t guarantee complete protection, it provides a
reasonable approach to address the challenge. Trusting your prioritization and
implementing the plan may be challenging, as others may question your choices,
but it’s important to listen to feedback while staying committed to your
chosen path, knowing that adjustments can be made as needed during the third
phase of the CR-MAP process.

Second, roles and responsibilities. Assigning roles to everyone in your
organization and distributing the cybersecurity responsibilities across those
roles is crucial. You should assess each job description to determine feasible
additions to ensure that cybersecurity work is effectively distributed across
the organizational staff. When assigning cybersecurity responsibilities, ensure
that individuals are set up for success by providing the necessary resources
and ensuring those roles have any required additional tools and support. For
example, if customer service employees need to use unique passwords,
systematize the process by including it in their job description and equipping
them with a high-quality password manager with centralized reporting. Then,
continue to monitor their usage of the password manager through a single
console or program that allows you to assess compliance and address any gaps
in cyber hygiene or job performance.

Third, understanding scale. When implementing changes as part of your cyber
risk management action plan, individual adjustments are typically simple and
straightforward. For instance, adding a line to each job description can be
delegated to your management team. However, as you strive to enhance the
thirty-one questions and make larger-scale improvements, implementing changes
across the entire company can become more complex, costly, and time-consuming.
While a single person on the customer service team can quickly adopt a
password manager for their accounts, scaling these changes becomes
increasingly challenging as the size of the organization grows. Scaling each
element of your action plan becomes more difficult with a larger organization,
requiring careful consideration of complexity, costs, and time investments, so
keep this in mind as you build for scale across the organization.


Fourth, keep it simple. The complexity of cybersecurity change often
overwhelms organizations, leading to unclear priorities and benefits. The
methodology presented in this book addresses this through prioritization,
which lets you implement cybersecurity changes in a highly focused and
simplified manner. By maintaining a laser-like focus, the complexity is
minimized to achieve the organization’s desired target scores. This is where
the data collected back in the first phase becomes crucial. If your staff is
hesitant to implement additional security measures, you can present them with
the numbers they provided, highlighting the need for action based on their own
input.

Fifth, controlling the rate of change. When implementing your plan, it is
important to avoid overwhelming your workforce with too many changes at once.
Just like with other improvement programs, such as transitioning accounting
software or email systems, the changes required for your cyber risk
mitigations should be carefully sequenced at a manageable rate alongside other
ongoing changes. Determining the appropriate pace of implementation is a
decision specific to your organization.

The good news is that not all mitigations will directly involve active changes
from your staff. As you will discover, some mitigations will be transparent to
them, allowing for their seamless integration alongside the more significant
changes. This can help to increase the rate of change across the organization
without causing a backlash against the cyber risk management action plan and
its recommended risk mitigations.

DEVELOPING AN ACTION PLAN

Now that you have identified and prioritized your top five cybersecurity
risks, it’s time to develop your cyber risk management action plan. This
crucial second phase will span thirty days, during which you will take
significant strides toward enhancing your organization’s cybersecurity
posture.

It is important to acknowledge that actively managing every cyber risk may not
be feasible or necessary. Simply going through the questionnaires and
identifying your risks already puts you ahead of many other organizations and
competitors who have yet to take similar steps. However, to safeguard yourself
in case these risks materialize differently than anticipated, it is recommended
to work under attorney-client privilege. This ensures protection if a cyber
risk you didn’t prioritize becomes the source of a data breach, guarding
against potential accusations of negligence both legally and in the court of
public opinion.

Another important factor to consider is your contractual limitations regarding
third-party vendors, contractors, and suppliers. It is crucial to note that
while I can provide guidance as a cybersecurity practitioner, consulting with
a lawyer is essential to obtain specific legal advice tailored to your unique
circumstances.

Many organizations, such as credit card processors, rely on vendors to deliver
products and services. However, if a vendor experiences a significant cyber
failure, such as a prolonged outage or a breach of sensitive information, it
can severely affect your reputation and customer trust.

To mitigate potential risks, you have to communicate your expectations to
vendors and customers regarding their responsibilities in protecting against
and addressing cyber failures. This can be achieved through well-crafted
contract language that establishes indemnification clauses, creating a
contractual firewall for your organization. Indemnify here means compensating
someone for harm or loss.

When engaging with vendors, ensure that your master services agreement or
similar contract clearly outlines shared responsibility for data security.
Additionally, include an indemnification provision specifying the financial
responsibility in the event of a cybersecurity failure and defined limits to
that responsibility. If the vendor is accountable for a failure, stipulate
that they are liable for covering costs related to liability, legal defense,
and crisis management, encompassing first-party and third-party expenses.

In terms of customer expectations, it is prudent to limit your liability in
the event of a cybersecurity failure. To do this, you should state that your
service offerings are provided as is, and your liability is restricted to the
actual amount customers have paid for the services.

Remember, consulting with a lawyer will ensure that your contractual
agreements and limitations are legally sound and adequately protect your
organization’s interests.

Now, to develop your cyber risk management action plan, you will follow five
steps inside of phase two of the CR-MAP process:

1. Close the identified gaps.
2. Conduct a business value analysis.
3. Create a dashboard and roadmap.
4. Conduct internal marketing.
5. Conduct external marketing.

STEP 1: CLOSE THE IDENTIFIED GAPS

Begin by focusing on your top-ranked risk and examining the disparity between
your actual scores and target scores. Take a moment to reflect on the actions
required to bridge this gap. It’s important to note that achieving a target
score of 5 doesn’t necessitate investing in top-of-the-line cybersecurity
capabilities.

Instead, the key is to determine what is reasonable and appropriate for your
organization. This forms the fundamental question for resource allocation in
managing your cyber risks: What specific measures does my company need to
undertake in order to reach our target?

Let’s consider an excerpt from a top cyber risk report that includes the DE.DP
activity. The identified activity is Detection Processes (DE.DP), and it was
identified through the question, “How well are our detection processes and
procedures maintained and tested to ensure awareness of anomalous events in
our systems and networks?”

The average response from our interviewees was 1.4, while the target score was
6, and the minimum acceptable score was 5. This leaves the organization with a
gap of 4.6 (6 target score – 1.4 average response).

To close this identified gap, we should first look at the NIST Cybersecurity
Framework to determine the requirements to meet its outcome. When working with
the NIST Cybersecurity Framework requirements, we often reword them into
questions or testable statements to make them easier to use during our
engagements.

• DE.DP-1: How well does our organization define roles and responsibilities to
detect cyber incidents to ensure accountability?

• DE.DP-2: How well do our organization’s cyber incident detection activities
comply with all applicable legal, regulatory, and customer requirements?

• DE.DP-3: How well does our organization regularly test cyber incident
detection processes and procedures?

• DE.DP-4: How well does our organization communicate cyber incident detection
information to appropriate internal and external parties?

• DE.DP-5: How well does our organization regularly review and improve cyber
incident detection processes?

To achieve your target score of six, it is essential to thoroughly analyze
each question and determine how to ensure that each requirement is met at a
level of six. Once you have made the necessary improvements, the goal is to
confidently state that your organization consistently fulfills these
requirements with minimal flaws. Developing specific steps for improvement
demands specialized expertise, so it’s important not to expect to tackle it
alone. Seeking assistance is crucial, especially considering the need for
customization to align with your unique security systems and business model.

While we cannot provide a one-size-fits-all solution due to these
considerations, here are starting points for three of the activities to aid
your progress for the five detection process requirements:

• DE.DP-1: Develop a comprehensive incident response plan defining specific
roles and responsibilities. Conduct periodic reviews and updates of the roles
and responsibilities quarterly to ensure they align with evolving threats and
organizational changes.

• DE.DP-2: Conduct an annual management review to identify and understand all
legal, regulatory, and customer requirements regarding cyber incident
detection. Use a requirements traceability matrix to demonstrate compliance.

• DE.DP-3: Conduct brief, quarterly tests of cyber incident detection processes
against a serious, likely scenario. Do this as a tabletop exercise, if
necessary.

• DE.DP-4: Establish clear communication channels and protocols for reporting
and sharing information about incidents. Develop incident response
communication plans. Ensure communication plans are regularly reviewed and
updated.

• DE.DP-5: Conduct an effectiveness review of your cyber incident detection
processes every six months and make necessary improvements.

This process should be completed for each of your identified top cyber risks
to ensure each has been thoroughly considered, and appropriate controls and
mitigations are recommended for inclusion in the cyber risk management action
plan currently under development.


IN-HOUSE VERSUS OUTSOURCED TASKS

These days, cybersecurity experts are in high demand, and research shows that
the trend will continue for years to come. Unfortunately, the sources of
cybersecurity talent have been unable to keep pace with the dramatic rise in
cybercrime.

Particularly rare are cybersecurity professionals who understand and practice
the major point made within this book: cyber risks are business risks just as
serious and worthy of the executive leader’s attention as risks to sales,
order fulfillment, and accounts receivable. This means hiring the talented
cybersecurity people you want on your team may be difficult. Even if you can
find them, they will be expensive. Also, odds are they will receive frequent,
unsolicited job offers from organizations willing to pay more than you are, in
which case you will lose them from your team.

For example, in the Seattle area, many large, growing employers in the
technology industry are paying very high compensation for experienced
cybersecurity people. That makes it difficult for smaller, non-technical
organizations to hire and retain the cybersecurity staff they need. Some of
the struggling organizations are opening smaller offices in other cities or
countries to find the talent they need. Or they switch to outsourcing.

This means you need to be very smart about where to get the talent you need
to execute your cyber risk mitigation action plans. To help mitigate this
talent gap, we recommend carefully considering which work you want to keep
in-house versus which work will be outsourced.

The general guidance for this is simple: keep the work that is core to your
business in the hands of your trusted insiders and employees.

In contrast, there are lots of tasks that are good candidates to outsource to
another company. To help determine which tasks should be worked on by which
set of experts, we recommend splitting all of your tasks into one of three
categories: core tasks, strategic outsourcing tasks, or commodity outsourced
tasks.

Core tasks are ones in which your employees perform work that helps the
business take smart cyber risks, deliver higher quality cybersecurity
decisions than outsiders would be able to, and establish and maintain critical
business relationships with people across the company so the cybersecurity
agenda gets the attention it deserves.

Strategic outsourcing tasks are where the employees are directly assisted by
outside experts who do the majority (60–80%) of the detailed work. For
example, if your organization hired a consultant to lead the development of
your first cyber risk management action plan, that would be classified as a
strategic outsourcing task.

Commodity outsourced tasks are ones in which the outsiders do all (100%) of
the work under the direct oversight of your employee. For example, your
organization may hire an outside firm to conduct your quarterly PCI-DSS
assessment vulnerability scans. This is a commodity outsourcing task because
any certified provider could do it equally well and with limited oversight
from your employees. Therefore, we can shop around for the best price or
overall bundle of services to complete this task since it is heavily
commoditized.

Let’s consider how these three categories could be used to separate some
notional tasks.

First, we have the core tasks. Maybe we need to bring someone on to work as a
project manager, preferably with IT security knowledge and experience, which
can be learned. Since it is a tight labor market, we may opt to provide an
internal opportunity to an existing employee first when trying to fill this
position. This project manager will be focused on several core tasks,
including committee work, chairing the cyber risk committee, participating on
the change control committee, participating on the disaster recovery
committee, developing and maintaining standards and procedures, preparing for
and supporting annual external audits, supporting the annual cyber insurance
renewal, conducting information assessments, and many others.

In addition to those tasks, we can consider several strategic outsourcing
tasks, including developing and maintaining organizational policies, annual
company cyber risk assessments, high-risk security assessments, annual
firewall effectiveness assessments, technical vulnerability assessments, and
many others.

Lastly, we have the commodity outsourced tasks, which include conducting
network intrusion detection activities, performing education and awareness
training, administering anti-phishing training programs, performing periodic
control reviews, and more.


COST OF IMPLEMENTATION

Whether you decide to keep cybersecurity services in-house or outsource them,
it is important to calculate the implementation costs. In our cyber risk
management planning, we utilize the three-year total cost of ownership (3TCO)
to estimate the overall costs of each mitigation. This allows for a better
comparison of costs across different mitigations, considering one-time costs,
ongoing expenses, and varying cost structures. The formula to calculate the
3TCO is:

(Implementation Cost) + (Annual Operating Cost x 3)

Implementation cost refers to the total expenses associated with acquiring and
deploying a system, service, or solution, including acquisition costs and
labor expenses for implementation. If you need to calculate the implementation
cost, you can do this using the following formula:

(Acquisition Cost) + (Implementation Hours x Labor Cost)

When the specific resource responsible for the work is unknown, a blended
labor cost of $125 per hour is typically used, combining internal and external
labor rates. But this figure does change over time and based on the current
labor rates applicable to your market. Once the responsible resource is
identified, the cost estimate can be updated accordingly, utilizing the
appropriate labor costs.

The annual operating cost is another important number to consider. Annual
operating cost refers to the total expenses incurred on an annual basis to
maintain and operate a particular system, service, or solution, including
renewal costs and ongoing labor expenses. The annual operating cost is
calculated using the formula:

(Annual Renewal Cost) + (Operating Hours x Labor Cost)


To illustrate this approach, let’s consider an example where you need to
implement a new security event log management system to enhance your ability
to detect cybersecurity incidents quickly.

Suppose operating this system would take two hours per week. This would equate
to 104 hours per year at a cost of $13,000 ($13,000 = 104 hours x $125/hour).
The system also charges an annual licensing fee of $7,200 per year to operate.
This means the total operating cost per year is $20,200 ($20,200 = $13,000
labor/year + $7,200 software/year).

But this is only the cost for a single year, not 3 years. Therefore, the total
operating cost would be 3 x $20,200, a total of $60,600 to operate this
control.

Unfortunately, we forgot about the upfront implementation cost, so we must
also add that. The implementation cost is $36,000 to acquire the system, 80
hours to implement it, and the implementation labor rate is $125/hour. This
means we have a total implementation cost, or one-time fee, of $46,000
($36,000 + (80 hours x $125/hour)).

So, the total cost of ownership over the first 3-year cycle (3TCO) would be
$106,600. This is $46,000 for the implementation cost plus another $60,600 for
the operating cost over the 3 years.

Let’s consider another example. This time, we are working with an organization
that needs to implement a new crisis communication plan to help the executive
management team retain control of the organization when its primary
communication systems are down during a ransomware or another type of cyber
attack.

For this organization, we are essentially rewriting policies and determining
which systems to utilize as opposed to buying and implementing a new system.
This means we have $0 in software licensing or system acquisition costs, but
we will have 160 hours of labor required to build out the new crisis
communication plan at the cost of $125/hour. This gives us a total
implementation cost of $20,000 (160 hours x $125/hour).

The organization will spend about 40 hours per year to operate and maintain
this new plan at a cost of $125/hour, generating $5,000 per year in operating
costs.

To calculate the 3TCO, we will add the implementation cost ($20,000) to three
times the annual operating cost (3 x $5,000), giving us a total of $35,000 to
acquire/develop and operate this new crisis communication plan.

Using these formulas, you should be able to calculate the cost of any new
system, control, or mitigation that you may want to recommend as part of your
new cyber risk management action plan using a three-year total cost of
ownership (3TCO) figure for easy comparison against other potential solutions.
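
The two 3TCO examples above, carried through in code so the same formulas can be reused for any mitigation and the candidates ranked side by side. This is an added example, not code from the book or from Akylade; the class, function, and field names are my own, and the $125 blended labor rate is the default the text gives.

```python
"""Three-year total cost of ownership (3TCO) calculator for CR-MAP mitigations.

Added example (not the book's own code). It implements the three formulas from
the Cost of Implementation section and reproduces its two worked examples.
Names such as Mitigation, three_year_tco and rank_by_3tco are my own choices.
"""
from dataclasses import dataclass, replace

BLENDED_LABOR_RATE = 125.0   # $/hour default used when the resource is unknown
OPERATING_YEARS = 3          # 3TCO covers the first three-year cycle
WEEKS_PER_YEAR = 52


@dataclass(frozen=True)
class Mitigation:
    name: str
    acquisition_cost: float          # one-time purchase price (software, hardware)
    implementation_hours: float      # labor hours to deploy it
    annual_renewal_cost: float       # licensing / subscription per year
    operating_hours_per_year: float  # labor hours to run and maintain it per year
    labor_rate: float = BLENDED_LABOR_RATE  # override once the resource is known

    def implementation_cost(self) -> float:
        # (Acquisition Cost) + (Implementation Hours x Labor Cost)
        return self.acquisition_cost + self.implementation_hours * self.labor_rate

    def annual_operating_cost(self) -> float:
        # (Annual Renewal Cost) + (Operating Hours x Labor Cost)
        return self.annual_renewal_cost + self.operating_hours_per_year * self.labor_rate

    def three_year_tco(self) -> float:
        # (Implementation Cost) + (Annual Operating Cost x 3)
        return self.implementation_cost() + OPERATING_YEARS * self.annual_operating_cost()


def with_labor_rate(m: Mitigation, rate: float) -> Mitigation:
    """Re-estimate once the responsible resource (and its real hourly rate) is known."""
    return replace(m, labor_rate=rate)


def rank_by_3tco(mitigations):
    """Return (name, 3TCO) pairs, cheapest first, for side-by-side comparison."""
    return sorted(((m.name, m.three_year_tco()) for m in mitigations),
                  key=lambda pair: pair[1])


# Worked example 1 from the text: security event log management system.
LOG_MANAGEMENT = Mitigation(
    name="Security event log management",
    acquisition_cost=36_000,
    implementation_hours=80,
    annual_renewal_cost=7_200,
    operating_hours_per_year=2 * WEEKS_PER_YEAR,   # two hours per week = 104 hours
)

# Worked example 2 from the text: crisis communication plan (nothing to buy).
CRISIS_COMMS_PLAN = Mitigation(
    name="Crisis communication plan",
    acquisition_cost=0,
    implementation_hours=160,
    annual_renewal_cost=0,
    operating_hours_per_year=40,
)

if __name__ == "__main__":
    for name, cost in rank_by_3tco([LOG_MANAGEMENT, CRISIS_COMMS_PLAN]):
        print(f"{name}: 3TCO = ${cost:,.0f}")
```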

STEP 2: BUSINESS VALUE ANALYSIS

Your mitigations can create value for your company in four dimensions:
financial returns, technical risk mitigation, legal risk mitigation, or
increased reliability of operations.

The purpose of doing a business value analysis is to take what could otherwise
be an obscure set of decisions related to cybersecurity and allow you to
communicate the benefits of those actions to key decision-makers and later to
everyone else in more business-friendly terms.

The business value model has trust at its core and divides the value into four
quadrants.

The financial returns quadrant focuses on cost savings, competitive
differentiation, increased productivity, decision enhancement, and brand
enhancement.

Technical risk mitigation is focused on data confidentiality, trustworthiness,
authorization, and business continuity.

Legal risk mitigation is focused on due diligence, increased accountability,
external and internal compliance, and improved awareness.

Increased reliability of operations is focused on increased availability,
preservation of data integrity, disaster recovery, and preservation of current
capabilities.

Let’s consider the example of a password manager being recommended for
implementation across the customer service team of an organization.

The customer service director doesn’t know much about technology, cyber risks,
or password protection. After all, that isn’t their job. Instead, their job is
to serve customers.

If you go to the director and say, “We are rolling out a new cybersecurity
process for your department that will require a new piece of software be
installed on all of your customer service agents’ workstations,” you will
likely get a bad reaction from them.

In the past, we’ve heard responses like, “Why are you making my people do
this?” or “They’re already busy enough; how is this plan of yours going to
help us serve our customers better?” or even “I don’t see the value in that.”

In short, they will protect their team from disruptive changes because they
need to keep their team’s productivity levels high. To be persuasive in that
situation, you must use language that makes sense to them; by using the
business value analysis model to explain your proposed changes, you can make
them understand how this change will make their entire department better and,
hopefully, more productive.

Remember, if you cannot explain the purpose behind your cybersecurity change
in a way that gets buy-in from the business side of your organization, your
changes are sure to fail. Soft skills are extremely important during this part
of the CR-MAP process.


Another way the business value model can be useful is when you need to justify spending money on cybersecurity measures. For example, if a password manager for the entire customer service department represents a $25,000 annual expense, that money must come from somewhere else in the organization’s budget. You will compete with other proposals for how your company should spend that same $25,000 because money is a finite resource.

Someone from the marketing department might propose to use that $25,000 to run a marketing campaign that would increase your top-line revenue by 2 percent. Someone from sales might say they could hire three interns for the summer with that money and increase their number of outbound calls by 5 percent. At the end of the day, you are competing with all of those proposals. Hence, you need a simple, straightforward example of how your cybersecurity measures will bring value to the business and why they are a valid way to spend the organization’s valuable and limited resources.

Let’s analyze the business value of implementing the crisis communication plan mentioned earlier in this section.

The crisis communication plan has its major business benefit in the technical risk mitigation quadrant. We can identify several applicable value factors for this proposal, including data confidentiality, trustworthiness, and business continuity.

Implementing the crisis communication plan will reduce the risk of unauthorized disclosure, avoid breach notification costs, and mitigate the risk of regulatory action, leading to increased data confidentiality. The crisis communication plan will also increase trustworthiness in the organization by enhancing confidence in the overall security of systems and processes. The plan will also improve the business continuity capabilities of the organization by allowing it to recover and sustain critical business functions and customer processes after a disaster.

While other benefits, such as decision enhancement, may exist, technical risk mitigation aligns most strongly with the objectives. Now that we have identified these factors and any additional ones we might want to add, we build support for implementing the crisis communication plan to minimize the gap between our target score and our currently assessed score within the organization.

STEP 3: DASHBOARD AND ROADMAP

It is time to consolidate all the organization’s cyber risk mitigations into a single concise dashboard and overarching roadmap. These will help us to incorporate all the various forms of analysis we have already performed, including the three-year total cost of ownership (3TCO), the primary business benefits, and any secondary (or optional) business benefits you have identified. This dashboard will serve as a prioritized list of actions, arranged based on the magnitude of the gap each mitigation will address.

To enhance your execution efficiency, you may also consider developing an implementation roadmap alongside the dashboard. While the specifics of creating roadmaps can vary among organizations, it’s important to find a method that suits your organization’s specific needs.

Having worked with numerous organizations over the years, we have seen many roadmap templates and styles, ranging from traditional Gantt charts to Kanban boards, Scrum product backlogs, and other Agile tools. You can use any template or format your organization prefers, and you should always consult your project management team for additional guidance on the roadmap format. If you’re unsure or just looking to create your own roadmap, we recommend a quick web search for the term “Gantt chart Excel” to find several different templates and tutorials to help get your roadmap development started.

Priority | Mitigation Name                                   | Business Value    | Estimated Implementation Cost | Estimated Maintenance Costs | Three-year TCO
1        | Implement cybersecurity training company-wide     | Risk, Legal       | $30,440                       | $38,440                     | $145,760
2        | Activate auto-encrypt of USB storage company-wide | Risk, Reliability | $2,500                        | $0                          | $2,500
3        | Revise security requirements in contracts         | Legal, Risk       | $6,400                        | $0                          | $6,400
4        | Implement password manager company-wide           | Risk, Reliability | $27,940                       | $38,440                     | $143,260
5        | Improve governance of cybersecurity               | Legal, Risk       | $51,800                       | $49,700                     | $101,500
6        | Implement Vulnerability Scanning                  | Risk, Reliability | $10,000                       | $18,000                     | $64,000
7        | Implement two-factor authentication company-wide  | Risk, Legal       | $5,000                        | $0                          | $5,000
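As an added check (example code, not from the book), the following Python recomputes each dashboard row’s three-year TCO from the two cost columns, assuming the formula 3TCO = implementation cost + 3 × annual maintenance cost; that assumption reproduces every row’s printed total except row 5, which the script flags, so arithmetic or transcription slips are caught before the dashboard reaches stakeholders.

```python
from dataclasses import dataclass

YEARS = 3  # the "three" in three-year total cost of ownership


@dataclass(frozen=True)
class Mitigation:
    priority: int
    name: str
    business_value: tuple[str, ...]
    implementation_cost: int  # one-time estimate, USD
    annual_maintenance: int   # recurring estimate per year, USD
    stated_3tco: int          # the three-year TCO printed on the dashboard


def three_year_tco(m: Mitigation) -> int:
    """Assumed formula: one-time implementation cost plus YEARS of annual maintenance."""
    return m.implementation_cost + YEARS * m.annual_maintenance


def mismatched_rows(rows: list[Mitigation]) -> list[int]:
    """Priorities whose printed 3TCO disagrees with the recomputed value."""
    return [m.priority for m in rows if three_year_tco(m) != m.stated_3tco]


def spend_by_value(rows: list[Mitigation]) -> dict[str, int]:
    """Recomputed 3TCO attributed to each business-value tag.

    A mitigation tagged "Risk, Legal" counts fully toward both tags, so the
    totals overlap; this is a view of how much spend supports each value,
    not a partition of the budget.
    """
    totals: dict[str, int] = {}
    for m in rows:
        for tag in m.business_value:
            totals[tag] = totals.get(tag, 0) + three_year_tco(m)
    return totals


def render(rows: list[Mitigation]) -> list[str]:
    """One line per row: priority, name, recomputed 3TCO, and a flag if it differs."""
    lines = []
    for m in rows:
        recomputed = three_year_tco(m)
        flag = "" if recomputed == m.stated_3tco else f"  <-- printed ${m.stated_3tco:,}, check"
        lines.append(f"{m.priority}  {m.name:<50} ${recomputed:>9,}{flag}")
    return lines


# Transcribed from the dashboard table in this chapter.
DASHBOARD = [
    Mitigation(1, "Implement cybersecurity training company-wide", ("Risk", "Legal"), 30_440, 38_440, 145_760),
    Mitigation(2, "Activate auto-encrypt of USB storage company-wide", ("Risk", "Reliability"), 2_500, 0, 2_500),
    Mitigation(3, "Revise security requirements in contracts", ("Legal", "Risk"), 6_400, 0, 6_400),
    Mitigation(4, "Implement password manager company-wide", ("Risk", "Reliability"), 27_940, 38_440, 143_260),
    Mitigation(5, "Improve governance of cybersecurity", ("Legal", "Risk"), 51_800, 49_700, 101_500),
    Mitigation(6, "Implement vulnerability scanning", ("Risk", "Reliability"), 10_000, 18_000, 64_000),
    Mitigation(7, "Implement two-factor authentication company-wide", ("Risk", "Legal"), 5_000, 0, 5_000),
]

if __name__ == "__main__":
    print("\n".join(render(DASHBOARD)))
    print("rows to re-check before publishing:", mismatched_rows(DASHBOARD))
```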

As you craft your implementation roadmap, you may be tempted to alter the order of the mitigations. If you decide to do so, ensure you have a reasonable rationale for making that change, and you should also ensure that rationale is documented for future reference. Remember that you may need to explain your decisions to important stakeholders such as major customers, investors, state regulators, or even in a legal setting someday in the future, so having your rationale documented will come in handy.

One valid justification for a change could be managing the change pace for the organization’s staff. In the provided table, notice that mitigations #3 (contracts), #5 (governance), and #6 (scanning) have minimal impact on personnel. Adjusting their implementation sequence might be prudent if your employees require a respite from the influx of new cybersecurity practices being introduced by your recommendations.

STEP 4: INTERNAL MARKETING

Once you have identified the gaps that need to be addressed within your organization and assigned roles for everyone in your cyber risk management action plan, securing buy-in from the organization’s key stakeholders is crucial. This is where internal marketing plays a critical role in ensuring the success of your initiatives.

To effectively communicate and engage your company, consider addressing the following areas and sharing detailed information about them through various communication channels while leveraging established platforms such as newsletters and weekly team meetings. Collaborating with your marketing team can be advantageous as they possess valuable tools and techniques to support your efforts.

First, clarify the goals and objectives of implementing the next mitigation. It is important to clearly articulate the intended outcomes and the purpose behind the chosen approach because this helps employees understand the significance of the changes and align their efforts accordingly.

Next, you must establish how you will measure the success of the implemented mitigation. Define key performance indicators (KPIs) or metrics that will help track progress and determine if the desired outcomes are being achieved. These metrics will be used to create transparency and provide a clear benchmark for evaluating the effectiveness of the initiatives.
Then, you need to outline the timeline for implementing the proposed changes. Once outlined, you should clearly communicate the expected milestones and deadlines, allowing individuals to anticipate and plan accordingly. A well-defined timeline ensures the implementation stays on track and helps manage expectations throughout the process.

Next, you will need to identify the individuals who will take the lead in driving these changes. Designate responsible leaders or champions who will guide the implementation process, as well as those who will ensure that accountability and coordination amongst the teams occur. This clarity of roles and responsibilities encourages active participation and helps facilitate a smooth execution.

Then, you must assess whether new hardware or software will be required to support your new action plan. Determine if any technological investments or upgrades are necessary and communicate the rationale behind these decisions. This ensures that the required resources are available to implement the mitigation strategies effectively.

Next, you should consider your staff’s training and skill development needs. Evaluate whether additional training programs or workshops are necessary to equip employees with the knowledge and skills needed to adapt to the changes. Communicate the availability of these learning opportunities to support employee growth and facilitate a smooth transition.

Lastly, the organization will need to address the cost implications of the mitigation efforts, both in terms of financial investment and time commitment. The associated costs must be clearly communicated, including any required budgetary considerations or resource allocations. This transparency enables stakeholders to understand the investment involved and appreciate the initiatives’ value.

By effectively addressing these questions and utilizing diverse communication channels, you can engage your company, foster understanding, and gain the necessary support to successfully implement your cyber risk management initiatives.

STEP 5: EXTERNAL MARKETING

If you find yourself in a situation where you may need to explain your cybersecurity work to important stakeholders, such as your biggest customer, an investor, a state regulator, or even a judge and jury, it’s essential to take additional steps to ensure your story is clear and comprehensive. Let me guide you through the process of preparing a one-page scorecard that can be used to efficiently present your entire cybersecurity narrative.

To create the scorecard, you simply need to include two small tables with the summary scorecard and the top five identified cyber risks and then place the radar diagram underneath them to visually represent the organization’s cybersecurity posture. The exact layout and contents can always be customized to the needs of your organization and your specific audience. When constructing the scorecard, there are important tips to consider.

First, excluding your company name and logo from the scorecard is recommended. This may seem counterintuitive, but it helps prevent any temporary weaknesses or vulnerabilities disclosed in the scorecard from falling into the wrong hands. Usually, these scorecards are shared both internally and externally in an organization, so leaving the organization’s specific name off the document is a good idea. Additionally, it is crucial to strictly limit access to the data used in creating the scorecard, following a need-to-know principle when sharing this sensitive information.

If possible, obtaining signed nondisclosure agreements (NDAs) from those who will be viewing the scorecard adds an extra layer of protection for the confidentiality of the data. Including a label at the bottom of the scorecard indicating the confidentiality of the information is also recommended. If your organization lacks specific labeling guidelines, a label such as “Company Restricted—Do Not Distribute Without Signed NDA” should be utilized.

It is essential to add the publication date to the footer to track the progress and version of the scorecard. This allows for clear identification and reflects any subsequent iterations or updates made. Furthermore, as a security measure, random license plate codes like WHJ-597 can be assigned and placed in the upper-left and bottom-right corners of the scorecard. This anonymizes customers’ cyber risk records, safeguarding their identity even in the event of a breach or data loss.

By following these guidelines and creating a clear and concise scorecard, you will be well-prepared to effectively communicate your cybersecurity efforts to key stakeholders while ensuring the confidentiality of sensitive information.

SUMMARY

Having identified and prioritized your company’s top cyber risks, as well as developed a comprehensive plan to manage those risks, you have taken crucial steps to protect your organization and its stakeholders. This includes gaining buy-in from decision-makers and employees and determining the necessary budget for implementing the plan. Without these proactive changes, your company and customers risk significant consequences, such as the loss of valuable information and resources, damage to reputation, and even potential physical harm.

Many companies, like AsusTek, have made mistakes in the past, often failing to communicate their cybersecurity failures publicly. However, with the plan you have developed during the second phase of the cyber risk management action plan process, not only can you significantly reduce the risk of cybersecurity breaches, but you can also leverage any breaches that do occur as an opportunity to build trust with your customers. You can demonstrate your commitment to cybersecurity and strengthen customer confidence by handling incidents transparently and effectively.

It is important to remember that implementing your plan and improving cyber hygiene is an ongoing process. Merely having a well-designed plan is not enough. You must continue to execute and maintain your cyber risk management game plan to ensure long-term effectiveness. Cybersecurity is not simply about purchasing the right tools and technologies; it is about consistently implementing best practices and taking proactive measures to mitigate risks.

By staying vigilant and actively practicing cybersecurity measures, you can protect your organization, maintain customer trust, and minimize the potential impact of cyber threats.


CHAPTER FOURTEEN

PHASE 3: MAINTENANCE AND UPDATES

In early 2017, an unprecedented cyberattack targeted Equifax, one of the three large credit bureaus in the United States. This attack highlighted their abysmal cyber hygiene practices at the time. The attackers, whose identities remain unknown, demonstrated a high level of sophistication given the scale and precision of the breach. They meticulously navigated Equifax’s network, identifying valuable credit information, and subsequently exfiltrated gigabytes of data without detection. Regrettably, this breach compromised the credit files of countless working Americans, raising concerns about the long-term repercussions and the motivation behind the attack.

The nature of this breach suggests that it was not an opportunistic act or the work of a mere political activist. Instead, it appears to have been a deliberately calculated and silent operation to inflict maximum damage. The stolen data’s uncertain fate hints at a larger, potentially more insidious motive. One possibility is that the data is being amassed for future exploitation. If a foreign government sought to undermine the United States, as witnessed during previous presidential election interference campaigns, the compromised credit information could be weaponized to compromise the entire credit-granting system and could undermine the American public’s faith in the nation’s banking and credit systems.

The consequences of such an influence attack on our economy would be dire. Imagine the repercussions if a significant number of credit files were tampered with or filled with fraudulent entries. Every day, individuals seeking to purchase homes or cars would face insurmountable obstacles. Although the derogatory marks in their credit files would be unfounded, the economic gears of the country could grind to a halt, stifling growth and causing widespread disruption.

The Equifax incident carries with it immense implications. The company’s response to the data breach was marred by numerous missteps, some of which were tragically ironic. In a misguided attempt to direct people to their site for information, Equifax inadvertently directed its Twitter followers to a phishing site. However, the most significant error was their failure to patch their Internet-facing web servers, exposing a shocking lack of cyber hygiene. The attackers did not need to resort to phishing tactics or zero-day vulnerabilities; instead, they swiftly breached Equifax’s network and operated undetected for a staggering one hundred days by exploiting a well-known and documented vulnerability in the Apache Struts framework.

Equifax, an organization entrusted with safeguarding vast amounts of sensitive and personally identifiable information about more than 140 million Americans, profoundly failed in its duty to protect consumers. The repercussions of this data breach reverberated throughout our community, impacting more than just a single company or individual. While your organization may not handle the same magnitude of sensitive data as Equifax did, you are still responsible for protecting your digital assets to the best of your abilities for the sake of yourself, your customers, and the broader community.

Achieving this level of protection necessitates more than a one-time implementation of a cyber risk management action plan. It requires ongoing maintenance and updates to adapt to an ever-evolving threat landscape. The goal is to surpass the minimum standards and demonstrate a commitment to robust cybersecurity practices. By doing so, we can strive to safeguard our digital landscape and ensure a more secure future for our organization and its key stakeholders.
As we enter phase three of the cyber risk management action plan process, we must note that these steps are not performed in as strictly linear a fashion as in the previous phases. Instead, they are often conducted at the same time or iteratively. The entirety of this third phase takes about ten months to complete, which will complete the full twelve-month CR-MAP process cycle.

Regularly conducting check-ins and reviews with your team is vital to sustaining your cyber risk management action plan. These sessions serve multiple purposes, including assessing your progress toward achieving robust cybersecurity, acknowledging accomplishments, and updating your scorecard. It’s crucial to remember that the scores obtained in phase one of the CR-MAP process are not fixed or static. Instead, they should evolve over time for each item on the questionnaire and be updated as your implemented recommendations are fielded within the organization.

STEP 1: CONTINUALLY UPDATE YOUR SCORECARDS

While implementing change is important, documenting and tracking the progress is equally crucial. Therefore, it is advisable to regularly track your successes and create new scorecards every ninety days. Having up-to-date cybersecurity scorecards can serve as invaluable evidence in challenging conversations with regulators or customers, demonstrating your commitment to practicing reasonable cybersecurity.

Updating your scores not only provides data but also tells a
compelling story. For instance, when engaging with a regulator, you can
showcase the progress made over time by stating, “A year ago, our average
score for detecting cybersecurity incidents was 3.6 during our initial cyber
risk assessment; however, through sustained efforts over five quarters, we
have significantly improved our score to 5.1.”

This type of narrative allows you to articulate the specific measures taken to enhance your cybersecurity posture, providing a data-driven story rather than relying on executives’ unsubstantiated general statements when discussing their organization’s cybersecurity posture.
STEP 2: SCHEDULE MONTHLY CHECK-INS

In addition to updating your cyber risk scores, it is essential to establish a pre-scheduled series of monthly cybersecurity check-ins for the entire year. These check-ins, which typically take about an hour, should be consistently held on the same day and time each month to maintain a sense of regularity and consistency.

When scheduling these meetings, being selective about the attendees is important. Focus on including key individuals who can significantly impact the success of your cybersecurity efforts. These meetings do not need to be large-scale gatherings; they should be kept small and tactical. The primary purpose is to monitor progress and identify any obstacles hindering your advancement. Having too many participants can hinder the efficiency of these meetings and the entire process.

Since you are already aware of the cybersecurity initiatives you are actively working on, these check-ins serve as an opportunity to update each other on the progress made in executing different parts of the cyber risk management action plan. These meetings also serve as a chance to review the plan and ensure that you are aligned with the organization’s objectives while providing an avenue for making necessary adjustments to stay on track.

If you find yourself off track during the monthly check-ins, the
solution might be relatively simple. It could be a matter of lacking the
necessary skill set to effectively mitigate a specific cyber risk. In such cases,
it becomes a human resources challenge that can be addressed by hiring or
contracting someone with the required expertise to help resolve the issue.

Similarly, if your company is undergoing significant corporate changes that consume a substantial amount of energy and resources, it may become difficult to handle multiple changes simultaneously. In such situations, it might be necessary to temporarily pause certain aspects of your cyber risk management action plan to prioritize the ongoing corporate transition.

Conducting these regular meetings also allows new information to emerge, which may necessitate adjustments to your cyber risk management action plan. Despite thorough data gathering, unexpected discoveries may still occur during your plan’s execution. For instance, you might realize your protection function is weaker than initially anticipated. During these instances, it is important to reconnect with the original purpose that motivated you to embark on this cybersecurity journey in the first place. Always take the time to remind yourself of the underlying reasons for pursuing reasonable cybersecurity and what is truly at stake. By reconnecting with your purpose, navigating unexpected information and making informed decisions becomes easier.

In addition to monitoring progress and addressing challenges, these monthly meetings present an opportunity to celebrate the accomplishments and successes of your organization in the realm of cybersecurity. How you choose to celebrate reflects your company’s culture, but its significance should not be underestimated. While it is essential to recognize achievements across all areas of the business, celebrating cybersecurity wins in a distinct way can inadvertently reinforce the notion that cyber risks are separate from other aspects of the business.

To overcome this counterproductive narrative, it is crucial to integrate cybersecurity celebrations seamlessly into your overall company culture. By treating cybersecurity milestones and achievements with the same level of enthusiasm and recognition as any other business accomplishment, you foster the perception that cybersecurity is an integral part of regular business operations. This approach helps establish a mindset where individuals perceive cybersecurity as a natural and essential component of their everyday professional responsibilities.

Celebrating cybersecurity wins alongside other business achievements reinforces the idea that effective cybersecurity practices are not isolated or detached from the organization’s broader objectives. Instead, they become ingrained within the fabric of your company’s regular business life. This alignment promotes a holistic and proactive approach to cybersecurity, where individuals recognize its importance and actively contribute to maintaining a secure and resilient digital environment.
During the monthly meetings, the final agenda item discusses the next steps in your cyber risk management journey. If a particular cybersecurity function has achieved its target score, you can mark it as completed and shift your focus to the next priority on your list.

For instance, if your organization’s physical security is identified as a concern due to the absence of access control badges with individual photographs, your project may involve implementing a system to incorporate photographs on the organizational security badges. This project includes tasks such as procuring the necessary systems, organizing the badging and photography process, and establishing administrative procedures to ensure that every new member receives a badge with their photograph. Once the project is successfully handed off to the physical security team and they have commenced its operation, the risk associated with inadequate physical security has been mitigated, marking the completion of that specific project. At this point, updating your cyber risk records to reflect progress and adjusting your priorities accordingly is essential.

Regularly reassessing and updating your cyber risk management initiatives ensures that your organization stays proactive in addressing vulnerabilities and implementing effective risk mitigation strategies. This iterative process enables you to tackle one project at a time, continuously improving your cybersecurity posture and safeguarding your organization against evolving threats.

STEP 3: SCHEDULE QUARTERLY REVIEWS

While the monthly meetings focus on tactical aspects, it is equally important to schedule quarterly reviews to assess the overall progress every ninety days. These reviews provide an opportunity to reflect on implementing various risk mitigations and evaluate the improvements made in cybersecurity scores during the previous quarter.
Managing and setting expectations regarding product progress, risk reduction, and the business value generated during the quarterly reviews is crucial. You should always seek to emphasize not only the reduction in risks but also the tangible benefits achieved, such as increased productivity. Highlighting the positive business outcomes resulting from your cybersecurity efforts is essential during these meetings.

Another important agenda item for the quarterly review is to look beyond your organization and consider the broader cybersecurity landscape. In order to prevent becoming the next victim of a cyber attack, your organization must stay vigilant and informed about the evolving threats and changes in the overall cybersecurity landscape. This awareness may require adopting new products, providing training on emerging technologies, or updating processes to align with the evolving landscape.

Unlike the monthly meetings that focus on implementation goals, quarterly meetings should also involve a wider range of participants. These meetings keep stakeholders informed about the progress and steer the overall cyber risk management action plan. If your organization operates in highly regulated industries like banking, insurance, or healthcare, involve sales leaders to address questions related to cybersecurity that may arise during their interactions with potential customers. This ensures they are equipped with up-to-date information and can address any potential concerns their clients might have.

Another thing you should be prepared to do during your quarterly


meetings is to answer any questions or concerns raised by the organization’s
key stakeholders. The perception and support of these stakeholders play a
vital role in practicing reasonable and repeatable cybersecurity. By
understanding and addressing anxieties or challenges raised, you can take
proactive steps to reinforce confidence and mitigate potential obstacles, as
well as use this opportunity to manage and maintain the reputation of your
cyber risk management action plan.

One of the most crucial aspects of the quarterly review is updating
the scores from your original cyber risk scorecard. Based on the actual
SE 3 2
progress made, you need to revise the scores in your spreadsheet. As your
D @g
organization completes various risk mitigations, these improvements should
FO m
be tracked, and a noticeable change in the organization’s cybersecurity
scores should be observed over time. Additionally, it is important to
R ail.

consider any new or evolving internal and external risks to the organization.
US co

If these threats warrant adjustments to the scores or an overall change to


your priorities, they should be documented and added to your cyber risk
E m·

management action plan.
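The scorecard update described above can be done mechanically once the scores live in a spreadsheet export or a small script. The following Python is an added illustration, not code from the book or from Akylade: it compares a constructed set of last quarter's CR-MAP scores (on the 0-10 scale) with this quarter's scores and the target scores, flags outcomes that regressed or stalled well below target, and lists the items that should be documented in the action plan, including newly surfaced risks. The outcome identifiers, the scores, the `min_gap` threshold and the `NEW_RISKS` entry are all made up for the example.

```python
"""Quarterly CR-MAP scorecard update.

Added illustration (not the book's or Akylade's code): compares last quarter's
scores with this quarter's, flags regressions and stalled outcomes, and lists
what to document in the cyber risk management action plan. Every identifier
and number below is constructed sample data.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 0, 10  # CR-MAP scores use a 0-10 scale

# Constructed sample scores keyed by NIST CSF outcome category.
PREVIOUS_QUARTER = {"ID.AM": 4, "PR.AC": 5, "PR.AT": 3, "DE.CM": 2, "RS.MI": 6, "RC.RP": 4}
CURRENT_QUARTER = {"ID.AM": 6, "PR.AC": 5, "PR.AT": 7, "DE.CM": 2, "RS.MI": 5, "RC.RP": 4}
TARGET_PROFILE = {"ID.AM": 8, "PR.AC": 6, "PR.AT": 7, "DE.CM": 7, "RS.MI": 8, "RC.RP": 6}

# Risks surfaced since the last review (constructed), mapped to the outcome they affect.
NEW_RISKS = {"DE.CM": "no log monitoring for the newly adopted HR SaaS platform"}


@dataclass(frozen=True)
class Delta:
    outcome: str
    previous: int
    current: int
    target: int

    @property
    def change(self) -> int:
        return self.current - self.previous

    @property
    def gap_to_target(self) -> int:
        return max(self.target - self.current, 0)


def validate_scores(scores: dict) -> None:
    """Reject anything outside the 0-10 scale before it reaches the scorecard."""
    for outcome, score in scores.items():
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{outcome}: score {score} is outside {SCALE_MIN}-{SCALE_MAX}")


def score_deltas(previous: dict, current: dict, target: dict) -> list:
    """One Delta per outcome in the current scorecard, in spreadsheet order."""
    for s in (previous, current, target):
        validate_scores(s)
    missing = set(current) - set(previous)
    if missing:
        raise KeyError(f"no previous score for {sorted(missing)}")
    return [Delta(k, previous[k], current[k], target[k]) for k in current]


def regressions(deltas: list) -> list:
    """Outcomes whose score dropped since last quarter."""
    return [d.outcome for d in deltas if d.change < 0]


def stalled_gaps(deltas: list, min_gap: int = 3) -> list:
    """Outcomes with no movement that are still at least min_gap below target."""
    return [d.outcome for d in deltas if d.change == 0 and d.gap_to_target >= min_gap]


def action_plan_updates(deltas: list, new_risks: dict, min_gap: int = 3) -> list:
    """Items that should be documented in the action plan this quarter."""
    updates = []
    for d in deltas:
        if d.change < 0:
            updates.append(f"{d.outcome}: regressed {d.previous}->{d.current}; investigate the cause")
        elif d.change == 0 and d.gap_to_target >= min_gap:
            updates.append(f"{d.outcome}: no progress, still {d.gap_to_target} below target")
    for outcome, risk in new_risks.items():
        updates.append(f"{outcome}: new risk to add to the plan: {risk}")
    return updates


if __name__ == "__main__":
    deltas = score_deltas(PREVIOUS_QUARTER, CURRENT_QUARTER, TARGET_PROFILE)
    for d in deltas:
        print(f"{d.outcome:6} {d.previous:>2} -> {d.current:>2} (target {d.target}, change {d.change:+d})")
    for line in action_plan_updates(deltas, NEW_RISKS):
        print("ACTION:", line)
```

On the constructed data the script reports one regression (RS.MI), one stalled outcome (DE.CM, five points below target with no movement) and one new risk, which are exactly the three items the quarterly review should carry into the action plan.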


By conducting regular quarterly reviews, you can ensure ongoing monitoring, adaptation, and alignment of your cyber risk management efforts with the changing cybersecurity landscape. These reviews facilitate informed decision-making, enhanced risk awareness, and the ability to effectively respond to emerging challenges.

STEP 4: SCHEDULE AN ANNUAL CYBERSECURITY SUMMIT

Hosting an annual cybersecurity summit provides an opportunity to reflect on your company’s progress throughout the year. It sets the stage for repeating the phases of the cyber risk management action plan process as you get ready to move into your second year.

While similar in content to monthly and quarterly meetings, the summit has a broader focus and serves as a comprehensive overview of your annual journey. During the summit, you should showcase your previous scorecard alongside the latest scores, emphasizing the improvements made in cybersecurity. This visual representation highlights the proactive measures taken by the organization to enhance its security.

This summit is a time for celebration, acknowledging the achievements made and recognizing the contributions of stakeholders who have made it all possible. Emphasize that as you enter a new year, you will face a new set of top cyber risks together. It is important to always demonstrate your commitment to ongoing cyber risk management as an organizational team.

It is time for you to reenergize the company as you embark on another round of the systematic, comprehensive, and structured process of practicing reasonable cyber hygiene. Inform participants that a new interview series will start shortly. Just as Peter Drucker, a renowned management theorist, emphasizes, an effective executive must always set and adhere to priorities. Once the initial high-priority tasks have been accomplished, you reassess and determine your next set of priorities. This process applies to the annual interviews as well, since they help answer the question, “What actions are now necessary to uphold our reasonable cybersecurity efforts moving forward?”

Following the annual summit and the completion of this third phase of the CR-MAP process, you will return to the beginning and initiate the data-gathering phase again. This spiral, iterative process not only manages cyber risks effectively and adds value to your organization but also enables you to construct a comprehensive narrative in the event of a data breach. This story, supported by detailed interviews, meeting minutes, scorecards, and other artifacts, demonstrates your proactive approach to cybersecurity and helps establish your company’s diligence and preparedness. By leveraging these resources, you can mitigate potential consequences and avoid the fate suffered by other organizations and their customers that have been victimized by cyber-attacks and data breaches.

SUMMARY

In this chapter, we explored the importance of storytelling as you progressed through your cybersecurity journey and the cyber risk management action plan process. Effective storytelling is crucial in garnering support and commitment from stakeholders within your organization. This third phase of your cyber risk management plan provides an opportunity to share a compelling story with key stakeholders to ensure they continue to be bought into your greater vision for the organization.

Implementing cybersecurity measures requires people to change their daily operations, and it is vital to provide them with a story they can easily comprehend. Through the regular cadence of monthly, quarterly, and annual meetings, you have the platform to narrate the story of your collective journey. These gatherings serve as valuable occasions to engage stakeholders, communicate progress, and reinforce the significance of cybersecurity.

By crafting a compelling narrative and effectively sharing it during these meetings, you can foster a deeper understanding and appreciation for the importance of cybersecurity among your organization’s members. This heightened awareness will contribute to their support and commitment to maintaining a secure environment.

Remember, your cybersecurity story is an ongoing process that evolves with time. Embrace the power of storytelling to create a shared vision, inspire action, and cultivate a culture of cybersecurity within your organization.
CHAPTER FIFTEEN

CONCLUSION

Congratulations on completing this comprehensive guide to mastering cyber resiliency and preparing for the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams. Throughout this book, we have provided you with the knowledge, skills, and practical insights necessary to navigate the complex world of cybersecurity and implement the NIST Cybersecurity Framework effectively within your organization.

We began our journey by establishing a strong foundation in the basics of the NIST Cybersecurity Framework. From understanding the core principles and functions to exploring the various categories and subcategories, you have gained a solid understanding of the framework’s theoretical aspects. This knowledge will serve as the building blocks for your implementations within the world of cyber resiliency.

Then, we dove into the practical application of the NIST Cybersecurity Framework using the Cyber Risk Management Action Plan (CR-MAP). By examining real-world scenarios, you have witnessed firsthand how organizations across different industries have successfully implemented the framework to enhance their cyber resilience. Armed with this practical knowledge, you are now equipped to be a cyber resiliency professional as you apply the framework effectively within your organization.
We have emphasized the importance of hands-on practice and continuous improvement throughout your learning journey. If you intend to take the certification exams, we highly recommend that you first complete the practice exams for the A/CCRF and A/CCRP certification exams, available to download for free at https://www.akylade.com/mastering-cyber-resilience. These practice exams are designed to provide you with an opportunity to test your knowledge and gauge your readiness for the official certification exams.

Once you complete the practice exams, you should review the correct answers and explanations included with them to further reinforce your understanding and address any knowledge gaps.

Remember, the pursuit of cyber resiliency is an ongoing endeavor. The field of cybersecurity is always evolving, and it requires a proactive and adaptive approach to stay ahead of the new and emerging threats that are discovered daily. By embracing the concepts and principles covered in this book, you have confidently acquired the tools to navigate the complex cybersecurity landscape.

As you embark on your certification exams, remain focused, trust in your preparation, and apply the knowledge you have gained throughout this journey. Passing the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) and Akylade Certified Cyber Resilience Practitioner (A/CCRP) certification exams will validate your expertise and enhance your professional standing within the cybersecurity community.

Finally, we would like to express our gratitude for choosing this book as your guide. Remember that cybersecurity is a collective effort, and you play a vital role in safeguarding digital assets and protecting organizations from threats. Together, let us continue to foster a cyber-resilient future as we seek to ensure the security and resilience of our digital world.

We hope that these certification exams are a stepping stone in your successful cybersecurity career and that your cyber resilience efforts ensure your organization’s future.

APPENDIX A

A/CCRF EXAM OBJECTIVES

The Akylade Certified Cyber Resilience Fundamentals (CRF-001) exam consists of five domains:

Domain 1  Framework Concepts     25%
Domain 2  Framework Core         30%
Domain 3  Implementation Tiers   10%
Domain 4  Framework Profiles     15%
Domain 5  Risk Management        20%

Objectives and examples by domain, with the number of exam questions and the covering chapter(s) for each objective:

1.1 Identify Key Terms Related to the NIST Cybersecurity Framework (Questions: 2; Chapters: 2, 3)
- Cybersecurity
- Information security
- Information systems security
- Information assurance
- Cyber resilience
- Cybersecurity incident
- Stakeholder
- Supplier
- Critical infrastructure
- Threats
- Vulnerabilities
- Confidentiality
- Integrity
- Availability
- Non-repudiation
- Authentication

1.2 Summarize key aspects of the NIST Cybersecurity Framework (Questions: 4; Chapters: 4, 5)
- Purpose of the NIST Cybersecurity Framework
- Components of the NIST Cybersecurity Framework
  - Framework Core
  - Framework Profiles
  - Implementation Tiers
- Five functions of the NIST Cybersecurity Framework
  - Identify
  - Protect
  - Detect
  - Respond
  - Recover

1.3 Summarize how the NIST Cybersecurity Framework is different than other frameworks and certifications (Questions: 2; Chapter: 4)
- Applicable sectors and industries
  - Government
  - Healthcare
  - Financial services
  - Energy
  - Manufacturing
  - Retail
  - Transportation
  - Critical Infrastructure
- Characteristics of the framework
  - Voluntary set of guidelines
  - Flexibility and Adaptivity
  - Focus on Risk instead of Technical Controls
  - Focus on Risk instead of Compliance Requirements
  - Facilitate communication and collaboration
  - Continually improved and evolving
- Other Frameworks and Informative References
  - International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 and 27002
  - National Institute of Standards and Technology (NIST) Special Publications (SP 800-53, SP 800-171, and SP 800-37)
  - Center for Internet Security (CIS) Critical Security Controls
  - Information Technology Infrastructure Library (ITIL)
  - Payment Card Industry Data Security Standard (PCI DSS)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards
  - Federal Risk and Authorization Management Program (FedRAMP)
  - Open Web Application Security Project (OWASP)
  - Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)

1.4 Explain the benefits of achieving cyber resilience to key stakeholders (Questions: 1; Chapter: 4)
- Development of the NIST Cybersecurity Framework
- History of the NIST Cybersecurity Framework
- Executive Order 13636
- Executive Order 13800
- Cybersecurity Enhancement Act of 2014
- Relevance of NIST Cybersecurity Framework to contemporary cyber risks
- Federal Information Security Modernization Act (FISMA) of 2014
- Cybersecurity Information Sharing Act (CISA) of 2015

2.1 Explain the importance of the Framework Core (Questions: 2; Chapter: 6)
- Purpose of the Framework Core
- Usage of the Framework Core
- Benefits of the Framework Core
- Effectiveness of the Framework Core

2.2 Explain how categories (outcomes) are utilized within the five functions (Questions: 5; Chapter: 6)
- Identify
  - Asset Management
  - Business Environment
  - Governance
  - Risk Assessment
  - Supply Chain Risk Management
- Protect
  - Identity Management and Access Control
  - Awareness and Training
  - Data Security
  - Information Protection Processes and Procedures
  - Maintenance
  - Protective Technology
- Detect
  - Anomalies and Events
  - Security Continuous Monitoring
  - Detection Processes
- Respond
  - Response Planning
  - Communications
  - Analysis
  - Mitigation
  - Improvements
- Recover
  - Recovery Planning
  - Improvements
  - Communications

2.3 Explain how subcategories (activities) are utilized with the five functions (Questions: 3; Chapter: 6)
- Identify
  - Asset Management
  - Business Environment
  - Governance
  - Risk Assessment
  - Supply Chain Risk Management
- Protect
  - Identity Management and Access Control
  - Awareness and Training
  - Data Security
  - Information Protection Processes and Procedures
  - Maintenance
  - Protective Technology
- Detect
  - Anomalies and Events
  - Security Continuous Monitoring
  - Detection Processes
- Respond
  - Response Planning
  - Communications
  - Analysis
  - Mitigation
  - Improvements
- Recover
  - Recovery Planning
  - Improvements
  - Communications

2.4 Summarize how the NIST Cybersecurity Framework outcomes are related to controls provided by other publications (Questions: 2; Chapter: 7)
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 and 27002
- National Institute of Standards and Technology (NIST) Special Publications (SP 800-53, SP 800-171, and SP 800-37)
- Center for Internet Security (CIS) Critical Security Controls
- Information Technology Infrastructure Library (ITIL)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards
- Federal Risk and Authorization Management Program (FedRAMP)
- Open Web Application Security Project (OWASP)
- Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)

3.1 Explain how Implementation Tiers are utilized in the NIST Cybersecurity Framework, including how they differ from a maturity model (Questions: 1; Chapter: 8)
- NIST Cybersecurity Implementation Tiers
- Capability Maturity Model Integration (CMMI)
- Cybersecurity Capability Maturity Model (C2M2)
- Cybersecurity Maturity Model Certification (CMMC)
- ISO/IEC 27001

3.2 Given a scenario, analyze an organization’s implementation tier based on its current cybersecurity posture (Questions: 2; Chapter: 8)
- Tier 1 (Partial)
- Tier 2 (Risk Informed)
- Tier 3 (Repeatable)
- Tier 4 (Adaptive)

3.3 Given a scenario, recommend strategies for moving an organization between Implementation Tiers (Questions: 1; Chapter: 8)
- Assess the Current State
- Define the Target State
- Develop a Plan of Action
- Implement the Plan of Action
- Monitor and Adjust

4.1 Summarize how profiles are used to tailor the Framework for varying risk management strategies (Questions: 3; Chapter: 9)
- Key components of a profile
  - Core functions
  - Categories
  - Subcategories
- Utilizing Profiles
  - Current Profile versus Target Profile
  - Map profiles to an organization’s cybersecurity posture

4.2 Given a scenario, utilize a profile to tailor the NIST Cybersecurity Framework to specific organizational needs (Questions: 2; Chapter: 9)
- Tailor profiles to support risk management strategies
- Tailor profiles to support regulatory compliance requirements
- Utilize profiles to measure an organization’s cybersecurity posture over time
- Identify relevant core functions, categories, and subcategories

4.3 Explain the use of profiles in the Framework (Questions: 2; Chapter: 9)
- Profile templates
- Sector-specific profiles
  - Manufacturing Profile
  - Election Infrastructure Profile
  - Satellite Networks Profile
  - Smart Grid Profile
  - Connected Vehicle Profiles
  - Payroll Profile
  - Maritime Profile
  - Communications Profile

5.1 Explain the fundamentals of risk management (Questions: 2; Chapter: 3)
- Risk Analysis
  - Qualitative
    - Likelihood of a risk
    - Impact of a risk
  - Quantitative
    - Single-loss expectancy (SLE)
    - Annualized loss expectancy (ALE)
    - Annualized rate of occurrence (ARO)
  - Hybrid
- Business Impact Analysis
  - Recovery Time Objective (RTO)
  - Recovery Point Objective (RPO)
  - Mean time to repair (MTTR)
  - Mean time between failures (MTBF)
  - Single point of failure
  - Mission essential functions
  - Identifying critical systems
- Financial Analysis
  - Total Cost of Ownership (TCO)
  - Return on Investment (ROI)
  - Return on Assets (ROA)
- Risk appetite

5.2 Given a scenario, determine the appropriate risk response to a given threat or vulnerability (Questions: 2; Chapter: 3)
- Risk Responses
  - Acceptance
  - Avoidance
  - Transference
  - Mitigation
- Risk Register
- Types of Risk
  - Inherent Risk
  - Residual Risk

5.3 Given a scenario, assess cybersecurity risk and recommend risk mitigations (Questions: 4; Chapter: 10)
- Identify threats to an organization
- Identify vulnerabilities to an organization
- Identify risks to an organization
- Recommend specific risk mitigations
- Determine benefits of a particular risk mitigation
- Determine the trade-offs of a particular risk mitigation
- Evaluate the effectiveness of a particular risk mitigation
- Develop a risk management plan
- Develop a cybersecurity strategy

APPENDIX B

A/CCRP EXAM OBJECTIVES

The Akylade Certified Cyber Resilience Practitioner (CRP-001) exam consists of four domains:

Domain 1  CR-MAP Fundamentals                      22%
Domain 2  Phase One: Determine Top Cyber Risks     34%
Domain 3  Phase Two: Creating a CR-MAP             27%
Domain 4  Phase Three: Maintenance and Updates     17%

Objectives and examples by domain, with the number of exam questions and the covering chapter for each objective:

1.1 Explain how to best prepare for an assessment (Questions: 1; Chapter: 11)
- Understand the target organization
- Create project roadmap

1.2 Understand the CR-MAP process (Questions: 1; Chapter: 11)
- Prepare needed documents
- Contextualize the plan for the organization

1.3 Given a scenario, coordinate with management to achieve organizational buy-in (Questions: 2; Chapter: 11)
- Provide adequate answers to management questions
- Communicate potential business impacts of cybersecurity incidents
- Communicate complex technical topics using layperson terminology
- Create a communication plan to achieve buy-in

1.4 Explain the relationship between the NIST Cybersecurity Framework (CSF) and the Cyber Risk Management Action Plan (CR-MAP) (Questions: 1; Chapter: 11)
- Understand how CR-MAP questions relate to the NIST Cybersecurity Framework outcomes
- Understand the 0-10 scale used in CR-MAP as it relates to the NIST Cybersecurity Framework

1.5 Given a scenario, establish a risk profile for an organization (Questions: 2; Chapter: 11)
- Understand details about a target organization to align them with a NIST CSF risk profile

2.1 Given a scenario, determine the appropriate stakeholders and create a list of interviewees to identify cyber risks (Questions: 1; Chapter: 12)
- Consider role and technical ability
- Consider geographic locations and branches

2.2 Given a scenario, conduct interviews and record responses to identify top cyber risks (Questions: 1; Chapter: 12)
- Present questions in an unbiased manner
- Provide example answers to questions
- Record interviewee notes

2.3 Given a scenario, analyze network diagrams to identify cyber risks (Questions: 1; Chapter: 12)
- Review subnetting data
- Review VLAN data
- Review Virtual Private Network (VPN) data
- Review legacy systems data

2.4 Given a scenario, assess any missing details after gathering data and remediate the missing details (Questions: 1; Chapter: 12)
- Review qualitative data
- Review quantitative data
- Conduct additional interviews, as needed

2.5 Given a scenario, create and present the top cyber risks report for an organization (Questions: 2; Chapter: 12)
- Display the top cyber risks by business unit in aggregate
- Contextualize the top risks using themes
- Generate high-level remediation recommendations for top cyber risks

2.6 Given a scenario, generate a custom questionnaire for an organization (Questions: 1; Chapter: 12)
- Assign technical questions to interviewees
- Assign non-technical questions to interviewees
- Remove any non-applicable questions

2.7 Given a scenario, create charts to visually explain the top cyber risk categories to an organization (Questions: 1; Chapter: 12)
- Create spider charts
- Create bar graphs
- Create pie charts
- Analyze raw data

2.8 Given a scenario, set an organization’s target scores for alignment with the NIST Cybersecurity Framework (Questions: 2; Chapter: 12)
- Understand the 0-10 CR-MAP scale in relation to the NIST Cybersecurity Framework

3.1 Given a scenario, verify how each top risk is covered by the mitigation roadmap (Questions: 1; Chapter: 13)

3.2 Given a scenario, rate each mitigation’s business value based on the Business Value Model (Questions: 1; Chapter: 13)
- Financial returns
- Technical risk mitigation
- Legal risk mitigation
- Reliability of Operations

3.3 Given a scenario, create custom mitigations based on organization questionnaire and interviews (Questions: 2; Chapter: 13)

3.4 Given a scenario, create standard operating procedures (SOPs) for custom mitigation and control (Questions: 1; Chapter: 13)
- Implement mitigations
- Implement controls

3.5 Given a scenario, generate a cost estimate for each mitigation and control (Questions: 1; Chapter: 13)
- Understand the common cost associated with given mitigations and controls

3.6 Given a scenario, create an implementation roadmap for an organization (Questions: 2; Chapter: 13)
- Assign mitigations to specific organizational units
- Group mitigations by the type of owner
- Generate Gantt charts
- Understand resource limitations
  - Time
  - Money
  - Skilled personnel

4.1 Given a scenario, assist leadership in assigning mitigations and controls to internal and external parties (Questions: 1; Chapter: 14)

4.2 Given a scenario, generate updated top risk presentations as mitigations and controls are implemented (Questions: 1; Chapter: 14)
- Review completed mitigations
- Determine scores assigned to each mitigation
- Update charts with newly received numeric data
- Update top cyber risks

4.3 Given a scenario, explain which mitigations and controls have been proposed and what they accomplish (Questions: 2; Chapter: 14)
- Understand recommended mitigations/controls
  - Technical controls
  - Administrative controls
  - Physical controls
  - Preventative controls
  - Detective controls
  - Corrective controls

4.4 Given a scenario, conduct ongoing reviews and maintenance of the organization’s cyber resiliency (Questions: 1; Chapter: 14)
- Create post-assessment communication plans
- Update organizational roadmap based on periodic reviews

APPENDIX C

GLOSSARY

This glossary references all the terms used in the exam syllabus and the official textbook. These key terms and definitions should be understood by candidates prior to taking their certification exams.

3TCO (Three-year Total Cost of Ownership)
The comprehensive cost estimation of a solution or system over three years, incorporating both implementation costs and annual operating costs

analysis (RS.AN)
An outcome category that ensures proper analysis is conducted to enable effective response and support recovery activities

annual operating cost
The total expenses incurred on an annual basis to maintain and operate a particular system, service, or solution, including renewal costs and ongoing labor expenses

annualized loss expectancy (ALE)
A metric used to estimate the expected financial loss over a specified time period resulting from a particular risk

annualized rate of occurrence (ARO)
A metric used to represent the estimated frequency at which a specific risk event is expected to occur within a year
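The three cost and loss terms just defined (3TCO, ALE, and ARO) are most useful when they are combined to compare candidate mitigations, and the following Python is an added example, not material from the book or from Akylade, showing how. It computes ALE as SLE multiplied by ARO, computes 3TCO as implementation cost plus three years of annual operating cost per the definition above, and ranks mitigations by their three-year avoided loss minus their 3TCO. The sample risk figures and the two mitigations are constructed, and the assumption that a mitigation acts by changing the SLE, the ARO, or both is the example's own simplification.

```python
"""Ranking mitigations with the glossary's quantitative terms.

Added example (not the book's or Akylade's code). ALE = SLE x ARO and
3TCO = implementation cost + 3 x annual operating cost follow the glossary
definitions; the sample risk and mitigations below are constructed figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    name: str
    implementation_cost: float     # one-time cost
    annual_operating_cost: float   # renewals, labor, etc., per year
    sle_after: float               # loss per incident once the mitigation is in place
    aro_after: float               # incidents per year once the mitigation is in place


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss from one risk (SLE in currency, ARO per year)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def three_year_tco(m: Mitigation) -> float:
    """3TCO: implementation cost plus three years of operating cost."""
    return m.implementation_cost + 3 * m.annual_operating_cost


def three_year_net_benefit(sle: float, aro: float, m: Mitigation) -> float:
    """Avoided loss over the 3TCO horizon minus the mitigation's 3TCO.

    Assumption (the example's own): the mitigation changes SLE and/or ARO and
    the effect is constant over the three years. A mitigation that does not
    reduce the ALE yields zero avoided loss rather than a negative one.
    """
    ale_before = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(m.sle_after, m.aro_after)
    avoided_loss = 3 * max(ale_before - ale_after, 0.0)
    return avoided_loss - three_year_tco(m)


def rank_mitigations(sle: float, aro: float, mitigations: list) -> list:
    """(name, net benefit) pairs, best first."""
    scored = [(m.name, three_year_net_benefit(sle, aro, m)) for m in mitigations]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a ransomware risk with SLE 250,000 and ARO 0.4 per year (ALE 100,000).
SAMPLE_SLE = 250_000.0
SAMPLE_ARO = 0.4
SAMPLE_MITIGATIONS = [
    # Reduces how often the incident happens, not how costly each one is.
    Mitigation("MFA rollout", 40_000, 15_000, sle_after=250_000.0, aro_after=0.1),
    # Reduces the loss per incident (faster recovery), not its frequency.
    Mitigation("Immutable backups", 20_000, 30_000, sle_after=100_000.0, aro_after=0.4),
]

if __name__ == "__main__":
    print(f"ALE before mitigation: {annualized_loss_expectancy(SAMPLE_SLE, SAMPLE_ARO):,.0f}")
    for name, net in rank_mitigations(SAMPLE_SLE, SAMPLE_ARO, SAMPLE_MITIGATIONS):
        print(f"{name:20} three-year net benefit {net:,.0f}")
```

With the constructed figures the MFA rollout wins (avoided loss 225,000 against a 3TCO of 85,000, net 140,000) even though the backups option has the lower implementation cost, which is the point of pricing a mitigation over its whole 3TCO horizon rather than by its up-front cost alone.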
US co

anomalies and events (DE.AE)


E m·

An outcome category ensures that anomalous activity is detected and


ON A

the potential impact of events is understood


LY UG

assessment
An internal management activities focused on identifying areas for
BY 22,

improvement
: R 20

asset management (ID.AM)


AM 23

An outcome category focused on the identification of data, personnel,


devices, systems, and facilities that enable the organization to achieve
ES

business purposes
H
AM

asset value
Represents the financial worth of the asset at risk
GA

audit
I

An external evaluation aimed at finding faults within the organization

authentication
The process of verifying the identity of individuals or entities
attempting to access digital systems or resources to prevent
unauthorized access and ensure data security

availability
The assurance that digital systems, services, and resources are accessible
and usable when needed, without disruptions or services being denied

awareness and training (PR.AT)


An outcome category that emphasizes the importance of educating and
raising awareness among personnel about cybersecurity risks, threats,

250

LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023
LICENSED FOR USE ONLY BY: RAMESH AMGAI · ibjcroevin32@gmail.com · AUG 22, 2023

LIC cro MASTERING CYBER RESILIENCE


ibj
EN evin
and best practices to foster a security-conscious culture and enhance
SE 3 2
the organization’s overall cybersecurity posture
D @g
big city approach
A modern and mature perspective on cybersecurity in which the organization’s response and recover functions are the priority instead of heavily focusing on the identify, protect, and detect functions

business environment (ID.BE)
An outcome category focused on understanding and prioritizing the organization’s mission, objectives, stakeholders, and activities

CIANA pentagon
The five core principles of cybersecurity (confidentiality, integrity, availability, non-repudiation, and authentication) that form the foundation for protecting digital assets and maintaining secure environments

Capability Maturity Model Integration (CMMI)
A process improvement approach that provides organizations with a set of best practices to enhance their capabilities and achieve higher levels of maturity in software and systems development

communications (RC.CO)
An outcome category that ensures all restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other cybersecurity incident response teams, and vendors, as appropriate

communications (RS.CO)
An outcome category that ensures all response activities are coordinated with internal and external stakeholders, including external support from law enforcement agencies if required

compliance architecture
The structure and framework that organizations establish to ensure adherence to regulatory and legal requirements related to cybersecurity and data privacy; it involves the design and implementation of policies, processes, controls, and technologies that enable the organization to meet its compliance obligations

confidentiality
The protection of sensitive information from unauthorized access or disclosure by ensuring that only authorized individuals or entities can access and view confidential data

controls
The specific measures, practices, or safeguards that organizations implement to manage and mitigate cybersecurity risks

critical infrastructure
Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these

critical system
Any system whose failure or disruption would have a significant impact on the organization’s ability to deliver essential services or fulfill its mission

current profile
A depiction of an organization’s existing cybersecurity practices, including its cybersecurity activities, desired outcomes, and current risk management approaches

cyber resiliency
An organization’s ability to withstand and adapt to cyber threats by effectively responding to and recovering from cyber attacks or disruptions while minimizing damage and maintaining essential functions

cybersecurity
The practice of safeguarding computer systems, networks, and digital information from cyber threats through a range of technical, operational, and managerial measures aimed at preventing unauthorized access, attacks, data breaches, and other malicious activities in the digital realm

Cybersecurity Capability Maturity Model (C2M2)
A maturity model developed by the US Department of Defense (DoD) to assess and improve the cybersecurity capabilities of defense contractors based on their maturity across various domains; it uses a three-level scale of initiated, performed, and managed to assess organizational maturity

Cybersecurity Enhancement Act of 2014
A United States regulation signed into law in December 2014 that aims to strengthen and advance cybersecurity research and development efforts in the United States

cybersecurity incident
Any unauthorized or malicious event that compromises the confidentiality, integrity, or availability of an organization’s digital assets, systems, or networks

Cybersecurity Information Sharing Act (CISA) of 2015
A United States regulation that facilitates the sharing of cybersecurity threat information between the government and the private sector

Cybersecurity Maturity Model Certification (CMMC)
A maturity model developed by the US Department of Defense (DoD) to assess and certify the cybersecurity maturity of organizations participating in DoD contracts; it consists of three levels, moving from level 1 (foundational cyber hygiene) to level 2 (advanced cyber hygiene) to level 3 (expert cyber hygiene)

data security (PR.DS)
An outcome category that focuses on protecting the confidentiality, integrity, and availability of sensitive data within an organization’s systems and networks, ensuring appropriate safeguards are in place to mitigate data breaches and unauthorized access

detect (DE)
A function used by organizations to develop and implement appropriate activities to identify the occurrence of a cybersecurity event

detection processes (DE.DP)
An outcome category used to maintain and test processes and procedures to ensure that they create awareness of anomalous events

Executive Order 13636
The presidential executive order signed by Barack Obama in 2013 that aims to improve critical infrastructure cybersecurity by establishing a framework for information sharing and collaboration between the government and private sector entities

Executive Order 13800
The presidential executive order signed by Donald Trump in 2017 that emphasizes the need for executive branch agencies to implement the NIST Cybersecurity Framework and encourages the private sector to also adopt the framework to improve risk management and better prioritize cybersecurity investments across various sectors

exposure factor
The percentage of loss that would occur if the asset were compromised

Federal Information Security Modernization Act (FISMA) of 2014
A United States regulation that amended the FISMA of 2002 to emphasize the adoption of risk-based approaches and the use of industry standards, including the NIST Cybersecurity Framework, to enhance the security posture of federal agencies and improve the protection of federal information systems

financial analysis
A crucial aspect of risk management that focuses on assessing the financial implications and considerations associated with cybersecurity measures and investments

first responder approach
An approach that focuses the organization’s resources on building out a fast, high-quality response capability in order to mitigate the other functional areas having lower target scores

framework core
A high-level cybersecurity category that groups related activities and outcomes to achieve specific cybersecurity objectives

framework implementation tier
The level of effectiveness in implementing cybersecurity practices within an organization, ranging from partial to adaptive

framework profile
An organization’s cybersecurity objectives, current state, and target state, which together provide a roadmap for aligning cybersecurity activities and priorities with the organization’s business requirements

governance (ID.GV)
An outcome category used to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements

hybrid risk analysis
A risk analysis approach that combines both the qualitative and quantitative approaches to assess risks, incorporating both subjective judgments and numerical metrics to gain a comprehensive understanding of the likelihood, impact, and financial implications of the identified risks

identify (ID)
A function that involves developing an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities

identity management, authentication, and access control (PR.AC)
An outcome category that is used to implement effective mechanisms for the management of user identities, ensuring proper authentication processes, and controlling access to systems and resources to prevent unauthorized activities

impact
The magnitude of a risk’s consequences if the risk is realized

implementation cost
The total expenses associated with acquiring and deploying a system, service, or solution, including acquisition costs and labor expenses for implementation

improvements (RC.IM)
An outcome category that ensures the organization’s recovery planning and processes are continually getting better by incorporating lessons learned into future activities

improvements (RS.IM)
An outcome category that ensures the organization’s response activities are continually getting better by incorporating lessons learned from current and previous detection and response activities

information assurance
A comprehensive approach to managing and safeguarding information assets, encompassing technical controls, people, processes, and technology to ensure the confidentiality, integrity, availability, and non-repudiation of information, as well as the implementation of policies, procedures, training, and risk management frameworks

information protection processes and procedures (PR.IP)
An outcome category that focuses on establishing and maintaining robust processes and procedures to ensure the effective protection of sensitive information within an organization

information security
The protection of information and data assets from unauthorized access, use, disclosure, alteration, or destruction, which involves the implementation of security measures, policies, procedures, and controls to ensure the confidentiality, integrity, and availability of information

information systems security
The protection of computer systems and the associated infrastructure that store, process, transmit, and manage information, encompassing the security measures, policies, and controls implemented to safeguard computer hardware, software, networks, and databases from unauthorized access, attacks, and disruptions

inherent risk
The level of risk that exists in an organization’s systems or processes without any control measures or risk mitigation efforts in place

integrity
Ensuring that data remains accurate, consistent, and unaltered throughout its lifecycle by protecting it against unauthorized modification, deletion, or corruption

ISO/IEC 27001 maturity model
A framework that assesses the maturity level of an organization’s information security management system based on the ISO/IEC 27001 standard, provides a structured approach for organizations to evaluate their current state of information security practices, and measures organizational progress toward achieving higher levels of maturity

likelihood
The probability of a risk event occurring or being realized

maintenance (PR.MA)
An outcome category that ensures maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures

maturity model
A structured framework that assesses and guides the progression of an organization’s capabilities and maturity levels in a specific domain, providing a roadmap for improvement and growth

mean time between failures (MTBF)
The average duration between two consecutive failures of a system or component

mean time to recover (MTTR)
The average time required to restore a failed system or process to full functionality after an incident

minimum score approach
An approach that sets out to achieve a minimum score across the board based on the belief that this is reasonable within the organization’s industry, its customer expectations, and its organizational maturity

mission essential functions (MEFs)
The key activities or processes that an organization must perform to maintain its core operations and fulfill its mission

mitigation (RS.MI)
An outcome category that ensures activities are performed to prevent the expansion of an event, mitigate its effects, and resolve the incident

National Institute of Standards and Technology (NIST)
A non-regulatory federal agency within the United States Department of Commerce whose mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in various fields, including cybersecurity, manufacturing, energy, healthcare, and others

NIST Cybersecurity Framework (CSF)
A set of guidelines, best practices, and standards developed by the United States government to help organizations manage and improve their cybersecurity risk management process

non-repudiation
The assurance that the originator of a digital communication or transaction cannot deny their involvement or the authenticity of the data being exchanged

protect (PR)
A function used by organizations to develop and implement safeguards to ensure the delivery of critical services and the protection of assets, both physical and digital, against cyber threats

protective technology (PR.PT)
An outcome category that manages technical security solutions to ensure the security and resilience of systems and assets are consistent with related policies, procedures, and agreements

qualitative risk analysis
Risk assessment based on subjective judgments, such as rating the likelihood and impact of a risk on a scale, as opposed to using numerical metrics or figures

quantitative risk analysis
Risk assessment using numerical values and metrics to assess the financial impact and frequency of risk events

recover (RC)
A function that helps an organization develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident

recovery planning (RC.RP)
An outcome category that executes and maintains the recovery processes and procedures to ensure the restoration of systems or assets affected by cybersecurity incidents

recovery point objective (RPO)
The point in time to which data must be recovered following a disruption, defined by the maximum acceptable amount of data loss that an organization can tolerate

recovery time objective (RTO)
The targeted duration within which a business process or system must be restored after a disruption to avoid significant impacts; it defines the maximum tolerable downtime for a specific process or system

residual risk
The level of risk that remains after implementing risk mitigation measures, such as controls and safeguards

response (RS)
A function used by organizations to develop and implement appropriate activities to take action regarding a detected cybersecurity incident

response planning (RS.RP)
An outcome category that executes and maintains response processes and procedures to ensure appropriate responses to detected cybersecurity incidents

responsible disclosure
The ethical practice of promptly and transparently informing affected parties about discovered vulnerabilities or data breaches in order to mitigate potential harm

return on assets (ROA)
A financial ratio that measures the efficiency and profitability of an organization’s use of its assets to generate earnings

return on investment (ROI)
A financial metric that assesses the profitability and financial benefits of an investment relative to its cost

risk
The potential for loss, damage, or harm resulting from the occurrence of threats exploiting vulnerabilities in digital systems or assets

risk acceptance
A risk response action that involves acknowledging the existence of a risk and choosing not to take further action to avoid, transfer, or mitigate it

risk appetite
An organization’s willingness and tolerance level for accepting potential risks related to its digital systems and assets, guiding decision-making processes to align risk management strategies with business objectives and priorities

risk assessment (ID.RA)
An outcome category that ensures the organization understands the cybersecurity risk to its organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals

risk avoidance
A risk response action that aims to eliminate or minimize risks by avoiding activities or situations that pose a significant threat

risk management
The systematic process of identifying, assessing, prioritizing, and mitigating potential risks to an organization’s digital systems, networks, data, and assets to ensure their confidentiality, integrity, and availability

risk management lifecycle
A systematic and iterative approach to managing risks that encompasses several phases: risk identification, risk assessment, risk response planning, risk mitigation, and ongoing risk monitoring and review

risk management strategy (ID.RM)
An outcome category used to establish the organization’s priorities, constraints, risk tolerances, and assumptions in order to support operational risk decisions

risk mitigation
A risk response action that focuses on reducing the impact or likelihood of a risk event through the implementation of controls, safeguards, and countermeasures

risk register
A centralized document or database that systematically records and tracks identified risks, along with their attributes, assessment results, and corresponding risk management actions, to facilitate effective risk monitoring and mitigation

risk transference
A risk response action that involves shifting the potential impact of a risk to a third party, typically through contracts, agreements, or insurance policies

security continuous monitoring (DE.CM)
An outcome category that ensures the information system and assets are continually monitored to identify cybersecurity events and verify the effectiveness of protective measures

single loss expectancy (SLE)
A metric used to estimate the potential financial loss that an organization may experience from a single occurrence of a risk event
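The quantitative risk terms this glossary defines (asset value, exposure factor, annualized rate of occurrence, single loss expectancy, implementation cost, residual risk, return on investment, risk register) fit together into one small computation. The example below is added here and is not from the book; it assumes the standard formulas SLE = asset value x exposure factor and ALE = SLE x ARO (annualized loss expectancy is not a term the glossary lists), and every dollar figure in it is a constructed sample value.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register, expressed in the glossary's quantitative terms."""
    name: str
    asset_value: float      # asset value: financial worth of the asset at risk
    exposure_factor: float  # exposure factor: fraction (0..1) of the asset lost per event
    aro: float              # annualized rate of occurrence: expected events per year


@dataclass(frozen=True)
class Control:
    """A candidate risk mitigation and what it does to the entry's EF and ARO."""
    name: str
    implementation_cost: float  # implementation cost: one-time acquisition plus labor
    annual_cost: float          # recurring operating cost per year
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # annualized rate of occurrence once the control is in place


def single_loss_expectancy(entry: RiskEntry) -> float:
    """SLE = asset value x exposure factor: loss from a single occurrence."""
    if not 0.0 <= entry.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return entry.asset_value * entry.exposure_factor


def annualized_loss_expectancy(entry: RiskEntry) -> float:
    """ALE = SLE x ARO: expected loss per year (standard formula, assumed here)."""
    if entry.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(entry) * entry.aro


def residual_entry(entry: RiskEntry, control: Control) -> RiskEntry:
    """The same register row after the control is applied (the residual risk)."""
    return replace(entry, exposure_factor=control.new_exposure_factor, aro=control.new_aro)


def control_roi(entry: RiskEntry, control: Control, years: int = 1) -> float:
    """ROI of a control over a planning horizon:
    (avoided loss over the horizon - total cost) / total cost."""
    inherent_ale = annualized_loss_expectancy(entry)
    residual_ale = annualized_loss_expectancy(residual_entry(entry, control))
    total_cost = control.implementation_cost + control.annual_cost * years
    if total_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided_loss = (inherent_ale - residual_ale) * years
    return (avoided_loss - total_cost) / total_cost


def rank_by_ale(entries):
    """Order register rows by annualized loss, highest first, for prioritization."""
    return [e.name for e in sorted(entries, key=annualized_loss_expectancy, reverse=True)]


# Constructed sample register and control (illustrative figures, not from the book).
RANSOMWARE = RiskEntry("ransomware on file server", asset_value=500_000.0,
                       exposure_factor=0.6, aro=0.5)
LAPTOP_LOSS = RiskEntry("lost unencrypted laptop", asset_value=20_000.0,
                        exposure_factor=1.0, aro=2.0)
OFFLINE_BACKUPS = Control("tested offline backups", implementation_cost=40_000.0,
                          annual_cost=10_000.0, new_exposure_factor=0.15, new_aro=0.5)


if __name__ == "__main__":
    for entry in (RANSOMWARE, LAPTOP_LOSS):
        print(f"{entry.name}: SLE={single_loss_expectancy(entry):,.0f} "
              f"ALE={annualized_loss_expectancy(entry):,.0f}")
    print("priority order:", rank_by_ale([LAPTOP_LOSS, RANSOMWARE]))
    roi = control_roi(RANSOMWARE, OFFLINE_BACKUPS, years=3)
    print(f"{OFFLINE_BACKUPS.name}: 3-year ROI = {roi:.2f}")
```

Note that the backup control in the sample lowers the exposure factor (less data is lost per incident) but leaves the ARO unchanged, which is how a recover-side control differs from a protect-side one in this arithmetic.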


single point of failure (SPOF)
A component or resource that, if it fails, would cause a complete failure of an entire system or process

stakeholder
An individual or group with an interest in or influence over the organization’s digital systems and assets, whose perspectives and requirements may shape risk management strategies and decisions

strong castle approach
An approach that selects a target score profile that emphasizes the protect function over the other four functions

supplier
An external entity that provides goods, services, or resources to an organization; assessing the risks associated with suppliers is crucial to ensure they meet the organization’s security and compliance requirements, minimizing potential vulnerabilities and threats introduced through their products or services

supply chain risk management (ID.SC)
An outcome category that establishes and uses the organization’s priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk

target profile
The organization’s desired state of cybersecurity practices and outcomes, outlining the specific cybersecurity improvements and goals it aims to achieve

threat
Any potential source or actor that has the capability to exploit a vulnerability, weakness, or flaw in order to cause harm to an organization’s digital systems, networks, or data

total cost of ownership (TCO)
The overall cost associated with owning, operating, and maintaining a particular asset or investment over its entire lifecycle

vulnerability
A weakness or flaw in a system, network, or software that threat actors can exploit to compromise the security and integrity of digital assets

world-class approach
An approach where every functional area is treated as equally important and a target score of 8 is assigned to all five functional areas

ABOUT THE AUTHORS

KIP BOYLE is the founder and CEO of Cyber Risk Opportunities, whose mission is to help executives thrive as cyber risk managers. His customers have included the US Federal Reserve Bank, Boeing, Visa, Intuit, DuPont, Mitsubishi, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI). Kip has a graduate certificate in executive leadership and a master’s in business management. He lives in the Seattle, Washington area with his wife and six children.

JASON DION is the founder of Dion Training Solutions, which strives to help candidates pass their cybersecurity, IT service management, and project management certifications. To date, he has helped over 1 million students across 190 countries get certified and advance in their careers. With decades of real-world experience, he has served as an Information Systems Officer, Director of a Network Operations and Security Center, the global lead for cyber defense for U.S. Cyber Command, and a Director of Information Assurance Operations (DIAO) for the National Security Agency, amongst other high-profile cybersecurity positions. Jason holds a Master of Science degree in Information Technology with a specialization in Information Assurance (IA) and a Chief Information Officer (CIO) Graduate Certificate from National Defense University’s College of Information and Cyberspace (CIC). He lives in the Orlando, Florida area with his wife and two children.

LISA MCKINLEY is a security and training specialist who began her career in the intelligence community in 2004 while serving in the United States Army. She has worked with a wide range of customers over the years, including the Department of Defense (DoD), Defense Intelligence Agency (DIA), Federal Law Enforcement agencies, and numerous others. She lives in the Richmond, Virginia area with her husband and daughter.
