FiliiSolis (FS) cyber risk management plan proposal. In this presentation you will propose, and justify, a cyber risk management plan for FiliiSolis to the company’s senior leadership. Remember, you’ve only been at FiliiSolis a short time. You do not have all of the data you need to conduct a full risk assessment or even a complete asset inventory. Your goal in this report is to convince leadership that the company’s exposure to cyber risk is too high and then lay out the steps needed to bring that exposure down to a reasonable level. Justify any suggestions and note any assumptions. To be effective in this presentation you must clearly demonstrate business impacts of the current cyber exposure and the value of an improved security posture.
Your proposal is ultimately a sales pitch. Why should your CFO and CEO view cyber as a risk, why should they care at all, and why should they spend their limited money on protecting the company when their goal is growth and an IPO? The key to performing well on this assignment is to tailor your message to your non-technical audience to help them understand how good CRM can help safeguard the company (reduce cyber exposure), enable the business to meet its goals, and reduce its cyber risk so that it can
PART 1: MOTIVATION – THE NEED FOR CYBER RISK MANAGEMENT AT FS
- Current state of cyber & why FS should care
a. General attack trends in cyber, costs / damages to companies (focus on those most relatable to FS)
b. Who might be a threat for FS? What are the attacker types, targets, and motivations?
c. What types of attacks might these attackers launch against FS? Why are small businesses like FS targets? Emphasize how vulnerable FS is to these attacks.
d. Provide an explanation of the strategic cyber risks, damage sources, and financial exposures that apply to FS. Think broadly about the consequences for FiliiSolis if these risks are realized (lost IP means going out of business, a breach of customer data could mean lost government contracts, and high-risk disclosures in financials may undermine the desired IPO). Using the strategic cyber risk graphics would be helpful here.
- How can FS reduce its cyber risk?
a. Threats (attackers and attacks) have become more sophisticated, so we need to think about cyber in a strategic way. Clearly explain the goals of cyber risk management (CRM) and how it’s different from a control-focused, mitigation approach to cyber.
b. As part of your sales pitch, explain the value FS will get from implementing a CRM plan. Think about the company’s current and future goals (such as grants, contracts, IPO) and how CRM will enable the business to meet those goals.
PART 2: CRM IN ACTION
Protecting FS is going to be a big task that will involve everyone in the business, so we will have to prioritize our efforts. Thankfully there are cyber risk management models that we can follow.
- Briefly identify the risk management approach (Wheeler, FRAAP, FAIR, or OCTAVE Allegro), or combination of model components, you feel is the best fit for FS and why you chose it. Define important concepts in layman’s terms. Be sure to cover, at a high level, the steps in the approach.
- Provide a high-level illustration of each step of our CRM approach using a few examples
a. An example business impact analysis (BIA) using either Wheeler’s approach, NIST 800-37 R1 RMF, or VDEP to identify at least 4 of the company’s most valuable processes / resources – based on the data you have – and briefly explain the criteria you used to identify them. A table would present this information well. If using VDEP, you must include a dependency analysis.
b. In a table format, provide a Threat / Vulnerability Assessment (at least 3 threat / vulnerability pairs) for those assets (Wheeler) or dependencies (VDEP) your BIA analysis identified as most critical. In this table, rate these pairs in terms of severity and likelihood using tools from Wheeler or one of the provided frameworks (FRAAP, FAIR, or OCTAVE Allegro). It’s okay if a threat / vulnerability pair is relevant to more than one of your processes / resources. Remember that for a vulnerability assessment you’ll need to consider the state of preparedness of the critical assets, or, if you use VDEP, the preparedness of the dependencies underlying your critical processes – this could be a separate column in your table. Be careful there, though, to keep the discussion high level and easy for a non-technical audience to follow. Your goal is to reinforce the need to protect these assets / processes, not drown the CEO and CFO in detail.
c. Prioritization of the most pressing risks for FS based on your BIA and threat / vulnerability assessment. List the type of strategic risk and the financial exposures incurred for each of these risks. Again, a table would be beneficial.
d. Suggested risk treatments (Accept, Avoid, Transfer, Mitigate) for each highlighted risk. Note tradeoffs, where appropriate, but justify treatments by explaining how these measures will support the company’s ability to create value in the long run.
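The following is an added worked example, not part of the assignment text and not FiliiSolis data: it shows how the threat / vulnerability table, the prioritization, and the treatment suggestion from steps b–d can be produced consistently from one risk register. Every asset, threat, frequency and dollar figure in it is constructed for a hypothetical FS. Qualitative ratings use a Wheeler-style likelihood × severity matrix; the financial exposure estimate uses a simplified FAIR-style Monte Carlo (threat event frequency × probability of success × loss magnitude), which is an assumption about how you might quantify exposure, not the only valid way.

```python
"""
Constructed risk-register example for a hypothetical FiliiSolis (FS).
Rates threat / vulnerability pairs, prioritizes them, suggests a treatment
bucket, and estimates annual financial exposure with a FAIR-style simulation.
All names, frequencies and dollar amounts are invented placeholders.
"""
import random
import statistics
from dataclasses import dataclass

# Qualitative scale for the table the report asks for (1 = lowest, 5 = highest).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class RiskPair:
    asset: str            # critical process / resource identified by the BIA
    threat: str
    vulnerability: str
    likelihood: str       # qualitative, key of LEVELS
    severity: str         # qualitative, key of LEVELS
    preparedness: str     # readiness of current controls, key of LEVELS
    strategic_risk: str   # consequence for the business if realized
    tef_per_year: tuple   # (min, max) attempts per year (constructed)
    p_success: float      # chance one attempt succeeds given current controls (constructed)
    loss_usd: tuple       # (min, most likely, max) loss per successful event (constructed)

    def score(self) -> int:
        """Risk-matrix score: likelihood x severity, range 1..25."""
        return LEVELS[self.likelihood] * LEVELS[self.severity]

    def treatment(self) -> str:
        """Coarse treatment bucket from the score; the report still has to justify it."""
        s = self.score()
        if s >= 15:
            return "Mitigate now (immediate measures)"
        if s >= 8:
            return "Mitigate or Transfer (short-term measures)"
        if s >= 4:
            return "Transfer or Accept with monitoring"
        return "Accept"


def simulate_annual_loss(pair: RiskPair, runs: int = 10_000, seed: int = 1) -> dict:
    """FAIR-style Monte Carlo: sample attempts, successes and per-event loss for one year.
    Returns mean, 90th percentile and worst simulated annual loss in USD."""
    rng = random.Random(seed)          # fixed seed so the figures are reproducible
    lo, hi = pair.tef_per_year
    low, mode, high = pair.loss_usd
    totals = []
    for _ in range(runs):
        attempts = rng.randint(lo, hi)
        year_loss = 0.0
        for _ in range(attempts):
            if rng.random() < pair.p_success:
                year_loss += rng.triangular(low, high, mode)
        totals.append(year_loss)
    totals.sort()
    return {"mean": statistics.fmean(totals),
            "p90": totals[int(0.9 * (runs - 1))],
            "max": totals[-1]}


def prioritize(pairs):
    """Rank the register by matrix score, then by simulated expected annual loss."""
    ranked = [(p, simulate_annual_loss(p)) for p in pairs]
    ranked.sort(key=lambda t: (t[0].score(), t[1]["mean"]), reverse=True)
    return ranked


# Constructed register: four pairs covering the kinds of risks the assignment names.
REGISTER = [
    RiskPair("Proprietary product designs (IP)", "Competitor-backed intrusion",
             "Design files on a shared drive with no access restriction",
             "high", "very high", "low", "Lost IP means going out of business",
             (2, 6), 0.5, (500_000, 2_000_000, 5_000_000)),
    RiskPair("Government contract customer data", "Phishing / credential theft",
             "No MFA on email and file sharing",
             "very high", "high", "low", "Breach could mean lost government contracts",
             (10, 30), 0.15, (50_000, 200_000, 1_000_000)),
    RiskPair("Finance and grant records", "Ransomware",
             "Backups untested and on the same network",
             "moderate", "high", "moderate", "Outage and high-risk disclosure before IPO",
             (1, 3), 0.3, (100_000, 400_000, 1_500_000)),
    RiskPair("Public website", "Defacement / denial of service",
             "Unpatched content management system",
             "moderate", "low", "moderate", "Reputation damage",
             (2, 8), 0.4, (5_000, 20_000, 60_000)),
]


if __name__ == "__main__":
    # Print the prioritized table leadership would see (constructed figures).
    print(f"{'Asset':36} {'Score':>5} {'Prep.':>9} {'Mean ALE':>12} {'P90 ALE':>12}  Treatment")
    for pair, sim in prioritize(REGISTER):
        print(f"{pair.asset:36} {pair.score():>5} {pair.preparedness:>9} "
              f"{sim['mean']:>12,.0f} {sim['p90']:>12,.0f}  {pair.treatment()}")
```

Run it as a script to print the prioritized table; the score column drives the treatment bucket, while the simulated mean and 90th-percentile annual loss give the CFO a financial exposure figure to set against the cost of each treatment. Preparedness is carried as its own column, as the assignment suggests, so the report can show why two pairs with the same score may still deserve different urgency.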
PART 3: LOOKING FORWARD, FS CYBER RISK MANAGEMENT PLAN PROPOSAL
- Present an implementation roadmap. Format: the roadmap should be broken down into the following three timeframes (or something similar):
a. Immediate measures (triage measures, mostly mitigation, such as RBAC and encryption of sensitive data, that sort of thing, but other treatment options should be considered). These should address the company’s most pressing risks if possible.
b. Short term measures: any highlighted risks not addressed immediately should be addressed here. Be sure to consider all treatment options, not just mitigation. Note the CIA tradeoff, but justify increased controls by explaining how these measures will support the company’s ability to create value in the long run. If stakeholders outside of security are needed for short term measures, clearly identify who they are and their role. Again, a table would work well here.
c. Long term measures: lay out a timeline for completing a full CRM approach at FS. Consider all of the steps, from resource profiling to monitoring and audit. Be sure to list all involved stakeholders, but keep this discussion high level.