
RESILIA

Cyber Resilience Best Practice


Stuart Rance
Consultant, trainer and author
IT service management and information security management
@StuartRance

Agenda
Best practice overview
Certification syllabus and exam overview
Q&A


Best Practice Overview


RESILIA: best practice overview


RESILIA is documented in a single publication
Covering the entire lifecycle of cyber resilience

RESILIA describes a similar lifecycle to ITIL


Strategy, design, transition, operation, continual improvement
The RESILIA lifecycle is about cyber resilience, not ITSM
RESILIA integrates well with ITSM and other management system approaches


Publication structure
1. Introduction
2. Risk management
3. Managing cyber resilience
4. Cyber resilience strategy
5. Cyber resilience design
6. Cyber resilience transition
7. Cyber resilience operation
8. Cyber resilience continual improvement
9. Roles and responsibilities

Three case studies about fictional organizations are threaded through all the chapters


The case studies

SellUGoods: retail organization
International
Large internet presence
Many physical stores
Worry about payment card data breaches
PCI-DSS compliant

MedUServ: private medical lab
Single location
Carries out tests for doctors and hospitals
Worry about confidentiality of patient records
ISO 9001 certified

MakeUGoods: manufacturing
One country
Secret production methods
Customers in the defence industry
SCADA systems
Worry about leaked secrets and lost production

1. Introduction
Cyber resilience is not just information security
More focus on network connectivity and the internet

The need for balance

Prevent, detect and correct


People, process and technology
Risks and opportunities
Getting it right and continual improvement

Characteristics needed for information


Confidentiality, integrity and availability
Authentication and non-repudiation

2. Risk management
Cyber resilience is largely about managing risks

A risk is created by a threat exploiting a vulnerability to impact an asset


3. Managing cyber resilience


You need a single management system
Not one management system for security, one for ITSM, one for quality and yet another for governance

You can make use of many best practices and standards

ITIL
ISO/IEC 27001, ISO/IEC 20000-1
ISO 31000, Management of Risk (M_o_R)
ISO 9001, ISO 22301
COBIT 5
NIST Framework for improving Critical Infrastructure Security


Chapters 4 to 8 - the lifecycle stages


Lifecycle stage summary
.1 Control objectives and controls
.2 Aligning with ITSM
.3 Scenarios (from the three case studies)
.4 Questions

4 to 8 Aligning with ITSM - example


4 to 8 Questions - examples
Strategy
How effective is governance of cyber resilience in your organization? Are the right people involved? What could be improved?

Design
To what extent does your organization risk assess its supply chain?

Continual improvement
How do you measure the effectiveness of your controls?


4. Cyber resilience strategy


Strategy controls

Establish governance
Manage stakeholders
Create and manage policies
Manage audit and compliance

Aligning with ITSM


Strategy scenarios
Strategy questions


5. Cyber resilience design


Design controls

HR security
System acquisition, development, architecture & design
Supplier and third party security
Endpoint security
Cryptography
Business continuity management

Aligning with ITSM


Design scenarios
Design questions

6. Cyber resilience transition


Transition controls

Asset management and configuration management


Change management
Testing
Training
Documentation management
Information retention and disposal

Aligning with ITSM


Transition scenarios
Transition questions

7. Cyber resilience operation


Operation controls

Access control
Network security management
Physical security
Operations security
Cyber resilience incident management

Aligning with ITSM


Operation scenarios
Operation questions


8. Cyber resilience continual improvement


Continual improvement controls

Cyber resilience audit and review


Control assessment
KPIs, KRIs and benchmarking
Improvement planning

Aligning with ITSM


Using the ITIL CSI approach
Using MSP
Maturity models
Continual improvement scenarios and questions

9. Cyber resilience roles and responsibilities


Roles and responsibilities across the organization
Segregation of duties and dual controls
Roles and responsibilities questions


Certification syllabus and exam overview


RESILIA Foundation
Similar to other Axelos foundation certifications
Three day training course (online or face-to-face)
50 question multiple choice exam
Covers all chapters of the publication

General understanding of cyber resilience


Purpose of risk management and how to do it
Purpose of each lifecycle stage
Key features of each control
Interactions between cyber resilience and ITSM

EXAMPLES AND CASE STUDIES ARE NOT EXAMINED



Example foundation question


Which could be a vulnerability?
A. A secret document
B. Anti-virus software on a laptop
C. A poorly trained staff member
D. A breach of credit card data


RESILIA Practitioner
Similar to other Axelos practitioner certifications
Foundation is a prerequisite
Two day training course (online or face-to-face)
50 question multiple choice exam
With a case study and scenarios
More complex questions, but still only one correct answer

Same content knowledge as foundation


Demonstrates that you can apply the knowledge


Example practitioner question


Which is the biggest risk in the scenario?
A. There might be no virus controls on the laptop
B. The confidential data might be leaked
C. The factory might be unable to operate
D. The firewall might be breached by a hacker


Q&A


Thank you
@StuartRance
StuartR@optimalservicemanagement.com
