RESILIA exam questions: Part Three - Protective controls

What is currently a typical starting point when organizations are thinking about protection against cyber threat and how often is that the right place to start?

Organizations can start from one of three places when thinking about protection against cyber threat:

  1. Strategic Level
  2. Management Level
  3. Delivery Level

Organizations that start at the delivery level typically implement point solutions such as firewalls and anti-virus software without thinking much about the bigger picture. This can lead both to insufficient controls in vital areas and to overspend in non-critical areas.

Organizations that start at the management level may begin with an ISO 27001 internal audit. This isn’t a ‘bad’ place to start, and it does cover all the standard controls an organization might require, but it can lead to tactical decisions being taken without proper consideration of the strategic context.

The best place to start is at the strategic level, to understand the organizational context in which cyber security must be delivered. This ensures that any expenditure is proportionate to the organization’s risk perception and risk appetite. This is where the adoption of RESILIA can really help.

For people who have studied for the RESILIA Foundation exam – or those who are wondering how it would help make their organizations more cyber resilient – one particular exam question tackles the issue of how to identify the protective controls needed in the face of cyber threats.

What BEST helps to determine countermeasures for organizational protection?

  1. Assets, threats and vulnerabilities
  2. Resource, impact, and time to resolve
  3. People, governance and compliance
  4. Capabilities, strengths and weaknesses

The question uses the term “countermeasures”, which isn’t used in the RESILIA manual. However, a countermeasure is simply a measure or action taken to counter or offset another one. In this case the question refers to organizational protection, so in the manual’s own terms it could have been: What BEST helps to determine protective controls?

Let’s consider each of the options in the real world and then in the context of the question:

Capabilities, strengths and weaknesses.

Yes, an organization needs to consider these factors when determining what protective controls to use to counteract a particular threat, if only to know when to bring in third-party assistance.

People, governance and compliance

Organizations need to consider who will be involved in managing and executing the protective controls, and determine the governance that will ensure those controls are effective, up to date and compliant.

Resource, impact, and time to resolve

One of the key activities in risk management is the assessment of impact, which has a significant influence on the resources allocated to countermeasures. Impacts that are expected to take a long time to resolve are likely to be assessed as more severe than those that can be resolved quickly.

Assets, threats and vulnerabilities

In the context of cyber risk, an organization’s assets are the vital information and capabilities that cyber criminals want to access. Those assets are under threat whenever a vulnerability gives an attacker a way to reach them.

Therefore, going back to the question, you first need to determine your assets, threats and vulnerabilities, because they provide the context for every other action in creating protective controls. So option 1 is the best way to determine the countermeasures your organization needs: without that understanding first, the other considerations have nothing to anchor to.

See our RESILIA section for more information.

Read the previous posts in Matt Trigg's RESILIA Foundation Examination Questions series

RESILIA™ exam questions: Part One

RESILIA™ exam questions: Part Two

Read Matt's previous AXELOS blog post, A culture of success: the thread that links PRINCE2 Agile, RESILIA and ITIL Practitioner.