Managed Program (MP) and Cyber Risk Assessment (CRA) Service Description
The Cyber Risk Opportunities (CRO) Managed Program (MP) consists of three phases conducted over 12 months and is refreshed annually. Phases 1 and 2 together constitute a Cyber Risk Assessment (CRA), which can be purchased separately. Customers who purchase a standalone CRA can upgrade to the full MP upon completion of the CRA by paying an incremental fee.
1. MP/CRA Deliverables
CRO produces the following deliverables:
- A prioritized list of the customer’s top cyber risks, along with supporting details;
- A Cyber Risk Mitigation Plan consisting of a prioritized list of actions, along with supporting details, that we develop together with our customer, scheduled at the customer’s convenience;
- A summary of the major themes present in the customer’s overall cyber risk posture;
- A Cyber Risk Scorecard showing a summary of the customer’s overall current cyber risk posture and the Cyber Risk Mitigation Plan in both tabular and graphic depictions.
2. How We Perform the CRA
Cyber Risk Opportunities works with the designated customer staff members to accomplish the following tasks.
The CRA is accomplished in two phases, each composed of several tasks:
- Measure and Score Cyber Risk
- Create Cyber Risk Mitigation Plan with Business Value Analysis
The task breakdown is as follows:
- Phase 1: Measure and Score Cyber Risk
  - Task 1.1: Hold the Project Kick-Off Meeting
  - Task 1.2: Conduct Interviews to Gather Actual Scores
  - Task 1.3: Analyze Data
  - Task 1.4: Deliver Phase 1 Report
- Phase 2: Create Cyber Risk Mitigation Plan with Business Value Analysis
  - Task 2.1: Produce Preliminary Cyber Risk Mitigation Plan
  - Task 2.2: Deliver Preliminary Cyber Risk Mitigation Plan
  - Task 2.3: Conduct Business Value Analysis
  - Task 2.4: Deliver Phase 2 Report
CRO project team members work closely with a designated customer contact throughout the assignment. The customer contact is responsible for scheduling meetings and interviews, responding to our questions, and providing background information and documentation as needed.
Phase 1: Measure and Score Cyber Risk
Task 1.1: Hold the Project Kick-Off Meeting
The CRO team meets with appropriate customer staff at their office (or virtually as needed) to initiate the project. The goals of this 2-hour meeting are to:
- Review objectives, scope and deliverables.
- Review CRO methodology.
- Set target scores.
- Tailor the measurements we will make.
- Determine what documents and other information need to be collected.
- Identify the customer staff members to be interviewed, and develop a tentative interview schedule.
- Plan and confirm schedules for the remainder of the project.
- Address any other open issues and concerns.
Task 1.2: Conduct Interviews to Gather Actual Scores
We interview customer experts identified in Task 1.1 and collect actual scores. Each interview uses structured scoring and a subset of our library of 145 standard questions. Each interviewee is prepared by watching a 3-minute video hosted on our website.
The interviews are conducted either in person or by phone/video. Interviewee availability usually determines the critical path and duration of Task 1.2. We therefore request that a customer staff member who can see each interviewee’s free/busy calendar information schedule all the interviews.
Task 1.3: Analyze Data
After all scores are collected, we calculate the gaps and perform statistical analysis to better understand the data.
Task 1.4: Deliver Phase 1 Report
The final task of Phase 1 is the in-person delivery of the preliminary Scorecard, along with supporting details.
Phase 2: Create Cyber Risk Mitigation Plan with Business Value Analysis
Task 2.1: Produce Preliminary Cyber Risk Mitigation Plan
During this task, we produce a draft Cyber Risk Mitigation Plan designed to manage the top risks discovered in Phase 1.
Task 2.2: Deliver Preliminary Cyber Risk Mitigation Plan
For Task 2.2, we deliver and discuss the preliminary Cyber Risk Mitigation Plan during a 2-hour stakeholder meeting. The goal of this Task is to solicit, receive, and incorporate our customer’s feedback about the plan before we move on to Task 2.3.
Task 2.3: Conduct Business Value Analysis
At the conclusion of this task, each item in the Mitigation Plan is rank-ordered by both 3-year total cost of ownership and expected Business Value. Costs are determined using rough estimates and are subject to revision as more information becomes available.
We will calculate the Business Value for each item by evaluating each one against our four-dimension Business Value Model:
- Risk Reduction
- Increased Reliability of Operations
- Return on Investment
The deliverable will be a prioritized list of actions that can be scheduled based on the risk management cadence our customer would like to achieve.
Task 2.4: Deliver Phase 2 Report
Upon Task 2.4 completion, we deliver the final Scorecard, Cyber Risk Mitigation Plan, and all supporting details, at the 2-hour project wrap-up meeting.
Phase 3: Perform Ongoing Maintenance & Updates
CRO assists with organizing and sequencing a year-long implementation plan and identifies qualified vendors. For example, at the customer’s request, CRO can provide sample policies, tutorials on encryption key management, and specifications for recurring cyber risk management reports. These examples are illustrative and not exhaustive.
In Phase 3, CRO and our customer participate in two recurring meetings over the remaining ten months of their MP membership: Monthly Check-ins and Quarterly Executive Sponsor Updates.
The Monthly Check-In is a 1-hour meeting designed to support implementation of the customer’s Cyber Risk Mitigation Plan. During this time, we focus on removing blockers, celebrating successes, and exploring how recent and expected changes in the cyber risk landscape affect their scores.
As an example, a project to activate whole disk encryption stalled due to lack of hardware support among the majority of the customer’s laptop fleet. To remove this blocker, we facilitated an analysis of several options and assisted the customer in making a good decision that pushed the project forward despite the delay and additional cost.
CRO also alerts our customers to new and relevant developments involving cyber risks. Examples include: (a) explanation of standard-setting FTC consent decrees and/or court rulings involving cybersecurity and cyber insurance; (b) trends in cyber-criminal behavior and tactics; (c) news events, such as the spread of NotPetya and WannaCry, that directly impact customer cyber risk management; and (d) noteworthy geopolitical events that may impact customer cyber risk, such as cyberwar in eastern Europe.
Quarterly Executive Sponsor Update
This is a 2-hour meeting for the executive sponsor. CRO works with our customer to revise their Scorecard to reflect progress made over the last 90 days. We also review a list of actions planned for the next 90-day period.
Term and Renewal
The customer’s Managed Program commences on the day that CRO begins performing the services and will automatically renew for successive one-year terms at CRO’s applicable rates until terminated. The MP may be terminated by the customer or CRO for any reason by providing the other party no less than thirty (30) days’ written notice. As of the effective date of such termination, neither party shall have any further liability with respect to Work Products not yet delivered; however, any in-progress Work Products provided by CRO pursuant to the MP will be invoiced and payable on a pro rata basis until termination becomes effective. In addition, all reasonable expenses incurred by CRO through the effective date of termination will be reimbursed.
In the event of such termination by CRO, all unused pre-paid fees will be returned to the customer on a pro-rated basis within 30 days after the termination date.
For the avoidance of doubt in determining the amounts owed in the event of termination, 25% of the annual Managed Program fee is considered consumed by services rendered by CRO in the first month of the applicable one-year term; an additional 25% of the annual Managed Program fee is considered consumed by services rendered by CRO in the second month of said term; and 5% of the annual Managed Program fee is considered consumed by services rendered by CRO in each of the third through twelfth months of the applicable term. For a standalone CRA, 50% of the fee is considered consumed in each of the two months of CRA services.
Updates to the Program
CRO reserves the right to modify details of the Managed Program from time to time to reflect changes in the way we do business or to address developments in the general cyber risk environment. Such modifications will not detrimentally affect the value provided by the program.