 Hi and welcome to the Resilient Foundations Program. My name is Patrick Funchlag and I'm pleased that you've been able to join us to learn a little bit more about cyber resilience and how you can use these techniques to build a more cyber resilient organization. This particular course has ten main sections. This introduction and introduction to cyber resilience more broadly, a section specifically talking about risk management and risk practices, a focused section looking at enterprise approaches to cyber resilience and governance and management architecture. And then we'll take a look at five key sections looking at integrating cyber resilience practices with other aspects of the service life cycle. Service improvement activities, service strategy, service design, service transition and service operation. Finally we'll finish up by looking at how to bring all of that together to help you build a more cyber resilient organization. In the first chapter we're going to look at different aspects of how you as an organization can improve your cyber resilience. We'll talk about the structure of the materials that you have to take this course. We'll talk a little bit about how the coursework conventions enable you to not only use this video but a whole bunch of other reference materials to support your learning activities and then we'll help set an agenda for how you can go through and successfully learn this material. Let's get started. In the first lesson we're going to look at the architecture and organization of the course. We'll set some expectations, help you identify a little bit of a learning strategy for how to work your way through the course material and then establish an agenda that will help you see how we're going to teach the different aspects of the course. Welcome to the course. My name is Patrick and again one of the things I'm going to be doing with you this course is helping you think about cyber resilience in a broad way. Cyber resilience is really not just about what you do with technology but what you do with your people, your processes and not only how you try to prevent disruptions of services but ultimately how you can effectively detect when things happen and recover from them more effectively. This particular course is a foundational course and focuses on the key terminology and attributes of what it takes to build a cyber resilient organization. There is a follow one practitioner course available to this that describes more of the detailed how to activities in helping to build cyber resilience practices. As we go through the course one of the things I'm going to encourage you to do is to think about as we go through each of the sections what's important here for me and for my organization. Why do I need to know this in the context of the work that I'm being asked to do and how do we take advantage of our learning styles whether you prefer to learn by hearing videos like this, reading and reviewing the materials in either the Resilier book or your other supporting documents and where you can take advantage of your knowledge, your skills and your experience in helping to take the things that we talk about in the course and make them more practical in the context of the work that you need to get done. As we go through the course I think it's very important for you to wrestle down some of the things that we're talking about. How exactly can you use these particular activities within the context of your organization, your particular workflows and practices to drive improvements to the overall cyber resilience of your organization. And hopefully set some specific goals for yourself in terms of how to use the material in this course to drive specific improvements to your practices and to the practices of your team and your organization. Bloom's taxonomy is used by learning professionals to help describe how detailed a level of information is to be for the purpose of testing and validating your knowledge and skills. For the purpose of this particular course at the foundation's level, you're expected to know key terminology to have a basic idea of the key practices and how the key practices support an overall cyber resilient organization. So the skills will be described is that Bloom's levels one and two. In other words, I'm supposed to know the key terminology, I'm supposed to know the key structures and kind of what they do. But we're not necessarily expecting you to understand exactly how to adapt and adopt these practices in a particular organizational setting. That level of detail is left for the practitioner level program. As we go through the course together, one of the things I'm going to encourage you to do is to think about what you need this course to do for you and your teams. And how to not only use what we're doing in the course, but all of the other study materials that you will see in your reference tab in the learning program. This includes things like the course syllabus, various types of documents and links to current information and current practice issues in cyber security and cyber resilience. And so this becomes a dynamic set of practices that you can use on an ongoing basis to help drive awareness and ongoing focus on cyber resilience and cyber resilience activities. As you're working through this, take the time to work together with others through your organization, through a mentoring community or with other practitioners in your discipline who are looking at cyber resilience in a broader and more effective way. And then last and certainly not least, challenge yourself as you work through these, not to just cover the material, but to think more practically about how exactly it is that you can use this knowledge and experience to drive value back into your organization. One of the things I encourage people to do when they begin doing a course like this is to set a schedule. So even though it's a self-paced program, if you want to successfully complete the program and get all of the value you can out of it, you're going to want to set up a schedule for yourself as how you go through the program. You may do this in 30 minute or hour long segments. You may do this in longer periods of time, depending upon what's possible within your environment. But I think it's very, very important for you to create a schedule and keep to that. If you're going to do longer segments, be sure to take the time to take some breaks, stop the recording, and perhaps refer directly to the Resilient Book or to other materials. To make sure you fully understand the concepts that we're talking about, and to make sure that you can start wrestling down some of the harder or so what questions. How does this really affect your organization and what you're trying to do? As a practical matter, because you're trying to study something that is complicated and does have a lot of pieces to it, it's important to try to shield yourself wherever we can from different kinds of interruptions. From work interruptions, from your significant other, or phone calls, or email, or other things, while you're taking the time to focus on the course. At the end of each of the major chapters within the Resilient Book, there are a series of key questions that they encourage us to think through. And I'm going to ask you, at the end of each of our chapters, to take some quality time with those questions. To wrestle down and think about how exactly you may want to apply certain techniques within your organization, to be able to assess existing practices, and to look at opportunities for improvement. In addition, you're going to have access to the full sample papers associated with the Resilient exam. And we strongly encourage you, as part of your preparation, to do the practice papers. It helps you understand a little bit about how AXLOS asks exam questions. It also will help you test your knowledge and skills in being able to use the information that we've talked about in the class and adapt it to the practices that you need in your organization. So let's take a few minutes and talk about the actual examination itself. So the Resilient Foundation's examination really, again, is scoped to look at the best practices associated with cyber resilience. Very specifically around key controls that we want to apply, and key processes and practices we may want to leverage and use in terms of being able to manage those controls. The exam itself, again, is focused at Bloom's levels one and two. So it's very much focused on key terminology, key practices. And if you look in your Resilient book as well as at the beginning of the each of the chapters, you're going to see key learning objectives and terms to know. And those are the things that you really want to focus on. They highlight the key ideas in the syllabus that are going to be tested on the exam. They also reflect the key ideas and the key activities that we're going to want to engage in. To try to build a more cyber resilient organization. The examination itself is a multiple choice set of questions. You'll have 50 questions on the test. You have to get 33 of those correct in order to pass the test. Or 66%, I guess it is, it's 65%, but I guess you need 66 to pass. There are no prerequisites to this course. So this course is intended for anyone who wants to be part of a cyber resilient organization. And that would mean just about all of us. So a couple things as we get ready to get started with this. The first piece I'd like you to think through is that everybody who's going to take this course learns in a slightly different way. Some of you may learn very effectively from sitting and listening to the video and engaging with the things that we're talking about. Others of you may get more mileage from reading the Resilient guide, from looking at some of the other reference materials. Or for thinking about and writing certain kinds of notes that are going to help you capture and reinforce certain things. So be aware of your learning preferences. And as you use this course, please try to reflect that in how you take notes, in how you engage with the material long term or short term, and how much reading you do. To be able to ensure that you're getting the optimal experience for you. As you go through each of the chapters, take the time to focus on the key things that you need to know. The key learning objectives, the key terms to know. And when you're going and reviewing that, take the time to make sure that you're really comfortable with majoring on the majors. Now understand that this is a multiple choice test. You don't have to memorize everything, but you do need to be aware of what a correct definition might look like if it shows up on the test. Now, as we go through and we talk about the practices in here, you may describe some of these as inconsistent with what your organization currently does, and you might not even agree that some of the practices would be best practices for you. So it's important to understand that Resilia isn't wrong, but they have particular approaches to how they communicate certain things. They may use different terminology. They may emphasize different practices. And again, the importance for you eventually as an organization is to figure out how to adapt and adopt this in a way to drive iterative improvements to your organization's ability to improve its cyber resilient architecture. You don't have to like it. You won't always prefer the various techniques that they provide for you. Take full advantage of all the resources that you have available to you. In addition to this course, you have the access to the Resilia guide. You have the access to the full course where you also have the access to practice exams and other links and information. Having a broad awareness of how all those pieces come together is just going to deepen your awareness of cyber resilience and improve your organization's capabilities. All right, so let's take a moment to walk through the agenda for the course here. So after this initial section on the course itself, we're going to talk a little bit about cyber resilience. What we even mean when we say cyber resilience, how is that different from traditional, the conversations about things like information security. Then we're going to have a detailed conversation about risk and risk management and how to use good risk management practices to build and implement risk treatment programs that will help you drive and improve the risk profile within your organization. We'll talk at some length about managing cyber resilience as an iterative practice and using different types of control systems to not only establish your current capabilities within cyber resilience, but to be able to ensure that as your organization moves forward, that you're driving iterative improvements to how cyber resilience works within your organization. We'll then go through a series of life cycle stages to describe how cyber resilient infrastructure and capabilities are built. Talking broadly about improvement activities, talking about strategic planning, talking about service design, talking about transition planning, operational support and then eventually about how we define and align various roles and responsibilities that will be needed in order to be able to support cyber resilience practices.