Foundations capstone
By the end of this module you will be able to:
- Apply risk assessment, CIA triad analysis, identity controls review, and network security concepts to a single integrated scenario
- Map a realistic incident to the NIST CSF 2.0 functions: Identify, Protect, Detect, Respond, and Recover
- Self-assess readiness to progress to the Applied Cybersecurity stage
With the learning outcomes established, the module begins by mapping the incident to the foundations framework in depth.
9.1 Mapping the incident: a foundations framework analysis
Every failure in the Hartley Chambers scenario corresponds to a concept covered in the previous eight modules. Working through the mapping is the capstone exercise.
Module 1 (What cybersecurity is): The firm treated cybersecurity as an IT contractor responsibility rather than an organisational priority. No CISO or equivalent existed. The NIST CSF 2.0 Govern function was entirely absent.
Module 2 (Risk and outcomes): The document management system's single-factor authentication was a known risk that had not been formally assessed, scored, or assigned an owner. It appeared on no risk register. The firm had not completed a risk appetite exercise that would have flagged client confidentiality as a zero-tolerance area.
Module 3 (Data and integrity): Credentials stored in a shared spreadsheet on a document management platform represent a classification and handling failure. Credentials are assets that should be stored in a password manager with access controls, not in a shared file without any label or handling restriction.
Module 4 (Networks and transport): The document management system was not segregated from the finance system. A single compromised credential provided lateral movement across both. Defence in depth and network segmentation were absent.
Module 5 (CIA triad): The primary violation was confidentiality: 47 client matters were accessed by an unauthorised party. The potential secondary violation was integrity: had the attacker modified documents or financial data, the firm might not have detected it. Availability was not directly affected, which is why the breach went undetected for three months.
Module 6 (Identity and access): The document management system had no MFA despite handling highly sensitive client data. The paralegal's credentials gave access to far more than their role required, a least-privilege failure. No access review process existed.
Module 7 (Human factors and phishing): A phishing email successfully harvested credentials. The firm had no regular phishing simulation programme and no process for staff to easily report suspicious emails. No out-of-band verification process existed for the document management login.
Module 8 (Privacy and data protection): The firm failed to notify the ICO within the 72-hour window required by UK GDPR Article 33. Client matter data constitutes personal data subject to the UK GDPR. The four-day containment response extended the exposure period unnecessarily.
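The Module 2 gap above is that the single-factor risk was never scored, never given an owner and never checked against a risk appetite. The following added example (not part of the course material) shows what that bookkeeping looks like in code: a small risk register scored with the likelihood-times-impact formula, compared against a per-category appetite, and flagged for missing ownership. The five-point scales, the appetite thresholds and the register entries are constructed to mirror the scenario, not taken from it.

```python
"""Risk register scoring with likelihood x impact against a stated risk
appetite.  Added example for this module; it is not part of the course
material.  The scales, appetite thresholds and register entries below are
constructed to mirror the Hartley Chambers scenario, not taken from it."""

from dataclasses import dataclass
from typing import Optional

# Constructed five-point scales for the likelihood-times-impact formula.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed risk appetite: the highest score the firm will carry untreated
# in each category.  A zero-tolerance area gets a threshold of 0, so any
# scored risk in that category must be treated.
APPETITE = {"client confidentiality": 0, "finance": 6, "availability": 9}


@dataclass
class Risk:
    ref: str
    description: str
    category: str
    likelihood: str
    impact: str
    owner: Optional[str] = None  # None models a risk nobody has been assigned

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def assess(register):
    """Return one finding per risk: its score, whether it must be treated,
    and the governance gaps (missing owner, missing appetite statement)."""
    findings = []
    for r in register:
        score = r.score()
        gaps = []
        if r.owner is None:
            gaps.append("no owner")
        threshold = APPETITE.get(r.category)
        if threshold is None:
            gaps.append("no appetite statement for category")
            treat = True  # unknown appetite: treat until the board decides
        else:
            treat = score > threshold
        findings.append({"ref": r.ref, "score": score, "treat": treat, "gaps": gaps})
    # Highest score first so the list doubles as a treatment priority order.
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed register entries.
REGISTER = [
    Risk("R1", "Document management system accepts single-factor passwords",
         "client confidentiality", "likely", "severe"),
    Risk("R2", "Staff credentials kept in a shared spreadsheet",
         "client confidentiality", "possible", "major", owner="Practice Manager"),
    Risk("R3", "Flat network between document management and finance systems",
         "finance", "possible", "moderate", owner="IT contractor"),
    Risk("R4", "Backup restore for the finance system untested",
         "availability", "unlikely", "major", owner="Practice Manager"),
]

if __name__ == "__main__":
    for f in assess(REGISTER):
        flag = "TREAT " if f["treat"] else "accept"
        print(f"{f['ref']} score={f['score']:>2} {flag} {', '.join(f['gaps']) or '-'}")
```

Two design points carry the module's lesson. A zero-tolerance category is modelled as an appetite of 0, so the single-factor risk (score 20) and the shared spreadsheet (score 12) are both forced into treatment regardless of their absolute score, while the untested backup (score 8) sits inside the availability appetite and can be accepted. Separately from the score, a risk with no owner is reported as a governance gap: a high score with nobody accountable is exactly the Govern failure the scenario describes.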
“An organization should implement cybersecurity risk management activities to achieve the objectives set by the Govern function. Managing risk is a continuous activity that requires identifying, assessing, and responding to cybersecurity risks.”
NIST Cybersecurity Framework 2.0 - Section 2.5, Overview of the Respond and Recover Functions
The NIST CSF 2.0 treats incident response and recovery as continuous programme activities, not one-off events. Hartley Chambers had no Respond function: no incident response plan, no playbook, no pre-established relationship with a specialist responder. The four-day containment delay was a direct result.
“A sound security foundation requires understanding threats (what can go wrong), vulnerabilities (where weaknesses exist), and controls (how to reduce risk). No single framework captures all three; effective practitioners draw on NIST, ISO, NCSC, and vendor-specific guidance appropriate to their context.”
NCSC Cyber Assessment Framework (CAF) v3.2, Objective A: Managing Security Risk, Introduction
With the incident mapped to the foundations framework, the discussion turns to what a CSF-aligned response would have looked like.
9.2 What a CSF-aligned response would have looked like
Applying the NIST CSF 2.0 functions to the Hartley Chambers scenario shows clearly which functions were absent.
Govern: a board-level risk owner for client data confidentiality would have driven MFA deployment, access reviews, and incident response planning as non-negotiable baseline controls.
Identify: a formal asset inventory would have flagged the document management system as a high-value target housing confidential client data, triggering a risk assessment and MFA requirement.
Protect: MFA on all systems handling client data, least-privilege access scoped to matter-level rather than platform-level, and credential storage in a managed password vault rather than a shared spreadsheet.
Detect: active log review with automated alerts for unusual access patterns would have detected the three-month intrusion within days rather than weeks. The security logs existed; they were simply not being monitored.
Respond: a pre-written incident response plan with a designated responder, a containment checklist, and a 72-hour ICO notification workflow would have compressed the response from four days to hours.
Recover: post-incident review of all 47 affected matters, client notifications, and a lessons-learned exercise feeding back into the Govern function to prevent recurrence.
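The Detect point above is that the access logs existed but nobody looked at them. The following added example (not the course's code) shows the minimum that "active log review with automated alerts for unusual access patterns" means in practice: a baseline of normal behaviour is learned from a quiet period, then later log lines are checked for a source address the user has never used, access outside working hours, and a day on which a user opens far more distinct matters than they ever did during the baseline. The log line format, the field names, the thresholds and all sample lines are constructed for this example.

```python
"""Detection logic for a document management system's access log.
Added example for this module, not code from the course; the log format,
field names, thresholds and the sample lines are all constructed."""

import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log line format: ISO-8601 UTC timestamp, then key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) matter=(?P<matter>\S+)$"
)


def parse(line):
    """Return a record dict for a well-formed line, or None to skip it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def build_baseline(lines):
    """Learn, per user, the source addresses seen and the largest number of
    distinct matters opened on any single day during the baseline period."""
    srcs = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))
    for rec in filter(None, map(parse, lines)):
        srcs[rec["user"]].add(rec["src"])
        per_day[rec["user"]][rec["ts"].date()].add(rec["matter"])
    peak = {u: max(len(s) for s in days.values()) for u, days in per_day.items()}
    return {"srcs": srcs, "peak_matters": peak}


def detect(lines, baseline, multiplier=3):
    """Return (user, rule, detail) alerts.  Each rule fires once per user
    and source, or per user and day, so a single intrusion does not flood
    the reviewer with one alert per log line."""
    alerts = []
    seen_src, seen_offhours = set(), set()
    daily = defaultdict(lambda: defaultdict(set))
    for rec in filter(None, map(parse, lines)):
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if src not in baseline["srcs"].get(user, set()) and (user, src) not in seen_src:
            seen_src.add((user, src))
            alerts.append((user, "new-source", f"{src} not seen for this user in baseline"))
        if (ts.hour >= 22 or ts.hour < 6) and (user, ts.date()) not in seen_offhours:
            seen_offhours.add((user, ts.date()))
            alerts.append((user, "off-hours", ts.isoformat()))
        opened = daily[user][ts.date()]
        opened.add(rec["matter"])
        peak = baseline["peak_matters"].get(user, 1)
        if len(opened) == multiplier * peak + 1:  # fires once, when the limit is crossed
            alerts.append((user, "matter-volume",
                           f"{len(opened)} distinct matters in one day, baseline peak {peak}"))
    return alerts


# Constructed baseline: a paralegal working a few matters from the office address.
BASELINE_LINES = [
    "2024-03-01T09:02:11Z user=j.okafor src=198.51.100.7 action=open matter=M-1001",
    "2024-03-01T11:40:03Z user=j.okafor src=198.51.100.7 action=open matter=M-1002",
    "2024-03-01T15:12:48Z user=j.okafor src=198.51.100.7 action=open matter=M-1003",
    "2024-03-02T09:15:30Z user=j.okafor src=198.51.100.7 action=open matter=M-1001",
    "2024-03-02T14:03:19Z user=j.okafor src=198.51.100.7 action=edit matter=M-1002",
    "2024-03-01T10:00:00Z user=a.hartley src=198.51.100.7 action=open matter=M-1001",
]

# Constructed later activity: the same account, at 02:13 UTC, from an address
# never seen before, opening ten matters in quick succession; plus one
# normal line and one malformed line that the parser skips.
SUSPICIOUS_LINES = [
    f"2024-03-04T02:{13 + i:02d}:55Z user=j.okafor src=203.0.113.45 action=open matter=M-{1001 + i}"
    for i in range(10)
] + [
    "2024-03-04T10:05:00Z user=a.hartley src=198.51.100.7 action=open matter=M-1001",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in detect(SUSPICIOUS_LINES, build_baseline(BASELINE_LINES)):
        print(alert)
```

Each alert type maps to something a responder can act on: a new source address and an off-hours login together are a strong signal that a credential, not the employee, is being used, and the matter-volume rule is the one that would have surfaced the 47-matter exposure on the first day rather than after three months. The baseline-relative threshold matters: a fixed "more than N matters" rule would either miss a junior's breach or alert on a partner's normal workload.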
Common misconception
“Cybersecurity is primarily a technology problem. Better tools would have prevented this.”
The Hartley Chambers scenario had logs. It had MFA capability on the email system. The technology existed. The failures were governance (no risk owner), process (no log review process, no incident response plan, no access review), and people (no phishing training, no MFA enforcement on the document system). This pattern, technology present but process and governance absent, is the most common root cause in reported breaches. The NIST CSF 2.0 Govern function exists to address it.
Common misconception
“Compliance with a security framework (ISO 27001, Cyber Essentials Plus) means the organisation is secure.”
Compliance frameworks establish a documented baseline of policies, procedures, and technical controls at a point in time. They do not guarantee that controls are operating effectively between audit cycles, that new systems introduced after certification meet the same standard, or that the controls are correctly sized for emerging threats. The WannaCry ransomware attack in 2017 exploited vulnerabilities in NHS organisations that had existing information security policies. An organisation can be compliant and breached simultaneously. Compliance is a floor, not a ceiling.
With the shape of a CSF-aligned response established, the discussion turns to the foundations self-assessment.
9.4 Foundations self-assessment
Before progressing to the Applied Cybersecurity stage, you should be comfortable with the following. If any item feels uncertain, revisit the corresponding module.
Definitions and scope: You can explain what cybersecurity covers and does not cover, and why the NIST CSF 2.0 has six functions rather than five.
Risk: You can apply the likelihood-times-impact formula, distinguish threat from vulnerability from exploit, and explain risk appetite using a realistic example.
Data: You can classify data under HMG GSC, identify the three data states and their appropriate controls, and explain how SHA-256 provides integrity verification.
Networks: You can distinguish stateful from stateless firewalls, explain why TLS 1.3 is preferred over TLS 1.2, and describe what defence in depth means in practice.
CIA and STRIDE: You can give a real-world example of each CIA property being violated and map a given attack to a STRIDE category.
Identity: You can compare SMS OTP, TOTP, and FIDO2, explain the principle of least privilege, and describe what access creep is.
Human factors: You can classify phishing variants, identify which Cialdini principle is being exploited in a scenario, and evaluate a proposed awareness training programme.
Privacy: You can apply the six UK GDPR lawful bases, explain the 72-hour breach notification obligation, and describe data minimisation in system design terms.
Key takeaways
- The Hartley Chambers scenario shows that most real breaches combine multiple foundation failures: governance, risk management, access control, monitoring, and incident response.
- Having technology is not the same as having controls. Logs that are not monitored, MFA that is not enforced, and risk registers that are not maintained provide no actual protection.
- The NIST CSF 2.0 Govern function is the precondition for all other functions. Without accountable ownership, the other five functions lack authority and resources.
- UK GDPR 72-hour breach notification runs from awareness, not from completion of the investigation. Initial partial notifications are acceptable.
- Progression to Applied Cybersecurity means applying these foundations to specific attack techniques, threat modelling, and technical security design.
You have completed the Foundations stage. You can define cybersecurity, assess risk, classify data, evaluate network controls, apply the CIA triad, manage identity, understand human factors, and navigate privacy law. The Applied stage builds on this by teaching you to design security into systems: threat modelling, web application security, API security, and detection engineering. The first Applied module is Threat modelling as design.
Standards and sources cited in this module
NIST Cybersecurity Framework 2.0 (February 2024)
Section 2.5, Respond and Recover functions
Framework reference for the capstone's NIST CSF mapping exercise. Cited in Section 9.2.
UK GDPR Article 33, Notification of a personal data breach to the supervisory authority
Article 33
Defines the 72-hour notification obligation. Cited in Section 9.1 and the integrative quiz.
NCSC UK, '10 Steps to Cyber Security' (2022)
All 10 steps
UK reference for the complete set of baseline controls that the Hartley Chambers scenario failed to implement. Referenced in Section 9.2.
ISO/IEC 27001:2022, Information Security Management Systems
Clause 9.1, Monitoring, measurement, analysis and evaluation
Establishes active monitoring as a management system requirement. Referenced in Section 9.2 for the Detect function gap.
Module 9 of 25 · Cybersecurity Foundations