How to use this
Practical, not perfection.
- Pick the tier you are studying and copy the template into your notes.
- Complete it for one real example (work, a side project, or a safe fictional scenario).
- Use the rubric to tighten it until it is defensible.
- Paste a short reflection into your CPD record: what you assumed, what evidence you would keep, and what you would do next.
Foundations. Personal Security Baseline
Template + rubric + example
Rubric (what "good enough" looks like)
- MFA choice is justified (risk vs friction).
- Backup plan includes a restore test.
- Evidence is identified (what you would log/measure/keep).
- Next actions are concrete and realistic.
Worked example (short)
MFA: hardware key for email and password manager.
Backups: weekly + monthly restore test.
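The rubric asks for a restore test, not just a backup. The script below is an added example of what such a test looks like in practice; it is not from the original page. It assumes (my choice, not the page's) that the backup is a tar.gz archive, that a SHA-256 manifest is written at backup time, and that "restore test" means extracting into a fresh scratch directory and comparing every file against that manifest. The sample files are constructed inline so it runs offline.

```python
"""Added example: a scripted backup restore test (not code from the page).

Assumptions (mine, not the page's): tar.gz archive, SHA-256 manifest taken
at backup time, restore into a throwaway directory and verify every file.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(src: Path, archive: Path) -> dict[str, str]:
    """Write each file under src into a tar.gz; return the manifest taken now.

    The manifest is the evidence: keep it next to (not inside) the archive.
    """
    manifest = make_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def restore_test(archive: Path, manifest: dict[str, str]) -> tuple[bool, list[str]]:
    """Restore into a scratch directory and verify against the manifest.

    Returns (ok, problems). A backup that cannot be restored and verified
    is not a backup, which is why the rubric insists on this step.
    """
    problems: list[str] = []
    # Use the 'data' extraction filter where available (Python 3.12+ and
    # backports) so a crafted archive cannot write outside the scratch dir.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        out = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(out, **extract_kwargs)
        restored = make_manifest(out)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file: {rel}")
    return (not problems, problems)


def demo() -> dict:
    """Constructed sample run: back up two files, restore-test them, then
    show that a corrupted expectation (simulating silent file damage) is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "vault"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "todo.txt").write_text("rotate recovery codes\n")
        (src / "keys.txt").write_text("constructed sample, not real secrets\n")
        archive = Path(work) / "vault.tar.gz"
        manifest = backup(src, archive)
        ok, problems = restore_test(archive, manifest)
        tampered = dict(manifest)
        tampered["keys.txt"] = "0" * 64  # pretend the stored file no longer matches
        tampered_ok, tampered_problems = restore_test(archive, tampered)
    return {
        "manifest_keys": sorted(manifest),
        "clean_restore_ok": ok,
        "clean_problems": problems,
        "tampered_ok": tampered_ok,
        "tampered_problems": tampered_problems,
    }


if __name__ == "__main__":
    print(demo())
```

For the CPD reflection, the evidence to keep is the manifest plus the date and result of each restore run; a restore that has never been exercised is an assumption, not evidence.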
Applied. Feature Security Review Pack
Template + rubric + example
Rubric (what "good enough" looks like)
- Threats include abuse cases, not only vulnerabilities.
- Verification is testable (not “we will be careful”).
- Evidence is identified (what you would log/measure/keep).
- Trade-offs are stated, not implied.
Worked example (short)
Threat: IDOR (a logged-in user swaps the object ID in a request and reads another user's record); control: an object-level authorization check on every access, denying by default; evidence: access logs that record allowed and denied decisions, plus automated tests that attempt the cross-user read.
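To make the IDOR row testable rather than "we will be careful", here is an added example (not code from the page) showing the vulnerable handler beside the hardened one, the access log that serves as evidence, and a probe the review pack can cite as a regression test. The document store, users and function names are constructed for illustration and assume nothing about any real framework.

```python
"""Added example: IDOR, object-level authorization, access log and test probe.
All names (Document, fetch_document_*, ACCESS_LOG) and data are constructed
for illustration; they are not from the page or from any real project.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


@dataclass
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample store: two users' documents with adjacent ids.
DOCUMENTS = {
    101: Document(101, "alice", "alice's draft"),
    102: Document(102, "bob", "bob's tax return"),
}

# Evidence: every authorization decision is recorded, allowed or not.
ACCESS_LOG: list[dict] = []


class Forbidden(Exception):
    pass


def fetch_document_vulnerable(user: User, doc_id: int) -> Document:
    """Threat: IDOR. Any authenticated user can read any id; ownership is never checked."""
    return DOCUMENTS[doc_id]  # KeyError for unknown ids, no authz check at all


def is_authorized(user: User, doc: Document) -> bool:
    """Object-level check: the owner, or an explicit admin role. Deny by default."""
    return doc.owner == user.name or "admin" in user.roles


def fetch_document(user: User, doc_id: int) -> Document:
    """Control: object-level authorization on every read, logged either way."""
    doc = DOCUMENTS.get(doc_id)
    # Unknown and forbidden ids get the same answer so the endpoint does not
    # reveal which ids exist.
    allowed = doc is not None and is_authorized(user, doc)
    ACCESS_LOG.append({"user": user.name, "doc_id": doc_id, "allowed": allowed})
    if not allowed:
        raise Forbidden(f"{user.name} may not read document {doc_id}")
    return doc


def idor_probe(fetch, user: User, doc_id: int) -> bool:
    """Test helper: True if `fetch` lets `user` read `doc_id`."""
    try:
        fetch(user, doc_id)
        return True
    except (Forbidden, KeyError):
        return False


def run_checks() -> dict:
    """Constructed regression checks: the evidence a reviewer would keep."""
    ACCESS_LOG.clear()
    alice = User("alice")
    auditor = User("carol", frozenset({"admin"}))
    return {
        "vulnerable_cross_tenant_read": idor_probe(fetch_document_vulnerable, alice, 102),
        "hardened_cross_tenant_read": idor_probe(fetch_document, alice, 102),
        "hardened_own_read": idor_probe(fetch_document, alice, 101),
        "hardened_unknown_id": idor_probe(fetch_document, alice, 999),
        "hardened_admin_read": idor_probe(fetch_document, auditor, 102),
        "denied_events_logged": sum(1 for e in ACCESS_LOG if not e["allowed"]),
    }


if __name__ == "__main__":
    print(run_checks())
```

The trade-off the rubric asks you to state: the hardened path does one extra lookup per request and returns the same error for "missing" and "not yours", which is deliberate and worth writing down so nobody later "fixes" it into a 404/403 split.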
Practice. Operational Security Pack
Template + rubric + example
Rubric (what "good enough" looks like)
- Detection includes response steps (playbooks).
- Evidence is operational (logs/alerts/runbooks), not just policy text.
- Next actions are concrete and realistic.
Worked example (short)
Signal: unusual admin actions (privileged changes by an account, from a network, or at a time that does not match the baseline); runbook: contain the account, preserve evidence before any cleanup, notify on-call and the service owner.
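The rubric wants detection that carries its response steps and evidence that is operational. The following is an added example, not from the page: a small rule set run over constructed JSON-lines audit events, emitting alerts that carry the runbook with them. The log format, the baseline (known admins, admin networks, change window) and the runbook wording are all assumptions made for illustration and do not correspond to any real product.

```python
"""Added example: detect unusual admin actions and attach runbook steps.
Log format, baseline values and runbook text are constructed for this
illustration; none of it is from the page or a real system.
"""
from __future__ import annotations

import ipaddress
import json
from datetime import datetime, timezone

# Constructed baseline an operator would maintain (assumption, not from the page).
KNOWN_ADMINS = {"ops-alice", "ops-bob"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
CHANGE_WINDOW_UTC = range(8, 18)  # hours during which admin changes are expected
HIGH_RISK_ACTIONS = {"grant_role", "create_user", "disable_logging", "rotate_key"}

# The runbook travels with every alert so the responder does not have to find it.
RUNBOOK = [
    "contain: suspend the acting account and revoke its active sessions",
    "preserve: export the audit log for the account and source IP before any cleanup",
    "notify: page security on-call and inform the service owner",
]

# Constructed sample audit events (JSON lines), not real logs.
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:15:00Z", "actor": "ops-alice", "action": "rotate_key", "target": "kms/prod", "src_ip": "10.20.4.7"}
{"ts": "2024-05-06T09:20:00Z", "actor": "ops-bob", "action": "list_users", "target": "iam", "src_ip": "10.20.4.9"}
{"ts": "2024-05-06T02:41:00Z", "actor": "svc-backup", "action": "grant_role", "target": "iam/admin", "src_ip": "10.20.9.3"}
{"ts": "2024-05-06T11:02:00Z", "actor": "ops-alice", "action": "disable_logging", "target": "audit/prod", "src_ip": "203.0.113.44"}
"""


def reasons_for(event: dict) -> list[str]:
    """Return why this event deviates from baseline; an empty list means normal."""
    reasons: list[str] = []
    if event["action"] not in HIGH_RISK_ACTIONS:
        return reasons  # routine reads are not admin changes
    if event["actor"] not in KNOWN_ADMINS:
        reasons.append("actor is not a known admin")
    ip = ipaddress.ip_address(event["src_ip"])
    if not any(ip in net for net in ADMIN_NETWORKS):
        reasons.append("source outside admin networks")
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if ts.hour not in CHANGE_WINDOW_UTC:
        reasons.append("outside change window")
    if event["action"] == "disable_logging":
        reasons.append("logging tampering")  # always alert, even for a known admin
    return reasons


def detect(log_text: str) -> list[dict]:
    """Run the rules over JSON-lines audit events; each alert carries the runbook."""
    alerts: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = reasons_for(event)
        if reasons:
            alerts.append({
                "actor": event["actor"],
                "action": event["action"],
                "src_ip": event["src_ip"],
                "reasons": reasons,
                "runbook": RUNBOOK,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

Two of the four sample events fire: a service account granting itself an admin role at 02:41, and a known admin disabling audit logging from an address outside the admin networks. The evidence to keep is the alert itself, the raw events it was built from, and the timestamped record of each runbook step being carried out.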