Cybersecurity, made operational
The Runbook
Boring controls beat clever attacks.
Most boards approve cybersecurity spending without ever seeing what the spend is for. They get acronyms, fear, and vendor pitches. This module is the plain-language version — what the six questions on every cyber-insurance worksheet really mean, and the operational hygiene those questions are actually measuring. Built for non-profits and schools, vendor-neutral, no upsell.
01
The keys to the building
MFA, admin separation, joiner/mover/leaver, quarterly access review. Identity is where most attacks succeed and most defenses fail.
02
The records room
PII, PHI, PCI, donor records. What you have, where it lives, how long it stays. The data you don't have can't be stolen.
03
The endpoint census
AV vs EDR, patching cadence, full-disk encryption, lost-device protocol. Every device on the network is a copy of your data.
04
The spare set
Offline, immutable, tested. The 3-2-1 rule and why "we have backups" rarely means what people think it means.
05
The contractor's badge
Vendor MFA, scoped access, security review, expiry on contract end. Your vendor's security posture is yours.
06
The two-person rule
Dual-control on funds transfer, the call-back rule, the incident chain of command. Workflow rules catch what technical tools don't.