/**
 * One labelled sample paragraph together with its expected ("gold")
 * annotations. The entries in `WARMUP_PARAGRAPHS` follow this shape.
 */
export interface WarmupParagraph {
  /** Identifier for the sample; the sample data uses the form "warmup-N". */
  id: string;
  /** The disclosure paragraph to be labelled, reproduced verbatim. */
  text: string;
  /**
   * Expected category label. Values seen in the sample data:
   * "Board Governance", "Incident Disclosure", "Risk Management Process",
   * "Strategy Integration", "Third-Party Risk".
   */
  goldCategory: string;
  /**
   * Expected specificity level. The sample data uses the integers 1–4
   * (1 Generic Boilerplate, 2 Domain-Adapted, 3 Firm-Specific,
   * 4 Quantified-Verifiable); the `number` type does not enforce that range.
   * NOTE(review): a literal union `1 | 2 | 3 | 4` would make out-of-range
   * gold values a compile error — confirm no caller relies on other values.
   */
  goldSpecificity: number;
  /**
   * Rationale for both gold labels, written in the rubric's own terms
   * (category cue, specificity level, presence or absence of
   * "QV-eligible" facts).
   */
  explanation: string;
}
/**
 * Five labelled sample paragraphs covering every specificity level from
 * 1 to 4 and five distinct categories. Each `explanation` walks through
 * why the gold category and gold specificity apply, in the rubric's
 * vocabulary. Presumably shown before the real labelling task as a
 * calibration set — confirm against the caller.
 *
 * Long strings are written as concatenated sentence fragments; the
 * resulting values are byte-identical to single-line literals.
 */
export const WARMUP_PARAGRAPHS: WarmupParagraph[] = [
  // Level 3: a firm-specific delegation structure, but no quantified facts.
  {
    id: "warmup-1",
    text:
      "The Board of Directors oversees the Company's management of cybersecurity risks. " +
      "The Board has delegated oversight of cybersecurity and data privacy matters to the Audit Committee, which receives quarterly reports from management on the Company's cybersecurity risk management program, recent threats, and any incidents.",
    goldCategory: "Board Governance",
    goldSpecificity: 3,
    explanation:
      "Board Governance because the Board of Directors and Audit Committee are the grammatical subjects performing the primary actions (overseeing, delegating, receiving reports). " +
      "Specificity 3 (Firm-Specific) because the paragraph describes a specific delegation structure (to the Audit Committee) with a defined briefing cadence. " +
      "While 'Audit Committee' alone is generic (NOT list), the delegation of cybersecurity oversight to it is a firm-specific organizational choice. " +
      "No QV-eligible facts present (no specific numbers, dates, named entities, or tools).",
  },
  // Level 4: a dated incident with named responder and quantified scope.
  {
    id: "warmup-2",
    text:
      "On January 15, 2024, we detected unauthorized access to our customer support portal. " +
      "The threat actor exploited a known vulnerability in a third-party software component. " +
      "Upon detection, we activated our incident response plan, contained the intrusion within four hours, and engaged Mandiant for forensic investigation. " +
      "Approximately 12,000 customer records were potentially accessed.",
    goldCategory: "Incident Disclosure",
    goldSpecificity: 4,
    explanation:
      "Incident Disclosure because the paragraph describes what happened in a cybersecurity incident: the timeline, attack vector, response actions, and scope. " +
      "Specificity 4 (Quantified-Verifiable) because it contains QV-eligible facts: a specific date (January 15, 2024), a specific containment time (four hours), a named forensic firm (Mandiant), and a quantified impact (12,000 customer records). " +
      "Any one of these would be sufficient for Level 4.",
  },
  // Level 1: generic ERM wording with no domain terminology.
  {
    id: "warmup-3",
    text:
      "We maintain a cybersecurity risk management program that is designed to identify, assess, and manage material cybersecurity risks to our business. " +
      "Our program is based on recognized industry frameworks and best practices.",
    goldCategory: "Risk Management Process",
    goldSpecificity: 1,
    explanation:
      "Risk Management Process because the paragraph describes the company's internal cybersecurity program and its purpose (identify, assess, manage risks). " +
      "Specificity 1 (Generic Boilerplate) because this language could appear in any company's filing unchanged — 'identify, assess, and manage' is generic ERM language, 'recognized industry frameworks' names no specific standard, and 'best practices' is boilerplate. " +
      "No cybersecurity domain terminology, no firm-specific facts, no QV-eligible facts.",
  },
  // Level 4: several dollar and percentage figures tied to a fiscal year.
  {
    id: "warmup-4",
    text:
      "We increased our cybersecurity budget by 28% to $38M in fiscal 2024, representing approximately 0.6% of annual revenue. " +
      "We maintain cyber liability insurance with $75M in aggregate coverage. " +
      "Management believes these investments appropriately balance the Company's cybersecurity risk profile with its available resources.",
    goldCategory: "Strategy Integration",
    goldSpecificity: 4,
    explanation:
      "Strategy Integration because the paragraph discusses financial resource allocation (budget increase, insurance) and strategic judgment about cybersecurity investment — business/financial consequences of cyber risk. " +
      "Specificity 4 (Quantified-Verifiable) because it contains multiple QV-eligible facts: budget percentage (28%), dollar amount ($38M), revenue percentage (0.6%), insurance coverage ($75M), and time period with cybersecurity fact (fiscal 2024). " +
      "Any one would suffice for Level 4.",
  },
  // Level 2: names a recognised standard (SOC 2 Type II) but nothing firm-specific.
  {
    id: "warmup-5",
    text:
      "Our vendor risk management program requires all third-party service providers with access to sensitive data to meet minimum security standards, including SOC 2 Type II certification or equivalent third-party attestation. " +
      "We conduct initial security assessments of new vendors and perform annual reassessments of existing relationships.",
    goldCategory: "Third-Party Risk",
    goldSpecificity: 2,
    explanation:
      "Third-Party Risk because the central topic is oversight of external parties' cybersecurity: vendor requirements, security assessments, and ongoing monitoring of third-party relationships. " +
      "Specificity 2 (Domain-Adapted) because it names a recognized standard (SOC 2 Type II) — cybersecurity domain terminology that wouldn't appear in a generic enterprise risk document. " +
      "However, no firm-specific facts are present: no specific vendor counts, no named vendors, no dollar amounts. " +
      "The assessment cadences ('initial' and 'annual') are generic. " +
      "Domain terminology present but nothing firm-specific = Level 2.",
  },
];