How to conduct a cyber-resilience assessment
It's a good cyber hygiene practice to periodically review your organization's cybersecurity plans and procedures. Use this checklist to guide your cyber-resilience assessment.
Periodic assessments of cybersecurity plans, policies and procedures ensure cybersecurity programs are fit for purpose and ready for use in the event of an attack.
Cyber resilience is an organization's ability to recover and resume operations following a disruptive event, and a cyber-resilience assessment measures that ability. Adapting the assessment process to gauge resilience, however, goes beyond a simple "do we have it" or "don't we have it" inventory of controls.
Read on to learn how to prepare and conduct a cyber-resilience assessment, and review activities that help improve an organization's cybersecurity risk posture.
Questions to ask when conducting a cyber-resilience assessment
The following questions will help guide your cyber-resilience assessment:
- What is at risk from cyber attacks? This includes employees, business systems, manufacturing systems, business processes, communications and network services, desktop systems, data storage facilities, network perimeters and facilities systems, such as fire suppression, building security, access control, HVAC systems and utilities.
- What types of cyber attacks could occur? It's a good idea to periodically perform a cybersecurity risk assessment to keep up to date on the latest risks and threats. This could include attacks such as phishing, DDoS attacks, viruses and ransomware, as well as risks to critical infrastructure, supply chains and more.
- What are the likely threat vector access points? These include access points in the network perimeter, use of remote access technologies, remote working, infected files that enter an organization's network infrastructure and even rogue employees who activate or plant software code that provides access to unauthorized users.
- How does the organization currently respond to cyber attacks? This could include cybersecurity policies that address various cyber attack scenarios, cybersecurity incident response plans that capture malicious code for analysis and cybersecurity event management plans that carry the event through to its resolution and after-action report. Organizations should also have technology disaster recovery and business continuity plans to help systems and the business return to normal operations. These last two items are included to help ensure the organization's resilience following an event.
- How does the organization address the five key cyber attack response activities? These correspond to the five core functions of the NIST Cybersecurity Framework. Examine all relevant cybersecurity materials to ensure the following five activities are performed in the event of a cyber attack:
- Identify. Perform a risk, threat and vulnerability assessment to identify potential threat actors and attack vectors. This step also helps determine how well the company is prepared to respond to attacks.
- Protect. This step addresses how cyber attacks are prevented using technologies such as firewalls, intrusion detection and prevention systems (IDSes/IPSes), and cybersecurity analysis software.
- Detect. Even with proactive security measures, an attack is still likely to occur, so use the security hardware and software already in place to detect possible malicious code and other indicators of compromise.
- Respond. Using the systems, software and cybersecurity incident response plans, this step isolates the malware, analyzes it and neutralizes it to prevent further damage.
- Recover. This step involves activities to recover damaged systems and services, restore disrupted business activities and help the business resume operations as quickly as possible.
- How is systems, software and network cybersecurity managed? Many activities live under this heading, including the following:
- patch management;
- antivirus and other malware software updates;
- strong password management;
- strong access control;
- ensuring data, databases and applications are regularly backed up;
- limiting access to authorized personnel;
- ensuring hardware, network and facility security is maintained and established; and
- acquiring cybersecurity insurance.
- How does the organization test for cyber threats and vulnerabilities? Organizations must have procedures and systems in place to regularly test for and uncover any potential vulnerabilities to the network perimeter and within the organization's infrastructure. This includes a variety of techniques, including penetration testing.
- How often are cybersecurity plans, procedures and systems tested? This is especially important because threat actors regularly update and enhance their malicious code. Organizations must also be diligent in their preparations. Staff must know what to do when an attack is detected, management must support cybersecurity management processes and cybersecurity teams must be regularly trained on how to deal with cyber events. For example, organizations should keep firewall rules and IDS/IPS signatures current to increase the likelihood that attacker activity is identified.
- Are cybersecurity team members well trained? Members of the cybersecurity or information security team must stay up to date on critical viruses, ransomware, phishing and other malware activities occurring locally and globally. Team members must also understand how to use cybersecurity applications and systems that identify suspicious code and reduce the likelihood of an attack.
- How familiar are employees and senior management with cybersecurity event procedures? In addition to the cybersecurity team, employees and senior management must be aware of the company's policy on how to deal with cyber attacks. This includes what to do if they are attacked. Regular trainings and reminders on the importance of cybersecurity diligence and the company's policies are key, as well as ensuring employees know how to respond to an attack.
- What happens in the aftermath of a cyber attack? This step takes an unbiased view of how well the organization responded to the cyber attack, including which actions were successful and which were not. The organization should launch follow-up actions to remediate any problems discovered.
Cyber-resilience assessments provide timely knowledge on the state of an organization's preparedness for a cyber attack and its ability to adapt and overcome the disruption caused by an attack. If the above questions identify areas for improvement, the organization can make those changes before the next attack occurs.
Cybersecurity resilience assessment checklist
Considering the previous recommended activities, the following checklist can be used to prepare a cyber-resilience assessment:
- Identify risks. Create a list of risks and threats that could facilitate cyber attacks and the systems that must be protected.
- Identify potential cyber attacks. Create a list of potential cyber attacks, such as phishing or ransomware.
- Examine how the organization currently responds to attacks. Create a list of current plans, policies, procedures, systems and technologies.
- Protect current systems, software and networks. Ensure current IT assets and resources are protected from attacks.
- Test for cyber threats and vulnerabilities. Conduct periodic technical testing, such as vulnerability scans and pen tests, to identify vulnerabilities before an attacker does.
- Test cybersecurity plans and procedures. Validate plans and procedures to ensure they address and mitigate the impact of a cyber attack.
- Train cybersecurity team members. Ensure cybersecurity team members know how to deal with threats, as well as cybersecurity systems and software in use.
- Train employees and senior management about cybersecurity. Conduct cybersecurity awareness trainings so employees and senior managers are aware of cyber attacks and their role during an attack.
- Conduct post-cyber attack activities. Identify the activities that worked and those that didn't, and identify steps to remediate policies, plans, procedures, systems and technology in preparation for future attacks.
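Most of the checklist items above only count as satisfied if there is dated evidence behind them (a backup log entry, a pen test report, a training record, an exercise report) and that evidence is recent. The script below, an added example that is not from the original article, treats each checklist item as a control with an evidence date and a maximum age, and reports which items have no evidence or stale evidence. The review intervals, the control names and the sample dates are all assumptions constructed for the example; set the intervals from your own policy.

```python
"""Evidence-freshness check for a cyber-resilience checklist.

Added illustration, not from the original article. Each checklist item is a
control that must have dated evidence. The max_age_days values and the sample
register below are assumptions for the example, not recommendations.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    name: str                    # checklist item the evidence supports
    max_age_days: int            # assumed maximum age before the evidence is stale
    last_evidence: Optional[date]  # date of the most recent record, None if none exists


def assess(controls: List[Control], today: date) -> List[Tuple[str, str]]:
    """Return (control name, reason) for every control that fails the freshness check."""
    findings: List[Tuple[str, str]] = []
    for c in controls:
        if c.last_evidence is None:
            findings.append((c.name, "no evidence on record"))
            continue
        age = (today - c.last_evidence).days
        if age < 0:
            # A future-dated record usually means a data-entry error; flag it rather than trust it.
            findings.append((c.name, f"evidence dated in the future ({c.last_evidence.isoformat()})"))
        elif age > c.max_age_days:
            findings.append((c.name, f"stale: {age} days old, limit {c.max_age_days}"))
    return findings


def coverage(controls: List[Control], today: date) -> float:
    """Fraction of controls with current evidence, from 0.0 to 1.0."""
    if not controls:
        return 0.0
    failing = {name for name, _ in assess(controls, today)}
    return (len(controls) - len(failing)) / len(controls)


# Constructed sample evidence register; names follow the checklist items above,
# dates and intervals are made up for the example.
SAMPLE_CONTROLS = [
    Control("Patch management: critical patches applied", 30, date(2024, 5, 20)),
    Control("Backups: last successful backup of databases", 1, date(2024, 5, 31)),
    Control("Penetration test of network perimeter", 365, None),
    Control("Incident response plan exercised", 365, date(2023, 3, 1)),
    Control("Cybersecurity team training", 180, date(2024, 1, 15)),
    Control("Employee and management awareness training", 365, date(2024, 2, 10)),
    Control("Post-incident review completed", 90, date(2024, 4, 2)),
]
AS_OF = date(2024, 6, 1)  # assessment date for the sample run

if __name__ == "__main__":
    for name, reason in assess(SAMPLE_CONTROLS, AS_OF):
        print(f"FAIL  {name}: {reason}")
    print(f"controls with current evidence: {coverage(SAMPLE_CONTROLS, AS_OF):.0%}")
```

On the sample register the pen test fails for lack of any evidence and the incident response exercise fails as stale (458 days against a 365-day interval), so five of seven controls are current. The point of the check is that a "yes, we have a plan" answer is not resilience; the plan has to have been exercised recently enough to be trusted.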
This is a relatively simple assessment checklist. More detailed and expansive cybersecurity assessment tools are available, including the following:
- NIST Cybersecurity Framework;
- NIST Special Publication 800-53 Security and Privacy Controls for Information Systems and Organizations;
- ISO 27001;
- National Cyber Security Centre's Cyber Assessment Framework;
- Cybersecurity and Infrastructure Security Agency (CISA) Cyber Resilience Review: Method Description and Self-Assessment User Guide;
- CISA Cyber Resilience Review: Question Set with Guidance; and
- U.S. Department of Homeland Security Cyber Resilience Review.