Periodic assessments of cybersecurity plans, policies and procedures ensure cybersecurity programs meet their objectives and are ready for use in the event of an attack.
Referred to as cyber resilience, these assessments define an organization's ability to recover and resume operations following a disruptive event. Modifying the assessment process to determine an organization's resilience, however, goes beyond a simple "do we have it" or "don't we have it" approach.
Read on to learn how to prepare and conduct a cyber-resilience assessment, and review activities that help improve an organization's cybersecurity risk posture.
Questions to ask when conducting a cyber-resilience assessment
The following questions help guide a cyber-resilience assessment:
- What is at risk from cyber attacks? Risk factors include employees, business systems, manufacturing systems, business processes, communications and network services, desktop systems, data storage facilities, network perimeters and facilities systems, such as fire suppression, building security, access control, HVAC systems and utilities.
- What types of cyber attacks could occur? It's a good idea to periodically perform a cybersecurity risk assessment to keep up to date on the latest risks and threats. This could include attacks such as phishing, DDoS, viruses and ransomware, as well as risks to critical infrastructure, supply chains and more.
- What are the likely threat vector access points? Probabilities include access points in the network perimeter, use of remote access technologies, remote working, infected files that enter an organization's network infrastructure and even rogue employees who activate or plant software code that provides access to unauthorized users.
- How does the organization currently respond to cyber attacks? An organization's response could include cybersecurity policies that address various cyber-attack scenarios, cybersecurity incident response plans that capture malignant code for analysis and cybersecurity event management plans that process the event through to its resolution and after-action reports. Organizations should also have disaster recovery and business continuity plans to help systems and the business return to normal operations. These last two items are included to help ensure the organization's resilience following an event.
- How does the organization address the five key cyber-attack response activities? Examine all relevant cybersecurity materials to ensure the following five activities are performed in the event of a cyber attack:
- Identify. Perform a risk, threat and vulnerability assessment to identify potential threat actors and attack vectors. This step also helps determine how well the company is prepared to respond to attacks.
- Protect. This step addresses how cyber attacks are prevented by using technologies such as firewalls, intrusion detection and prevention systems (IDSes/IPSes), and cybersecurity analysis software.
- Detect. Even with proactive security measures, an attack can occur, so use investments in security hardware and software systems to detect possible malicious code.
- Respond. Using the systems, software and cybersecurity incident response plans, this step isolates the malware, analyzes it and neutralizes it to prevent further damage.
- Recover. This step involves activities to recover damaged systems and services, recover disrupted business activities and help the business resume operations as quickly as possible.
- How are systems, software and network cybersecurity managed? Address the following:
- How does the organization test for cyberthreats and vulnerabilities? Organizations must have procedures and systems in place to regularly test for and uncover any potential vulnerabilities to the network perimeter and within the organization's infrastructure. This includes a variety of techniques, including penetration testing.
- How often are cybersecurity plans, procedures and systems tested? This is especially important because threat actors regularly update and enhance their malicious code. Organizations must also be diligent in their preparations. Staff must know what to do when an attack is detected. Management must support cybersecurity management processes, and cybersecurity teams must be regularly trained on how to deal with cyber events. For example, organizations should regularly update firewalls and IDSes/IPSes to increase the likelihood of a threat actor being identified.
- Are cybersecurity team members well trained? Members of the cybersecurity or information security team must stay up to date on critical viruses, ransomware, phishing and other malware activities occurring locally and globally. Team members must also understand how to use cybersecurity applications and systems that identify suspicious code and reduce the likelihood of an attack.
- How familiar are employees and senior management with cybersecurity event procedures? In addition to the cybersecurity team, employees and senior management must be aware of the company's policy on how to deal with cyber attacks. This includes what to do if they are attacked. Regular security awareness trainings and reminders on the importance of cybersecurity diligence and the company's policies are key, as well as ensuring employees know how to respond to an attack.
- What happens in the aftermath of a cyber attack? This step takes an unbiased view of how well the organization responded to the cyber attack, including which actions were successful and which were not. The organization should launch follow-up actions to remediate any problems discovered during the process.
Cyber-resilience assessments provide timely knowledge on the state of an organization's preparedness for a cyber attack, as well as its ability to adapt and overcome the disruption caused by an attack. If the above questions identify areas for improvement, the organization can make those changes before the next attack occurs.
Cybersecurity resilience assessment checklist
Considering the previous recommended activities, the following checklist can be used to prepare a cyber-resilience assessment:
- Identify risks. Create a list of risks and threats that could facilitate cyber attacks and the systems that must be protected.
- Identify potential cyber attacks. Create a list of potential cyber attacks, such as phishing or ransomware.
- Examine how the organization currently responds to attacks. Create a list of current plans, policies, procedures, systems and technologies.
- Protect current systems, software and networks. Ensure current IT assets and resources are protected from attacks.
- Test for cyberthreats and vulnerabilities. Conduct periodic forensic activities, such as pen tests, to identify vulnerabilities.
- Test cybersecurity plans and procedures. Validate plans and procedures to ensure they address and mitigate the impact of a cyber attack.
- Train cybersecurity team members. Ensure cybersecurity team members know how to deal with threats, as well as cybersecurity systems and software in use.
- Train employees and senior management about cybersecurity. Conduct security awareness trainings so employees and senior managers are aware of cyber attacks and their roles during an attack.
- Conduct post-cyber attack activities. Identify the activities that worked and those that didn't, and then identify steps to remediate policies, plans, procedures, systems and technology in preparation for future attacks.
This is a relatively simple assessment checklist. More detailed cybersecurity assessment tools are available, including the following:
- NIST Cybersecurity Framework.
- NIST Special Publication 800-53 Security and Privacy Controls for Information Systems and Organizations.
- ISO 27001.
- National Cyber Security Centre Cyber Assessment Framework.
- CISA Cyber Resilience Review: Method Description and Self-Assessment User Guide.
- CISA Cyber Resilience Review: Question Set with Guidance.
- U.S. Department of Homeland Security Cyber Resilience Review.