A year or so ago I came upon the idea of “cyber resilience”, a general concept of ‘hardening’, toughening, or otherwise making our IT/cyber systems more resilient. I started seeing the term used a lot, and many of the times I’ve seen it, it has been in support of the idea that we need to focus MORE on resilience than on cybersecurity, or that cyber resilience is the next step beyond cybersecurity.
But another thing they do is prepare before a hurricane hits to minimize the impact and lessen the chance of losing power. In my area, they have been doing this by replacing old wooden poles with new, stronger concrete poles, burying the power lines that run from the poles to the houses, trimming trees, etc.
The Software Engineering Institute at Carnegie-Mellon University is probably best known for creating the Capability Maturity Model (CMM), and also the CERT Division. Within the CERT Division is the Cyber Risk and Resilience Management work area.
A big part of their work is the CERT Resilience Management Model (CERT-RMM), which is a maturity model for “Operational Resilience”, much as the original CMM is a maturity model for software and system management.
V1.1 of the CERT-RMM was published as a book by Addison-Wesley, but v1.2 is available as a free download from the site.
They have other materials for cybersecurity you should check out.
Cyber Resilience Review (CRR)
Full information on the CRR is found HERE, where you can read about the CRR and download all of the materials.
The CRR is built around 10 domains:
- Asset Management
- Controls Management
- Configuration and Change Management
- Vulnerability Management
- Incident Management
- Service Continuity Management
- Risk Management
- External Dependency Management
- Training and Awareness
- Situational Awareness
There are other resources for the CRR, such as crosswalks to the NIST Cybersecurity Framework, the FFIEC CAT, etc.
I recommend that you check out the US-CERT site, as they have a lot of other cybersecurity resources.
World Economic Forum
The World Economic Forum, established in 1971, is a global organization that works through public-private partnerships to help improve the world. It has several initiatives, and under its Digital Economy initiative it has run a project focused on cyber resilience for several years.
They have a variety of reports and materials, all available for download:
- Advancing Cyber Resilience (most recent work and a lot of good resources here)
- Towards the Quantification of Cyber Threats
- Principles & Guidelines
- Pathways to Global Cyber Resilience (including the Cyber Risk Framework and Maturity Model)
As part of their work, they worked with xxx, whose people put out a book: Beyond Cybersecurity.
MITRE is a not-for-profit organization that operates research and development centers sponsored by the federal government (FFRDCs, federally funded research and development centers). One of them is focused on cybersecurity.
They have produced a fair amount of material on cyber resilience. They have held 7 annual Secure and Resilient Cyber Architectures Invitational & Training Events, the most recent in May of 2017.
National Forum for Public Private Collaboration
First established as the Global Forum for Advanced Cyber Resilience, it was meeting the CEO of this group that spurred me on to doing this research.
They have worked up a common lexicon, and their current projects appear to be developing business use cases for cyber resilience in several sectors. They also held a collaboration event in September of 2017.
It will be interesting to see where this group goes with what it’s doing.
Resilia is a best-practice program from Axelos, which manages the ITIL certification program. It includes a couple of certifications, at the Foundation and Practitioner levels. I’m not sure of the value of this program, as I don’t see much mention of it in the marketplace.
But do check it out.
*** This is a Security Bloggers Network syndicated blog from Michael on Security authored by Michael R. Brown. Read the original post at: http://michaelonsecurity.blogspot.com/2017/11/cyber-resilience-what-ive-found-part-1.html