Assessing Your Organization’s Cybersecurity Practices with Homeland Security’s Cyber Resilience Review

Every time a new high-profile data breach makes the news, it’s another reminder to organizations about the need to be vigilant. With the estimated cost per lost or stolen record at $148 (according to an IBM/Ponemon study), the numbers can add up fast. For small businesses, the losses could hit hard too — Kaspersky estimates that emergency infrastructure improvements and reputational damages alone cost $15,000 each per incident.

Best practices in creating a cybersecurity strategy include starting off with a comprehensive assessment of assets, controls, vulnerability management and so on. But a common struggle for smaller organizations is a lack of resources to conduct this type of assessment.

That’s where the Cyber Resilience Review from the U.S. Department of Homeland Security’s National Cybersecurity and Communication Integration Center (NCCIC) can help. The NCCIC is an arm of the Department of Homeland Security (DHS) that integrated four other agencies, including US-CERT (U.S. Computer Emergency Response Team). The free Cyber Resilience Review (CRR) assesses programs and practices in 10 different categories and provides a gap analysis that the organization can use to improve its cybersecurity posture.

What Is CRR?

DHS developed the CRR in partnership with the CERT Division of the Software Engineering Institute at Carnegie Mellon University. The CERT Division is considered a leader in cybersecurity, conducting research and developing cutting-edge resources and training. The CRR is modeled on the CERT Resilience Management Model, which the Software Engineering Institute developed to improve processes that contribute to operational resilience.

The CRR predates both the National Institute of Standards and Technology (NIST) and the NIST Cybersecurity Framework, but the principles and practices it recommends align closely with the Cybersecurity Framework.

Who Should Participate in the CRR?

The Cyber Resilience Review targets owners and operators of critical infrastructure, as well as state, local, tribal (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Rodika Tollefson. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/-N6yBelsMfQ/