Cyber Security Resilience Review
The CRR is designed to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by cybersecurity professionals. The CRR assesses enterprise programs and practices across ten domains, including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience and to provide a gap analysis for improvement based on recognized best practices.
CRR Resource Guides
The Cyber Resilience Review (CRR) resource guides were developed to help organizations implement practices identified as considerations for improvement in a CRR report. The guides were developed for organizations that have participated in a CRR, but are useful to any organization interested in implementing or maturing operational resilience capabilities for critical cyber dependent services. The CRR captures an understanding and qualitative measurement of an organization’s operational resilience and its ability to manage operational risks to critical services and their associated assets.
Each resource guide can be used and downloaded independently. Organizations using more than one resource guide will be able to make use of complementary materials and suggestions.
The CRR assessment functional areas are:
- Asset Management: The Asset Management guide focuses on the processes used to identify, document, and manage the organization’s assets.
- Controls Management: The Controls Management guide focuses on the processes used to define, analyze, assess, and manage the organization’s controls.
- Configuration and Change Management: The Configuration and Change Management Guide focuses on the processes used to ensure the integrity of an organization’s assets.
- Vulnerability Management: The Vulnerability Management Guide focuses on the processes used to identify, analyze, and manage vulnerabilities within the organization’s operating environment.
- Incident Management: The Incident Management Guide focuses on the processes used to identify and analyze events, declare incidents, determine a response, and improve an organization’s incident management capability.
- Service Continuity Management: The Service Continuity Management Guide focuses on processes used to ensure the continuity of an organization’s essential services.
- Risk Management: The Risk Management Guide focuses on the processes used to identify, analyze, and manage risks to an organization’s critical services.
- External Dependencies Management: The External Dependencies Management Guide focuses on processes used to establish an appropriate level of controls to manage the risks that are related to the critical service’s dependence on the actions of external entities.
- Training and Awareness: The Training and Awareness Guide focuses on processes used to develop skills and promote awareness for people with roles that support the critical service.
- Situational Awareness: The Situational Awareness Guide focuses on processes used to discover and analyze information related to the immediate operational stability of the organization’s critical services and to coordinate such information across the enterprise.
Relationship to the Cybersecurity Framework
While the CRR predates the establishment of the Cybersecurity Framework, the inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework. The CRR enables an organization to assess its capabilities relative to the Cybersecurity Framework, and a crosswalk document that maps the CRR to the NIST Framework is included as a component of the CRR Self-Assessment Package. Though the CRR can be used to assess an organization’s capabilities, the Framework is based on a different underlying framework; as a result, an organization’s self-assessment of CRR practices and capabilities may fall short of or exceed the corresponding practices and capabilities in the Framework. A mapping of the CRR to the Cybersecurity Framework is available here: CRR NIST Framework Crosswalk.
One of the foundational principles of the CRR is that an organization deploys its assets (people, information, technology, and facilities) in support of specific operational missions or critical services. Applying this principle, the CRR seeks to understand an organization’s capabilities in performing, planning, managing, measuring, and defining operational resilience practices and behaviors through an examination of the following ten domains:
- Asset Management
- Controls Management
- Configuration and Change Management
- Vulnerability Management
- Incident Management
- Service Continuity Management
- Risk Management
- External Dependencies Management
- Training and Awareness
- Situational Awareness