Posted in Best Practices in Network Security
In our cyber resilience assessments at the CERT Division of the SEI, we often find that organizations struggle with several fundamentals of cybersecurity management. Specifically, organizations have trouble identifying what critical assets need to be protected and then implementing specific cyber architecture controls, such as network segmentation and boundary protection, to protect them. This post will be the first in a series focusing on common weaknesses in organizational cybersecurity architecture. This initial post focuses on the importance of identifying an organization's critical assets and data so it can design a cybersecurity architecture that incorporates controls to protect those systems.
Cyber resilience focuses on (1) identifying critical or high-value services and (2) putting controls in place to protect and sustain the assets that support those services to ensure their availability during times of stress and disruption. The relationship between services and assets is worth repeating: An organization deploys assets (typically people, information, technology, and facilities) to support specific services. To ensure resilience of the services, we focus on both protecting and sustaining the assets that support them.
To prioritize resilience activities, the organization should first identify and prioritize its high-value services. A high-value service is critical to the success of the organization's mission. High-value services are often reflected in the mission, vision, and values of an organization.
Let's take a look at a few examples from various sectors. Water treatment facilities usually provide two main critical services: distribution of potable water and wastewater treatment. These organizations have other functions that may be important to their operations, including internal functions such as human resources management. That said, these organizations fundamentally exist to provide for the delivery of clean water and the management and treatment of wastewater. Consequently, these organizations would likely prioritize these services.
Let's look to the financial sector for another example. Consider a bank with retail and online operations. These organizations provide multiple services that could be considered high-value and critical to their success. Some banks may prioritize their retail banking operations, while others may consider loan processing or even online banking as their most critical services.
Failing to identify high-value services and their supporting assets can lead to potentially devastating consequences for an organization. In 2015, attackers penetrated the U.S. Office of Personnel Management (OPM) network and were able to successfully exfiltrate the personal information of 21.5 million individuals. One of the primary services offered by the OPM is human capital management. A 2014 report by the OPM Office of the Inspector General (OIG) stated that the OPM did not "maintain a comprehensive inventory of servers, databases, and network devices." That was prior to the data breach, so it's possible OPM may not have had a complete understanding of the critical assets that supported their high-value service.
One of the first things we attempt to understand in our cyber resilience assessments is whether the organization maintains a list of services that it provides and if those services are prioritized to identify those that warrant additional protection resources. The next step is to understand if they have a current list of assets that support the services. The result of this activity provides a view of the interconnectedness between the assets and the services they support so that an organization can more clearly understand which assets should be the focus of protection and sustainment activities and may require additional levels of cybersecurity scrutiny.
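The service-to-asset view described above can be built by reconciling the two inventories. The following is an added example, not code from the original post or from the SEI: the service names, asset names, the 1-to-3 priority scale, and the rule that an asset inherits the priority of the most critical service it supports are all assumptions made for illustration.

```python
# Added example: all names, the priority scale and the data layout are constructed.
from collections import defaultdict

# Prioritized service list (assumed scale: 1 = highest value).
SERVICES = {
    "potable-water-distribution": 1,
    "wastewater-treatment": 1,
    "human-resources-management": 3,
}

# Asset inventory: asset -> (asset type, services it is recorded as supporting).
ASSETS = {
    "scada-hmi-01": ("technology", ["potable-water-distribution"]),
    "plant-operators": ("people", ["potable-water-distribution"]),
    "core-network-switch": ("technology", ["potable-water-distribution",
                                           "human-resources-management"]),
    "hr-database": ("information", ["human-resources-management"]),
    "legacy-file-server": ("technology", []),
    "billing-app": ("technology", ["customer-billing"]),
}


def map_assets(services, assets):
    """Return (asset_priority, supporting_assets, findings) for the inventories."""
    supporting = defaultdict(list)   # service -> assets that support it
    asset_priority = {}              # asset -> inherited priority
    findings = []                    # gaps an assessor would want explained
    for asset, (_kind, supported) in sorted(assets.items()):
        known = [s for s in supported if s in services]
        for s in supported:
            if s not in services:
                findings.append(f"{asset}: supports unlisted service '{s}'")
        for s in known:
            supporting[s].append(asset)
        if known:
            # Inherit the priority of the most critical supported service.
            asset_priority[asset] = min(services[s] for s in known)
        else:
            findings.append(f"{asset}: not mapped to any listed service")
    for s in sorted(services):
        if not supporting.get(s):
            findings.append(f"{s}: no supporting assets recorded")
    return asset_priority, dict(supporting), findings


if __name__ == "__main__":
    priority, supporting, findings = map_assets(SERVICES, ASSETS)
    for asset, p in sorted(priority.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"priority {p}: {asset}")
    for finding in findings:
        print("FINDING:", finding)
```

In this constructed data the shared network switch ends up at priority 1 because it also supports water distribution, and the findings list surfaces an unmapped server, an asset tied to a service missing from the service list, and a high-value service with no recorded assets.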
In the coming weeks, this blog series will focus on the technical cybersecurity architecture controls that organizations should put in place to protect high-value services and assets:
Stay tuned for these topics, and let us know what you think by emailing firstname.lastname@example.org.
Visit the SEI Digital Library for other publications by Andrew.