New Technical Note Helps Prioritize Cyber Resilience Review Results into Improvement Plan
April 9, 2019—The SEI’s CERT Division developed and published the Cyber Resilience Review (CRR) on behalf of the Department of Homeland Security in 2011. Since then, hundreds of CRRs conducted across numerous critical infrastructure sectors have yielded exhaustive reports. These reports can provide overwhelming detail of resilience options for consideration; numerous references to best practices, regulations, and standards; and one common question—“OK, now what?”
The CERT Division answers that question in a new technical note: A Targeted Improvement Plan for Service Continuity. This publication provides a template for addressing service continuity management (SCM) and explains how to use CRR results to prioritize SCM-specific and supporting practices. The template employs an SCM improvement profile to develop a long-term plan for protecting and sustaining critical, cyber-dependent services during times of stress.
After completing a CRR assessment, the next logical step is to use the results to create a plan for improvement, yet the best advice on how to proceed is, “It depends.”
“It depends on your priorities, resources, and risk appetite—a truthful answer but not terribly helpful,” said Robert Vrtis, senior engineer in the CERT Division and one of the technical note’s authors. “After all, the CRR lists 167 different practices. We made the assumption that the organization wanted to improve its overall cyber resilience by focusing on service continuity management. We then took a look at all the practices within the CRR and prioritized the response. This resulted in a list of practices with recommended priorities that we called a service continuity template.”
The tech note describes a method for using the included template and results from a CRR to develop a targeted improvement plan tailored to an organization’s own priorities. The organization can identify and prioritize practices that will most improve its service continuity management activities and its overall cyber resilience. The template ranks each of the 167 practices based on the premise that limited resources demand tough choices. The practices are not ranked according to importance—they are all important—but rather according to a suggested order grouped into implementation phases.
“Faced with a huge amount of information from the CRR, the typical practitioner can easily become overwhelmed and unsure of where to start,” said Jeffrey Pinckard, information infrastructure security analyst in the CERT Division, and one of the note’s authors. “What needs the most attention first?” The targeted improvement plan pares down a massive report of gaps to a risk-based list of improvement targets unique to the individual organization. The practitioner can then use this list to build the business case for improvement funding requests and project planning.”
For more information or to download the technical note, visit https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=543718.