Assessing Your Organization’s Cybersecurity Practices with Homeland Security’s Cyber Resilience Review
Every time a new high-profile data breach makes the news, it’s another reminder to organizations about the need to be vigilant. With the estimated cost per lost or stolen record at $148 (according to an IBM/Ponemon study), the numbers can add up fast. For small businesses, the losses could hit hard too — Kaspersky estimates that emergency infrastructure improvements and reputational damages alone cost $15,000 each per incident.
Best practices in creating a cybersecurity strategy include starting off with a comprehensive assessment of assets, controls, vulnerability management and so on. But a common struggle for smaller organizations is lack of resources to conduct this type of assessment.
That’s where the Cyber Resilience Review from the U.S. Department of Homeland Security’s National Cybersecurity and Communication Integration Center (NCCIC) can help. The NCCIC is an arm of the Department of Homeland Security (DHS) that integrated four other agencies, including US-CERT (U.S. Computer Emergency Response Team). The free Cyber Resilience Review (CRR) assesses programs and practices in 10 different categories and provides a gap analysis that the organization can use to improve its cybersecurity posture.
What Is CRR?
DHS developed the CRR in partnership with the CERT Division of the Software Engineering Institute at Carnegie Mellon University. The CERT Division is considered a leader in cybersecurity, conducting research and developing cutting-edge resources and training. The CRR is modeled on the CERT Resilience Management Model, which the Software Engineering Institute developed to improve processes that contribute to operational resilience.
The CRR predates both the National Institute of Standards and Technology (NIST) and the NIST Cybersecurity Framework, but the principles and practices it recommends align closely with the Cybersecurity Framework.
Who Should Participate in the CRR?
The Cyber Resilience Review targets owners and operators of critical infrastructure, as well as state, local, tribal and territorial governments. DHS has a broad definition for critical infrastructure to encompass more than a dozen sectors, including healthcare, communications, food and agriculture and IT.
Since the CRR comes with a comprehensive self-assessment tool, organizations from other sectors could also use it to improve their ability to manage cyber-risk and respond in times of operational crisis.
Critical infrastructure and government organizations can opt for the self-assessment but also have the option of a six-hour onsite session facilitated by a regional cybersecurity adviser. Either option results in a report, and in the case of a self-assessment, the report is self-generated after you complete a downloadable PDF.
The 10 Domains Included in the CRR
The goal of the CRR is to provide a universal assessment and a flexible approach based on the organization’s size, maturity and type of operations. It’s also intended to benefit organizations with different levels of cyber resilience maturity. Some domains may not apply equally to all, and it’s up to the organizations to determine each domain’s relevancy to their operations.
The 10 domains are as follows:
- Asset management
- Controls management
- Configuration and change management
- Vulnerability management
- Incident management
- Service continuity management
- Risk management
- External dependency management
- Training and awareness
- Situational awareness
The domains include a series of goals and a maturity indicator section, and each goal and maturity indicator section includes “yes” or “no” questions only. The tool describes each question’s intent, along with giving guidance on how to qualify responses.
Here is an example.
In the configuration and change management domain, goal 1 is: “The life cycle of assets is managed.” To assess this goal, there are six questions:
- Is a change management process used to manage modifications to assets?
- Are resilience requirements evaluated as a result of changes to assets?
- Is capacity management and planning performed for assets?
- Are change requests tracked to closure?
- Are stakeholders notified when they are affected by changes to assets?
- Is a System Development Life Cycle implemented to manage systems supporting the critical service?
To further break this down, Question 1 explains that the intent is “to determine if a change management process is used to manage asset modifications. Change management is a continuous process of controlling and approving changes to assets that support the service.”
The tool then clarifies that the process addresses the addition of new assets, as well as changes to or elimination of assets, and lists examples of work products such as change requests, change approvals and change tracking. It also explains the criteria for a “yes” response and an “incomplete” response.
What to Expect During the CRR Process
DHS recommends the CRR to include not only staff responsible for security, but a cross-functional team from departments such as business operations, IT operations, risk management and procurement. The CRR questions are the same for self-assessments and facilitated ones, but the advantage of a facilitated one is having a person trained in using the assessment.
Whether your assessment is self-directed or facilitated, you will receive the same type of report based on your answers, along with best practices and procedures you should consider to improve your cyber-posture. DHS says it doesn’t collect any information during the assessment, and all the answers are provided confidentially.
To help you with the assessment, DHS has the following resources available as free, downloadable PDFs:
- Information sheet: A brief overview of CRR
- Method description and user guide: A 56-page guide for the internal person who will plan and facilitate the process within the organization
- Question set with guidance: A 161-page step-by-step walkthrough to evaluate the 10 domains
- Self-assessment package: A fillable form used to generate the report
- CRR NIST Framework Crosswalk: A cross-reference chart that shows how CRR aligns with the NIST Cybersecurity Framework
- Individual guides for each assessment domain (for those cases where not all domains are applicable)
Why Consider the CRR
A comprehensive cybersecurity strategy integrates three main components: people, processes and technology. The CRR’s premise is also based on those three assets, plus a fourth one: facilities.
What may make it particularly useful is the fact that it evaluates the organization’s resiliency and ability to manage cybersecurity risk not only during normal operations but also during a crisis or operational stress. As many organizations use the NIST Cybersecurity Framework (or at least parts of it), the CRR is a way to examine cybersecurity posture in a context that ties back to the NIST best practices.
- What is the cost of a data breach?, Kaspersky
- Hidden costs of data breaches increase expenses for businesses, IBM
- The CERT Division, Carnegie Mellon University Software Engineering Institute
- Cyber Resilience Review fact sheet and overview, Homeland Security
- Assessments: Cyber Resilience Review, Homeland Security