A cyber resilience assessment or review (CRA/CRR) is conducted to identify existing weaknesses and vulnerabilities and then address where, how, and when cyber resiliency techniques can be applied to improve resiliency against any adversary and/or cyber threat. The focus of a cyber resilience assessment can vary based on factors such as scope, budget, and size of the organisation. It can be conducted for a family of systems, common infrastructure, a mission/business segment, or a system-of-systems, or it can be applied to individual systems, services, or components.
A CRA can also be applied to an operational or as-is architecture, in which case the emphasis may be on the “low-hanging fruit”, that is, opportunities for near-term and high-leverage improvements using a few cyber resilience techniques. This helps to provide a set of general recommendations as a starting point for identifying such opportunities. A cyber resilience assessment requires a structured representation of the problem domain and solution space, so that the scope of the assessment can be clearly defined. This can include, but is not limited to:
- An assessment focused on how Analytic Monitoring capabilities could be improved;
- An analysis of alternatives (AoA) with respect to the cyber resilience objectives and techniques; and
- A comprehensive analysis to support the development of a roadmap for improving cyber resilience.
It is also very important to choose a suitable methodology or framework so that the result can be trusted. Some of the well-recognised frameworks can provide an in-depth outcome for a cyber resilience assessment as well as a robust improvement roadmap, such as:
- ISO/IEC 27001:2013
- NIST – Cybersecurity Framework
- SANS CIS
- PCI DSS

The following picture shows a set of questions which should be answered during any type of resilience assessment.

Cybersecurity is not something you do once; it is something you develop and improve. It is an ongoing journey which can be initiated with a robust cyber resilience assessment.