The best way to meet that goal is to organize your cybersecurity program so resilience is a top priority.
I suggest you do that by following these steps:
- Select a suitable high-level model or framework;
- Select controls that explicitly support cyber resilience, satisfy your customers’ information security requirements and your compliance mandates, and support executive decision making;
- Then, measure how well you’ve implemented these controls as a basis for operating and improving your cyber risk management program.
Let’s walk through the first step now. I’ll cover steps two and three in later posts.
Two Useful Frameworks
For the rest of this post, let’s look at two specific frameworks that emphasize cyber resilience.
As you’ll see, there are a lot of similarities between the two.
NIST Cybersecurity Framework
Previously, I’ve written about the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF); see my earlier posts on why you need to be cyber resilient and where to get your cybersecurity controls. To recap, it has five high-level functions:
- Identify means developing the organizational understanding needed to manage cybersecurity risk;
- Prevent means developing and implementing the appropriate controls to stop cyber-attacks from happening;
- Detect means knowing when a cybersecurity event happens;
- Respond means taking action on a detected cybersecurity event; and
- Recover means restoring all capabilities and services that were impaired by a cybersecurity event.
This CSF has a lot going for it and would make an excellent choice for almost anyone:
- It’s free to use.
- It’s popular in the U.S.
- It was created by a cross-functional team of experts from private industry.
- It gets regular updates.
- You can tailor it to fit your unique needs.
- The framework is useful across a wide range of industries and organizational sizes.
The Gartner Model
Now, let’s consider another Cyber Resilience Model.
This one is from Gartner, the international IT research firm.
It has four high-level functions:
- Gartner defines Predict as proactively learning about attacks and failures and using that information to inform the work of the following three functions.
- The Prevent function consists of the things you do to stop cyber-attacks and failures from causing damage to your organization.
- Detect means finding attacks that have evaded your preventive measures; and
- Respond means containing and removing the threat so you can get through it.
If you’re a Gartner subscriber, adopting their model would make a lot of sense:
- You would inherit the credibility of this independent analysis company;
- The rest of the Gartner tools and resources are already aligned to it;
- Their model includes a second level of categories that you can use to organize and guide the selection of the specific controls you need;
- And for those controls you could draw on NIST SP 800-53, ISO 27001, or one of the other sources we looked at earlier.
Which One?
If you’re not a Gartner subscriber, it’s probably not worth the cost of becoming one just to gain access to their model.
Instead, you can adopt the NIST Cybersecurity Framework and then choose from the 98 included controls.
Note that with the NIST option, you can map every CSF outcome to the corresponding International Organization for Standardization (ISO) 27001 controls. So, with a bit more work, you can also pursue ISO 27001 compliance if you need to.