Assessing Cyber Risk Readiness
One lesson of the past 20 years is that organizations cannot expect to prevent every cyber attack. Instead, they must be ready to continue operations and meet their missions when disruption occurs.
The SEI's CERT Division tools for cyber risk and resilience promote a structured approach to managing security risks, business continuity, and information technology operations in the context of business objectives.
Created by the CERT Division of the SEI for the U.S. Department of Homeland Security (DHS) in 2011, the Cyber Resilience Review (CRR) is a no-cost, voluntary, non-technical assessment of an organization's operational resilience and cybersecurity practices. The CRR assesses enterprise programs and practices across 10 domains based on the CERT Resilience Management Model (CERT-RMM), including asset management, vulnerability management, incident management, risk management, and situational awareness. In 2014, DHS released a CRR self-assessment guide so that organizations can conduct a CRR without outside facilitation. In 2015 alone, the CERT Division conducted 48 CRRs in 10 critical infrastructure sectors.
In 2012, the SEI's CERT Division developed the Risk and Vulnerability Assessment (RVA) to aggregate vulnerability data in support of informed decisions about the security and safety of information systems. An RVA combines national-level threat and vulnerability information with assessment data to provide specific risk analysis reporting and remediation steps. An RVA provides information on network mapping, penetration testing, wireless networks, databases, and other areas. During 2015, the CERT Division worked with DHS to conduct 46 RVAs.
In 2015, the SEI's CERT Division and DHS launched the External Dependencies Management (EDM) Assessment. This in-person, DHS-facilitated evaluation measures how well an organization can handle cyber disruptions in key services provided by third parties. Any external dependency presents a risk, from service agreements for cloud computing to business relationships that depend on a third party's computing infrastructure and security.