Enterprise Risk and Resilience
Created November 2017
Can your organization survive a disruptive cyber event? A comprehensive, integrated approach to cybersecurity is the only viable path to predictability in uncertain times. Our experts in the CERT Division conduct cybersecurity research and create models, tools, and methods that let organizations gain justified confidence in their cybersecurity posture.
Cyber Disruptions Are Inevitable—Your Organization’s Survival Is Not
Your organization cannot foresee every disruption or prevent every cyber attack. It must instead be able to recognize and respond to changes in its risk environment quickly, and be ready to continue operations and meet its mission when disruptions do occur.
Accomplishing this continuity of operations requires a resilience approach to cybersecurity—an integrated, holistic way to manage security risks, business continuity, disaster recovery, and IT operations—in the context of your business mission and strategy. Managing risk to critical assets by optimizing both protection and continuity strategies prepares your organization for a broad range of outcomes.
Our Tools, Your Operational Resilience
Our cybersecurity research and solutions enable your organization to apply cyber risk and resilience management models and methods to assess and improve its operational resilience, manage operational risks, define meaningful metrics, and ensure mission success.
Our research spans the planning, integration, execution, and governance of operational resilience in the ever-changing cyber and technological landscape. We leverage that research to develop best practices, resilience management models, and other methods and tools for assessing and improving enterprise security and operational resilience.
As a trusted partner, we help organizations
- identify and mitigate operational risks that could lead to service disruptions before they occur
- prepare for and respond to disruptive events (realized risks) in a way that demonstrates command and control of incident response and service continuity
- recover and restore mission-critical services and operations after an incident within acceptable time frames
- educate and train their workforces in cyber risk and resilience management
Organizations take on risk to their missions and key services whenever they depend on external entities for information or technology. Examples include breaches caused by a third party's failure to protect data, hardware and software of doubtful integrity deployed within the organization, and the malicious use of trusted third-party relationships to gain access to or harm the organization.
Our management of supply chain risk, also called third-party risk, is founded on
- a risk-based approach
- acceptance of constant change
- a well-established body of work
We offer many resources to help organizations manage their supply chain risk, from blogs and webinars to in-person assessments of organizations' external dependencies management. These resources can help your organization
- determine the maturity of its external dependencies management
- draft better contracts with third parties
- build relationships with the right third parties
- maintain awareness of changes and vulnerabilities that might affect suppliers
Evaluation Beyond Compliance and Penetration Testing
Our experienced team also develops organizational assessments based on our risk and resilience solutions. These tools and methods let organizations gain justified confidence in their cybersecurity posture. In developing them we draw on well-established principles of process measurement, such as the CERT® Resilience Management Model (CERT®-RMM), together with leading-edge technical vulnerability assessment methods. Our approach takes assessment beyond the routine compliance checklist and traditional penetration testing and instead delivers measures of capability.
Our researchers, engineers, and subject-matter experts often lead the national conversation on critical infrastructure protection and supply chain risk management, and we have measured and evaluated organizations of all sizes and compositions. Deriving practical tools and methods from the best concepts academia has to offer and the best practices of private industry is at the heart of our work.
November 01, 2017 Blog Post
You've known this blog as the Insider Threat blog, and this will continue to be your go-to source as we share our findings and explore the impact insider threat has on information technology and human resources practices and policies. Our...
February 15, 2016 Handbook
CERT-RMM, the foundation for a process improvement approach to operational resilience management, defines the practices needed to manage operational resilience.
November 24, 2010 Book
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.