The CRR is a non-technical assessment to evaluate an organization’s operational resilience and cyber security practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by cyber security professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.
Description
The Department of Homeland Security (DHS) partnered with the
Computer Emergency Response Team (CERT) Division of Carnegie Mellon
University’s Software Engineering Institute to create the CRR. The CRR is a
derivative of the CERT Resilience Management Model (RMM)
(http://cert.org/resilience/rmm.html) tailored to the needs of critical
infrastructure owners and operators.[1]
CRR Self-Assessment Package: This package includes the
entire CRR self-assessment, including the fillable assessment form and report
generator. All assessments require this file to be completed.
CRR Method Description and User Guide: This guide contains
the overall description of the CRR along with detailed steps and explanations
for how to conduct a CRR self-assessment at an organization.
CRR Question Set with Guidance: This document contains the
entire CRR self-assessment question set along with guidance on how to interpret
and answer each of the questions contained within the self-assessment package.
CRR NIST Framework Crosswalk: This document provides a
cross-reference chart for each of the categories in the NIST Cybersecurity
Framework and how they align to the CRR and other references.
Executive Guidance
Executives are advised to give serious consideration to the use
of the CRR to obtain a high-level assessment of their organization's operational
resilience, that is, its ability to keep critical services running through and
after a cyber incident. The CRR offers a series of well-documented and structured
questionnaires that provide a comprehensive review of the practices an
organization should have in place across its ten domains, including incident
management. The fillable assessment form serves as a checklist of the practices
expected in each domain, and the report generator turns the answers into a gap
analysis against recognized best practices.
While the CRR predates the establishment of the
Cybersecurity Framework, the inherent principles and recommended practices
within the CRR align closely with the central tenets of the Cybersecurity
Framework. The CRR enables an organization to assess its capabilities relative
to the Cybersecurity Framework, and a crosswalk document that maps the CRR to
the NIST Framework is included as a component of the CRR Self-Assessment
Package. Note, however, that the CRR is derived from the CERT-RMM whereas the
Framework draws on a different set of underlying standards, so the mapping is
not one-to-one: an organization's self-assessment of CRR practices and
capabilities may fall short of or exceed the corresponding practices and
capabilities in the Framework, and crosswalk results should be read with that
caveat in mind.
For comments please e-mail paul@strassmann.com