AXELOS Cyber Resilience Overview
Cyber Resilience is the ability to prevent, detect and correct any impact that incidents have on the information required to conduct business. Because organizations increasingly need to be connected to cyberspace, the AXELOS Cyber Resilience Best Practice is intended for every company that operates in the digital age, and it advocates a top-down approach with strong support from the C-suite.
The purpose of Cyber Resilience is to ensure that an organization can confidently continue to deliver its business strategy and desired outcomes. Cyber Resilience measures must therefore be aligned to these business outcomes, and a proven approach to achieve this is the well-established ITIL® service lifecycle.
ITIL is used by many thousands of organizations around the world to help them design and operate a management system for the creation, delivery and improvement of IT services. ITIL defines a lifecycle for IT service management that has five stages:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement.
At a high level, the Cyber Resilience Best Practice guide follows the structure of the ITIL lifecycle, building on the shared processes and adding specialist content:
- Strategy - understanding Cyber Resilience objectives; identifying assets, risks and vulnerabilities
- Design - selecting Cyber Resilience controls, procedures and training; establishing roles and responsibilities
- Transition - testing the operation of controls and refining them
- Operation - operating, detecting and managing Cyber Resilience incidents and events; continual testing of controls
- Continual Improvement - ensuring controls are kept up to date, adapting to the rapidly changing cyber environment.
Cyber Resilience builds upon the fundamentals of information security, namely Confidentiality, Integrity, Availability and Non-repudiation.
In order to achieve a sufficient level of Cyber Resilience, the key steps recommended include:
- Understanding which information needs to be protected
- Business and supplier-wide awareness, understanding and cooperation
- Ensuring a balance of People, Process and Technology controls.
Staff effectiveness and the ability of staff to recognize and respond to cyber incidents are critical components and should be managed. An increasingly significant proportion of security breaches target an organization's employees; therefore security awareness training, personnel screening and third-party assessments are all highly effective, yet often overlooked, controls.
In order to determine the most effective balance of controls, a risk-based approach should be adopted. The process should identify a proportionate set of countermeasures which, when correctly deployed, will reduce the risk to within the organization's risk appetite.
Managing risks requires identifying, understanding and controlling exposure to risks which may have an impact on business objectives. A number of different methodologies, standards and frameworks have been developed for risk management, including AXELOS Management of Risk (M_o_R®), ISO 31000, ISO/IEC 27001 and NIST Special Publication SP800-39.
The AXELOS M_o_R framework provides a route map for risk management, bringing together principles, an approach, a process with a set of interrelated steps, and pointers to more detailed sources of advice on risk management techniques and specialisms. It also provides advice on how these principles, approach and process should be embedded, reviewed and applied differently depending on the nature of the objectives at risk. It is based on 4 core concepts: M_o_R principles, M_o_R approach, M_o_R process, and embedding and reviewing M_o_R.
Four main terms are used in risk management:
- Asset - something that has value to the organization
- Threat - an event or circumstance that might have an impact on an asset
- Vulnerability - a flaw or weakness in security protection that can be exploited by a threat
- Risk - an event that could cause harm or loss, or affect the ability to achieve objectives.
It is essential to understand the risks being faced, make a decision about how to treat each risk, document the risk treatment plan, and verify that the plan is being followed. Failure to protect against actual risks may have a major impact on an organization's continuing existence. There are 6 distinct phases required to address risks:
- Establish context
- Establish criteria for risk assessment and risk acceptance
- Risk identification
- Risk analysis and evaluation
- Risk treatment
- Risk monitoring and review.
Managing Cyber Resilience
An organization's management system must deliver the level of Cyber Resilience needed by the organization, as well as enabling the organization to meet all its other objectives. Typically the management system will include governance activities, management activities, policies, processes, roles, organization design, and metrics and key performance indicators. Examples of standards and frameworks that may be relevant to organizations planning to improve how they manage Cyber Resilience include:
- ITIL - the most widely accepted best practice framework for IT service management worldwide
- ISO 27001 - defines requirements for information security management systems
- ISO 20000-1 - defines requirements for an information technology service management system, based on the Plan-Do-Check-Act (PDCA) methodology
- ISO 9001 - a customer-focused, process-based quality management system based on PDCA principles
- ISO 31000 - provides principles and generic guidelines on risk management
- ISO 22301 - provides guidance on business continuity management
- COBIT 5 - considers both governance and management of enterprise IT
- NIST 'Framework for Improving Critical Infrastructure Cybersecurity'
- M_o_R - AXELOS framework for risk management that can be incorporated into a management system.