Critical Business Service - Cyber Resilience Assessment
Cyber Resilience Assessment
The Cyber Resilience Assessment is an assessment methodology developed in the United States by the Department of Homeland Security in partnership with Carnegie Mellon University's Software Engineering Institute. It is widely used in US critical infrastructure.
The CRA can be performed as a self-assessment or in a guided assessment process.
Contact us for more information about how to organise and guide the CRA process.
Critical Business Service
The Cyber Resilience Assessment (CRA) focuses on a critical business service.
It covers ten domains, and for each domain it assesses five maturity indicator levels.
The goals and practices in the CRA are derived from the CERT Resilience Management Model. This model gives further guidance on how to implement and perform the practices.
Ten Domains
The CRA method is divided into the following ten domains:
1. Asset Management
2. Controls Management
3. Configuration and Change Management
4. Vulnerability Management
5. Incident Management
6. Service Continuity Management
7. Risk Management
8. External Dependencies Management
9. Training and Awareness
10. Situational Awareness
For each domain, the assessment looks at the goals and practices associated with it.
Maturity Indicator Levels
The CRA distinguishes five maturity indicator levels, which are assessed across all ten domains. The performance scale divides capability into five levels:
1. Complete
2. Performed
3. Managed
4. Measured
5. Defined
The Maturity Indicator Level questions examine how far the practices have been institutionalised within the organisation.
The CRA process
The process is organised in three steps:
Step 1: Scope and prepare the assessment
Step 2: Perform the assessment
Step 3: Review and debrief the outcomes of the assessment
Resources
More information about this resilience assessment methodology, including the question set and guidance, can be found on the website of the US Critical Infrastructure Security Agency (CISA):