How to conduct a cyber-resilience assessment
Periodic assessments of cybersecurity plans, policies and procedures ensure cybersecurity programs are fit for purpose and ready for use in the event of an attack.

Cyber resilience is an organization’s ability to recover and resume operations following a disruptive event, and these assessments measure that ability. Adapting the assessment process to determine an organization’s resilience, however, goes beyond a simple “do we have it” or “don’t we have it” approach.

Read on to learn how to prepare and conduct a cyber-resilience assessment, and review activities that help improve an organization’s cybersecurity risk posture.

Questions to ask when conducting a cyber-resilience assessment

The following questions will help guide your cyber-resilience assessment:

  • How is systems, software and network cybersecurity managed? Many activities live under this heading, including the following:
    • patch management;
    • antivirus and other malware software updates;
    • strong password management;
    • strong access control;
    • ensuring data, databases and applications are regularly backed up;
    • limiting access to authorized personnel;
    • ensuring hardware, network and facility security is established and maintained; and
    • acquiring cybersecurity insurance.
  • How does the organization test for cyber threats and vulnerabilities? Organizations must have procedures and systems in place to regularly test for and uncover any potential vulnerabilities to the network perimeter and within the organization’s infrastructure. This includes a variety of techniques, including penetration testing.
  • How often are cybersecurity plans, procedures and systems tested? This is especially important because threat actors regularly update and enhance their malicious code. Organizations must also be diligent in their preparations. Staff must know what to do when an attack is detected, management must support cybersecurity management processes and cybersecurity teams must be regularly trained on how to deal with cyber events. For example, organizations should regularly update firewalls and IDSes/IPSes to increase the likelihood of a threat actor being identified.
  • Are cybersecurity team members well trained? Members of the cybersecurity or information security team must stay up to date on critical viruses, ransomware, phishing and other malware activities occurring locally and globally. Team members must also understand how to use cybersecurity applications and systems that identify suspicious code and reduce the likelihood of an attack.
  • How familiar are employees and senior management with cybersecurity event procedures? In addition to the cybersecurity team, employees and senior management must be aware of the company’s policy on how to deal with cyber attacks. This includes what to do if they are attacked. Regular trainings and reminders on the importance of cybersecurity diligence and the company’s policies are key, as well as ensuring employees know how to respond to an attack.
  • What happens in the aftermath of a cyber attack? This step takes an unbiased view of how well the organization responded to the cyber attack, including which actions were successful and which were not. The organization should launch follow-up actions to remediate any problems discovered.

Cyber-resilience assessments provide timely knowledge on the state of an organization’s preparedness for a cyber attack and its ability to adapt and overcome the disruption caused by an attack. If the above questions identify areas for improvement, the organization can make those changes before the next attack occurs.

Cybersecurity resilience assessment checklist

Considering the previous recommended activities, the following checklist can be used to prepare a cyber-resilience assessment:

  1. Identify risks. Create a list of risks and threats that could facilitate cyber attacks and the systems that must be protected.
  2. Identify potential cyber attacks. Create a list of potential cyber attacks, such as phishing or ransomware.
  3. Examine how the organization currently responds to attacks. Create a list of current plans, policies, procedures, systems and technologies.
  4. Protect current systems, software and networks. Ensure current IT assets and resources are protected from attacks.
  5. Test for cyber threats and vulnerabilities. Conduct periodic testing activities, such as pen tests, to identify vulnerabilities.
  6. Test cybersecurity plans and procedures. Validate plans and procedures to ensure they address and mitigate the impact of a cyber attack.
  7. Train cybersecurity team members. Ensure cybersecurity team members know how to deal with threats, as well as cybersecurity systems and software in use.
  8. Train employees and senior management about cybersecurity. Conduct cybersecurity awareness trainings so employees and senior managers are aware of cyber attacks and their role during an attack.
  9. Conduct post-cyber attack activities. Identify the activities that worked and those that didn’t, and identify steps to remediate policies, plans, procedures, systems and technology in preparation for future attacks.

This is a relatively simple assessment checklist. More detailed and expansive cybersecurity assessment tools are available, including the following:

This was last published in June 2022