Digitisation has transformed our lives by providing boundless economic and social benefits through improved efficiency and productivity. Yet within critical infrastructure organisations, technological innovation has accelerated faster than our ability to secure it.
New thinking in Cyber Resilience
The frequency and scale of recent cyber security breaches, harsher penalties from regulators and increased accountability for board members have resulted in greater assurance being sought that cyber resilience capability exists within organisations.
Coupled with these challenges is the rapidly evolving cyber insurance market and the need for insurers, and organisations seeking to be insured, to be able to measure, monitor and minimise their cyber exposures.
A holistic approach to cyber resilience is achieved by intelligently fusing the key areas of Risk, Readiness, Response and Assurance. The Cyber Resilience Framework draws upon, and is aligned with, the Organisational Resilience Framework that is used by organisations operating in high-risk industries and by owners and operators of critical infrastructure.
If you can measure it, you can build it
Defining and measuring cyber resilience is essential to prioritising cyber resilience investments and providing assurance to boards, shareholders, insurance providers and other key stakeholders. The Janellis Cyber Resilience Scorecard incorporates core components of the NIST Cybersecurity Framework, ISO/IEC 27001, ISO 31000:2018, industry-specific standards and board-level guidelines including the AICD Cyber Security Governance Principles.
The scorecard is used to meet regulatory requirements and provide executive and board level visibility of how cyber security investments are aligned and integrated within an organisation’s broader cyber resilience capability. The scorecard is used to align, measure, embed and maintain capability.
Why use the Cyber Resilience Scorecard?
The Cyber Resilience Scorecard is used to:
- Ensure cyber security investments are aligned with the broader risk and resilience capability.
- Identify gaps in cyber resilience design or capability that need immediate action.
- Validate and prioritise cyber resilience investments.
- Identify areas of excellence that should be applied more broadly.
- Ensure adequate cyber insurance cover and third-party support.
- Provide assurance of current capability to key stakeholders internally and externally.
- Ensure that ‘all reasonable steps’ have been taken to prevent, prepare and respond to a cyber incident.
- Support the development of a cyber resilience capability uplift roadmap.
The scorecard can be completed online as a self-assessment, or it can be completed through a Janellis-led independent assessment.
How does the Janellis-led Scorecard Assessment work?
The Janellis-led Cyber Resilience Scorecard Assessment is completed by following the 4-Step Assessment process detailed below.
Step 1 involves initiating the project, establishing the ‘drivers for the project’, confirming stakeholders and determining the key reporting outputs:
- Nominate assessment lead
- Agree in-scope and out-of-scope items
- Agree on key stakeholders
- Agree on recipients of report
Step 2 involves identifying key systems and documents, designing the customised survey and engaging with key stakeholders:
- Identify key systems to review
- Identify key documents to review
- Customise existing survey
- Engage with key stakeholders
Step 3 involves reviewing the information gathered and selecting interviews or critical thinking labs to validate that information:
- Review systems
- Review documents & processes
- Review survey results
- Conduct select interviews
Step 4 involves reviewing the data and developing the scorecard report:
- Collate and analyse all data
- Identify areas of concern
- Identify areas of excellence
- Present scorecard report
This 4-Step Approach draws on expertise within the business, uses existing technology so that the review can be completed quickly and efficiently, provides a targeted and efficient assessment of capability, and highlights existing and current investments and capability.
The Scorecard Assessment can be completed online, in person or as a hybrid. Customised surveys are used to gather information, and digital technologies can facilitate online meetings and critical thinking labs as required.
How does the online self-assessment Scorecard work?
The online Cyber Resilience Scorecard Assessment is completed by answering a series of questions in the key areas of Risk, Readiness, Response and Assurance. The system will automatically evaluate the answers and provide an assessment report which will be sent via email. The report will include a summary of capability and an overall rating in each of the four sections, and highlight areas that may require immediate action, continued investments, and areas of excellence to monitor.
Who should conduct the review?
- The person/s nominated to conduct the assessment should have visibility and access to cyber resilience activities across the organisation and access to relevant documents, processes, systems, frameworks and tools.
- The nominated person/s may be member/s of the risk, resilience, insurance, technology, security, cyber, crisis, incident or audit teams.
- The online assessment is designed to provide a targeted and efficient assessment of capability. The accuracy of the report will be reliant on the visibility, knowledge and experience of the nominated person/s who complete the assessment.
Cyber Resilience Framework
Uplifting capability and providing assurance
The Scorecard Assessment is completed using the Janellis Cyber Resilience Framework.
The Janellis Cyber Resilience Framework draws upon, and is aligned with, the Janellis Organisational Resilience Framework that is used by organisations operating in high-risk industries and those managing critical infrastructure.
The Cyber Resilience Framework combines technical cyber security requirements with board- and executive-level assurance requirements by intelligently fusing cyber resilience capabilities into four areas of assessment: Risk, Readiness, Response and Assurance. The framework is aligned with the NIST Cybersecurity Framework, ISO/IEC 27001 Information Security Management, industry-specific standards and board-level guidelines including the AICD Cyber Security Governance Principles.