Author: Stuart Rance
RESILIA™ Cyber Resilience Best Practice
RESILIA is part of the Axelos best management practice portfolio, which also includes best practices such as ITIL and PRINCE2.
RESILIA Cyber Resilience Best Practice describes a management system approach for improving cyber resilience. RESILIA is designed to integrate well with ITIL® and other management system approaches, to ensure that cyber resilience is built into the way the organization works, rather than being a separate practice.
RESILIA emphasizes the need for balance in cyber resilience, especially the need to balance:
- Protect, detect and correct. However much you try to protect your information, you won’t always succeed, so you also need to invest in detecting security incidents as quickly as possible and correcting them with minimal impact on the business.
- People, process and technology. Many security publications, and many security experts, focus almost entirely on technology solutions, but cyber resilience is as much about processes and people as it is about technology.
- Risks and opportunities. The more security controls you put in place, the harder it can be to run your business. Really great security could make it absolutely impossible for the business to capitalize on new opportunities. This can lead to people working around your carefully crafted security controls, resulting in increased risk.
RESILIA is based on a similar lifecycle to ITIL, with five distinct stages.
- Cyber resilience strategy. Understanding the purpose of cyber resilience in the organization, ensuring the right capabilities and resources are available, establishing governance of cyber resilience, setting policies, managing audit and compliance.
- Cyber resilience design. Designing everything needed to turn the strategy into reality, including the management system and controls needed to protect your assets.
- Cyber resilience transition. Taking the output of cyber resilience design and moving it into operational use, ensuring that risks are managed and new or modified processes and controls deliver the expected outcomes.
- Cyber resilience operation. Managing cyber resilience on an ongoing basis, including management of events, incidents, problems and access rights, as well as managing the technology.
- Cyber resilience continual improvement. Ensuring that cyber resilience continues to be effective in the face of continual changes in the threat environment, the business environment and the technology environment.
RESILIA is intended for:
- Managers who are responsible for staff and processes where cyber resilience practices are required
- IT service management teams, IT development and security teams, and cyber teams who manage and operate the information and information systems the organization depends on
- IT designers and architects who design information systems and security controls
- Senior management who are accountable for cyber resilience, including chief information security officers (CISOs) and IT directors
Scope and constraints
The publication describes the need for a holistic management system that covers cyber resilience in addition to IT service management, quality management, risk management and every other aspect. It includes a description of an asset-based approach to risk management, but is designed to work with any existing risk management approach in use within an organization.
Each chapter of RESILIA describes security controls that are relevant to that stage of the cyber resilience lifecycle, and then explains how those cyber resilience controls interact with the IT service management processes associated with that stage.
The publication also describes three fictional organizations and includes examples in every chapter showing how the cyber resilience practices can be applied in different contexts.