Australian CISC enhances organizational resilience tools and framework, complements refreshed HealthCheck Tool

The Australian Cyber and Infrastructure Security Centre (CISC) unveiled an enhanced self-assessment tool, the Organisational Resilience HealthCheck Tool, on Monday. The tool is designed based on modern organizational resilience methodologies to strengthen organizational resilience against various threats. Users can evaluate and rate their organization across 13 resilience indicators using this tool.

Furthermore, the agency launched a refreshed ‘Organisational Resilience: Good Practice Guide’ to complement the use of the refreshed HealthCheck Tool, providing users with access to contemporary guidance using real-world examples. The guide introduces an Organizational Resilience Maturity Framework. This is a modified version of the United Nations’ Organizational Resilience Maturity Model that has four levels of organizational maturity from developing to generative.

The four stages of an organization’s resilience journey include developing, establishing, advancing, and generative. Under the ‘developing’ stage, an organization has commenced the organizational resilience journey. They have some systems and processes in place to manage key aspects of resilience but don’t necessarily recognize it as such. These organizations may have experienced disruption that has led them to explore opportunities to improve.

When it comes to the ‘establishing’ stage, key functionalities that support organizational resilience are implemented in a formal, structured, and documented manner, with stable processes, standards, and guiding principles. The ‘advancing’ stage is when organizations have recognized that standard processes alone will not effectively support the organization with future uncertainties. These organizations are socializing and extending the internal engagement of organizational resilience to identify improvements in capability, adaptability, and agility.

Under the ‘generative’ stage, organizational resilience is embedded in the culture of the organization and frames everything the organization does. It is a key ‘lens’ through which the organization views the world. This level of maturity produces new outcomes, opportunities, and ways of thinking for the organization to manage an uncertain future.

On completing the tool, organizations will automatically receive a HealthCheck Tool Results Report. The report will give the overall organizational resilience stage rating of either Developing, Establishing, Advancing, or Generative (as per the Organizational Resilience Maturity Framework); a spider graph image to indicate how the organization scored against each resilience indicator (a score out of 6); and the stage rating for each resilience indicator, with specific recommendations for continual improvement in resilience scores.

Finally, organizations should review the assessments of each indicator and analyze the reasons for any variations. Additionally, they should contemplate how they can implement the recommendations provided in the Results Report for all 13 indicators. Embracing this guidance has the potential to strengthen the organization’s resilience against various threats.

Updating the HealthCheck Tool is a key initiative of the Australian Government’s 2023 Critical Infrastructure Resilience Strategy. It calls for continually striving to access, review, and understand existing federal, state, and territory government plans and legislation about owning and operating critical infrastructure; and information and intelligence products to inform risk management strategies. 

The HealthCheck Tool invites participants to assess and rate their organization across 13 resilience indicators, including leadership, decision-making, situational awareness, creativity and innovation, employee engagement, collaboration, resource management, knowledge management, silo mentality, exercise management, foresight, unity of purpose, and proactive posture. 

These resilience indicators are the foundation for ‘business-as-usual’ effectiveness, as they contribute to robust and agile response and recovery capabilities. They have been updated based on contemporary thinking and best evidence-based practice. 

The guide focuses on combining an organizational resilience framework with an organizational resilience maturity model and offers specific guidance for each indicator on how to enhance an organization’s resilience that is tailored to the organization’s current level of organizational resilience maturity. 

Additionally, the Good Practice Guide can be used to assess perceptions of organizational resilience. There are many ways to assess organizational resilience and the soundest methods compare multiple sources of information. There are also several approaches to using this Guide. It could be used to assess the perceptions of a team, such as the cyber team, human resources team, finance team, business unit or department, or a combination of these. Further, it could be used strategically by the executive to identify key gaps in the organization’s resilience.

Any assessment needs to recognize its limitations. The guide is not designed in its current approach for an organization-wide survey due to the challenges in disseminating and collating the responses. Finally, it is important to remember that any assessment is a snapshot in time and perceptions are likely to change over time and in response to internal and external contexts. 

The guide provides an overview of each of the thirteen indicators in the organizational resilience framework, with a brief description of the indicator. It also provides a case study that explores how the indicator has been used in practice and includes a series of statements that will help consider how that specific indicator is applied in the organization. Lastly, the document includes some advice on how the organization may wish to enhance its capability for that specific indicator based on the level of organizational resilience maturity.

Advice is provided for the first three levels of organizational resilience maturity to assist organizations in developing, establishing, and advancing their level of organizational resilience. No advice is provided for the ‘Generative’ level of organizational maturity as this type of organization is likely to understand how to further their level of organizational resilience for that particular indicator. To produce a tailored assessment of the organization’s resilience and receive specific advice based on the level of organizational resilience maturity, organizations need to complete the online version of the assessment using the Organisational Resilience HealthCheck Tool. 

Last week, the CISC updated guidance materials aimed at bolstering cyber security measures for Systems of National Significance (SoNS), which represent the country’s most critical infrastructure assets. The comprehensive guidance includes specific instructions for SoNS on fulfilling the Incident Response Planning obligation and detailed guidelines for meeting the Cyber Security Exercise obligation. These enhanced obligations are part of Australia’s ongoing efforts to strengthen the resilience and security of its vital infrastructure against cyber threats.
