The Global Resilience Federation (GRF) has released its Operational Resilience Framework for public comment. The framework is aligned with various NIST and ISO standards.
Aimed at organizational cyber resilience leaders, the Operational Resilience Framework has been designed to help strengthen resilience and operational continuity in the face of destructive attacks or events.
The GRF’s Business Resilience Council (BRC), a group focused on mitigating systemic threats to business operations, developed the Operational Resilience Framework with a multi-sector group of security practitioners. The group collaborated on rules and implementation aids intended to ensure that data, systems, networks, applications, and configurations are immutable and recoverable.
The Operational Resilience Framework is structured around a ‘Path to Operational Resilience’, which includes seven steps:
- Implement an industry-recognized IT and cybersecurity control framework
- Understand your organization’s role in its ecosystem
- Define the minimum viable service levels for each operations- and business-critical service
- Establish service delivery objectives for those services
- Preserve data sets necessary to support the services
- Implement processes to enable recovery and restoration services to meet delivery objectives
- Independently evaluate design and periodically test.
Key aspects of the Operational Resilience Framework include:
- Planning for delivery of critical services in an impaired state until services can be fully restored;
- Implementing immutable backup and restoration systems for data, systems, applications, networks, and configurations; and
- Requiring executive-level sponsorship and support from the business to build a culture that achieves resilient business services.
The deadline for comments is June 30, 2022.