The scope of a cybersecurity assessment will vary with organizational size, complexity, and industry, but the end goal of any assessment is to reduce the overall attack surface. An assessment is a good starting point for any organization that is unsure of its cyber strengths and weaknesses and needs a roadmap for addressing immediate and future security priorities. Understanding strengths and weaknesses is a key foundation for improving any cybersecurity program.
Once you have decided to complete an assessment, the next step is to determine the scope and scale. What is the goal of your cybersecurity assessment? Are you looking to build a roadmap for improving your security posture? Are you looking to establish benchmarks for your present performance?
Many industries are required to comply with specific regulations and standards, so it is important to factor those requirements into your assessment process and framework. Because assessments and the frameworks behind them have implications for company policy and procedure, senior management and company leadership should be involved in the process. The case for executive involvement becomes clear when a framework is viewed as a risk management tool rather than merely an IT issue.
While it is true that most comprehensive and battle-tested frameworks are a good starting point for developing a security roadmap, it is important to ensure that your chosen framework can accommodate regulatory and security standards requirements as directed by senior management. A list of major regulations and standards to consider is included at the end of this article.
Which assessment framework is the best starting point for you?
The two broadest cybersecurity frameworks are the NIST Cybersecurity Framework and the ISO 27000 standards. There are a number of additional frameworks that are specialized by industry or geographic region.
The NIST Cybersecurity Framework is popular among companies in the US. Developed by Executive Order and in collaboration with academia, the private sector, and governmental agencies, the Cybersecurity Framework was originally aimed at helping to shore up weaknesses in organizations considered to be part of the critical infrastructure.
The NIST Cybersecurity Framework has since been adopted across a wide variety of industries because of its comprehensive nature and sound guidance. The framework is organized around five core functions: Identify, Protect, Detect, Respond, and Recover.
Internationally, the ISO 27000 series provides comprehensive cybersecurity guidance. In particular, 27001 specifies how to implement an information security management system while 27002 helps organizations develop "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
One downside of the ISO standards is that, unlike the NIST Cybersecurity Framework, they are not free. One advantage, however, is that ISO 27001 has a corresponding accreditation process, which gives partner firms confidence in a certified organization's security management.
In addition to these comprehensive frameworks there are many more specialized guidelines including but not limited to the following:
CMMC - the Cybersecurity Maturity Model Certification is a new requirement for all members of the Defense Industrial Base (DIB) that supply the DoD. All companies in the DIB will be required to obtain third-party certification that they meet one of five maturity levels in order to submit proposals on government contracts. https://www.acq.osd.mil/cmmc/
SOC 2 - developed by the AICPA to provide guidance on the security, availability, integrity, and privacy of sensitive user information. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
HIPAA - the Health Insurance Portability and Accountability Act was passed in the US in 1996 to create standards for electronic health records and to also provide standards for the security and privacy of sensitive health information. https://www.hhs.gov/hipaa/index.html
PCI-DSS - the US payment card industry's set of requirements designed to protect consumer financial information when it is stored electronically. https://www.pcisecuritystandards.org/
GDPR - the General Data Protection Regulation is an EU regulation that addresses privacy and data control for data subjects in an effort to reduce personal data vulnerabilities. Although it originated in the EU, it also applies to companies in the US that hold EU citizens' data. https://gdpr-info.eu/
NERC-CIP - the North American Electric Reliability Corporation’s Critical Infrastructure Protection regulations provide specific guidance on cybersecurity for the North American power system. It applies to all bulk power system operators and owners. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
FFIEC Cybersecurity Assessment Tool - this tool helps organizations complete assessments of their inherent risks and gives them a process for identifying their cybersecurity maturity across each of five domains. https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf
FERPA - the Family Educational Rights and Privacy Act is one of the earliest privacy frameworks, covering the protection of student educational records. https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
There are also several more guidelines from NIST to help with cybersecurity including:
Which Assessment Tool is Best?
There is no one-size-fits-all solution. A smart approach is to use a hybrid assessment framework -- one that has been customized to meet your organization's specific business and compliance requirements. Work with your management team, or hire an experienced consulting firm to give you objective advice.
It is critical to have a comprehensive strategy that defends against potential threats while keeping your data secure. At BlueVoyant, we developed our own proprietary Cybersecurity Maturity Assessment model based on best practices and extensive experience helping clients build their cybersecurity roadmaps.
Footnote: NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Footnote: ISO 27000 Directory: https://www.27000.org/
Footnote: NIST Privacy Framework: https://www.nist.gov/privacy-framework/privacy-framework