How many times have you had an IT “expert” tell you that a good firewall is all you need to protect your business? Or maybe it was multi-factor authentication, encrypted back-ups…
Cybersecurity and cyber resilience are broad concepts but they have very specific, actionable tactics that should be employed by every organization and technology user. The best source of information for assessing the state of your cyber environment and determine a plan for improvements is the published frameworks that are used by organizations all around the world to address their cybersecurity needs.
Why use a Framework?
Your IT service provider is an expert in day-to-day technology management, but cybersecurity includes people, behaviour, policies and yes, technology. Managing your cyber exposure is a risk management exercise. While someone with decades of experience in IT support is going to be very knowledgeable, organizations that publish frameworks are dedicated to developing and updating those frameworks to continuously reflect evolving trends in cybersecurity. The largest organizations in the world rely on frameworks to ensure they don’t miss anything and most of those frameworks are published and available at no cost.
Choosing a Framework for your Organization
NIST
The National Institute of Standards and Technology publishes information across a wide-reaching spectrum of scientific and technical subjects, including numerous cybersecurity standards from the detailed 800-53 internal controls standard (the standard required by US Federal Agencies) to Cybersecurity Framework 1.1 (“NIST CSF”).
NIST Cybersecurity Framework (CSF) is a comprehensive lifecycle framework that measures cyber risk across five major categories and 108 underlying controls. Identify your risk, Protect against attack, Detect attacks, Respond to those attacks and Recover to re-establish operations.
ISO/IEC 27000 Series
Based in Geneve, Switzerland, the International Organization for Standardization publishes standards across all aspects of technology, management and manufacturing and are considered leaders in quality and safety standards around the world.
ISO 27001 is comparable in detail to NIST 800-53, with detailed guidelines around assessment of controls. The ISO standards are built around third party audit and certification processes.
NERC CIP – The North American Electric Reliability Corporation published the NERC CIP standard specifically addressing requirements in the bulk power system in North America.
COBIT (published by ISACA) – includes compliance with Sarbanes-Oxley requirements and offers training as well as credentials for cybersecurity professionals.
HITRUST Common Security Framework – specifically adapted to the healthcare industry, heavy on documentation and processes. Can be time consuming and costly to implement but certification option adds to the perception of external validity.
PCI DSS – focused on controls around handling branded credit cards.
CIS Controls – focuses on technical security and operational controls but does not address risk analysis or risk management.
Depending on your available resources and budget, along with your compliance requirements and risk profile, there is a framework suited to your organization’s needs. When in doubt, start with a digestible framework like NIST CSF and graduate from there as needed.
Conducting an Assessment
Once you have selected the most appropriate framework, look for tools or consultants who have experience running assessments against that framework. Make sure the entire framework is addressed in the assessment to ensure there are no gaps. Some solution providers will mix frameworks or “cherry-pick” a subset of controls to make the assessment shorter or easier to implement and that can lead to catastrophic gaps in the assessment results.
Set a deadline for completion of the original assessment, commit to periodic or continuous updates to measure progress and involve the entire organization in the exercise. Too often cybersecurity is seen as an IT problem, when in reality, it is a risk issue that involves every person in an organization. According to multiple studies from around the world, successful cyber attacks involve a human element at minimum 75% of the time.
Taking Action
Assessments should generate a summary report that highlights strengths, weaknesses and recommendations for improvement.
Some recommendations will be easy to implement and inexpensive or addressable by internal resources. These are great opportunities to improve cyber risk exposure in the immediate term. In other cases, some of the gaps identified may be deemed critical and should be addressed as soon as possible, even if they come with an external cost.
Determine a roadmap for improvement over a six to twelve month period and dedicated an explicit budget, time and money, to ensure the remediation items are addressed.
The final step in your action plan needs to include reassessments or continuous updates based on remediated items and other changes in the organization. Wash, rinse and repeat.
The MEARIE Group and Cybersecurity Compliance Corp. currently offer cybersecurity assessments using standalone or multiple-framework assessments (ie. NERC CIP or OSFI guidance for operations and NIST CSF for corporate and overall governance) and provide the option to store supporting documentation in order to facilitate audit and certification, where required.