Cyber Security Assessment
MS CyRIGo uses the NIST Cybersecurity Framework, which provides organizations with a risk-based compilation of guidelines to help them identify, implement, and improve cybersecurity practices. Our goal is to identify the security gaps that separate the current security architecture from a more robust information security program. The Framework does not introduce new standards or concepts; rather, it leverages and integrates cybersecurity practices already developed by organizations such as NIST and the International Organization for Standardization (ISO).
The five functions represent the key elements of effective cybersecurity. Identify helps organizations understand how to manage cybersecurity risk to systems, assets, data, and capabilities. Protect helps organizations develop the controls and safeguards needed to protect against or deter cybersecurity threats. Detect covers the steps organizations should consider taking to provide proactive, real-time alerts of cybersecurity-related events. Respond helps organizations develop effective incident response activities. And Recover is the development of continuity plans so organizations can maintain resilience, and get back to business, after a breach.
Developing and supporting an information security program is a continual process that is revised over time. Our approach begins with evaluating the current IS program, identifying gaps, determining mitigations, implementing improvements, and establishing an ongoing, continuous management process. The Framework "Core" is composed of five concurrent and continuous functions (Identify, Protect, Detect, Respond, and Recover) that provide a strategic view of the lifecycle of an organization's management of cybersecurity risk. Each function is further divided into categories tied to programmatic needs and particular activities, and each category is broken down into subcategories that point to informative references.
The Framework breaks each of these functions down into categories and then provides helpful guidance for each. For example, as the chart above shows, the Identify function has five categories: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy. Under Governance, one of the four subcategories states that an organization should establish an organizational security policy. That subcategory points organizations to standards such as COBIT, ISA, ISO/IEC, and NIST SP 800-53 Rev. 4 for information on how to implement such a policy.
As the Framework recognizes, there is no one-size-fits-all approach to managing cybersecurity risk. Each organization faces its own risks, threats, vulnerabilities, and risk tolerances, so its approach to risk management will differ. But that is the benefit of the Framework: it is not a checklist, but rather a compilation of industry-leading cybersecurity practices. For most organizations, critical infrastructure or not, the Framework may be well worth using solely for its stated goal of improving risk-based security. It can also deliver additional benefits, for example by encouraging effective collaboration and communication with company executives and industry organizations. That is because the Core provides a common language for cybersecurity issues, which helps facilitate important discussions between an organization's IT staff and its business people, some of whom may tune out when they hear technical terminology.