A Five-Point Assessment for Information Protection

TrustedSec’s Information Security Maturity Assessment identifies core critical security programs in your organization that are focused on protecting the business’s ability to generate revenue and continue operations uninterrupted.

TrustedSec focuses on security that is important to the organization and on implementing sound security practices that are achievable. TrustedSec utilizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as the baseline for the assessment.

TrustedSec takes a blended approach by performing a series of interviews covering the twelve domains of security. We then perform validation and testing to confirm that the actual maturity level matches what was communicated in the interviews. The framework gives companies flexibility in selecting controls so that they remain relevant to the organization, and it incorporates a capability maturity model into the standard.

This blends the binary existence of controls with the maturity of the security program that maintains the control environment. The result is a measure of the reliability of the control environment, as well as the effectiveness of controls in preventing and detecting cybersecurity events.

TrustedSec focuses on three main ways of collecting information to align with the framework:

  • Interviews with key individuals of the organization
  • Documentation reviews
  • Observations of the environment


Categories for Program Maturity Assessment

There are five (5) main categories that we focus on for the assessment.

Identify

One of the first steps in understanding the environment as it relates to cybersecurity is to gain an understanding of the business context, the resources that support critical functions, and the related cybersecurity risks to the organization. Only then can you prioritize the efforts surrounding the environment and allocate your resources consistent with the risk management strategy and business needs.

Subcategories

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect

Once the critical assets and influences are known to the organization, you can then start to develop the controls designed to limit or contain cybersecurity events that would have a potential impact. These range from endpoint controls and minimum security baselines to physical controls and good security awareness.

Subcategories

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect

While prevention is the ultimate goal for cybersecurity events, the current environment, with its constantly evolving threats, makes complete prevention infeasible. To compensate, we need to ensure that good, timely detection mechanisms exist within the company to alert on potential issues before they turn into major incidents.

Subcategories

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond

Detection alone is not enough; once a cybersecurity event has been detected, the organization must be able to act on it. In this section, we look at the organization's ability to plan for a response, communicate internally and externally during an incident, analyze what occurred, mitigate the impact, and improve its response capability based on lessons learned.

Subcategories

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvement

Recover

In this section, we look at the organization’s ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. This includes plans for DDoS, ransomware, and potential compromises of systems, and these plans should often be included within the company’s core business continuity plan.

Subcategories

  • Recovery Planning
  • Improvements
  • Communications