TrustedSec’s Information Security Maturity Assessment identifies core critical security programs in your organization that are focused on protecting the business’s ability to generate revenue and continue operations uninterrupted.
TrustedSec focuses on implementing sound and achievable security practices for the organization, using both the National Institute of Standards and Technology (NIST 800 series) and the ISO 27002 controls framework as the baseline for the assessment.
TrustedSec takes a blended approach: we first conduct a series of interviews covering the 12 domains of security, then perform validation and testing to confirm that the actual maturity level matches what was communicated in the interviews. The framework lets companies stay flexible about which controls they adopt, so that the controls remain relevant to the organization, and it incorporates a capability maturity model into the standard.
This blends the binary question of whether a control exists with a maturity model of the security program that maintains the control environment. The result is a measure of both the reliability of the control environment and the effectiveness of the controls at preventing and detecting cybersecurity events.
TrustedSec focuses on three main ways of collecting information to align to the framework.
- Interviews with key individuals of the organization
- Documentation reviews
- Observations of the environment
Categories for Program Maturity Assessment
There are five main categories that we focus on for the assessment.
One of the first steps in understanding the environment as it relates to cybersecurity is to gain an understanding of the business context, the resources that support the critical functions, and the related cybersecurity risks to the organization. Only then can one start to prioritize the efforts surrounding the environment and allocate resources consistent with the risk management strategy and business needs.
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
Once the critical assets and influences are known to the organization, you can start to develop the controls designed to limit or contain cybersecurity events that would have a potential impact. These range from endpoint controls and minimum security baselines to physical controls and good security awareness.
- Access Control
- Awareness and Training
- Data Security
- Information Protection Processes and Procedures
- Protective Technology
While prevention is the ultimate goal for cybersecurity events, the volume of current and evolving threats means it is not always possible. To compensate, we need to ensure that good, timely detection mechanisms exist within the company to alert on potential issues before they turn into major incidents.
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
While prevention is the ultimate goal for cybersecurity events, the current environment with all its evolving threats makes that infeasible. To compensate, we need to ensure that good, timely detection mechanisms exist within the company to alert on potential issues before they turn into major incidents.
- Response Planning
In this section, we look at the organization's ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity event. This includes plans for DDoS, ransomware, and potential compromises of systems, and it should often be included within the company's core business continuity plan.
- Recovery Planning
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.