TrustedSec’s Information Security Maturity Assessment identifies core critical security programs in your organization that are focused on protecting the business’s ability to generate revenue and continue operations uninterrupted.

TrustedSec focuses on security that is important to the organization and a way to implement sound security practices that are achievable. TrustedSec utilizes both the National Institute of Standards (NIST 800) and ISO 27002 controls framework as a baseline for the assessment.

TrustedSec takes a blended approach by performing a series of interviews regarding the twelve domains of security. Then we perform validation and testing to ensure that the actual maturity level is at the level of what is being communicated. The framework allows companies to be flexible regarding controls to ensure they are relevant to the organization and incorporates a capability maturity model into the standard.

This blends the binary existence of controls with the maturity model of the security program to maintain the control environment. This allows measurement of the reliability of the control environment, as well as the effectiveness of controls for preventing and detecting cybersecurity events.

TrustedSec focuses on three main ways of collecting information to align to the framework.

  • Interviews with key individuals of the organization
  • Documentation reviews
  • Observations of the environment

Categories for Program Maturity Assessment

There are five (5) main categories that we focus on for the assessment.

Identify

One of the first steps in understanding the environment as it relates to cybersecurity is to first gain understanding of the business context, the resources that support the critical functions and the related cybersecurity risks to the organization. Only then can you start to prioritize the efforts surrounding the environment, and prioritize your resources consistent with the risk management strategy and business needs.

Subcategories

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect

Once the critical assets and influences are known to the organization, you can then start to develop the controls that are designed to limit or contain cybersecurity events that would have a potential impact. This ranges from end-point controls, minimum security baselines, physical controls, and good security awareness.

Subcategories

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect

While prevention is the ultimate goal for cybersecurity events, the current environment with all the evolving threats makes it unfeasible. To combat this, we need to ensure that good, timely detection mechanisms exist within the company to alert on potential issues before they turn into major incidents.

Subcategories

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond

While prevention is the ultimate goal for cybersecurity events, the current environment with all the evolving threats makes it unfeasible. To combat this, we need to ensure that good, timely detection mechanisms exist within the company to alert on potential issues before they turn into major incidents.

Subcategories

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover

In this section, we look at the organization’s ability to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. This includes plans for DDoS, ransomware, and potential compromises of systems, and should often times be included within the company’s core business continuity plan.

Subcategories

  • Recovery Planning
  • Improvements
  • Communications

Featured Content

Why Penetration Testing Needs Continual Evolution: Going Purple

Download

Talk with an Expert

David Kennedy

Author: David Kennedy

Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.