The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Program Maturity Assessment is designed to provide a view into the current state of the Information Security Program and a prioritized roadmap for improvement.
TrustedSec focuses on implementing sound and achievable security practices for the organization, using the NIST CSF as the baseline for the assessment. The framework gives organizations flexibility in selecting controls, which keeps recommendations relevant to the organization rather than prescribing a fixed checklist. TrustedSec incorporates a capability maturity model into the framework, calibrated to the needs of the organization.
The Program Maturity Assessment combines two measurements: whether each control exists (a binary check) and how mature the security program is at operating and maintaining that control over time. Together these measure the reliability of the control environment as well as the effectiveness of the controls for preventing and detecting cybersecurity events.
An effective Information Security program has many elements, with many dependencies between them. Some elements are difficult or impossible to implement until others are in place, so a holistic assessment that considers the entire program, rather than isolated controls, is the most effective approach.
TrustedSec collects the information needed to map the organization's practices to the framework in three main ways:
- Interviews with key individuals of the organization
- Documentation reviews
- Observations of the environment
Categories for Program Maturity Assessment
The assessment is organized around five main categories, following the five core functions of the NIST CSF: Identify, Protect, Detect, Respond, and Recover.
The controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a broad community of government and industry practitioners. The key to their continued value is that the controls are updated as new attacks are identified and analyzed, so that the controls can stop or mitigate those attacks.
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.