Cybersecurity risk can manifest in the form of financial and reputational risk and can affect your company’s bottom line. It can harm your ability to innovate and to add to and maintain your customer base. To address all the aforementioned risks, the National Institute of Standards and Technology (NIST) was tasked with developing a cybersecurity risk framework that identifies:
“a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks” (15 U.S.C. § 272(e)(1)(A)(i)).
There are five pillars for a successful and holistic cybersecurity program. These pillars represent the five core functions of the NIST Cybersecurity Framework (CSF). When Partners in Regulatory Compliance (PIRC) performs a cybersecurity assessment for your organization, we’ll use the NIST CSF and the NIST PRISMA maturity scale to give you a quantifiable “grade” of the state of cybersecurity within your organization.
The five cybersecurity pillars are as follows (source: https://www.nist.gov/cyberframework/online-learning/five-functions):
The Identify Function assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.
The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.
Cybersecurity Assessments Based on Other Frameworks
In addition to the NIST CSF, PIRC can identify gaps between your environment and these additional cybersecurity frameworks: HIPAA Security Rule, NIST SP 800-171, PCI DSS, and GDPR. All of our cybersecurity assessments provide recommendations for improvement, which allows your organization to close gaps in an actionable fashion.
PIRC’s security assessments are performed by Certified Information Systems Security Professional (CISSP)-certified cybersecurity consultants, so you know you’re getting only the best and most pertinent advice.
Our security assessments are more than just a cursory review of technology. The three phases of our security assessments are:
Documentation Collection & Review
This phase is intended to give PIRC’s cybersecurity consultant a security perspective to aid in leading personnel interviews and other data collection. We will collect and review the following items.
Policies – Written information security policies such as acceptable use, backup, incident response, and access control will be collected by the client and transferred securely to the cybersecurity consultant.
Procedures – Documentation on procedures will be collected by the client and transferred securely to the cybersecurity consultant. Examples of procedures to be collected include:
Data backup procedures/steps
HR onboarding / user creation process
Process for revoking user rights upon employment termination
Processes for granting user access to various workflows and file shares
Procedures for determining the health of various systems
Diagrams and configurations – This will include collection of physical and logical networking diagrams, application-level data flow diagrams, and configurations of critical systems.
Previous assessment outputs, if they exist – Any recent security assessment, penetration testing, or vulnerability assessment output will be considered an input in this project for context and historical analysis.
Our cybersecurity consultant will work with you to determine who should be involved in interviews. It is important to gather a representative sample of the workforce population, people in different roles within the organizational hierarchy, and people using different data workflows. We’ll do the following.
Perform remote interviews of personnel to gather organizational intelligence
Map out how the organization implements specific security standards in practice
How effective are day-to-day activities when stacked against security standards?
What technologies are in use?
What controls may or may not exist?
Document current status and write remediation recommendations where cybersecurity maturity is lacking, and improvement opportunities exist
Each interview typically takes 1-2 hours to complete
Interviews may be recorded to ensure thoroughness (recordings are used for the sole purpose of conducting your project, and will be destroyed after project completion)