Breach Defense Playbook, Part 4: Reviewing Your Cybersecurity Program
June 18, 2015
How does your cybersecurity program compare to your industry peers?
Most organizations are engaged in a cyclical process of improving their cybersecurity posture, centered on their sensitive data and the business processes that handle it. Roadmaps and milestones are part of that process, but a key element should also be evaluating your cybersecurity people, processes, and technology with the aim of moving from the current state to a defined, more secure future state.
To begin, use the NIST Framework for Improving Critical Infrastructure Cybersecurity and defense-in-depth methodologies as the foundations for your assessment. Supplement that foundation with intelligence and lessons learned from other organizations in your industry that have suffered a breach; the targets and techniques used against them are a good indication of what your own program must withstand.
The goal of reviewing your cybersecurity program is to establish, with measurable evidence rather than assumptions, how well the enterprise network actually protects your business environment. To do so, perform a gap analysis of your security program against that framework, producing a prioritized roadmap of enhancements.
Program Gap Analysis
Your gap analysis assesses the current security infrastructure in order to develop a roadmap for implementing enhancements. The first step is a pre-assessment questionnaire used to define and understand the physical and virtual locations of critical data assets. Never assume that you already know everything about your own organization; the best practice when performing assessments is to assume you know nothing and let the evidence fill in the picture. Spend time reviewing the completed questionnaire before conducting the actual assessment and interviews. Examples of material you will want to review include network drawings, an inventory of security devices, firewall configurations, security policies, planned security enhancements, and any existing cybersecurity roadmaps. Treat this documentation as a starting hypothesis rather than ground truth: diagrams and rule sets routinely drift from what is actually deployed, and confirming them against the live environment is part of the assessment.
Use the questionnaire to define and understand the network architecture and design, the systems and software in use, and what data is stored and how it is manipulated. Identify the systems on which the data resides, the paths over which it is transported, and the security controls around those systems and paths. Encourage respondents to provide complete and detailed answers wherever possible; thorough answers greatly shorten the rest of the process. Then use the results of the questionnaire to focus the gap analysis.
Although your primary scope is the security of the systems identified as holding critical data, those systems are almost always interconnected with other resources and share security measures with them, so the trust relationships and controls between them belong in scope as well. Keep in mind that the analysis itself collects and produces sensitive information, such as network diagrams, firewall rule sets, and a list of known gaps, that would be valuable to an attacker. Keep that data secured and restricted to the assessment team, exchange it only over encrypted channels, and properly dispose of all sensitive material at the conclusion of the assessment.
The Interview Phase
After the questionnaire review, conduct a round of in-person or virtual interviews with security personnel and IT management. The interviews give you an understanding of your security practices, culture, and network and cybersecurity capabilities, and they often reveal where documented procedures and day-to-day practice diverge. The on- and off-site interviews and their results help drive the rest of the assessment and ensure that you identify potential gaps.
When performing your assessment, use the NIST Framework for Improving Critical Infrastructure Cybersecurity (2014) as the basis for assessing gaps. Focus on the five areas listed below, bearing in mind that not all areas apply to every organization. Because the Framework is your baseline, record in your analysis which areas you judged not applicable and why; if they become applicable in the future, you will have a paper trail describing why they were not assessed earlier.