Cyber Security Risk Assessment
Is your company secure?
Risk Assessment Overview
CP Cyber will assess the design and effectiveness of each category in the NIST Cyber Security framework at an executive level to establish a baseline understanding of a client’s security posture. We will then identify the functional areas where improvement would reduce the client’s exposure to third-party cyber-attacks and information theft, and increase the client’s ability to respond to cyber threats.
Utilizing the NIST framework, our assessment approach is designed to identify, baseline, and assess any gaps your organization has in five key functional process areas of cyber security. These areas include:
- Risk Identification
- Event Protection and Prevention
- Event Detection
- Event Response
- Event Recovery
Risk Identification
Tools, strategies, and techniques for the identification and tracking of potential risks, and the organization’s willingness to accept cyber security risk.
- Asset Management (ID.AM): The data, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
- Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Cybersecurity Protection and Prevention
Tools, strategies, and techniques used to safeguard and ensure delivery of critical information technology infrastructures and systems.
- Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
- Awareness and Training (PR.AT): The organization’s employees and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
- Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Event Detection
Tools, strategies, and techniques used to detect a cyber security event that is taking place or has already taken place.
- Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
Event Response
Plans and actions taken in response to an identified cyber security event.
- Response Planning (RS.RP): Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.
- Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
- Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
- Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
- Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Event Recovery
Plans and actions taken for the resilience and restoration of capabilities or services impaired by a cyber security event.
- Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
- Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
We’ve been working with CP Cyber for the past year and we’ve been exceptionally impressed with their service and speed. If you’re in the market for network/system security, this is your team.
Frequently Asked Questions
What is the NIST Cyber Security framework?
The NIST Cybersecurity framework is a standard that is widely recognized as best practice for computer security. It gives IT and cybersecurity personnel a structure for implementing security controls for IT assets in a way that addresses the most risk first. Many companies use this framework to develop their cybersecurity strategy and to decide which cybersecurity projects to prioritize.
Additionally, some sectors that deal with sensitive data, such as the financial industry, are required by law to follow the standards. We can perform a gap analysis by comparing your current cybersecurity environment to the framework to ensure your IT personnel are prioritizing the cybersecurity projects that matter most.
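The gap analysis described above, as an added illustration that is not CP Cyber’s own tooling: each category from the list on this page is given an assessed maturity score on a constructed 0–4 scale, the shortfall against a target level is rolled up per function, and the functions with the largest total gap are surfaced first. The sample scores, the scale and the target level are constructed assumptions.

```python
"""Toy NIST CSF gap-analysis scorer (added example, not the assessment firm's code)."""

# Category identifiers as listed on this page, grouped by function.
CATEGORIES = {
    "Identify": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM"],
    "Protect":  ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "Detect":   ["DE.AE", "DE.CM", "DE.DP"],
    "Respond":  ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "Recover":  ["RC.RP", "RC.IM", "RC.CO"],
}

MAX_SCORE = 4  # constructed scale: 0 = not implemented ... 4 = optimised

# Constructed sample assessment: one maturity score per category.
SAMPLE_SCORES = {
    "ID.AM": 3, "ID.BE": 2, "ID.GV": 3, "ID.RA": 1, "ID.RM": 2,
    "PR.AC": 3, "PR.AT": 1, "PR.DS": 3, "PR.IP": 2, "PR.MA": 3, "PR.PT": 3,
    "DE.AE": 1, "DE.CM": 1, "DE.DP": 0,
    "RS.RP": 2, "RS.CO": 3, "RS.AN": 2, "RS.MI": 2, "RS.IM": 1,
    "RC.RP": 2, "RC.IM": 2, "RC.CO": 3,
}


def gap_report(scores, target=3):
    """Per function: average score, total gap to target, categories below target (worst first)."""
    if not 0 <= target <= MAX_SCORE:
        raise ValueError("target out of range")
    report = {}
    for function, cats in CATEGORIES.items():
        gaps = []
        for cat in cats:
            if cat not in scores:  # an unscored category means the assessment is incomplete
                raise KeyError(f"no score for {cat}")
            if not 0 <= scores[cat] <= MAX_SCORE:
                raise ValueError(f"{cat}: score {scores[cat]} out of range")
            gaps.append((cat, max(0, target - scores[cat])))
        average = sum(scores[c] for c in cats) / len(cats)
        below = [c for c, g in sorted(gaps, key=lambda x: -x[1]) if g > 0]
        report[function] = {"average": round(average, 2),
                            "gap": sum(g for _, g in gaps),
                            "below_target": below}
    return report


def prioritised_functions(report):
    """Functions ordered by largest total gap first, alphabetically on ties."""
    return sorted(report, key=lambda f: (-report[f]["gap"], f))


if __name__ == "__main__":
    rep = gap_report(SAMPLE_SCORES)
    for fn in prioritised_functions(rep):
        print(f"{fn:8} avg={rep[fn]['average']:<5} gap={rep[fn]['gap']:<2} fix first: {rep[fn]['below_target']}")
```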
My IT team assures me our company is secure, do I still need a cyber risk assessment?
No matter how good your IT team is, there is always the possibility of them missing something. Even a system that is 99% secure can still be vulnerable to attacks. Everyone is confident in their security until a breach happens. An external Cyber Risk Assessment minimizes the chances of this happening. In addition, it verifies the work of the IT team so you, as an owner, can rest assured that your data is properly secured.
I own a small startup company; do we need a cyber risk assessment?
Ideally, your company would have an annual Cyber Risk Assessment; however, the reality is that not every company is ready for one. As a brand-new company, your IT team may not have had the time to secure your systems. At this maturity level a Cyber Risk Assessment would be an expensive way of telling you what you already know: that your system is not yet secure. In this case it would be wise to wait until your IT team is confident in the security. On the other hand, if your company is rapidly growing and security is now a priority, a Cyber Risk Assessment can help your IT team prioritize what needs to be fixed first.