Many of the CEOs and CFOs I talk with aren't sure what to do when the term 'cybersecurity' comes up. Now IT Works follows the NIST CyberSecurity Framework because it is a standardized framework and it does a good job of identifying where you are today and where you want to be. Here is a quick review of what you need to do, along with a plain-language version of each step.
1. Prioritize and Scope.
First, we need to identify the mission, the business objectives and the high-level organizational priorities. Once these are identified, share them with the team; it's good to make sure everyone keeps them in mind. This is a big undertaking, and we want to keep our eye on the prize.
Next, we need to define what we are going to apply this Framework to: the entire company, the accounting department, a specific line of business or a single process within your company.
Layman's terms. Map out your business at a 60,000 ft view: write down the mission statement, what the business wants to accomplish this year and what priorities you have for the business over the next 12-18 months. Make sure everyone knows and is on the same page. Don't move past this until everyone is.
2. Orient. Once the scope has been identified, we know what we are trying to accomplish and which section of the business we are targeting. Now we want to identify the physical and logical components of the business: related systems and assets, regulatory requirements and the overall risk approach.
Layman's terms. When you know which aspect of the business you want to review, doodle. Yes, doodle. Grab a Sharpie and a whiteboard and map out all of the pieces: servers, computers, people, Salesforce, email, printers, fax machines. Write out everything that touches the pieces you are trying to inspect.
3. Create a Current Profile. The business should develop a Current Profile by indicating which outcomes of the Framework Core are currently being achieved. It's OK if an outcome is only partially achieved; noting this helps the subsequent steps by providing baseline information.
Layman's terms. Be honest, and try not to fix stuff at this point. Just take inventory of where you are. It's OK to put a star next to something that is important.
4. Conduct a Risk Assessment. If you already did a risk assessment last year, use that as your starting point. What were the challenges, and were they all fixed? If not, review those first.
Then, examine the 'scoped environment' and determine the likelihood of a cybersecurity event and the impact it might have on the organization or department. It is important to identify emerging risks and to seek information from internal and external sources to round out the assessment.
Layman's terms. Here is where you actually review the stuff: your servers, internet connections, security training, Salesforce, people, process, etc.
5. Create a Target Profile. Using the Framework Categories and Subcategories, map out the desired outcome. You may create new categories if you identify ones that are unique to your organization.
Layman's terms. Do you want to be 5 stars in the Response category? OK then, note it. If your business is remote, web-based or otherwise doesn't need a complicated network, your score for Network Segmentation is going to be much lower, and that's OK.
6. Determine, Analyze and Prioritize Gaps. Compare the Current Profile and the Target Profile to determine the gaps. Next, create a prioritized action plan to address them, bearing in mind our plan from #1. Determine what resources you'll need, where the funding will come from and which gaps you'll be closing.
Layman's terms. Look at your Target Profile, find out where you are on the Current Profile and identify which items are most important to resolve first and what you'll need to close each gap.
7. Implement Action Plan. Now that we have a plan, carry out the actions that address the gaps, in priority order, to achieve the Target Profile.
Layman's terms. Go, start implementing. Hint: how do you eat an elephant? One bite at a time.
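The seven steps above boil down to a comparison between two profiles. As an added example (not code from the original post or from Now IT Works), here is a small Python script that does the arithmetic of steps 3, 5 and 6: it rates each Framework subcategory in the Current Profile and the Target Profile, carries forward unresolved findings from last year's assessment (step 4) so they come first, weights each gap by the business priority set in step 1, and returns the prioritized action plan for step 7. The subcategory IDs are real NIST CSF 1.1 identifiers; the ratings, priorities and the 0-5 "star" scale are constructed assumptions for illustration.

```python
"""NIST CSF gap analysis: Current Profile vs Target Profile.

Added example, not from the original post or from Now IT Works.
Ratings, priorities, the 0-5 star scale and the priority weights below are
assumptions constructed for illustration; the subcategory IDs are real CSF 1.1 IDs.
"""
from dataclasses import dataclass

STARS = range(0, 6)       # 0-5 "stars" per outcome, as the post suggests (assumed scale)
PRIORITIES = (1, 2, 3)    # business priority from step 1: 1 low, 3 high (assumed weights)


@dataclass(frozen=True)
class Outcome:
    """One Framework Core subcategory as rated in both profiles."""
    subcategory: str            # CSF subcategory ID, e.g. "ID.AM-1"
    function: str               # Identify / Protect / Detect / Respond / Recover
    current: int                # Current Profile rating (step 3)
    target: int                 # Target Profile rating (step 5)
    priority: int               # business priority from step 1
    open_finding: bool = False  # unresolved item from last year's assessment (step 4)

    def __post_init__(self):
        if self.current not in STARS or self.target not in STARS:
            raise ValueError(f"{self.subcategory}: ratings must be 0-5")
        if self.priority not in PRIORITIES:
            raise ValueError(f"{self.subcategory}: priority must be 1-3")

    @property
    def gap(self) -> int:
        # Being above target is fine (e.g. a low Network Segmentation target); no negative gaps.
        return max(self.target - self.current, 0)

    @property
    def score(self) -> int:
        # Weighted gap: a big gap on a high-priority outcome rises to the top.
        return self.gap * self.priority


def prioritized_gaps(profile):
    """Step 6: outcomes with a gap, unresolved prior findings first, then by weighted gap."""
    return sorted(
        (o for o in profile if o.gap > 0),
        key=lambda o: (not o.open_finding, -o.score, -o.priority, o.subcategory),
    )


def function_summary(profile):
    """Average current vs target rating per CSF Function, for the one-page view."""
    buckets = {}
    for o in profile:
        buckets.setdefault(o.function, []).append(o)
    return {
        fn: (round(sum(o.current for o in items) / len(items), 1),
             round(sum(o.target for o in items) / len(items), 1))
        for fn, items in buckets.items()
    }


def render_plan(profile):
    """Step 7 input: the action plan as numbered lines, highest priority first."""
    lines = []
    for n, o in enumerate(prioritized_gaps(profile), 1):
        flag = " (open finding from last assessment)" if o.open_finding else ""
        lines.append(
            f"{n}. {o.subcategory} [{o.function}] current {o.current} -> target {o.target}, "
            f"gap {o.gap}, priority {o.priority}, score {o.score}{flag}"
        )
    return lines


# Constructed sample profile for a small, mostly remote business (ratings are made up).
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", "Identify", current=2, target=5, priority=3),  # asset inventory
    Outcome("PR.AT-1", "Protect", current=1, target=4, priority=3, open_finding=True),  # awareness training
    Outcome("PR.AC-5", "Protect", current=1, target=2, priority=1),   # network segmentation, low target by design
    Outcome("DE.CM-1", "Detect", current=3, target=4, priority=2),    # network monitoring
    Outcome("RS.RP-1", "Respond", current=2, target=5, priority=2),   # response plan executed
    Outcome("RC.RP-1", "Recover", current=4, target=4, priority=2),   # already at target, no gap
]

if __name__ == "__main__":
    for line in render_plan(SAMPLE_PROFILE):
        print(line)
    for fn, (cur, tgt) in function_summary(SAMPLE_PROFILE).items():
        print(f"{fn}: current {cur} / target {tgt}")
```

Two design choices match the post: an outcome already at or above its target drops out of the plan entirely (a deliberately low Network Segmentation target is not a gap), and an unresolved finding from the previous assessment is placed ahead of everything else regardless of its score, because the post says to review those first.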
Interested in knowing more about how to protect your organization, or want to run through a CyberSecurity Audit? Click here to schedule a time to talk with me. It's a wild ride, and you'll need guidance.