The ITSM Hub Cyber Security Review uses the NIST Cybersecurity Framework (CSF) to determine an organisation's cyber security capability, using best practice methods and the latest informative references.
Based on the NIST CSF seven-step process for establishing or improving a cyber security programme, the accredited security consultant works with key stakeholders to determine the scope of the assessment and agree the appropriate informative references. The assessment can be based on either a specific informative reference or a combination of the following:
Once the scope and orientation have been agreed, a Current State Profile is established based on the applicable process controls, skills and technology enablers. A SFIA-based skills assessment (Skills Framework for the Information Age, www.sfia-online.org) can be used to capture the skills and technical knowledge of any in-scope cyber security staff, and forms the basis of a detailed training needs analysis.
A risk-based approach is then used to identify potential vulnerabilities and to assess the likelihood and impact of cyber security events.
Lastly, a Target State Profile is established based on the requirements of the organisation. Both the Current State and Target State profiles incorporate NIST CSF categories and subcategories, and include the corresponding CIS Critical Security Controls (CIS CSC) for the relevant Implementation Group. The CIS Implementation Groups provide a simple and accessible way to help organisations with different risk profiles and resources focus their scarce security resources on the controls that matter most, while still leveraging the value of the CIS Controls.
Cyber Security Improvement Plan
Following on from the Cyber Security Capability Assessment, the Cyber Security Improvement Plan takes a pragmatic approach to defining improvement activities as part of a broader, ongoing initiative. Using concepts from systems thinking, including balancing loops, the improvement plan identifies specific capability improvements (people, process and technology) that drive holistic improvements in cyber security posture and overall resilience.
The fundamental goal of the Improvement Plan is to adopt an agreed way of working and a defined set of capabilities, adapt the cyber security approach to suit the needs of the business, and embed processes, skills and knowledge in a systematic way that delivers maximum business value.