Cybersecurity Framework Assessments: Prioritizing Your Remediation
Authors: Mark Keppler, Steve Foret
Cybersecurity Frameworks Series, part 11
After a cybersecurity framework assessment performed by a third-party cybersecurity consulting firm, many organizations find themselves with a lengthy list of things to work on. Even if you have already performed your own internal framework assessment, you probably have work to do to mature your controls and improve.
Assessing the Assessment
If the assessment was done thoroughly, the assessor has provided a prioritized list of recommended treatment plans. If the assessment lists only the gaps where controls do not meet the framework requirements, you may be wondering where to start.
The assessment results should include some level of risk analysis for every gap identified. While this is useful, every organization is different, and you should consider how each gap impacts your specific organization (and, conversely, the risk reduction to be gained by addressing it). This brings us to the topic of prioritization.
Prioritizing Remediation
Prioritization is the disciplined ranking of goals and tasks when there is not enough time, staff, technology or demonstrable return on investment to address every concern at once. Prioritization is also about:
security (confidentiality, integrity, availability),
what you have (assets),
who has access (especially privileged users),
how access is secured (including vendors, partners, etc.), and
how your defenses are consistently enforced and monitored.
Above all, prioritization should always consider the organization's business goals and objectives.
Quick Wins
Even when you have a good handle on the priority of your controls in terms of importance and risk reduction, does that mean you should strictly follow that order? Not necessarily. What's wrong with a quick win or two? If you can improve your security posture by repairing a control quickly with limited resources (perhaps by a simple change in system settings, or by writing a policy or procedure), it may make sense to do that first.
Frameworks
Some frameworks give more information on the priority or weight of controls than others. The Center for Internet Security's Critical Security Controls (CIS CSC) are numbered 1 through 18 roughly in the order an organization should implement them, and CIS further tags each safeguard with an Implementation Group (IG1 through IG3), with IG1 representing essential cyber hygiene. If you have had a NIST CSF assessment, you can map the CSF gaps to the corresponding CIS CSC controls to help prioritize.
If your remediation project lacks funding, you must make the business case for it. The framework assessment should support that case.
Dependencies
Remediation rarely follows a straight line from highest importance and greatest risk reduction to lowest. There may be dependencies on hardware or software purchases, which can take time for approval and funding. There may also be dependencies of one control on another (for example, data classification is a prerequisite for data leakage prevention). You may have further dependencies on other parts of your organization (especially IT) that can derail a plan if they have no time to spare or no compelling reason to help. Additionally, the overall strategy may not have budget for new objectives, so remediation work may have to be folded into larger projects or co-funded by several departments.
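As an added example (not from the original post), here is a small Python planner that turns an assessment's gap list into a remediation order. It ranks gaps by risk reduction per unit of effort, flags quick wins, and runs a dependency-aware topological sort so that a control is never scheduled before its prerequisite (data classification before DLP, as above), failing loudly on a circular or unknown dependency. The gap list, scores and CIS control numbers are constructed sample data, and the scoring rule and quick-win thresholds are assumptions; substitute the values from your own assessment.

```python
"""Dependency-aware remediation ordering for framework assessment gaps.

Added example, not code from the original post. Gap names, scores and the
CIS control mapping are constructed for illustration only.
"""
from dataclasses import dataclass, field
import heapq


@dataclass
class Gap:
    gap_id: str
    description: str
    risk_reduction: int            # 1-5, from the assessment's risk analysis
    effort: int                    # 1-5, estimated time/resources to remediate
    cis_control: int               # CIS CSC v8 control number the gap maps to
    depends_on: list = field(default_factory=list)  # gap_ids that must be done first

    @property
    def score(self) -> float:
        # Assumption: prefer the most risk reduction per unit of effort.
        return self.risk_reduction / self.effort


def quick_wins(gaps, max_effort: int = 1, min_risk: int = 2):
    """Gaps cheap enough to fix now and worth fixing (thresholds are assumptions)."""
    return [g.gap_id for g in gaps if g.effort <= max_effort and g.risk_reduction >= min_risk]


def plan_remediation(gaps):
    """Return gap_ids in execution order.

    Among gaps whose prerequisites are complete, pick the highest score first,
    then the lowest CIS control number (CIS order is itself a rough priority).
    Raises ValueError on an unknown prerequisite or a dependency cycle.
    """
    by_id = {g.gap_id: g for g in gaps}
    for g in gaps:
        for dep in g.depends_on:
            if dep not in by_id:
                raise ValueError(f"{g.gap_id} depends on unknown gap {dep}")

    indegree = {g.gap_id: len(g.depends_on) for g in gaps}
    dependents = {g.gap_id: [] for g in gaps}
    for g in gaps:
        for dep in g.depends_on:
            dependents[dep].append(g.gap_id)

    # Min-heap keyed on (-score, cis_control, gap_id): highest score pops first.
    ready = [(-g.score, g.cis_control, g.gap_id) for g in gaps if indegree[g.gap_id] == 0]
    heapq.heapify(ready)

    order = []
    while ready:
        _, _, gid = heapq.heappop(ready)
        order.append(gid)
        for child in dependents[gid]:
            indegree[child] -= 1
            if indegree[child] == 0:
                c = by_id[child]
                heapq.heappush(ready, (-c.score, c.cis_control, child))

    if len(order) != len(gaps):
        stuck = sorted(gid for gid, n in indegree.items() if n > 0)
        raise ValueError(f"dependency cycle among gaps: {stuck}")
    return order


# Constructed sample gap list (illustrative, not from any real assessment).
SAMPLE_GAPS = [
    Gap("G1", "No data classification scheme", 3, 2, 3),
    Gap("G2", "No DLP on email egress", 4, 4, 3, depends_on=["G1"]),
    Gap("G3", "Local admin rights not restricted", 4, 1, 5),
    Gap("G4", "No authoritative asset inventory", 5, 3, 1),
    Gap("G5", "Vulnerability scanning is ad hoc", 4, 2, 7, depends_on=["G4"]),
]

if __name__ == "__main__":
    print("quick wins:", quick_wins(SAMPLE_GAPS))
    for step, gid in enumerate(plan_remediation(SAMPLE_GAPS), 1):
        g = next(x for x in SAMPLE_GAPS if x.gap_id == gid)
        print(f"{step}. {gid} (CIS {g.cis_control}, score {g.score:.2f}): {g.description}")
```

On the sample data the planner schedules the quick win (G3) first, then the asset inventory (G4) so that vulnerability scanning (G5) becomes unblocked, and leaves DLP (G2) last because it is both expensive and waiting on data classification (G1). Swapping in your own risk and effort scores, or a different scoring rule, changes only the `score` property, not the dependency handling.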
Other Thoughts on Remediation
One of the most common questions we get about remediating framework-related controls is "how long is this going to take?" Though nobody likes this answer, it is up to you and how quickly you want to move. How many controls do you have to remediate? Do you already have the tools and software needed, or do you need to acquire them? How many people can you allocate to the effort? Do you have the required expertise on your team and, if not, is using external resources an option?
If you have many gaps, indicating a high level of effort, we recommend treating your remediation effort as a formal project: identify the resources required, the cost and formal milestones, and monitor and report on project status. The outcomes of that project then need to be converted into ongoing processes, governance tracking, and ultimately new content for your cybersecurity reporting dashboard(s).
Be as granular and detailed in your plan as you can. Define what is required to remediate in terms of one or more of the following:
policy – if the control is important, require it by policy,
procedure – support the policy by assigning responsibility, defining frequency, keeping configuration artifacts under version control, etc.,
governance of the control – oversight to confirm the control is actually performed,
technical component of the control – enforce the control systematically where possible.
The last element of remediation is tracking the effectiveness of the improvements you have made. Many customers treat remediation as a one-time project, not realizing that the improvements must be folded into the operating program, including processes, reporting and oversight to monitor progress and responsibilities. This is one of the most important points to communicate when running cybersecurity as a business service: cybersecurity is not a point in time, but a continuous program.
In future articles, we will take a deeper dive into additional common security frameworks (beyond CSF). In the meantime, if you are not sure where to start or would like to discuss, please feel free to reach out to SEVN-X. Our goal is to help you Achieve Better Cybersecurity, and we're happy to help!
Previous Blog:
Cybersecurity Frameworks Series part 10: Interpreting Your Results