Cyber Assessment

True and fair view of the cybersecurity level across your organization

It is challenging to measure an organization’s current cyber risk and maturity. To be true and fair, the security assessment must include a view of the technical preparedness and also the behaviors and processes that contribute to securing key IT/OT assets. This challenge must be overcome so that adequate risk mitigation can be implemented in the appropriate sequence while keeping customers, boards, potential investors, and regulators informed.

Security Frameworks

When securing your organization, one of the major tasks is selecting which risk mitigation actions to choose. Choosing too many leads to overspending on security. Choosing too few exposes your organization to risk and makes the protective digital fences around you incomplete.

NNIT has compiled an overview of the most common security frameworks used to mitigate cyber risks. These frameworks can be used alone or in combination to ensure you have just the controls you need in place.

The CIS 18 Critical Security Controls (CIS Controls) are a prescriptive, prioritized, and simplified set of best practices that can raise your cybersecurity level. The framework speaks directly to IT departments, outlining what should be done. It is operationally practical, but light on governance, risk, and compliance, as well as on physical security controls. Communicating the framework to an executive level is challenging.

The NIST Cyber Security Framework (CSF) guides organizations on how to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of size, sector, or maturity — to better understand, assess, prioritize, and communicate cybersecurity efforts. The CSF does not propose how outcomes should be achieved. Rather, it refers to other resources that provide further guidance on practices and controls that could be used to achieve those outcomes. The disposition of the framework supports three different levels of detail, supporting board, executive, and technical levels across the organization.

ISO/IEC 27001 is a standard for information security management systems (ISMS) and defines the requirements an ISMS must meet to systematically manage an organization’s sensitive data. It comprises risk assessment, risk treatment, security controls, performance measurement, and continual improvement. ISO/IEC 27001 is generic in nature and can be applied to all organizations. It is heavy on governance and risk management, but light on practical security controls, and it requires additional detail for the controls to be operational in an IT context. ISO/IEC 27001 provides a way for management to direct security based on the risks surrounding the organization and has the added advantage of being a framework against which the organization can be certified. Communicating the framework to an executive level is challenging.

IEC 62443 is a framework that addresses cybersecurity for Industrial Automation and Control Systems (IACS). It is a comprehensive framework covering operators, integration and maintenance service providers, and component/system manufacturers. It is divided into four parts:

  • Part 1 covers common definitions and topics.
  • Part 2 addresses policies and procedures related to OT security.
  • Part 3 is about the security requirements at the system level.
  • Part 4 provides detailed requirements for IACS products.

Implementing IEC 62443 poses challenges concerning executive support, resource allocation, system compatibility, and operational risk management.

Our Approach

NNIT has extensive experience in developing and securing IT and OT solutions in complex and heavily regulated sectors. This puts us in a unique position to assess your current security level using a single security framework or a combination of frameworks (e.g., CIS 18, NIST CSF, ISO 27001, IEC 62443).

When developing recommendations, our security team is also closely integrated with our own cloud and application development branches, and with the NNIT branch responsible for implementing smart manufacturing and digitization solutions. This gives us a unique insight into the complexities of implementing security solutions on IT/OT Assets.

  • Identification of which business processes, IT/OT assets, and related infrastructure are key to your profits. Output is a presentation outlining your value chain and a high-level application and infrastructure map.
  • Workshop(s) to identify the most critical cyber risks for your business from a top-down perspective. Additional workshop(s) to determine the amount of risk you are prepared to take on and the control framework that best suits your business. Output is a risk matrix with key risks, associated impacts, and likelihoods, as well as an indication of the risk appetite and a recommendation for a suitable control framework.
  • Assessment of the controls protecting your key assets, based on the agreed security framework. The assessment is initially based on document reviews and interviews, with the option of adding validation tests if greater assurance is required. Output is a graph showing the current maturity level across the chosen controls.
  • A high-level overview of the steps required to reduce your cyber risks to match your risk appetite. Output is a table of ongoing, scheduled, or required new security projects. NNIT will base recommendations on the relevant requirements.

Key benefits and business outcome

  • An outside review of your current cyber risk level and the high-level steps required to adequately reduce it to an acceptable level.
  • Identification of key IT and OT assets delivering your profit margins.
  • A report to inform key stakeholders about your current cybersecurity level.
  • The option to get assurance on the actual state of your technical security controls, beyond the spoken and written word.

Our experts are ready to help

Contact us, and we will find a solution that suits your needs
