The objective of any cybersecurity framework is to provide a methodology and a common set of recommended or prescribed controls for the user to implement to protect information. Once the framework is implemented, what separates the beginners from the pros? The organizations that have been on the playing field longer are going to benefit from the experience they have gained.
A cybersecurity maturity model determines that level of experience by measuring the organization’s progress against evidence. The major milestones an organization can achieve in a cybersecurity maturity model, from least mature to most mature, are:
- Policy – Policies describe an organization’s intent. Typically, policies are general in nature, but they address each control and provide guidance on how the organization intends to fulfill the relevant requirement. Policies are particularly useful when an organization wants to communicate its expectations and commitments to internal and external readers. Policies are internally enforceable and are likely to evolve as external threats evolve.
- Procedure – Procedures describe the steps an organization takes to implement and execute the policies. Procedures are reserved for internal use, written and owned by internal stakeholders, and internally enforceable. Procedures are also likely to be reviewed and changed more often than policies as technologies and processes change.
- Implementation – The “implementation” is demonstrated by providing evidence showing all control requirements are addressed, the policies are in place, and the procedures are executed per the policy. Additionally, the implementation step illustrates that the information being protected is contained within the scope of the policies and procedures.
- Measurement – To gauge the effectiveness of the controls and the impact of events affecting them, two variables are typically considered: event frequency (likelihood) and impact. Together they drive the evaluation of the implemented controls and the decisions on how those controls should be adjusted or realigned to address future events. Unlike Incident Response, which is an event-driven activity, the measurement of controls occurs on a daily and real-time basis.
- Management – The key output of Management is corrective action. Organizations that have effective Management strategies in place show a demonstrable record of acting on events, incidents, and lessons learned. Additionally, these organizations have clear policies and procedures that provide guidance on carrying out the corrective action.
Where is your organization on the spectrum? What are your next steps?