How to conduct a self-assessment to find gaps in your Cybersecurity framework

The first part of solving any problem is knowing that there is a problem. One technique for identifying problems in the information security space is to perform a NIST CSF assessment.

What is the NIST Cybersecurity Framework?
According to the National Institute of Standards and Technology (NIST), the Cybersecurity Framework (NIST CSF) is a “voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”

After 15 years of working on cybersecurity assessment and remediation plans for enterprise networks, I think the NIST Framework is ideal for identifying gaps in compliance with the NIST CSF. After gaps are identified, an organization must conduct risk analyses on those gaps to determine what needs to be done and develop a plan of action and milestones (POA&M) report.

Gap assessment definition and overview
Conducting the gap assessment involves six steps: identify subject matter experts to help with the evaluation; collect the data; tie evidence to NIST CSF subcategories; review the evidence to determine preliminary gaps; conduct risk analyses on the identified gaps and create a plan of action and milestones document; and report on the risks to senior leadership. The following discusses each step at a high level. For more information on executing a NIST CSF gap assessment, contact us.

1.  Identify Subject Matter Experts
The first step is to identify your subject matter experts (SMEs). The SMEs can be internal employees or an external consulting firm, like TUV Rheinland OpenSky. There is no reason why you and your company cannot do the gap assessment on your own, which saves money in your budget. Your internal staff knows your organization best, so you should probably listen to them first.

However, if your organization does not have the ability to conduct the gap assessment, then an external party will definitely help. Look for an external party who wants to do a full knowledge share. What that means is that the external firm should not want to stay on your payroll. Look for teachers and not just fancy sales folks.

At TUV Rheinland OpenSky, we actually care about our clients and want to share our knowledge with you. Trust me, there is plenty of work out there for us cyberwarriors.

My approach to cybersecurity is to teach our clients how to become more secure, and not just do it for them. I live by the following: “Give a person a fish and they eat for a day. Teach the person to fish and they eat for life.”

It is with this teaching mentality that we share this information with you. After you have identified your SMEs, you’ll want to use a tool to collect their data. I personally use a gap assessment spreadsheet that I share with my clients. Most of the tools I build are from open source, so I give them back as open source to my client.

2.  Data collection techniques
Now that you have your spreadsheet, or some other tool ready to collect data, you need to determine “how” you will collect that data in order to determine the “what.” I use three distinct techniques that are very rapid: interviews, documentation review, and potential testing.

Interviews: These are a great way to get a perception of what’s going on. Many times during interviews, the clients will tell you what they “think” is going on, but their views may not accurately reflect reality. Their intentions are fantastic, but more reviews need to be completed.

Documentation review: I review documents against the NIST CSF. Documentation is one of the best ways to illustrate compliance with the NIST CSF. However, documentation alone does not mean that the documentation is being followed. That’s where testing comes in, or as I like to say, “this is where the rubber meets the road.”

Testing (vulnerability scans, verbal walk-throughs): Testing has always been the best way to determine whether the client’s perception of what is being done accurately reflects what is actually being done. One of my favorite testing techniques is a walk-through of the control. I take one of the documented controls, find the owner of the document and those who execute it, take a sample (if possible), and discuss the process with the client. This is where we’ll find gaps between the perception and the reality of the control implementation.

Please note that testing is not an “I got you” and should never be that way. We are humans, and as humans we make mistakes. We are always understaffed and never have enough money to cover everything. Never use testing as a bat to beat the employee over the head. Use testing results as an opportunity to coach employees and discuss how to improve results.

3. Tie evidence to each subcategory

The NIST CSF version 1.1 breaks down into 108 subcategories, as shown in the box below.

A subcategory is a control under the NIST CSF. I always find it interesting that most of the controls, over half, focus on Identifying and Protecting data. These controls are the basic blocking and tackling controls that all organizations must have to put up a good defense against a wickedly strong and malicious offense.

NIST CSF version 1.1
Tie evidence to the right subcategory:
  • Identify has 29 subcategories
  • Protect has 39 subcategories
  • Detect has 18 subcategories
  • Respond has 16 subcategories
  • Recover has 6 subcategories

Below is an example from my data collection tool. Yes, it’s just a spreadsheet, but it helps to collect and organize my information. You’ll notice that I have a column called “Evidence Cross Reference”. In this column I document the exact document name, if there is one. For example, ID.AM-1 may have a screenshot showing the organization’s Configuration Management Database (CMDB). There may be a document of the actual inventory from the system. I may have several supporting documents as evidence for the ID.AM-1 control.

In addition to mapping the documents to the controls, I create a Document Reference Library to help the organization identify where each of their documents cross-references to the NIST CSF subcategories. Below is an example of how I capture the documents and their cross references.

4.  Review the evidence and determine gaps
During the data collection and tying of evidence, I usually start to see gaps. I document those gaps in the same spreadsheet workbook under a tab called Detailed Findings. Each gap is clearly discussed with the client to ensure that I have understood and captured the gap accurately. Communication is very important.

Below is how I document the gaps in the assessment.

5.  Prioritize gaps and create Plan of Action and Milestones (POA&M) document
The levels of risk documented in the Detailed Findings tab are subjective, but they are based on qualitative input from the client and the analyst. There is not enough space in this article to discuss how to analyze each gap for risk, but we normally use Factor Analysis of Information Risk (FAIR). According to the FAIR Institute, FAIR “has emerged as the standard Value at Risk (VaR) framework for cybersecurity and operational risk.” To learn how to implement the FAIR methodology in your risk program, see this white paper.

Once the gaps are evaluated for risk, the POA&M can be created to help leadership apply their limited resources more effectively and precisely.

6.  Executive, Management, and Technical report generation
The final step is to generate a report, but not just one report. There should be three individual, but related, reports:

Executive Report: a 2-3 page summary of the risks and the action plans that leadership needs to take.
Management Report: a little more detailed, but it leaves out the actual workpapers and technical jargon.
Technical Report: the actual Plan of Action and Milestones, along with instructions on how to mitigate each technical risk.

The reporting is the culmination of all the work completed. In addition, reporting sets direction for the identification of risk and corrective actions.
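As an added example (not code from the article or from TUV Rheinland OpenSky), the Python below models steps 3 through 6 of the workbook: evidence cross references tied to each subcategory, preliminary gaps where no evidence exists, per-Function coverage, a POA&M ordered by qualitative risk, and the counts an executive summary needs. The subcategory IDs are real NIST CSF v1.1 identifiers, but the document names, findings and risk ratings are constructed sample data, and the High/Medium/Low scale is a placeholder rather than a FAIR analysis.

```python
from collections import Counter

# NIST CSF v1.1 Function prefixes as they appear in subcategory IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}  # constructed qualitative scale

# Constructed sample of the "Evidence Cross Reference" column:
# subcategory -> document names. An empty list means nothing was tied to it.
EVIDENCE = {
    "ID.AM-1": ["CMDB screenshot", "Asset inventory export"],
    "ID.AM-2": ["Software inventory export"],
    "PR.AC-1": [],
    "PR.DS-1": ["Encryption standard v2"],
    "DE.CM-1": [],
    "RS.RP-1": ["Incident response plan"],
    "RC.RP-1": [],
}

# Constructed Detailed Findings rows: (subcategory, finding, qualitative risk)
FINDINGS = [
    ("PR.AC-1", "No documented identity lifecycle process", "High"),
    ("DE.CM-1", "Network monitoring exists but is undocumented and untested", "Medium"),
    ("RC.RP-1", "Recovery plan not written", "High"),
]

def function_of(subcategory):
    """'ID.AM-1' -> 'Identify' via the two-letter Function prefix."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]

def preliminary_gaps(evidence):
    """Step 4: subcategories with no evidence cross reference are preliminary gaps."""
    return sorted(sub for sub, docs in evidence.items() if not docs)

def coverage_by_function(evidence):
    """Per Function: (subcategories with evidence, subcategories assessed)."""
    assessed, covered = Counter(), Counter()
    for sub, docs in evidence.items():
        assessed[function_of(sub)] += 1
        if docs:
            covered[function_of(sub)] += 1
    return {f: (covered[f], assessed[f]) for f in assessed}

def build_poam(findings):
    """Step 5: order findings so High-risk gaps are worked first, ties by ID."""
    return sorted(findings, key=lambda f: (RISK_ORDER[f[2]], f[0]))

def executive_summary(findings):
    """Step 6: the executive report only needs a count per risk level."""
    return dict(Counter(risk for _, _, risk in findings))
```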

Every organization needs a Cybersecurity framework
The bottom line is that nearly every organization needs a cybersecurity framework to ensure information security. Without a framework, leadership has no alternative but to shoot from the hip and potentially waste valuable resources on initiatives that do not ensure data security. A cybersecurity framework, regardless of the standard used, sets direction for an organization.

Conducting self-assessments ensures compliance with the framework used. A continuous self-assessment program ensures alignment, identifies gaps, reveals unknown risks, assists with corrective action plans, and ensures the effective use of valuable resources.

For more information about the execution of a self-assessment, contact us.
