Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems to gain access to digital assets. CRI's cybersecurity assessment is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a living document with three parts:
- Framework Core (Core): A common set of cybersecurity activities, desired outcomes, and informative references that apply across critical infrastructure sectors. The Core provides the detailed guidance that serves as the roots for both the Framework Profile and the Framework Implementation Tiers. It consists of five concurrent and continuous Functions, described more fully below.
- Framework Profile (Profile): The Profile is the alignment of the standards, guidelines, and practices in the Core to a particular scenario; this alignment provides a solid trunk based on an organization's business drivers and risk assessment. Profiles are used to identify opportunities to improve cybersecurity posture by comparing the "Current Profile" (the "as is" state) against a "Target Profile" (the "to be" state) created by the client to describe its cybersecurity posture goal. Identifying gaps in controls between these two Profiles is a key result of the CRI Cybersecurity Assessment.
- Framework Implementation Tiers (Tiers): Tiers let an organization describe the degree to which its cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers "branch" across a range from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). Tiers describe the rigor and integration of risk management practices; NIST is explicit that they are not maturity levels.
CRI uses the NIST approach to build a cybersecurity program focused on the critical services your organization provides. The steps, and who performs each, are:

| Step | Who | Activity |
|---|---|---|
| 1: Define the scope of cybersecurity implementations. | Client | Define business/mission objectives and high-level organizational priorities. Determine the systems scope and the assets that support the selected business line/process. The scope can also be adapted to different business lines/processes, which may have different business needs and risk tolerances. |
| 2: Understand systems and processes. | CRI and client | Identify related systems and assets, regulatory requirements, and the overall risk approach, along with the threats to (and vulnerabilities of) those systems and assets. |
| 3: Create a Current Profile. | CRI and client | Indicate which outcomes (Categories and Subcategories) from the Core are currently being achieved. |
| 4: Conduct a risk assessment. | CRI and client | Analyze the likelihood of a cybersecurity event and its potential impact, incorporating emerging risks and threats plus vulnerability data. The risk assessment can be guided by the organization's overall risk management process or previous risk assessment activities; alternatively, CRI can perform the risk assessment for you. |
| 5: Create a Target Profile. | CRI and client | Describe the organization's desired cybersecurity outcomes and unique organizational risks by aligning them with the Framework Categories and Subcategories. The Target Profile considers the influences and requirements of external stakeholders such as sector entities, customers, and business partners. |
| 6: Determine, analyze, and prioritize gaps. | CRI and client | Pinpoint gaps between the Current Profile and the Target Profile. Create a prioritized action plan, informed by the risk assessment, to close those gaps and achieve the Target Profile outcomes. The organization then determines the actions it will take to address the gaps. |
| 7: Implement action plan. | Client | Decide which actions from step 6 to implement, and monitor current cybersecurity practices against the Target Profile. |
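Steps 3 through 6 reduce to a comparison of two Profiles over the same set of Core Subcategories, weighted by the risk assessment. The script below is an added illustration of that gap analysis, not a tool used or published by CRI or NIST. The Subcategory identifiers (ID.AM-1, PR.AC-1, and so on) are real NIST CSF 1.1 identifiers, but the five-step implementation scale, the Current and Target Profile values, and the likelihood/impact scores are constructed for the example; a real assessment would use the organization's own risk scale.

```python
"""Profile gap analysis for a NIST CSF assessment (added example; data is constructed)."""
from dataclasses import dataclass

# Assumed implementation scale for a Subcategory. NIST's Tiers are not maturity
# levels, so this scale is an example convention, not part of the Framework.
LEVELS = {"not_performed": 0, "partial": 1, "risk_informed": 2, "repeatable": 3, "adaptive": 4}

# Map the Subcategory prefix to the Core Function it belongs to.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: str
    target: str
    likelihood: int  # 1..5, from the step 4 risk assessment
    impact: int      # 1..5, from the step 4 risk assessment

    @property
    def delta(self) -> int:
        """How many levels the organization must climb to reach the Target."""
        return LEVELS[self.target] - LEVELS[self.current]

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def priority(self) -> int:
        """Bigger risk and bigger shortfall both push a gap up the action plan."""
        return self.risk * self.delta


def validate_profile(profile: dict) -> None:
    """Reject Subcategories with unknown prefixes or levels outside the assumed scale."""
    for sub, level in profile.items():
        prefix = sub.split(".", 1)[0]
        if prefix not in FUNCTIONS:
            raise ValueError(f"{sub}: unknown Function prefix {prefix!r}")
        if level not in LEVELS:
            raise ValueError(f"{sub}: unknown level {level!r}")


def find_gaps(current: dict, target: dict, risk: dict) -> list:
    """Return every Subcategory where the Target exceeds the Current Profile,
    sorted by priority (highest first). A Subcategory absent from the Current
    Profile is treated as not performed; missing risk data defaults to (1, 1)."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, "not_performed")
        if LEVELS[cur] >= LEVELS[tgt]:
            continue  # outcome already achieved at or above the Target level
        likelihood, impact = risk.get(sub, (1, 1))
        gaps.append(Gap(sub, FUNCTIONS[sub.split(".", 1)[0]], cur, tgt, likelihood, impact))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def gaps_by_function(gaps: list) -> dict:
    """Count open gaps per Core Function, useful for an executive summary."""
    counts = {}
    for g in gaps:
        counts[g.function] = counts.get(g.function, 0) + 1
    return counts


# Constructed sample Profiles and risk scores (not from any real assessment).
CURRENT_PROFILE = {
    "ID.AM-1": "repeatable", "PR.AC-1": "partial", "PR.DS-1": "repeatable",
    "DE.CM-1": "partial", "RS.RP-1": "not_performed", "RC.RP-1": "partial",
}
TARGET_PROFILE = {
    "ID.AM-1": "repeatable", "PR.AC-1": "repeatable", "PR.DS-1": "repeatable",
    "DE.CM-1": "adaptive", "RS.RP-1": "repeatable", "RC.RP-1": "repeatable",
}
RISK = {  # (likelihood, impact)
    "ID.AM-1": (2, 3), "PR.AC-1": (4, 5), "PR.DS-1": (2, 5),
    "DE.CM-1": (3, 4), "RS.RP-1": (3, 5), "RC.RP-1": (2, 4),
}

if __name__ == "__main__":
    plan = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK)
    for g in plan:
        print(f"{g.priority:3d}  {g.subcategory:8s} {g.function:8s} {g.current} -> {g.target}")
    print(gaps_by_function(plan))
```

Subcategories already at or above their Target level (ID.AM-1 and PR.DS-1 in the sample) drop out of the plan; the remaining gaps are ordered so that an unperformed incident response plan with high impact outranks a smaller shortfall in recovery planning.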
Do You Already Have an Existing Cybersecurity Program?
Some organizations are already achieving the desired outcomes for their Core Categories and Subcategories. In those cases, CRI assesses the current cybersecurity activities against the NIST Cybersecurity Framework Core. The five high-level Functions of the Core are Identify, Protect, Detect, Respond, and Recover.
Our cybersecurity professionals assess your controls against the NIST Framework Core and deliver the independent third-party assurance that you and your stakeholders need or desire.
Choose CRI’s Deep Cybersecurity Roots
The CRI IT team founded one of the first internet service providers in Alabama and has experienced first-hand the need for cybersecurity and its evolution, from simple virus programs to amplification denial-of-service attacks. CRI leveraged the IT experience and personnel from those early internet days to create what is now the firm's IT audit and assurance practice. Our experience has proven invaluable in providing IT and cybersecurity assessments, examinations, and controls testing for medium and large organizations in industries such as insurance, financial services, healthcare, and government. IT security, cybersecurity, and testing of the controls that protect data assets have been part of CRI for more than 20 years and counting.