In February of 2013, Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” was introduced as a means of sharing cybersecurity threat information. The goal was to build a framework around standardized security for the United States to reduce potential risks to critical infrastructure. One year later, the National Institute of Standards and Technology released version 1.0 of their Cybersecurity Framework (CSF) which served as a source of voluntary guidelines based on existing guidelines and practices, for organizations with critical infrastructure to more efficiently manage and reduce cybersecurity risk.
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” —Executive Order 13636
Since it was first released, the NIST CSF has become the standard framework for evaluating the cybersecurity practices of organizations ranging from small business to large enterprises.
Choosing the Right Assessor
Although the NIST CSF tool remains free to all organizations, it is essential to be able to demonstrate framework compliance. It is recommended that any company, regardless of size, should engage in an independent assessment completed by a Certified Information Systems Security Professional (CISSP). Assessor skills represent a crucial aspect of getting the most value from a NIST CSF assessment and preventing the aggravation of your IT department dealing with assessors with limited IT skills. Choosing the right organization with certified security professionals and standards for quality control and consistency to perform this assessment allows your business to feel confident in the assessment being provided, while also ensuring that you are meeting the proper standards designated within the Framework.
When it comes to demonstrating the effectiveness of your organization’s cybersecurity posture to your customers, completing an independent assessment offers the ability to provide relevant feedback about your current cyber practices. Having an assessment done not only offers your clients peace of mind in regards to their data but also improves the lines of internal communication within your firm. Combining relevant questions with the appropriate recommendations is one of the best ways to add value to your assessment process.
CRI is Ready to Help
The Certified Information Systems Security Professional (CISSP) credential has remained one of the most rigorous credentials to obtain and maintain for CSF assessors. Having this credential available provides a standard measure of assessor capability and can help you decide which firm is right for you. If you’re considering an independent CSF assessment, talk to a CRI CISSP to start building an assessment plan for your organization.