If you’re responsible for maintaining cybersecurity controls, it's important to know where your gaps are, and which ones need your attention. Finding security controls that should be in place but aren’t is a key part of a cybersecurity program. There are many ways to perform this challenging task.
If you don’t have the bandwidth or internal skill-set to take on this activity, I suggest you work with a cybersecurity services firm, like Revolutionary Security. If you’re prepared to tackle it internally, here are six steps to identify cybersecurity gaps and protect your company and its data from threatening adversaries.
1. Select a Framework
Using a security framework ensures that all key areas of a cybersecurity program are covered. Start by selecting a high-level framework such as NIST’s Cybersecurity Framework, ISO 27001, COBIT, CIS Critical Security Controls, or industry-specific requirements such as PCI, HIPAA, or NERC CIP. They all cover similar requirements, but some emphasize select areas more than others. Document your rationale for selecting a particular framework in case you need to defend your reasoning to auditors.
2. Map Policies to Your Framework
Next, map your policies/controls to each of the framework requirements. Policy reference numbers will work, but if your policies are renumbered the mapping is lost. I bet you will find items that don’t match, but don’t panic. Some parts of the framework may not apply to you, so document your rationale for omitting them. You may also need to add or modify policies for areas that don’t map.
Mapping can be laborious, so give yourself plenty of time to complete this task.
3. Classify the Control Maturity
Your framework should now be covered by policies/controls or documented omissions. However, just because you have a control doesn’t mean it’s working. Therefore, it’s important to rate the maturity level of each control. I have found the following simple maturity scale helpful.
0 – No control
1 – Considering a control
2 – Selecting a control
3 – Control designed and implemented with limited scope
4 – Control implemented across the whole environment
5 – Control is tested and working effectively
4. Filter the Controls
Your control document (a spreadsheet works well) should start to look something like the image below. Review your maturity column and filter out the known gaps by selecting controls with a maturity level of 3 or lower. Since controls at level 4 have not been tested, they may or may not be gaps. Only by testing these controls will you verify their effectiveness.
5. Assess the Risk of the Gaps
A risk assessment should be performed for each gap to help prioritize remediation. I use NIST 800-30 as a guide to performing risk assessments; however, a simple risk statement, a likelihood, and an impact are all that is needed. A collection of risk statements can be found in NIST Special Publication 800-30 R1, Guide for Conducting Risk Assessments.
The heat map illustrated below relates the likelihood and impact to an overall risk level. The likelihood of an attack goes up exponentially based on the degree of internet exposure, and humans aren’t typically great at estimating likelihood, so err on the side of assigning a higher likelihood if in doubt. Factors that affect impact are the criticality of the business process, data classification (credit card data, bank account, etc.), and asset value.
6. Remediate the Prioritized Gaps
Now what to do with those critical and high-risk gaps? Bring your team together (both business and IT) to brainstorm solutions, allocate resources, and set target dates for remediation. Track your progress as you would any other project.
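Steps 3 to 5 carried through on a small control register, as an added example that is not part of the original post. The register rows, the NIST CSF subcategory IDs used as row labels, the 1 to 5 likelihood/impact scale, and the heat-map thresholds are my own assumptions, since the post's spreadsheet and heat map are not reproduced here.

```python
# Maturity scale from the post: 0 (no control) .. 5 (tested and effective).
GAP_MAX_MATURITY = 3      # 3 and lower are known gaps
UNTESTED_MATURITY = 4     # implemented everywhere but never tested

# Constructed register (assumption): framework requirement -> policy, maturity,
# likelihood and impact on a 1 (very low) .. 5 (very high) scale.
# A row with "omit" records why a requirement does not apply (step 2).
CONTROLS = [
    {"req": "PR.AC-1", "policy": "IAM-01",  "maturity": 5, "likelihood": 3, "impact": 4},
    {"req": "PR.AC-4", "policy": "IAM-03",  "maturity": 3, "likelihood": 4, "impact": 5},
    {"req": "DE.CM-1", "policy": None,      "maturity": 0, "likelihood": 5, "impact": 5},
    {"req": "PR.DS-1", "policy": "DATA-02", "maturity": 4, "likelihood": 2, "impact": 5},
    {"req": "RS.RP-1", "policy": "IR-01",   "maturity": 2, "likelihood": 3, "impact": 3},
    {"req": "PR.PT-4", "policy": None,      "omit": "no OT network in scope"},
]

RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def risk_level(likelihood, impact):
    """Constructed heat map (assumption): likelihood x impact -> risk band."""
    score = likelihood * impact
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"

def known_gaps(controls):
    """Step 4: maturity 3 or lower, skipping documented omissions."""
    return [c for c in controls if "omit" not in c and c["maturity"] <= GAP_MAX_MATURITY]

def untested(controls):
    """Level-4 controls: not gaps yet, but not verified either."""
    return [c for c in controls if "omit" not in c and c["maturity"] == UNTESTED_MATURITY]

def prioritize(controls):
    """Step 5: rate each gap, then order by risk band and raw score."""
    rated = []
    for c in known_gaps(controls):
        score = c["likelihood"] * c["impact"]
        rated.append((c["req"], risk_level(c["likelihood"], c["impact"]), score))
    rated.sort(key=lambda r: (RISK_ORDER[r[1]], -r[2]))
    return rated

if __name__ == "__main__":
    for req, level, score in prioritize(CONTROLS):
        print(f"{req:<10}{level:<10}score={score}")
    print("untested:", [c["req"] for c in untested(CONTROLS)])
```

The output lists the critical and high gaps first, which is the input to step 6, and keeps the level-4 controls in a separate "test before deciding" bucket.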
Having a cybersecurity plan that continually finds and remediates security gaps strengthens your position to fend off attacks. It also assures your executives, board members, auditors, and clients that you take cybersecurity seriously. But, finding gaps can be a daunting process. Revolutionary Security can help you perform this task and add value by providing solid remediation solutions. Request a consult today.