Updated: Nov 13, 2020
This blog post is a continuation in our series on Cyber Safety. In this article we explore several guidelines, standards, and frameworks available to help organizations realize their cyber safety goals.
We will begin with a framework from The Canadian Centre for Cyber Security followed by three from the US, and one from the International Standards Organization (ISO).
Let’s start with the Canadian program.
CyberSecure Canada Program
The Canadian Centre for Cybersecurity is a valuable source for companies of any size who want to strengthen their defenses.
On their site you will find a Cyber Secure Canada Program which is a federal cyber certification program that aims to raise the cyber security baseline among small and medium enterprises (SMEs) in Canada.
The desired outcome of this program is to increase overall confidence in the digital economy, and promote international standardization that better positions organizations to compete globally, and I would add locally as well.
Certification requires an implementation of a set of baseline controls (v1.2) . These provide an excellent set of initial risk measures specifically designed for small and medium sized operations.
You will also need to develop a management framework to advance your cybersecurity capabilities beyond the baseline, but otherwise this an excellent place to learn and get started with cybersecurity,
Next we will consider what I call, the triple threat against cyber risk:
Cyber Resilience Review (CRR)
The Cybersecurity & Infrastructure Security Agency (CISA) created what is called the Cyber Resilience Review (CRR) assessment.
This assessment is a no cost, voluntary, non-technical review to evaluate an organization’s operational resilience and cybersecurity practices. The assessment covers 10 activity areas or what you might call capabilities and is available as a self-assessment tool. It is also designed to measure existing organizational resilience and provide a gap analysis for improvement based on recognized best practices. The self-assessment tool and practice guidelines are available for free on-line.
A CRR will help organizations scope out what is needed to create a roadmap for improvements along with a determination if more detailed assessments should be conducted. It is compatible with other frameworks from NIST discussed below.
Next we will look at what is probably the most common framework used to manage cybersecurity.
NIST Cybesecurity Framework
In response to a presidential executive order issued in 2013, the National Institute of Standards and Technology in collaboration with government and private sectors developed a cybersecurity framework that focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s overall risk management process.
NIST CF consists of three parts, the core, the profiles, and implementation tiers covering 5 functions: Identify, protect, detect, respond, and recover.
This is a very popular framework, particularly if you are a technology and information sectors. It is risk-based and not a one-size fits all strategy intended to be adapted by organizations based on their level of risk and safety obligations.
Cybersecurity Capability Maturity Model (C2M2) Program
The Department of Energy (DOE) developed what is known as C2M2 which is becoming one the most important tools in assessing the cybersecurity posture of organizations in the energy sector and organizations in highly-regulated, high risk industries.
C2M2 focuses on the implementation and management of cybersecurity practices associated with the information technology (IT) and operations technology (OT) which are often managed separately within these industries.
C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high enough level, so that it can be interpreted by organizations of various types, structures, sizes, and industries.
C2M2 differentiates between technical and management objectives across 10 domains which provides organizations with a holistic perspective and assessment of their cybersecurity program.
The overall intent of C2M2 is to help organizations assess and advance their cyber safety capabilities over time. Self assessment tools and practice guidelines are also available online.
Lastly, we look at what the International Standards Organization (ISO) has to offer.
ISO / IEC 27001
If you already have adopted other ISO programs than this one may align better to your existing management practices.
This management standard is widely known, providing requirements for an information security management system (ISMS) along with supporting standards in the 27000 family providing guidance on individual capabilities and practice domains.
This standard provides the ability to leverage your existing management structure (assuming that it already aligns with other ISO standards) to support technical processes needed to address cybersecurity risk.
Third party certification is attractive to companies as it provides some evidence that they are treating their cybersecurity seriously.
We have looked at various standards, frameworks and guidelines to address management vulnerabilities with respect to achieving cyber safety objectives.
Now, which one should you use and if you are already are using one, how do you improve your effectiveness and improve your cybersecurity performance?
Answering these questions will the topic of our next blog post on cyber safety so stay tuned.