Note: I have updated this workbook to reflect changes in v8 of the CIS Controls framework. Please see this post for more details.

Especially in the small and mid-sized enterprise space, it can be very difficult to persuade customers to spend additional money on their technology investments “because security.” Therefore, education is an important part of your job as an advisor in this area.

Besides being able to paint a picture of “what good looks like” for stakeholders on a conceptual level, you also need to clearly illustrate the risks that their business faces. In other words, you want to be able to highlight the risks that they are choosing to accept by not spending that extra money.

The best way to do this is to perform an initial assessment against a standardized and reputable security control framework such as the NIST Cyber Security Framework (CSF) or the Center for Internet Security (CIS).

One extremely valuable resource that I like to use is a free “Initial Assessment” tool published by AuditScripts. It’s wonderful, and I encourage you to check it out.

The workbook goes into good detail on each of the 20 critical controls laid out by CIS, in three separate “Implementation Groups” (IGs).

Image credit: Center for Internet Security

For each group, you have a set of recommended actions or “to-do’s.” Using the tool you can report on whether the control is implemented, whether there is a policy backing the control, and you may indicate whether you have this control automated and reported to the business. All of these responses have varying degrees of “completeness” that you can choose from, such as “Informal policy” vs. “Approved written policy.” In turn these responses roll up into some nice reporting and a dashboard that does a really nice job of illustrating an organization’s maturity and currently accepted risk level.
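To make the roll-up concrete, here is an added example (not the AuditScripts workbook or any CIS scoring method) that models the same kind of per-control responses described above: implemented or not, the level of policy backing, whether the control is automated and whether results are reported to the business. The weights, the `ControlResponse` structure and the sample responses are all assumptions constructed for illustration; the point is how individual answers become a per-IG maturity percentage and an explicit list of the controls whose absence the business is accepting.

```python
"""Roll up CIS-style control self-assessment responses into a maturity score.

Added example: the weights below are an assumption for illustration,
not the scoring that AuditScripts or CIS actually use.
"""
from dataclasses import dataclass
from enum import IntEnum


class PolicyLevel(IntEnum):
    """How formal the policy backing a control is."""
    NONE = 0
    INFORMAL = 1          # "Informal policy"
    APPROVED_WRITTEN = 2  # "Approved written policy"


@dataclass(frozen=True)
class ControlResponse:
    control_id: int      # CIS control number (1..20)
    group: int           # Implementation Group (1, 2 or 3)
    implemented: bool
    policy: PolicyLevel
    automated: bool
    reported: bool       # results reported to the business


# Assumed weights (they sum to 100 for a fully "complete" control).
W_IMPLEMENTED = 40
W_POLICY_PER_LEVEL = 15   # informal = 15, approved written = 30
W_AUTOMATED = 15
W_REPORTED = 15


def control_score(r: ControlResponse) -> int:
    """Completeness score 0..100 for a single control response."""
    return (
        (W_IMPLEMENTED if r.implemented else 0)
        + W_POLICY_PER_LEVEL * int(r.policy)
        + (W_AUTOMATED if r.automated else 0)
        + (W_REPORTED if r.reported else 0)
    )


def rollup_by_group(responses):
    """Average completeness per Implementation Group, rounded to one decimal."""
    totals = {}
    for r in responses:
        s, n = totals.get(r.group, (0, 0))
        totals[r.group] = (s + control_score(r), n + 1)
    return {g: round(s / n, 1) for g, (s, n) in sorted(totals.items())}


def accepted_risk(responses):
    """Controls that are not implemented: the risk the business is accepting."""
    return sorted(r.control_id for r in responses if not r.implemented)


def unbacked_controls(responses):
    """Implemented controls with no policy behind them (likely to drift)."""
    return sorted(r.control_id for r in responses
                  if r.implemented and r.policy is PolicyLevel.NONE)


# Constructed sample responses (not real assessment data).
SAMPLE = [
    ControlResponse(1, 1, True, PolicyLevel.APPROVED_WRITTEN, True, True),
    ControlResponse(2, 1, True, PolicyLevel.INFORMAL, False, False),
    ControlResponse(3, 1, False, PolicyLevel.NONE, False, False),
    ControlResponse(4, 1, True, PolicyLevel.NONE, True, False),
    ControlResponse(5, 2, True, PolicyLevel.APPROVED_WRITTEN, False, True),
    ControlResponse(8, 2, False, PolicyLevel.INFORMAL, False, False),
    ControlResponse(16, 3, True, PolicyLevel.APPROVED_WRITTEN, True, False),
]

if __name__ == "__main__":
    for g, pct in rollup_by_group(SAMPLE).items():
        print(f"IG{g}: {pct}% complete")
    print("Accepted risk (not implemented):", accepted_risk(SAMPLE))
    print("Implemented but no policy:", unbacked_controls(SAMPLE))
```

The two list functions are the part worth showing a stakeholder: a maturity percentage is easy to shrug off, but a named list of unimplemented controls, and of controls that only work because one person remembers to do them, is the "risk you are choosing to accept" in plain terms.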