21 May Increasing Federal Cybersecurity and Privacy Program Maturity: Program and Technical Baselining
By Dan Chandler, CISO
Over the past few months, we have been sharing information about how Federal Departments and Agencies (D&As) can improve the maturity of their cybersecurity and privacy programs. In May, Criterion announced CyberScale™ , its U.S. patent-pending compliance and risk management solution designed to help Federal D&As meet this challenge.
CyberScale incorporates a five-step process to help customers build, adapt, and implement a flexible roadmap to continuously improve their overall Cybersecurity and Privacy (CS&P) programs, operations, projects, or systems:
- Program and Technical Assessment
- Program and Technical Review
- Program and Technical Baselining
- Client Debriefing
By following the links for 1 and 2 above, you will find articles I have written about those steps. Today, I am going to cover step 3: Program and Technical Baselining. Based upon the review results, Federal organizational management will be able to make well-informed, risk-based decisions regarding CS&P-related activities.
Top Down and Bottom Up Approach
For effective enterprise CS&P compliance and risk management, organizations should combine a top-down and bottom-up approach. A top-down approach includes an executive and senior leadership view of organizational CS&P maturity and gaps across the enterprise. A bottom-up approach enables you to perform reviews/assessments against various targets within your enterprise to identify potential CS&P program, operations, projects, or systems-related gaps and risks.
Review Format and Objectives
The cybersecurity program and operations review format is structured to reflect Criterion’s process requirements as well as our experience of where CS&P programs and projects often run into difficulty. It also includes the review of best practices and lessons learned derived from numerous NIST Special Publications (SP), our past experience, and other applicable recommendations and guidelines, such as current (2019) FISMA, OMB, DHS, and OIG/CIGIE criteria.
One of the primary objectives of conducting a review is to get a snapshot of where the federal organizations is in their CS&P program implementation. Another objective is to identify existing program weaknesses and provide appropriate mitigation strategies to correct or remediate the findings and to strengthen the overall CS&P program.
Establishing a Baseline or Risk Level for Each Program
In order to establish a baseline or risk level for each program, Criterion pursues the following activities:
- Conduct Analysis and Evaluation – Criterion starts with a review of the most basic and core elements of the organizational mission/business and CS&P program with a focus on the CSF core areas – Identify, Protect, Detect, Respond, and Recover – and their associated category levels.
- Determine Environmental Influences & Constraints – Much of this is provided via the documentation review and interviews in step 2.
- Determine CS&P Framework Profile Levels – The CS&P Framework Profile or risk level considers and incorporates cyber threats directed at the organization; the type, the volume, the complexity of the organization’s mission, business, and operations; and the current implemented security controls.
- Determine CS&P Maturity Levels – The CS&P Maturity Level considers and incorporates the effectiveness of the organization’s CS&P program or project on a spectrum in which the foundation levels ensure that the organization develops sound CS&P policies and procedures and the advanced levels capture the extent that the organization has institutionalized those CS&P policies, processes, and procedures.
Developing and Delivering Findings and Recommendations
Once the review is complete, Criterion develops and documents the initial set of CS&P findings including mitigation strategies, options, and recommendations. These CS&P findings are defined as a potential vulnerability, weakness, or deficiency/discrepancy that could result in accidental or intentional unauthorized modification, disclosure, destruction, and denial of service to the information or information system through the entire life cycle.
- A vulnerability is defined as an omission, gap, or failing in information system security design, policies, procedures, implementation, or internal controls.
- A weakness is defined as a flaw, fault, defect, or weak point in information system security design, policies, procedures, implementation, or internal controls.
- A deficiency or discrepancy is defined as a variation or non-compliance that deviates from the stated or approved standard or norm such as a Federal organizational security baseline configuration document.
We analyze the results of the CyberScale review to develop a list of potential Federal organizational recommendations with specific remediation actions or mitigation strategies based on applicable requirements or guidance, accepted best practices, or lessons learned. We notify the Federal organizations immediately if the review reveals any critical finding or event that would require their immediate intervention.
Finally, we present our initial findings to the customer. The end goal is to provide a repeatable and measurable process to evaluate CS&P Framework Profile or risk level over time to ensure the organizational C&SP Maturity Level is properly aligned based upon its approved risk tolerance/appetite.