
Cybersecurity Health Check-up

Mueller Prost

February 04, 2020

Cybersecurity health is a fundamental component of an organizational cybersecurity program. All organizations should have regular cybersecurity health check-ups of their technology environment to determine cybersecurity risks and threats. A cybersecurity health check-up gives executive leadership and management the ability to determine the organization's cybersecurity posture and, if needed, set a course of action to improve it.

Background

Our process can be used to identify, estimate, and prioritize risk to organizational operations (mission, functions, image, and reputation), organizational assets, individuals, other organizations, and customers, resulting from the operation and use of information technology. The purpose of a cybersecurity health check-up is to inform decision makers and support risk responses by identifying gaps in the cybersecurity program. The end result is a determination of cybersecurity program health that can be used to develop a roadmap to remediate or mitigate the identified gaps and protect your organization.

A cybersecurity health check-up should be part of an organization's enterprise risk assessment process. Our health check-up analyzes the risks based on a standard set of cybersecurity controls. Each control is rated as either 'in place', 'partially in place', 'not in place', or 'not applicable' to your environment. Recommendations are made to either remediate or mitigate any issues discovered. Corrective action plans are created with milestones to track implementation.

Our Approach

Our best-in-class approach to assessing risks and threats within an organization is to use industry standard best practices combined with a team of subject matter experts. We have developed a cybersecurity health check-up process specific to the manufacturing industry. We use a combination of National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and Instrumentation, Systems, and Automation Society (ISA) guidance to develop our risk assessment process.

Our approach is broken into three distinct phases:

Phase 1 – Conduct Assessment Interviews

Interviews are conducted with key stakeholders to assess the cybersecurity posture as aligned with industry standards. We will gather and analyze the 16 cybersecurity areas outlined below:

  • Organizational Security
  • Regulatory
  • Network Security
  • Software/Application Development
  • Personnel Security
  • Physical & Environmental Security
  • Integrity Management
  • Identity/Intellectual Property Theft Prevention Programs
  • Privacy
  • Incident Response
  • Confidentiality
  • Cloud Usage
  • Information Management
  • Business Continuity
  • Configuration Management
  • Third Party Vendors

We will analyze the data gathered during this phase to assess for any issues or gaps.

Phase 2 – Analysis of Data

Using the data gathered from key stakeholders in Phase 1, we will analyze the results to determine gaps or areas for improvement. From this analysis we will develop an executive summary with detailed observations. This information will form the basis of a cybersecurity health roadmap, which will list the detailed observations for every control identified as not in place and suggest corrective action steps to remediate the gap or mitigate the risk of the missing control.

Phase 3 – Implementation of Remediation Efforts (Optional)

At a minimum, Phase 3 will include the management and execution of all tasks specific to the remediation strategy and the associated gaps observed. Some remediation can be performed quickly, while some will require the development of plans of action and milestones to ensure the corrective action noted stays on track and is completed on time. Tasks may include, but are not limited to: making vendor selections across various technologies, negotiating with vendors for the best price, determining an appropriate support strategy, developing a cybersecurity program, providing a set of options for a financial strategy related to the cybersecurity program, and working with your organization's current technology staff to correctly align with the future state operating model.

Typical Project Timeline

Within most single-site organizations, we can perform Phases 1 and 2 over a couple of days. Phase 3 is included for illustrative purposes and, depending on the observations discovered, could extend significantly into the future.

Contact us to explore whether now is the right time to conduct a check-up on your organization.
