This is a follow-up to my previous blog post, The Importance of Cybersecurity Compliance. In that article, I explained why organizations of all types and sizes should embrace good cybersecurity practices to protect their organization’s people and information assets. I also outlined three of the many cybersecurity compliance frameworks that provide best-practice guidance for achieving good cyber-health (ISO, NIST, and CMMC).
In this follow-up, I provide some high-level guidance on how to ensure effective cybersecurity compliance across your organization. The end goal of performing these internal assessments (gap analysis) is to prepare your organization for the formal external audit that will grant the desired credentials confirming cybersecurity compliance.
Getting Traction toward Ensuring Compliance
The most effective first step on the road to good cyber-health is to determine the current state. A Cybersecurity Gap Assessment will provide detailed metrics on how your organization measures up to the chosen framework. If an organization has the skilled staff available, this Assessment can be done in-house.
Most of the time, however, skilled staff are already committed to internal mandates, or the organization wants the Assessment performed by an external consultant who has done this many times and can offer the unbiased assessment your organization needs to properly determine its cyber-health.
General Framework Structures
A typical cybersecurity framework has this general structure:
Framework – The standard being assessed against (e.g., NIST SP 800-53)
Domain – A high-level practice area within that framework (e.g., “Access Control”)
Control – The test(s) that ensure a policy, process, or procedure is followed (e.g., “Remote Access”)
Not every domain/control combination needs to be addressed, as this depends on your organization’s business goals, compliance budget, and overall risk tolerance. The consultant performing the gap analysis will assist you in determining which framework/domain/control combinations are in-scope and make sense for the high-level goals of the organization.
It is important to remember that your organization can choose to be assessed against more than one cybersecurity compliance framework at the same time. You need not limit yourself to one. As an example, the most restrictive controls of the several chosen framework/domain/control combinations can be used to ensure you are pushing the compliance bar as high as it can go.
The deliverable to management for this phase is the “Scoping Report.” It will describe the compliance framework(s) and in-scope domains and controls that will be the subject of the Gap Assessment.
Once the scope of the analysis has been agreed upon, the consultant will be able to organize the goals and specific outcomes of the Gap Assessment.
Depending on the chosen framework, you will need to provide the consultant with one or more pieces of “objective evidence” to show that the organization is meeting each in-scope control. The evidence can be written, oral, provided via virtual meeting, or even by “shoulder surfing” where the consultant observes the relevant subject matter expert (SME) performing the task that meets the control.
The consultant will record the exact description, method, and location of each piece of objective evidence that was provided to meet each control.
Exceptions (Gaps) Summary
Once all evidence has been presented to and catalogued by the consultant, a detailed analysis is performed and the exceptions (gaps) are detailed in specific reports. For an ISO 27001 Gap Analysis, the exceptions found are detailed in a CAR (Corrective Action Report). In the NIST world, the same information is recorded in a POA&M (Plan of Action and Milestones) Report. The purpose of these reports is to state explicitly what additional work the organization must perform, and why, in order to provide sufficient objective evidence to satisfy a specific control.
As stated at the beginning of this article, the primary purpose of performing an internal gap analysis is to prepare the organization for a formal external assessment that will be performed either by the sanctioning body or a firm certified in providing such formal assessment services. Without performing an internal gap analysis, your organization risks having the desired certification declined by the sanctioning body.
In some cases, if an organization provides proper documentation showing that the exceptions (gaps) discovered are being remediated, the external auditor will most likely accept them on the condition that the stated remediation timelines are met. This is the case with a NIST POA&M Report. On the other hand, with the Cybersecurity Maturity Model Certification (CMMC), no exceptions are allowed: the organization seeking certification either passes or fails the audit. This drives home the value of performing an internal gap analysis ahead of the formal external assessment.
Your organization will use the results of the gap analysis to remediate all discovered exceptions in advance of the formal external assessment. If your organization has the skilled staff available to perform such remediation, the external consultant should be called back to review the results of their work. If your organization does not have the skilled staff available, the consultant could be retained to assist in closing the compliance gaps.
The Final Summary
Regardless of whether the organization uses its in-house staff or an external consultant to close (remediate) all discovered compliance gaps, the results of that remediation should be examined by the same individual who performed the original assessment. This confirms that all exceptions have been adequately addressed and that the organization is ready for the formal external audit.
To close the engagement, the in-house staff or consultant should prepare and deliver a formal summary report stating all elements of the engagement and the final results.
How Does My Company Get Started?
The information in this article has been intentionally abbreviated and generalized so as to not go beyond the length and purpose of a typical “blog.” There are many other elements involved in the selection and performance of a formal Cybersecurity Gap Assessment to achieve compliance.
If your organization does not have the internal bandwidth to perform a thorough analysis, consider employing the services of an experienced Cybersecurity Compliance Consultant who can obtain the desired results with minimal impact to your staff and operations. Complete the form below to reach me for additional information.