February 13, 2024

Everyone is talking about cybersecurity risk management (CRM) plans, but are they important, or are they just another ploy designed to deplete your resources and raise your stress? As it happens, they are important. Vital, actually. A well-designed plan lets an organization focus on operations and on staying resilient during an emergency, rather than spending energy on what-ifs.
That’s why CRM plans are not only a topic at industry and organization meetings everywhere these days; whole conferences, like the Gartner Security & Risk Summit, focus on them. Do you have one? Who helped you build it? Why don’t you have one? When will you have one? How did your team decide what to include? It’s enough to drive a person mad. But it doesn’t have to be maddening. A plan is just that: something created in steps and parts and executed the same way, in an orderly fashion.
The plan your brother-in-law’s bank uses will differ in detail from the one your city’s utility uses, but both build on the same framework. That framework comes from the National Institute of Standards and Technology, better known as NIST. NIST develops standards and guidelines for technology, communications, engineering and myriad other fields, including cybersecurity, which touches every other industry and field of study. It is a well-respected body staffed with experts. The framework it recommends is the gold standard and is implemented everywhere from school districts to manufacturing plants to IT companies.
Like any well-developed, measurable, scalable plan, NIST’s Risk Management Framework (the RMF, described in NIST SP 800-37) lays out seven key steps organizations should follow to ensure their cybersecurity plan includes a strong risk management component. How each step plays out depends on the organization, but the steps themselves are:
| STEP | PURPOSE |
|---|---|
| PREPARE | Essential activities to prepare the organization to manage security and privacy risks |
| CATEGORIZE | Categorize the system and the information it processes, stores, and transmits based on an impact analysis |
| SELECT | Select, tailor, and document the controls that protect the system based on risk assessment(s) |
| IMPLEMENT | Implement the controls and document how they are deployed |
| ASSESS | Assess whether the controls are in place, operating as intended, and producing the desired results |
| AUTHORIZE | A senior official makes a risk-based decision to authorize the system to operate |
| MONITOR | Continuously monitor control implementation and risks to the system |
Let’s break each of the steps down into plain language:
- Prepare—Identify your most valuable digital assets: computers, networks, company systems, data, and anything else a cybercriminal might target. Accurate inventories are vital to effective protection and are a key input to risk assessments. You have to know what you have in order to know what needs protecting.
- Categorize—Use the FIPS 199 method to rate the impact of a loss of Confidentiality, Integrity, and Availability as Low, Moderate, or High. Start from the provisional levels for each information type the system handles, adjust them with a documented rationale where your situation warrants it, and take the highest level for each objective. The system as a whole then takes the highest of the three (the “high water mark”), and that single level drives baseline selection in the Select step. NIST’s “cheat sheet” of provisional levels by information type or function is SP 800-60 Volume 2. Find it here: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-60v2r1.pdf
- Select—Every organization has different needs, even those in the same field. Control selection follows one of two approaches: “Whack-A-Mole,” trying to predict EVERY risk and putting in a control to stop each one, or a structured approach, adopting a framework based on your company’s regulatory, contractual, insurance, and other organizational risk requirements. We help clients take the structured approach.
A risk assessment is the best way to determine which controls are right for you. Supply chain firms have different vulnerabilities than universities. Cybersecurity regulations vary by industry and service. Hundreds of frameworks exist, with more than 25 in regular use across industry. We can help you choose the most appropriate one and tailor it to your organization to reduce blind spots and move more quickly from risk discovery to management and mitigation. It is essential to have a team that understands cybersecurity compliance creating, or assisting in the creation of, your plan so that you choose the correct controls.
- Implement—In an ideal world, plans are wholly created and then fully implemented in one step, from an idea to a secure fortress in one fell swoop. In the real world of budgets and constraints, controls are selected based on necessity and implemented in phases, from initial to defined, and ultimately to optimized. Each stage takes time, effort, and buy-in. Commonly, reaching stage three takes about three years. Documenting when and how each control is deployed is key to eliminating confusion and ensuring the work can be repeated.
The first three stages are where a plan matures most. The initial phase is just that: the beginning. The process is reactive and unpredictable, and the work consists of identifying what you aren’t doing and developing an approach toward a mature plan. In the repeatable phase the process is still often reactive, but it has been characterized for individual projects. The third phase, defined, is the year-three maturity target: the process is now proactive and characterized for the whole organization. Fewer people lose sleep once the plan reaches phase three. Two phases remain, managed and optimized, but they are the downhill side of the climb.
Your cybersecurity is only as strong as its weakest link. Establish coverage, and knowledge of which controls are missing, first; then build an implementation schedule to mature toward the desired end state over time.
- Assess—Determine whether the controls ARE in place, how mature they are, and whether they are producing the desired results. Penetration testing, a simulated ransomware response, even phishing exercises all help measure the efficacy of the plan.
- Authorize—An executive or other senior leader signs off on the plans, policies, and procedures, formally accepting the risk that remains. Different firms will make different choices about aspects of their plan, and some residual risk always remains, no matter how strong the plan or how expert the team.
- Monitor—The cybersecurity risk management plan is a living document. As threats change and companies evolve, the plan needs to change and evolve, too. What worked for a six-month-old start-up must be revamped to protect a five-year-old growing concern. Many aspects of monitoring can be automated, but some, like tracking regulatory changes, require hands-on effort. Monitoring takes two forms. Security threat monitoring watches for precursors and indicators of compromise, which becomes possible only once the controls are in place to produce that telemetry. Policy monitoring ensures that your people are actually following the policies, plans, and procedures.
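The Categorize and Select steps above are the only part of the process mechanical enough to show in code, so here is an added worked example (not code from the Gray Analytics post) of the FIPS 199 high-water-mark categorization it describes: provisional impact levels per information type, an optional documented adjustment, the per-objective and overall system levels, and the SP 800-53B baseline that overall level points to. The information types, their levels, the adjustment rationale and the system name are all constructed for illustration.

```python
"""Security categorization in the FIPS 199 / SP 800-60 style.

Added worked example, not code from the Gray Analytics post. The information
types, their provisional impact levels, the adjustment and the system name are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

LEVELS = ("LOW", "MODERATE", "HIGH")            # FIPS 199 impact levels, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _valid(level: str) -> str:
    if level not in LEVELS:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")
    return level


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its provisional impact
    level per security objective (SP 800-60 Vol. 2 supplies the defaults)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            _valid(getattr(self, obj))


@dataclass(frozen=True)
class Adjustment:
    """A documented change to one provisional level. SP 800-60 lets you raise or
    lower a provisional level for your context, but only with a written rationale."""
    info_type: str
    objective: str
    level: str
    rationale: str

    def __post_init__(self) -> None:
        _valid(self.level)
        if self.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective {self.objective!r}")
        if not self.rationale.strip():
            raise ValueError("an adjustment without a rationale will not survive assessment")


def high_water_mark(levels: Iterable[str]) -> str:
    """The highest impact level present: the FIPS 199 'high water mark' rule."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types: list[InfoType],
                      adjustments: Iterable[Adjustment] = ()) -> dict[str, str]:
    """System security category: for each objective, the high-water mark over
    every information type's (possibly adjusted) level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    effective = {t.name: {obj: getattr(t, obj) for obj in OBJECTIVES} for t in info_types}
    for adj in adjustments:
        if adj.info_type not in effective:
            raise ValueError(f"adjustment names unknown information type {adj.info_type!r}")
        effective[adj.info_type][adj.objective] = adj.level
    return {obj: high_water_mark(lv[obj] for lv in effective.values()) for obj in OBJECTIVES}


def overall_impact_level(category: dict[str, str]) -> str:
    """FIPS 200 overall system impact level: the high-water mark across C, I and A.
    This single level is what selects the starting baseline in the Select step."""
    return high_water_mark(category.values())


def select_baseline(level: str) -> str:
    """Name of the SP 800-53B control baseline matching the overall impact level."""
    return f"SP 800-53B {_valid(level).capitalize()} baseline"


def fips199_notation(system_name: str, category: dict[str, str]) -> str:
    """Render the category in the FIPS 199 'SC' notation used in system security plans."""
    body = ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items())
    return f"SC {system_name} = {{{body}}}"


# Constructed sample input: a small payroll system handling three information types.
SAMPLE_TYPES = [
    InfoType("employee records", "MODERATE", "MODERATE", "LOW"),
    InfoType("payroll disbursement", "LOW", "HIGH", "MODERATE"),
    InfoType("public benefits FAQ", "LOW", "LOW", "LOW"),
]
# Constructed adjustment: the organization judges that a corrupted pay run is
# caught by reconciliation before money moves, so integrity is lowered one level.
SAMPLE_ADJUSTMENT = Adjustment(
    "payroll disbursement", "integrity", "MODERATE",
    "Daily reconciliation against the general ledger catches corrupted runs before disbursement.",
)

if __name__ == "__main__":
    for adjustments in ((), (SAMPLE_ADJUSTMENT,)):
        category = categorize_system(SAMPLE_TYPES, adjustments)
        level = overall_impact_level(category)
        print(fips199_notation("payroll system", category))
        print(f"  overall impact {level} -> {select_baseline(level)}")
```

Run as-is, the unadjusted payroll system comes out HIGH because a single information type is HIGH for integrity; the one documented adjustment drops the whole system to MODERATE and therefore to a smaller baseline. That is exactly why the adjustment rationale is mandatory in the code: an assessor will ask why a level was lowered, and “it was cheaper” is not an answer that survives the Assess step.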
A complete cybersecurity program includes a thorough, tested cybersecurity risk management plan that minimizes what-ifs and provides peace of mind. Knowing that steps are in place in case of emergency lets your organization focus on operations and growth. Gray Analytics, a trusted cybersecurity firm, can test, assess, and mature your current plan or help you create one. If you haven’t yet begun to formulate a plan, we can help you build one and train you to use it effectively.
Depending on your needs, the steps are more or less involved, but all of them are necessary. The NIST framework is the basis for the specifications each industry requires. Following it means following a proven plan, developed with the cyber safety of every system in the country in mind.