TÜV Rheinland Blog - Insights from Asia and Africa

How To Conduct a Self-Assessment to Find Gaps in Your Cybersecurity Framework

Posted by TUV Rheinland on Jun 15, 2019 12:00:00 PM

The first step in solving any problem is knowing that there is a problem. One technique for finding problems in the information security space is a NIST CSF assessment.


What is the NIST Cybersecurity Framework?

According to the National Institute of Standards and Technology (NIST), the Cybersecurity Framework (NIST CSF) is a “voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risk”.

The Cybersecurity Framework’s prioritised, flexible, and cost-effective approach helps promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. The same Framework is also well suited to identifying the gaps between what an organisation does today and what the NIST CSF calls for.

After gaps are identified, an organisation must analyse the risk each gap represents, to decide what needs to be done and to build a plan of action and milestones (POA&M) report.


Gap assessment definition and overview

Conducting the gap assessment involves six easy steps:

1.  Identify Subject Matter Experts

The first step is to identify your subject matter experts (SMEs). The SMEs can be internal employees or an external consulting firm. There is no reason why you and your company cannot do the gap assessment on your own, which saves money in your budget. Your internal staff know your organisation best, so listen to them first.

However, if your organisation does not have the capacity to conduct the gap assessment, then an external party will definitely help. Look for an external party that wants to do a full knowledge share, meaning a firm that does not want to stay on your payroll. Look for teachers, not just fancy sales folks.

2.  Collect Data

Now that you have a spreadsheet, or some other tool, ready to collect data, you need to decide “how” you will collect that data before you can determine the “what.”

Three distinct techniques are quick to apply: interviews, documentation review, and testing.

  • Interviews: These are a great way to get a perception of what’s going on. Many times during interviews, the client will tell you what they “think” is going on, but their view may not accurately reflect reality. Their intentions are fantastic, but further review is needed.

  • Documentation review: Review documents against the NIST CSF. Documentation is one of the best ways to illustrate compliance with the NIST CSF. However, the existence of documentation alone does not mean that it is being followed. That’s where testing comes in.

  • Testing (vulnerability scans, verbal walk-throughs): Testing has always been the best way to determine whether the client’s perception of what is being done matches what is actually being done. A favourite testing technique is a walk-through of the control: take one of the documented controls, find the owner of the document and the people who execute it, take a sample (if possible), and discuss the process with the client. This is where the gaps between the perception and the reality of the control implementation show up.

Please note that testing is not a “gotcha” and should never be used that way. We are human, and humans make mistakes. We are always understaffed and never have enough money to cover everything. Never use testing as a bat to beat an employee over the head. Use testing results as an opportunity to coach employees and discuss how to improve.

3. Tie Evidence to Each Subcategory

The NIST CSF version 1.1 breaks down into 108 subcategories, spread across its five Functions. It is important to tie evidence to the right subcategory:

  • Identify has 29 subcategories

  • Protect has 39 subcategories

  • Detect has 18 subcategories

  • Respond has 16 subcategories

  • Recover has 6 subcategories

A subcategory is the unit of assessment in the NIST CSF: an outcome statement that one or more controls satisfy, which is why evidence is tied at that level. It is interesting to note that most of the subcategories, over half (68 of 108), sit in Identify and Protect. These are the basic blocking and tackling controls that every organisation must have to put up a good defence against a wickedly strong and malicious offence.

4.  Review the Evidence and Determine Gaps

During data collection and the tying of evidence, you will usually start to see gaps. Each gap should be documented and clearly discussed with its owner.

5.  Prioritise Gaps and Create Plan of Action and Milestones (POA&M) Document

Risk levels assigned from qualitative input alone are highly subjective. Use Factor Analysis of Information Risk (FAIR) to put cybersecurity and operational risk on a quantitative footing, expressed as loss event frequency and loss magnitude. To learn how to implement the FAIR methodology in your risk programme, see the white paper linked from the original article.

Once the gaps are evaluated for risk, the POA&M can be created to help leadership to effectively use their limited resources with more precision.

6.  Executive, Management, and Technical report generation

The final step is to generate a report, but not just one report. There should be three individual, but related, reports:

  • Executive Report: a summary of 2-3 pages of the risks and the action plans that leadership needs to take.

  • Management Report: a little more detailed, but leaves out the actual workpapers and technical jargon.

  • Technical Report: the actual Plan of Action and Milestones, along with instructions on how to mitigate each technical risk.

The reporting is the culmination of all the work completed. It also sets the direction for the identification of risk and for corrective actions.
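The six steps above, as one added worked example (not part of the original post, and not TÜV Rheinland's or OpenSky's tooling): a small Python model of the evidence spreadsheet from step 2. It ties evidence to real CSF v1.1 subcategory identifiers (step 3), classifies each row by the strongest evidence collected so that interview-only and documentation-only rows surface as unverified rather than passing (steps 2 and 4), measures coverage against the full 108-subcategory count so forgotten rows still count as gaps, and orders the resulting POA&M by expected annual loss (step 5). The register rows, owners and loss estimates are constructed for illustration. Only the top-level FAIR product (loss event frequency × loss magnitude) is modelled, not FAIR's full decomposition.

```python
from dataclasses import dataclass, field

# Subcategory counts per Function in NIST CSF v1.1 (108 in total), as given in the post.
CSF_V11_SUBCATEGORY_COUNTS = {"ID": 29, "PR": 39, "DE": 18, "RS": 16, "RC": 6}
assert sum(CSF_V11_SUBCATEGORY_COUNTS.values()) == 108

EVIDENCE_KINDS = ("interview", "documentation", "test")


@dataclass
class SubcategoryRecord:
    """One row of the evidence register: a CSF subcategory and what was collected for it."""
    subcategory: str                            # real CSF v1.1 identifier, e.g. "PR.AC-1"
    owner: str = ""                             # control owner found during the walk-through
    evidence: set = field(default_factory=set)  # subset of EVIDENCE_KINDS


def classify(rec: SubcategoryRecord) -> str:
    """Turn collected evidence into a gap status, following the post's ordering:
    an interview is a perception, a document is a claim, a test is proof."""
    unknown = rec.evidence - set(EVIDENCE_KINDS)
    if unknown:
        raise ValueError(f"{rec.subcategory}: unknown evidence kind(s) {sorted(unknown)}")
    if "test" in rec.evidence:
        return "verified"
    if "documentation" in rec.evidence:
        return "unverified"      # documented, but not yet shown to be followed
    if "interview" in rec.evidence:
        return "perception"      # only what the client thinks is happening
    return "gap"                 # nothing collected at all


def function_of(subcategory: str) -> str:
    """'PR.AC-1' -> 'PR'; rejects identifiers whose Function is not one of the five."""
    fn = subcategory.split(".", 1)[0]
    if fn not in CSF_V11_SUBCATEGORY_COUNTS:
        raise ValueError(f"not a CSF Function prefix: {subcategory!r}")
    return fn


def coverage(register):
    """Per Function: (verified subcategories, total subcategories in the Function).
    The denominator is always the full v1.1 count, so subcategories nobody added
    to the register are still counted as not verified."""
    verified = {fn: 0 for fn in CSF_V11_SUBCATEGORY_COUNTS}
    for rec in register:
        if classify(rec) == "verified":
            verified[function_of(rec.subcategory)] += 1
    return {fn: (verified[fn], total) for fn, total in CSF_V11_SUBCATEGORY_COUNTS.items()}


def find_gaps(register):
    """Every register row that is not backed by a test."""
    return [rec for rec in register if classify(rec) != "verified"]


@dataclass
class RiskEstimate:
    """Top-level FAIR decomposition: risk = loss event frequency x loss magnitude.
    Both figures are analyst estimates; the values used below are constructed."""
    lef_per_year: float      # how often a loss event is expected (events / year)
    loss_magnitude: float    # expected loss per event, in currency units


def expected_annual_loss(est: RiskEstimate) -> float:
    return est.lef_per_year * est.loss_magnitude


def build_poam(register, estimates):
    """Plan of Action and Milestones: one row per gap, ordered by expected annual
    loss so leadership sees where limited resources buy the most risk reduction."""
    rows = []
    for rec in find_gaps(register):
        est = estimates.get(rec.subcategory)
        rows.append({
            "subcategory": rec.subcategory,
            "status": classify(rec),
            "owner": rec.owner or "UNASSIGNED",   # an unowned gap is itself a finding
            "expected_annual_loss": expected_annual_loss(est) if est else 0.0,
        })
    rows.sort(key=lambda r: r["expected_annual_loss"], reverse=True)
    return rows


# Constructed evidence register for a handful of real v1.1 subcategories.
REGISTER = [
    SubcategoryRecord("ID.AM-1", "IT Ops",   {"interview", "documentation", "test"}),  # device inventory
    SubcategoryRecord("ID.AM-2", "IT Ops",   {"interview"}),                            # software inventory
    SubcategoryRecord("PR.AC-1", "IAM team", {"documentation", "test"}),                # identities, credentials
    SubcategoryRecord("PR.AC-4", "IAM team", {"documentation"}),                        # least-privilege access
    SubcategoryRecord("PR.IP-4", "",         set()),                                    # backups
    SubcategoryRecord("DE.CM-8", "SecOps",   {"documentation", "test"}),                # vulnerability scanning
    SubcategoryRecord("RS.RP-1", "SecOps",   {"documentation"}),                        # response plan executed
]

# Constructed analyst estimates for the gaps found above.
ESTIMATES = {
    "ID.AM-2": RiskEstimate(lef_per_year=2.0,  loss_magnitude=20_000),
    "PR.AC-4": RiskEstimate(lef_per_year=0.5,  loss_magnitude=150_000),
    "PR.IP-4": RiskEstimate(lef_per_year=0.25, loss_magnitude=800_000),
    "RS.RP-1": RiskEstimate(lef_per_year=1.0,  loss_magnitude=30_000),
}

if __name__ == "__main__":
    for fn, (done, total) in coverage(REGISTER).items():
        print(f"{fn}: {done}/{total} subcategories verified")
    for row in build_poam(REGISTER, ESTIMATES):
        print(f"{row['expected_annual_loss']:>10,.0f}  {row['subcategory']:<8} {row['status']:<11} {row['owner']}")
```

The coverage figures feed the executive report, the ordered POA&M feeds the management and technical reports, and the status column records why each row is a gap (nothing collected, interview only, or documented but untested), which is the distinction the walk-throughs in step 2 exist to surface.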


Every organisation needs a Cybersecurity framework

The bottom line is that nearly every organisation needs a Cybersecurity Framework to ensure information security. Without one, leadership has no alternative but to shoot from the hip and potentially waste valuable resources on initiatives that do not improve data security. A Cybersecurity Framework, regardless of the standard used, sets direction for an organisation.

Conducting self-assessments verifies compliance with the Framework in use. A continuous self-assessment programme ensures alignment, identifies gaps, reveals unknown risks, supports corrective action plans, and ensures the effective use of valuable resources.

Read the full article on OpenSky.


For more information about the execution of a self-assessment, or to know more about how you can strengthen your Cybersecurity framework, contact us today:


Topics: cybersecurity, ICT, AA19_D01_CST