Cybersecurity Risk and Control Maturity Assessment Methodology

In this article I explain a useful method for linking a Cyber Risk Assessment with a Control Maturity Assessment, so that measured control maturity directly affects the Cyber Risk rating for your organization, using the CIS Critical Security Controls (CSC) framework. There is no 100% perfect, silver-bullet solution to this modern challenge, but hopefully this will empower you to begin a Cyber Risk Management journey of your own.

Introduction

Depending on your organization's industry, you may be expected or required to conduct risk assessments appropriate to the organization's size and complexity. The FFIEC (Federal Financial Institutions Examination Council) has produced a Cybersecurity Assessment Tool (FFIEC CAT) that is broad, and suitable for organizations without the experience or expertise to conduct their own tailored risk assessments. The following is a method developed to provide greater detail and alignment with an industry best-practice control framework.

Two Key Ingredients

A Risk Assessment: the determination of quantitative and qualitative estimates of the likelihood and impact of an event, related to a well-defined situation and a recognized threat.

Impact + Likelihood = Inherent Risk

Risk Assessments are a bottom-up approach to identifying the controls that reduce risk. For each risk scenario you document the Threat and Vulnerability rationale, assign a Likelihood and an Impact rating, and record the resulting Inherent Risk score. You then identify controls that reduce either the Likelihood or the Impact. Their control effectiveness scores reduce the risk, and what remains is expressed as Residual Risk.

The other critical thing to validate is the rating scale you will use, including how Likelihood and Impact combine into the Inherent Risk score (the "+" above is shorthand; in practice this is usually a matrix lookup or a product of the two ratings). Whatever you decide on, make sure it is repeatable and transparent, so that two assessors rating the same scenario arrive at the same score.

The other ingredient is the Control Maturity Assessment: the process designed to provide reasonable assurance that control objectives are being achieved (control effectiveness).

Inherent Risk + Control Effectiveness = Residual Risk

In the Information Security and Cyber space these expected controls are well defined by numerous frameworks (ISO, FFIEC, COBIT, NIST, etc.), and most organizations take a top-down approach to implementing and enforcing security controls. Access Management, for example, requiring long passwords and multi-factor authentication for remote (and privileged) access, is a well-defined control. Audit and InfoSec personnel tell organizations these are the controls that should be in place, without reference to the specific risk they address.

How effectively have you deployed those controls? Do they actually reduce the risk? If you only have the controls, and no risk assessment, how do you know your residual risk exposure or where your control gaps are?

In my estimation, these two assessments are most effective when combined.

Some may say that you should conduct the Risk Assessment first, but most of your InfoSec folks are going to say: we KNOW what controls we need to implement; we don't need to make up basic controls on our own, and by the time we finish a risk assessment the bad guys are going to be in our network. Let's use the controls we know we need. Classic chicken-and-egg debate.

We also had to identify a specific Cybersecurity Control Framework to use. We selected the CIS Critical Security Controls framework, which in the version we assessed against has 20 distinct Control Families and 149 controls (later versions renumber and recount the controls, so pin the version you assess against). These range from basic concepts like "Maintain an asset inventory of all systems connected to the network" to more complex User Behavior Analytics, or "anti-exploitation features such as Data Execution Prevention (DEP)". During my research I came across an open source document where the controls had been listed with a rough rating system, so I built upon that and merged this new rating system with the risk assessment.

Below are the final outcomes: the Risk Dashboard and the Control Maturity Dashboard.

You should determine your organization's overall Residual Cyber Risk Appetite so you can tell whether you are within acceptable levels. This view highlights the higher-risk areas where attention should be focused. For all of these dashboards, YOU determine the target state, and an appropriate governance body should codify that Risk Appetite.

The upper left of the Maturity Dashboard gives an overall Maturity Rating index that aggregates the 4 primary rating elements across the 149 controls, and additionally weights effort spent on CSC 1-5, since those foundational controls have the greatest impact on reducing risk to the organization.

The bar charts show the maturity of each control family and make clear which areas need improvement and where resources should be deployed. As you repeat the assessment annually, you can overlay previous assessments to show your progress.

The dashboards pull from 1 risk assessment tab and 20 control assessment tabs (one per control family) within a single Excel workbook. The image below shows the maturity rating for CSC #1. Each control is rated across 4 dimensions, each with 4 levels of maturity, and each level carries a point value that increases with the rating. The 4 dimensions are Control Definition, Control Implementation, Control Automation, and Control Reporting.

The next image shows the additional information gathered to the right of each rating: the assigned Control Owner, and the Control Description explaining what you do today in your organization that meets the CSC control detail, as well as what more needs to be done to improve the maturity of the control.

After you complete this assessment across all 149 controls, you are able to give your Board and management a statement like this:

The Organization's overall level of Inherent Risk has been rated at High. The Company has implemented 130 of the 149 Critical Security Controls (87%). This is a XX% improvement from 2017. Of the 130 controls implemented, 80% have a Maturity rating equal to or greater than Generally Effective. This brings the overall Cybersecurity Residual Risk to Moderate, which is within the Board's defined Risk Appetite.
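To make the arithmetic behind that statement concrete, the following is an added worked example in Python. It is not the author's workbook and does not reproduce its scales; every number in it is an assumption chosen to be repeatable and transparent: Likelihood and Impact rated 1-5 and multiplied into a 1-25 Inherent Risk score banded Low/Moderate/High, four maturity dimensions scored 0-3 each, "Generally Effective" meaning at least half the available points, a 2x weight for CSC 1-5 in the overall index, mapped controls knocking one or two levels off Likelihood or Impact depending on their mean maturity, and the overall rating taken from the worst scenario. The control ids, ratings and scenarios are constructed sample data, not CIS text.

```python
"""Links control maturity to the risk rating. Added example, not the author's
workbook; every scale, threshold and weight below is an assumption."""
from dataclasses import dataclass
from typing import Dict, List

DIMENSIONS = ("definition", "implementation", "automation", "reporting")
MAX_PER_DIMENSION = 3                       # 4 maturity levels per dimension: 0..3 points
MAX_POINTS = MAX_PER_DIMENSION * len(DIMENSIONS)
GENERALLY_EFFECTIVE = 0.50                  # assumed: at least half the available points
RISK_BANDS = ((15, "High"), (8, "Moderate"), (0, "Low"))   # assumed bands on 1..25
BAND_ORDER = ["Low", "Moderate", "High"]
FOUNDATIONAL_FAMILIES = range(1, 6)         # CSC 1-5 weighted 2x in the index (assumed)

@dataclass
class ControlRating:
    control_id: str          # constructed ids such as "CSC 1.1", not CIS text
    family: int              # 1..20
    scores: Dict[str, int]   # dimension -> 0..MAX_PER_DIMENSION

    def maturity(self) -> float:
        """Share of the available points, 0.0..1.0; rejects missing or out-of-range scores."""
        if any(not 0 <= self.scores.get(d, -1) <= MAX_PER_DIMENSION for d in DIMENSIONS):
            raise ValueError(f"{self.control_id}: each dimension needs a 0..{MAX_PER_DIMENSION} score")
        return sum(self.scores[d] for d in DIMENSIONS) / MAX_POINTS

    def implemented(self) -> bool:
        return self.scores["implementation"] >= 1

@dataclass
class RiskScenario:
    name: str
    likelihood: int                  # 1..5
    impact: int                      # 1..5
    likelihood_controls: List[str]   # controls that make the event less likely
    impact_controls: List[str]       # controls that limit the damage once it happens

def risk_band(score: int) -> str:
    return next(label for lo, label in RISK_BANDS if score >= lo)

def inherent_risk(s: RiskScenario) -> int:
    return s.likelihood * s.impact          # Likelihood x Impact on a 5x5 matrix

def _levels_reduced(ids: List[str], controls: Dict[str, ControlRating]) -> int:
    """Levels knocked off Likelihood or Impact by the mapped controls (assumed bands)."""
    if not ids:
        return 0
    mean = sum(controls[i].maturity() for i in ids) / len(ids)
    return 2 if mean >= 0.75 else 1 if mean >= GENERALLY_EFFECTIVE else 0

def residual_risk(s: RiskScenario, controls: Dict[str, ControlRating]) -> int:
    likelihood = max(1, s.likelihood - _levels_reduced(s.likelihood_controls, controls))
    impact = max(1, s.impact - _levels_reduced(s.impact_controls, controls))
    return likelihood * impact

def maturity_index(controls: Dict[str, ControlRating]) -> float:
    """Weighted mean maturity over all rated controls, CSC 1-5 counted twice."""
    weighted = total = 0.0
    for c in controls.values():
        w = 2.0 if c.family in FOUNDATIONAL_FAMILIES else 1.0
        weighted += w * c.maturity()
        total += w
    return weighted / total

def family_maturity(controls: Dict[str, ControlRating]) -> Dict[int, float]:
    """Per-family mean maturity: the numbers behind the dashboard bar chart."""
    by_family: Dict[int, List[float]] = {}
    for c in controls.values():
        by_family.setdefault(c.family, []).append(c.maturity())
    return {f: sum(v) / len(v) for f, v in sorted(by_family.items())}

def board_summary(controls, scenarios, appetite: str = "Moderate") -> dict:
    implemented = [c for c in controls.values() if c.implemented()]
    effective = [c for c in implemented if c.maturity() >= GENERALLY_EFFECTIVE]
    residual = risk_band(max(residual_risk(s, controls) for s in scenarios))  # worst scenario
    return {
        "inherent_risk": risk_band(max(inherent_risk(s) for s in scenarios)),
        "controls_implemented": len(implemented),
        "pct_implemented": round(100 * len(implemented) / len(controls)),
        "pct_generally_effective": round(100 * len(effective) / len(implemented)),
        "maturity_index": round(maturity_index(controls), 3),
        "residual_risk": residual,
        "within_appetite": BAND_ORDER.index(residual) <= BAND_ORDER.index(appetite),
    }

# Constructed sample data: six of the 149 controls and two risk scenarios.
CONTROLS = {c.control_id: c for c in [
    ControlRating("CSC 1.1", 1, dict(definition=3, implementation=3, automation=2, reporting=2)),
    ControlRating("CSC 2.1", 2, dict(definition=3, implementation=2, automation=1, reporting=1)),
    ControlRating("CSC 4.1", 4, dict(definition=2, implementation=2, automation=0, reporting=0)),
    ControlRating("CSC 5.1", 5, dict(definition=3, implementation=3, automation=3, reporting=3)),
    ControlRating("CSC 10.1", 10, dict(definition=2, implementation=0, automation=0, reporting=0)),
    ControlRating("CSC 16.1", 16, dict(definition=3, implementation=3, automation=2, reporting=1)),
]}
SCENARIOS = [
    RiskScenario("Ransomware delivered by phishing", 4, 5,
                 likelihood_controls=["CSC 5.1", "CSC 16.1"], impact_controls=["CSC 10.1"]),
    RiskScenario("Unauthorized device joins the network", 3, 3,
                 likelihood_controls=["CSC 1.1"], impact_controls=["CSC 2.1"]),
]
if __name__ == "__main__":
    print(board_summary(CONTROLS, SCENARIOS))
```

With the sample data the ransomware scenario starts at 4 x 5 = 20 (High); the two well-matured likelihood controls bring it to 2 x 5 = 10 (Moderate), while the unimplemented impact control contributes nothing, which is exactly the gap the dashboard should surface. Note how much hangs on the chosen thresholds: moving GENERALLY_EFFECTIVE to 0.60 would drop "CSC 2.1" out of the effective count and change the board figures without any control actually getting worse. That is why the scale, the weighting and the worst-scenario aggregation rule belong in the codified Risk Appetite, not in an assessor's head.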

As a CISO and Information Security Risk Professional, our job is to educate, advise, and empower the business on all manner of Information Security Risk: to identify the risks, suggest ways to manage and reduce them, and give the Board, Committees, and Management the options to do the same.

As the line commonly attributed to Peter Drucker goes: "You can't manage what you can't measure."

While this tool is imperfect, it should help you empower Control Owners to make real change to the overall risk posture of your organization. Tools like these make your life much easier as a security professional and bring focus to your security efforts. The return on investment for security is not bottom-line revenue; it is reduced financial loss exposure, improved compliance, peace of mind, and the trust of your stakeholders.

You can download the tool here, make your own, or buy a commercial solution.

Good Luck out there!

-Brian Fricke, CISSP, CISM, CCSP, CSSLP

Brian is a business-centric technology professional, specializing in strategic Enterprise Information Operations, Security Policy, and Risk Management. He is currently the Chief Information Security Officer of Bank of the Ozarks. Nothing in this article represents the opinions, policy position, or activities of my employer, or any member institutions. LinkedIn: LinkedIn.com/in/brianrfricke

This tool is provided as-is, without warranty. You should consult with an Information Security professional before making specific investments or control implementation decisions.


Paul Michael Talbot

EVP, FinServ | Emerging/Converging Markets across Accounting, Banking, Finance, Insurance, Investment, Real Estate, & Technology

3 years ago

Brian, thanks for sharing!

Bambang S, MM,M.Kom, MTCNA,MTCRE,EDRP,ECIH,CEH ,PRINCE2,Asesor BNSP, Enterprise Architecture,

Project Manager-Implementator IT (Enterprise Architecture,IT Governance,Business Continuity Management(ISO 22301),ITRisk Management(ISO 31000),IT Service Management(ISO 20000),IT Security Management(ISO 27001),Asesor Kom

5 years ago

Nice article Brian.

M. Zaki Popal

Manager Cybersecurity | MCITP, ISO 27001 LA

5 years ago

Thanks Brian!

Mehdi Raza Mirza

Group Head of Information Security at Liquid Intelligent Technologies

5 years ago

Looks like a great tool

Diana Lane

CISSP | ISSAP | ISSEP | Cybersecurity, Information Security, IT GRC

6 years ago

Thank you for sharing! I really enjoyed your coverage of this at RSA!
