
What would be good assessments of cyber resilience? I imagined something like a score on different topics e.g.:

  1. Data Protection: HIGH RISK

  2. Malware defense: MEDIUM RISK

  3. Application/System Life Cycle: No RISK

  4. Vulnerability management: EXTREME RISK

etc.

Where the risk assessment is the result of subcategories like:

1.1 Backups in place?

1.2 Data Leakage Prevention?

1.3 Access control effective?

or

2.1 Anti virus installed everywhere?

2.2 Anti virus definitions up-to-date?

2.3 Office macros disabled?

My question: Is there a standard for such an assessment? I looked at the ISO 27k series, the French ANSSI, the German BSI and the OWASP project, but I could not find such a metric. These documents do not seem to be technical enough to define a measurable checklist.

For example, the very helpful document http://www.ssi.gouv.fr/en/guide/40-essential-measures-for-a-healthy-network/ contains 42 security measures. However, I find it difficult to create a scoring function out of it.

kiara
    Have a look at the following links please: https://www.cisecurity.org/controls/ and https://www.cisecurity.org/cis-benchmarks/ – alnbhclyn May 29 '19 at 13:48

1 Answer

You are not going to find a standardised metric because that's not how risk works. Figuring out how adverse events will have an impact is the whole point of risk management.

What would present a risk to a major university will be vastly different from what would present a risk to a 3-person app development start-up.

For instance:

2.1 Anti virus installed everywhere?

For a small company that only uses Chromebooks, you can't install AV. And it doesn't matter.

For a university doing sensitive research, you could install AV on the research computers, but then the type of AV might send files to Russia, or the AV might interfere with the proper running of the analysis software. Installing AV would actually increase the risk instead of reducing it. The risk that it is meant to mitigate is that malicious code could be run on a device. AV is just one control to mitigate this risk, and each control can present its own new set of risks.

I'm afraid that there are no shortcuts in risk. You need to understand the adverse events on your people, data, and technology and what impact they might have.

For broad strokes, there are frameworks that rank various controls against each other in general terms.

  • As alnbhclyn shared: CIS Top 20 Critical Security Controls has 3 broad categories of control maturity
  • Cyber Essentials presents a collection of controls in 5 broad categories that the NCSC feels are the most critical to mitigate 80% of the most common cyber risks

You might also look at the NIST CSF that breaks down 108 different activities into Identify, Protect, Detect, Respond, Recover, and you can score yourself on whether you are doing those activities and where you are weak. Be sure to go through each activity to determine how relevant they are to your organisation.

schroeder
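As an added example (not part of the question or the answer above), here is one way to write the category roll-up the question sketches, while keeping the answer's point that a control which does not apply to an organisation must be excluded rather than scored as a failure. The impact weights, the "worst missing control decides the band" rule and both sample organisations are constructed assumptions.

```python
"""Category risk roll-up for a control checklist, with per-control applicability."""
from dataclasses import dataclass

# Risk bands indexed by impact (1..4); index 0 is the "nothing missing" band.
RISK_LEVELS = ("NO RISK", "LOW RISK", "MEDIUM RISK", "HIGH RISK", "EXTREME RISK")


@dataclass(frozen=True)
class Check:
    id: str           # subcategory number as in the question, e.g. "2.1"
    question: str
    applicable: bool  # False when the control makes no sense here (AV on Chromebooks)
    in_place: bool
    impact: int       # 1..4, assumed weight of the adverse event this control mitigates


def category_risk(checks):
    """Return (risk label, detail) for one category.

    Only applicable controls count. The band is set by the highest-impact
    control that is missing, so several trivial passes cannot mask one
    serious gap. A category with no applicable controls is reported as such.
    """
    applicable = [c for c in checks if c.applicable]
    if not applicable:
        return "NO RISK", "no applicable controls"
    missing = [c for c in applicable if not c.in_place]
    if not missing:
        return "NO RISK", "all applicable controls in place"
    worst = max(c.impact for c in missing)
    return RISK_LEVELS[worst], ", ".join(c.id for c in missing)


# Constructed sample data: the question's "2. Malware defense" checks for the
# two organisations the answer contrasts.
CHROMEBOOK_STARTUP = [
    Check("2.1", "Antivirus installed everywhere?", applicable=False, in_place=False, impact=3),
    Check("2.2", "Antivirus definitions up to date?", applicable=False, in_place=False, impact=2),
    Check("2.3", "Office macros disabled?", applicable=True, in_place=True, impact=3),
]
RESEARCH_LAB = [
    Check("2.1", "Antivirus installed everywhere?", applicable=True, in_place=True, impact=3),
    Check("2.2", "Antivirus definitions up to date?", applicable=True, in_place=False, impact=2),
    Check("2.3", "Office macros disabled?", applicable=True, in_place=False, impact=3),
]

if __name__ == "__main__":
    for org, checks in (("Chromebook start-up", CHROMEBOOK_STARTUP), ("Research lab", RESEARCH_LAB)):
        label, detail = category_risk(checks)
        print(f"{org}: Malware defense: {label} ({detail})")
```

Note that the same three checks yield NO RISK for the start-up and HIGH RISK for the lab, which is the answer's argument that the score depends on the organisation, not on the checklist.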