Cyber Security Maturity Assessment
The changing IT landscape and fast-evolving risks to data security make it necessary to safeguard infrastructure, applications and data against internal and external threat vectors that aim to exploit unmitigated system vulnerabilities. Apart from establishing robust security policies and practices, it is imperative to periodically scrutinize whether the controls are performing effectively as intended. This minimizes cyber risk, enhances incident management, and protects the corporation’s brand value and customer confidence.
DNV-GL offers a comprehensive Cyber Security Maturity Assessment service, in which your security posture is objectively and quantitatively measured. It also provides a holistic view of the organization’s cyber resilience, highlighting existing gaps and recommending key action items for a future security roadmap, in order to mitigate unforeseen cyber attacks.
Assessment Methodology:
DNV-GL’s cyber security assessment framework is based on the NIST SP 800-53 rev 4 guidelines, and is customizable to incorporate other cyber security standards such as PCI DSS, HITRUST, etc.
It has an exhaustive set of questions covering the requirements of all five NIST domains (Identify, Protect, Detect, Respond and Recover), 18 control families, 98 sub-categories and 240 control elements. In addition, it has five key evaluation parameters (policy, documentation, tools, automation and accountability) across 22 categories, to measure the as-is status of the organization’s cyber security implementation and its effectiveness.
The Yes / No / NA responses to over 650 questions break down the security rating across the control families and quantitatively represent compliance as a maturity index, where the weight of each response is proportional to the priority of its control as classified in NIST. Information on security practices and on control implementation and effectiveness is gathered along the way, identifying both the gaps and the best practices in the organization’s security practices.
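As an added illustration of the scoring described above (not DNV-GL’s own tooling or weighting), the following Python computes a priority-weighted maturity index per control family from Yes / No / NA answers, excludes NA controls from the denominator, and lists the unmet controls highest priority first. The P1/P2/P3-to-weight mapping, the family codes and the sample answers are constructed assumptions.

```python
from collections import defaultdict

# Assumed mapping of NIST SP 800-53 rev 4 priority codes to weights (not DNV-GL's scheme).
PRIORITY_WEIGHT = {"P1": 3, "P2": 2, "P3": 1}

# Constructed sample answers: (control family, control priority, Yes/No/NA response).
SAMPLE = [
    ("AC", "P1", "Yes"), ("AC", "P1", "No"), ("AC", "P2", "Yes"), ("AC", "P3", "NA"),
    ("IR", "P1", "Yes"), ("IR", "P2", "Yes"), ("IR", "P3", "No"),
    ("CP", "P1", "NA"),  # a family with no applicable controls drops out of the index
]

def _tally(responses):
    """Sum earned and possible weight per family; NA answers count for neither."""
    earned, possible = defaultdict(int), defaultdict(int)
    for family, priority, answer in responses:
        a = answer.strip().upper()
        if a == "NA":
            continue  # not applicable: excluded from numerator and denominator
        if a not in ("YES", "NO"):
            raise ValueError(f"unexpected answer {answer!r} in family {family}")
        weight = PRIORITY_WEIGHT[priority]
        possible[family] += weight
        if a == "YES":
            earned[family] += weight
    return earned, possible

def maturity_index(responses):
    """Per-family index in percent: weighted Yes answers over weighted applicable controls."""
    earned, possible = _tally(responses)
    return {f: round(100.0 * earned[f] / possible[f], 1) for f in possible}

def overall_index(responses):
    """Single index across all families, weighted the same way."""
    earned, possible = _tally(responses)
    total = sum(possible.values())
    return round(100.0 * sum(earned.values()) / total, 1) if total else 0.0

def gaps(responses):
    """Controls answered No, highest priority first, for the gap section of the report."""
    missing = [(f, p) for f, p, a in responses if a.strip().upper() == "NO"]
    return sorted(missing, key=lambda fp: -PRIORITY_WEIGHT[fp[1]])

if __name__ == "__main__":
    print(maturity_index(SAMPLE), overall_index(SAMPLE), gaps(SAMPLE))
```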
Overall, it is a comprehensive methodology to assess cyber-related threats and risks, examine how the organization’s information assets are protected from those risks, and check whether the mitigating controls are performing effectively.
The assessment also addresses the important need to quickly identify an attack if and when it occurs, and to recover from it to normal operation while minimizing the impact. The assessment activities are three-pronged:
- Collaboration session with the practitioners, where each function owner explains the process followed and the controls implemented to achieve the cyber security objectives
- Document review with team leads, where policies, procedures and standards are reviewed for adherence to compliance requirements to ensure the controls are adequately defined
- Evidence validation with team members, where actual practices and controls implemented on ground are verified for their robustness in meeting the organization’s security requirements
Assessment deliverables:
- Executive summary, providing an overview of the assessment findings, including a quantitative and visual consolidation of the data
- Detailed report, consisting of the business objectives, threats, gaps identified, recommendations, best practices and metrics for each of the 18 control families.