The framework complements, and does not replace, an organisation’s risk management process and cybersecurity program. The organisation can use its current processes and leverage the framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.
Additionally, the US Computer Security Response Team (US-CERT) which is part of Department of Home Security (DHS) has developed freely available tools to help implement CSF using the NIST controls defined in their publication Security and Privacy Controls for Federal Information Systems and Organizations.
The easiest tool to get started with is the Cyber Resilience Review (CRR) tool. This tool is a pdf document which provides an assessment that is designed to measure existing organisational resilience as well as provide a gap analysis for improvement based on recognised best practices.
A more comprehensive tool is the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is also part of DHS. They offer a tool called Cyber Security Evaluation Tool (CSET), which is also free and can be downloaded on to a personal computer and will do a more comprehensive assessment.
The main benefit of CSET over CRR is that CSET allows assessment reports to be compared, so organisations can track progress over time as improvements are made to their security posture. However, for those organisations that have not done this type of assessment before CRR is the recommended starting point.
Although management must ultimately perform these assessments, the implementation of the frameworks can take a significant effort and be distraction for business. Therefore it is worth considering if a consultant should be engaged to assist in the first cut implementation and initial board presentations.
One thing you can be sure of is that at some point in the future every organisation must do some type of cyber security assessment so you may as well start now.
Sign up for CIO Asia eNewsletters.