Cybersecurity self-assessment tool for small businesses

National Institute of Standards and Technology (NIST) projects are size neutral. While their tools are often used by large organizations, they are designed to be used by small businesses as well. In September, NIST announced a new cybersecurity self-assessment tool that can be used by any business or organization.

The tool, in draft stage, is the Baldrige Cybersecurity Excellence Builder. The tool is intended to help businesses learn more about their cybersecurity risk management efforts, in relation to the NIST Cybersecurity Framework. Used together, the Framework sets the stage for what should be implemented and the self-assessment tool helps evaluate the effectiveness. NIST has asked for feedback on the tool and plans to publish the final version in early 2017.

The intent is that after completing the self-assessment, your business will be able to:

  • Determine cybersecurity-related activities that are important to your business strategy and critical service delivery

  • Prioritize your investments in managing cybersecurity risk

  • Determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities

  • Assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices

  • Assess the cybersecurity results you achieve

  • Identify priorities for improvement

How to do the self-assessment

The self-assessment is not meant to be arduous, but will require dedicated thought to answer the questions. You and your key leaders or partners can do it with input from other key employees. You should consider including your cybersecurity expert in the assessment process. Alternatively, you might plan to review the resulting information with him/her.

The tool overview suggests the tool be used in the following steps:

  1. Decide on the scope of your self-assessment

  2. Complete the Organizational Context

  3. Answer the process questions in categories 1–6

  4. Leadership

  5. Strategy

  6. Customers

  7. Measurement, Analysis, and Knowledge Management

  8. Workforce

  9. Operations

  10. Answer the results questions in category 7

  11. Assign a descriptor to your responses to each item

  12. Prioritize your actions

  13. Develop an action plan, implement it, and measure and evaluate your progress

The self-assessment tool includes a template for summarizing the information gathered. Completion of this template will allow you to determine if your cybersecurity program is in a reactive, early, mature, or role model stage. You can also rank the attributes/questions in level of importance. This is valuable since each business will have different value on key factors and by ranking factors, you can customize your action plan to focus on what is most critical to your business.

About the Author- Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.

Featured Posts
Posts are coming soon
Stay tuned...
Recent Posts
Archive
Search By Tags
No tags yet.
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square