Cybersecurity and Self-Assessment Tools for Small Businesses
National Institute of Standards and Technology (NIST) projects are size neutral. While the tools are often used by large organizations, they are designed to be used by small businesses as well. In September, NIST announced a new cybersecurity self-assessment tool that can be used by any business or organization.
The tool, in draft stage, is the Baldrige Cybersecurity Excellence Builder. It is intended to help businesses learn more about their cybersecurity risk management efforts in relation to the NIST Cybersecurity Framework. Used together, the Framework sets the stage for what should be implemented, and the self-assessment tool helps evaluate how effectively it has been implemented. NIST has asked for feedback on the tool and plans to publish the final version in early 2017.
The intent is that after completing the self-assessment, your business will be able to:
Determine cybersecurity-related activities that are important to your business strategy and critical service delivery
Prioritize your investments in managing cybersecurity risk
Determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities
Assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices
Assess the cybersecurity results you achieve
Identify priorities for improvement
How to do the self-assessment
The self-assessment is not meant to be arduous but will require dedicated thought to answer the questions. You and your key leaders or partners can do it with input from other key employees. You should consider including your cybersecurity expert in the assessment process. Alternatively, you might plan to review the resulting information with him/her.
The tool overview suggests using the tool in the following steps:
1. Decide on the scope of your self-assessment
2. Complete the Organizational Context
3. Answer the process questions in categories 1–6
(1) Leadership
(2) Strategy
(3) Customers
(4) Measurement, Analysis, and Knowledge Management
(5) Workforce
(6) Operations
4. Answer the results questions in category 7
5. Assign a descriptor to your responses to each item
6. Prioritize your actions
7. Develop an action plan, implement it, and measure and evaluate your progress
The self-assessment tool includes a template for summarizing the information gathered. Completing this template will allow you to determine whether your cybersecurity program is in a reactive, early, mature, or role model stage. You can also rank the attributes/questions by level of importance. This is valuable since each business will place a different value on key factors, and by ranking those factors you can customize your action plan to focus on what is most critical to your business.
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.