ABSTRACT

STEP 5 – Current and Target State Assessments presents the assessment cycle, which consists of planning for an assessment, assessing the risks, responding to the risks and to the assessment findings, and monitoring the risks on an ongoing basis. This chapter discusses the different types of assessments, the assessment vehicles available, and the differences between them. It also explains the difference between a current state assessment and a target state assessment, and how to use the products of the gap analysis between the two. The response phase is how management responds to the assessment: in the form of a formal written response, by creating new initiatives, and by prioritizing projects. The monitoring phase covers awareness, readiness, and the project management needed to reach the target state, as well as identifying and preparing any additional assessments that may need to be completed in the future.

Current state assessments are an “as-is” or “point-in-time” assessment of the organization's current capabilities, current processes, and current controls. Types of assessments include self-assessments, external/third-party assessments, and audits (internal and external).

The following frameworks, industry standards, regulations, and models are frequently used as the basis for assessments: COBIT 5, ISO/IEC 27001, the NIST CSF (Cybersecurity Framework), the NIST Risk Management Framework, FIPS 199 Categorization (Standards for Security Categorization of Federal Information and Information Systems), the NIST 800-53 Control Catalog, CERT-CRR (Cyber Resilience Review), the COSO Enterprise Risk Management Framework, the Payment Card Industry Data Security Standard (PCI-DSS), the guidance of the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO), the NYDFS Cyber Regulation, Capability Maturity Model Integration (CMMI), the Project Management Body of Knowledge (PMBOK®), CERT®-RMM (Resilience Management Model), FAIR (Factor Analysis of Information Risk), and CM RQM (the Carnegie Mellon Risk Quantification Method).

This chapter concentrates on using the NIST Cybersecurity Framework Core identifiers and Categories by mapping each initiative documented in Chapter 2 (STEP 1) to a NIST CSF Category. By closely examining how initiatives are allocated across Categories and drawing general conclusions about where initiatives are concentrated, a full picture of the current Cybersecurity Program becomes evident. Not all initiatives can be mapped directly to individual CSF capabilities: some are too broad, some are basic management goals, and some are preparatory work for future projects.

The Target State assessment describes the end goal, where the organization aspires to be. The steps to reach the target state and the subsequent gap analysis are outlined. To rate the target state, NIST Cybersecurity Framework Tier maturity ratings are calculated for both the current and the target state and compared. The Tiers are 1-Partial, 2-Risk Informed, 3-Repeatable, and 4-Adaptive.
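The mapping-and-gap procedure described in the two paragraphs above (map each initiative to a CSF Category, look at where initiatives concentrate, rate current and target Tiers per Category, and derive a prioritized gap list) can be carried out with a short script. The following is an added worked example and is not code from the book; the initiatives, their Category assignments, and the Tier ratings are constructed sample data, and the CSF Category identifiers used (ID.AM, PR.AC, DE.CM, and so on) are the standard NIST CSF v1.1 ones. It also flags Categories that have a gap but no initiative mapped to them, which is where the response phase would create new initiatives.

```python
"""Worked example: map program initiatives to NIST CSF Categories and compute
a current-vs-target Tier gap per Category.

All initiatives, Category assignments and Tier ratings below are constructed
sample data for illustration, not the book's own assessment data.
"""
from collections import Counter

# NIST CSF Implementation Tiers, as listed in the chapter.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed sample initiatives: (name, CSF Category identifier or None).
# None marks an initiative that is too broad or preparatory to map directly.
INITIATIVES = [
    ("Asset inventory refresh", "ID.AM"),
    ("Vendor risk questionnaire rollout", "ID.SC"),
    ("MFA for remote access", "PR.AC"),
    ("Security awareness campaign", "PR.AT"),
    ("Backup encryption", "PR.DS"),
    ("SIEM log onboarding", "DE.CM"),
    ("Incident response playbooks", "RS.RP"),
    ("Hire security program manager", None),
    ("Define three-year security roadmap", None),
]

# Constructed current and target Tier ratings per Category (1-4).
CURRENT = {"ID.AM": 2, "ID.SC": 1, "PR.AC": 2, "PR.AT": 3, "PR.DS": 2,
           "DE.CM": 1, "RS.RP": 2, "RC.RP": 1}
TARGET = {"ID.AM": 3, "ID.SC": 3, "PR.AC": 4, "PR.AT": 3, "PR.DS": 3,
          "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}


def validate_tier(tier: int) -> int:
    """Reject ratings outside the four CSF Tiers before they distort the gap math."""
    if tier not in TIERS:
        raise ValueError(f"tier must be 1-4, got {tier!r}")
    return tier


def function_of(category: str) -> str:
    """CSF Category ids are prefixed with their Function (ID, PR, DE, RS, RC)."""
    return category.split(".")[0]


def concentration(initiatives=INITIATIVES) -> dict:
    """Count mapped initiatives per CSF Function to show where effort concentrates."""
    return dict(Counter(function_of(cat) for _, cat in initiatives if cat))


def unmapped(initiatives=INITIATIVES) -> list:
    """Initiatives that could not be tied to a single CSF Category."""
    return [name for name, cat in initiatives if cat is None]


def gap_analysis(current=CURRENT, target=TARGET) -> dict:
    """Return {category: target_tier - current_tier} for every Category with a positive gap.

    A Category rated in the target state but missing from the current-state
    assessment is treated as Tier 1 (Partial), the most conservative reading.
    """
    gaps = {}
    for cat, tgt in target.items():
        cur = validate_tier(current.get(cat, 1))
        gap = validate_tier(tgt) - cur
        if gap > 0:
            gaps[cat] = gap
    return gaps


def prioritised(current=CURRENT, target=TARGET) -> list:
    """Largest Tier gaps first (ties broken by Category id) for project prioritization."""
    return sorted(gap_analysis(current, target).items(), key=lambda kv: (-kv[1], kv[0]))


def uncovered_gaps(initiatives=INITIATIVES, current=CURRENT, target=TARGET) -> list:
    """Categories with a gap but no initiative mapped to them: candidates for new initiatives."""
    covered = {cat for _, cat in initiatives if cat}
    return sorted(c for c in gap_analysis(current, target) if c not in covered)


if __name__ == "__main__":
    print("Initiatives per Function:", concentration())
    print("Unmapped initiatives:", unmapped())
    for cat, gap in prioritised():
        print(f"{cat}: Tier {CURRENT[cat]} ({TIERS[CURRENT[cat]]}) -> "
              f"Tier {TARGET[cat]} ({TIERS[TARGET[cat]]}), gap {gap}")
    print("Gaps with no initiative:", uncovered_gaps())
```

In the sample data the Recover function has a Tier gap (RC.RP) but no initiative mapped to it, which is exactly the kind of finding the response phase turns into a new initiative; the two unmapped initiatives are reported separately rather than silently dropped, matching the chapter's point that not every initiative fits a single Category.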