After you’ve conducted a Risk Assessment, you’ll have a “heat map” of risk hotspots in your organization, and also enough information to select a set of cybersecurity requirements, aka “controls”, to build your IT system to. Some industries—such as DoD contractors and health care providers—already have their IT system security controls selected for them by the Federal government. In the case of the DoD, those controls are the National Institute of Standards and Technology (NIST) 800-171 controls. Health care providers need to use the Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Safeguards (ARS) controls. But no matter what your industry, if you are concerned about the cybersecurity of your organization’s intellectual property or customer data, or are just trying to make sure your system doesn’t get compromised by ransomware, you’ll need to select a set of controls and assess the system against those controls.
The security control assessment determines any gaps your organization and IT system have with respect to the requirements (the controls). During an assessment, a qualified auditor validates that the selected controls are applicable to the organization and IT system, and verifies that the organization builds, operates, and maintains the IT system in compliance with the requirements. The auditor verifies compliance by looking for “compelling evidence” provided by the organization. Compelling evidence varies according to the control, and comes in many forms, including:
reviewing “artifacts” provided by the organization, for instance, a system security plan
interviews with relevant organizational personnel, such as the IT system administrator
tests of the system, such as ensuring password policy is enforced
inspection of the system, including configuration management policies
If the organization provides compelling evidence that it meets the control, the auditor marks the control as compliant. If not, it is marked non-compliant. Simple as that. The organization then needs to develop Corrective Action Plans (CAPs) to address the non-compliant controls. The CAPs are part of the “get well plan” for the organization, to close the gaps. Most organizations aren’t 100% compliant (because the controls and/or how the organization does business change over time), and therefore will have some CAPs. The important thing for an organization is to conduct periodic security assessments and actively work the CAPs. We recommend a security control assessment at least annually, and certainly whenever the organization’s IT system changes.
Many small businesses can’t afford to hire an outside auditor for an annual security controls assessment. This is understandable. In this case, self-assessment is a stop-gap alternative. The organization should form a team of the most qualified internal personnel to perform the self-assessment, for example, the CEO and IT vendors. Totem Tech can help train those individuals to perform the self-assessment, and equip and empower the team to perform continuous monitoring of the controls over time.
Additionally, for small-business DoD contractors, health care providers, and subjects of the European Union GDPR, Totem Technologies provides a security control assessment tool—Totem™. Totem has the NIST 800-171 and CMS ARS Privacy controls built in, and includes instructions for how to assess the organization against each control. In fact, Totem Technologies recommends Totem for use by any small business in any sector, as NIST 800-171 is a great “starter set” of controls.