The remediation stage of a cyber security improvement project or programme fixes the problems identified in the assessment stage and fills in the gaps.
You will need to identify and implement a range of controls to provide protection; there are various libraries, standards and frameworks that can support your assessment and choice of suitable controls. The prioritised risks determined during a completed risk assessment and/or gap analysis exercise will guide the sequence of control implementation.
To ensure your controls are effective, you will need to design ongoing assurance of residual risk levels. You may develop a ‘dashboard’ to demonstrate threat and risk levels and control effectiveness or use a benchmark to compare relative performance.
It is easy to assume that an international standard such as ISO 27001 gives you everything you need to be cyber secure. Whilst it goes a long way towards it, there are many more options available, some more suited to cyber security. A thorough and structured assessment of the control options mapped against your prioritised risks will give you, your stakeholders and auditors the confidence that you have made well-informed choices.
Given that 80% of cyberattacks can be prevented by implementing basic controls, it makes sense to include a robust education programme covering information security best practice and organisational policies and procedures.
Ongoing effectiveness relies on accurate metrics for evidence. Metrics also help pinpoint areas for improvement by identifying vulnerabilities and trends.
Ascentor can work with you, using your prioritised risk baseline, to assess existing controls and augment them as appropriate. If you have used the NIST Cyber Security Framework to guide your risk assessment work, suitable controls will already have been identified. We typically recommend a detailed check against the Center for Internet Security (CIS) Top 20 Critical Security Controls, as they are specific to the technical aspects of cyber security.
As well as technical controls, we consider procedural and policy controls and awareness training for all staff and for those with direct responsibility for cyber security.
To measure the effectiveness of controls, we advocate a maturity model approach. The Cybersecurity Capability Maturity Model (C2M2) and ISACA each provide an effective method for measuring the effectiveness of your cyber security controls. Which one to choose (and there are others) should be driven by the business and ideally agreed on in a Cyber Security Strategy.