As reliance on company data and technology increases, organisations must shore up their defences to ensure their critical assets are protected.
March 29, 2022
Choosing the right cyber risk management framework
Across the world, organisations use validated cyber security risk management frameworks to help provide both credibility and assurance that they are making solid inroads towards a strong cyber posture.
Frameworks assist with communicating an immediate view of an organisation’s situation and their longer-term strategy.
While there are many different frameworks for assessing cyber security maturity, the two most common ones we see are the “Essential 8” from the Australian Government and the NIST framework from the US Government.
The NIST cyber security framework
For a complete set of control measures, many regulated organisations choose to use the NIST Cyber Security Framework from the US Department of Commerce.
This approach provides a comprehensive framework for assessing your current cyber maturity against a model which includes specific profiles for different industries.
Key insight: Unlike the Essential 8, NIST is sector or industry based rather than a more general assessment of threat.
The NIST assessment reporting provides you with a clear path to increase your information security maturity over time. To communicate this, the NIST framework refers to the following levels of maturity:
Organisations can use this maturity path to understand what is needed to improve their cyber security maturity. At Interactive, we often recommend NIST to our cyber security customers as the right framework to understand what is needed to mitigate risks in their specific information security landscape. As your maturity develops, planning for, and mitigating, the type of attacks your organisation is likely to receive becomes key to your future success.
The Essential 8
Designed to protect Microsoft Windows-based internet-connected networks, the Essential Eight is the framework of choice for organisations whose infrastructure is largely based on the Windows™ operating system. The Essential 8 framework consists of four maturity levels. With the exception of Maturity Level Zero, each is based on mitigating increasing levels of adversary tradecraft (e.g. tools, tactics, techniques, and procedures) and targeting.
The four maturity levels are:
Maturity Level Zero
Maturity Level One
Maturity Level Two
Maturity Level Three
Each organisation utilising the framework needs to consider its own relevance and value to an external adversary. For example, if your data is highly valuable and would be of interest to external parties (e.g. bank details, identity details, innovation or design IP etc.), you are likely to be a target for a Maturity Level Three adversary and therefore your cyber posture needs to reflect this.
Emerging reforms to protect Australians from cyber attacks will also call for ‘critical infrastructure’ organisations to have a risk management program that is signed off by the Board. So, performing this early diagnostic with a clear map of your environment will ensure compliance is achieved in the short and longer term.
Preparation is key
Having the ability to communicate your approach and status at any time to a variety of stakeholders is critical. Utilising either the Essential 8 or NIST will help prepare you for these conversations, while ensuring your organisation remains compliant with requirements from regulators and your customers.