NIST - Cyber Security Framework Consulting Services Readiness, Implementation, Audit and Program Management

Phase I - Understanding Business and Cyber Security Objectives

• Every client is unique with its business model, customers, and cyber security requirements
• In this phase, we determine and document the client’s business requirements for cybersecurity.
• This is where we identify, key outcomes expected as part of the whole journey
• Applicable sector from the list of 16 critical sectors

Phase II - Gap Analysis and Risk Assessment

Based on the outcome of phase I, a combination of approaches is applied by Coral NIST CSF consultants to conduct the gap analysis.

• A session with each individual organization team to asses their current scope of work and their cyber security challenges
• A Penetration test against their applications and network reveals their current state of controls
• A threat model approach is applied to determine their current systems and their current controls
• Depending on the network environment (on-prem, on-cloud or hybrid) Coral conducts a deep dive into the applicability and relevance of each NIST CSF, and comes out with the status of each control, to ascertain the current maturity level.
• NIST CSF Gap analysis will reveal gaps in all applicable domains such as governance, Application development, IT operations, Cloud Operations, Supply Chain security etc.
• Coral consultants will end this phase by providing gaps and their detail recommendations.

Phase III - Control - Design, Documentation, Training, Brainstorming Sessions and Risk Management

• Design involves control allocation responsibility to organization stakeholders.
• Documentation involves drafting, discussing and brainstorming 20+ policies and procedures across domains involving 6 domains.
• Awareness Training involves bringing stakeholders on common issues.
• Risks identified in the gap analysis are discussed and tracked toward decision-making and closure. Some risks are quick wins, whereas others may take longer to close.
• Each documentation or risk undergoes brainstorming with staff to derive at a ‘best-fit’ solution for the organization.

Phase IV - Control - Measurement, and Scoring

• Control Measurement involves testing the control effectiveness and providing stakeholders with an objective scoring.
• Control Measurements are conducted for a duration of period which could be monthly for say a period of 3 to 6 months
• The ideal score is 100%. If the score is less than 100% Coral consultants will provide justification and recommendations to close the identified weakness.

Phase V - Internal Audit and Management Review

• Finally Coral conducts an Internal Audit that involves verifying the effectiveness of the implemented lifecycle controls through interviews with system verification of applicable controls,
• A formal compliance report is published and shared with the management.

Summary

• As a result of undergoing these phases, at this stage, Coral has assisted the client in setting up a successful NIST CSF program that included people, processes, technology and ongoing measurements.
• Each of the NIST CSF requirements has been completed by a combination of one or more of policy, responsibilities, reports, records, technology, and automation.
• The organization now has a plan that demonstrates its continued commitment like any other business function