Achieve compliance. Improve security posture. Demonstrate organizational maturity.
Many organizations are required to achieve certain levels of compliance in order to conduct business in certain industries, retain or share certain data, work with certain organizations, and a plethora of other criteria. Some examples include Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST) 800-53 or 800-171, Cybersecurity Maturity Model Certification (CMMC), and others.
Some organizations have no compliance requirements. However, every organization should set a goal to establish a comprehensive security program. A comprehensive security program is continuously evaluated, tested, and maintained to ensure that the organization has the proper policies, administrative, and technical security controls in place to sufficiently protect data and keep systems available.
The first step to building a cybersecurity program involves assessment of the organization with business leaders to gain an understanding of business function and any regulatory or compliance requirements. Next requires establishing the current state of the organization’s security controls via a cybersecurity assessment. This establishes strengths and weaknesses to build upon or improve.
A timeline and goals will be established based on needs of the organization; examples may include “Achieve CMMC ML 1 by August 2021” or “Immediately implement protections to limit phishing attacks” or “Improve the top three weaknesses by Q3 2020”.
Work will then be conducted to implement various program requirements. Finally, the organization may elect to revisit and review the program on a periodic basis.