Diagnosis

Any effort to improve the management of information security and cybersecurity in an organization starts with establishing the current state of affairs: which controls are actually in place, and how much risk the organization is currently accepting, whether consciously or not.

The first decision is therefore the baseline, that is, the audit criteria against which the organization will be assessed. Several frameworks can serve as that reference, depending on the type of organization and its sector. Some examples are:

  • NIST Cybersecurity Framework / AGESIC Cybersecurity Framework.
  • ISO/IEC 27001 (together with ISO/IEC 27002 and the rest of the associated standards in the 27000 series).
  • PCI DSS (for organizations that store, process or transmit payment card data).
  • COBIT 2019.

During the current global pandemic, more specific frameworks may be especially relevant for assessing the security of remote work. One example is:

  • NIST Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.

The gaps identified against the chosen baseline are the findings. Each finding is then rated by the level of risk it poses to the organization, and that rating is what drives the order in which the findings are treated.


Action Plan

From the findings of the diagnostic phase, the risk level assigned to each one, and the constraints the organization faces (budget, staff, time), an action plan can be defined. The plan selects the actions that contribute most to the organization's information security and cybersecurity relative to their cost, and for each action records deadlines, the responsible and accountable parties (a RACI chart) and any other resources required. For each action the deliverable and expected result are defined against the criteria already agreed, either the maturity level to be reached or the level of residual risk the organization is willing to accept.

Implementation Support

Once the action plan has been accepted, it must be executed by implementing the controls it identifies, whether administrative, technical or physical, and whether deterrent, preventive, detective or of any other nature. Depending on the framework chosen, implementation may be highly prescriptive and tabulated, or leave a degree of discretion to the organization.

Finally, this phase may conclude with an audit or certification attesting that the objectives have been met.