Evaluating cybersecurity risk

With the specter of a cybersecurity incident hovering over enterprise systems, government leaders can be more confident in their risk management programs by assessing their effectiveness with the Baldrige Cybersecurity Excellence Builder.

The self-assessment tool blends organizational performance evaluation strategies from the National Institute of Standards and Technology’s Baldrige Performance Excellence Program with risk management standards, guidelines and best practices from the Cybersecurity Framework. Applying Baldrige principles to the framework lets organizations “maximize the framework’s value and manage all areas affected by cybersecurity as a unified whole,” NIST said.

Using the builder, organizations can:

  • Determine cybersecurity-related activities that are important to business strategy and the delivery of critical services.
  • Prioritize investments in managing cybersecurity risk.
  • Assess the effectiveness and efficiency of cybersecurity standards, guidelines and practices.
  • Assess their cybersecurity results.
  • Identify priorities for improvement.

The tool first helps users detail their organization’s unique cybersecurity characteristics and situations. Through a series of questions, the builder helps define current approaches to cybersecurity and their results. Users can then determine their organization’s cybersecurity maturity level and develop an action plan to upgrade their cybersecurity practices and management, implement improvements and measure progress and effectiveness.

Designed for use by leaders responsible for cybersecurity policy and operations, the builder is meant to be part of a continuous improvement program, used periodically to maintain high levels of cybersecurity readiness. It consists of 17 items, divided into three groups – organizational, process and results. For each evaluation factor, an organization can be assessed at one of four levels: reactive, early, mature or role model. After users have assessed their approaches, deployment, learning and integration, a self-analysis worksheet follows.

The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives. Comments on the tool are due Dec. 15.

About the Author

Kathleen Hickey is a freelance writer for GCN.
