Evaluating cybersecurity risk
- By Kathleen Hickey
- Nov 09, 2016
With the specter of a cybersecurity incident hovering over enterprise systems, government leaders can
be more confident in their risk management programs by assessing their effectiveness with the Baldridge Cybersecurity Excellence Builder.
The self-assessment tool blends organizational performance evaluation strategies from National Institute of Standards and Technology’s Baldrige Performance Excellence Program with risk management standards, guidelines and best practices from the Cybersecurity Framework. Applying Baldrige principles to the framework lets organizations “maximize the framework’s value and manage all areas affected by cybersecurity as a unified whole,” NIST said.
Using the builder, organizations can:
- Determine cybersecurity-related activities that are important to business strategy and the delivery of critical services.
- Prioritize investments in managing cybersecurity risk.
- Assess the effectiveness and efficiency of cybersecurity standards, guidelines and practices.
- Assess their cybersecurity results.
- Identify priorities for improvement
The tool first helps users detail their organization’s unique cybersecurity characteristics and situations. Through a series of questions, the builder helps define current approaches to cybersecurity and their results. Users can then determine their organization’s cybersecurity maturity level and develop an action plan to upgrade their cybersecurity practices and management, implement improvements and measure progress and effectiveness.
Designed for use by leaders responsible for cybersecurity policy and operations, the builder is meant to be part of a continuous improvement program, used periodically to maintain high levels of cybersecurity readiness. It consists of 17 items, divided into three groups – organizational, process and results. Organizations can be assessed at a reactive, early, mature or role model level for each evaluation factor. Following the assessment of approaches, deployment, learning and integration is a self-analysis worksheet.
The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives. Comments on the tool are due Dec. 15.
Kathleen Hickey is a freelance writer for GCN.