Introduction
Establishing and maintaining an enterprise cybersecurity program gives the organization's cybersecurity activities the management and strategic direction they need to support its key objectives. The NIST Cybersecurity Framework (CSF) and the Department of Energy's Cybersecurity Capability Maturity Model (C2M2) are both effective approaches to assessing the cybersecurity program at PBI-FS. Although both were created to support the cybersecurity of critical infrastructure, either can be used by any organization regardless of size, type, or industry (COMPARING THE NIST, n.d.). However, the NIST CSF does not define a measurement process for cybersecurity maturity, whereas C2M2 does (What is a Cybersecurity, n.d.). Because C2M2 includes a self-assessment process through which an organization can measure its own security capabilities, PBI-FS should use C2M2 to assess its cybersecurity program.
Analysis
Before developing a cybersecurity management program, it is essential to identify the current state (assets, stakeholders, IT systems, existing security measures, legal and regulatory requirements, and so on) and the desired end state. Since PBI-FS has only just been acquired, the organization needs a framework with a measurement process: one that evaluates the current level of its practices, procedures, and strategies, sets target objectives, and can track progress toward them, i.e., a maturity model (DOE, 2014). Of the frameworks that could serve this need, the two most widely used are the NIST CSF and C2M2. For PBI-FS, C2M2 should be used, because it yields a more precise assessment and a clearer path for strengthening the organization's cybersecurity capabilities.
C2M2 provides a framework with which an organization can measure its maturity level and identify areas of strength and weakness. C2M2 uses a scale of maturity indicator levels (MILs) from 0 to 3 that is applied independently to each domain in the model. The model has ten domains, including Risk Management; Asset, Change, and Configuration Management; Identity and Access Management; Threat and Vulnerability Management; Situational Awareness; and Event and Incident Response, Continuity of Operations (DOE, 2014). The organization rates each practice in a domain and uses the defined MILs to score the domain. MIL 0 means the domain's practices are not performed, while MIL 3 means the domain's practices are fully established and managed. The MILs are cumulative: a domain achieves a given MIL only when all practices at that level and at every lower level are in place, so a domain that performs several MIL 2 practices but misses a MIL 1 practice still scores MIL 1 at most. Once the evaluation is complete, the organization can use the results to build improvement strategies that align with its overall business strategy.
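To make the cumulative scoring rule concrete, the following is an added example (not code from the DOE toolkit or from the original paper) that scores C2M2 domains from per-practice responses. It assumes the response scale used by the C2M2 self-evaluation (Not, Partially, Largely, Fully Implemented), treats a practice as met when it is Largely or Fully implemented, and awards a MIL only when every practice at that level and below is met. The domain abbreviations are C2M2's, but the practice counts and responses are constructed sample data, not real PBI-FS results.

```python
"""Score C2M2 domains: compute the achieved MIL per domain and list the
practices that block the next level. Added example; scoring rule and sample
responses are assumptions, not DOE's official tool."""
from enum import IntEnum
from typing import Dict, List, Tuple

class Response(IntEnum):
    """Four-point response scale assumed from the C2M2 self-evaluation."""
    NOT_IMPLEMENTED = 0
    PARTIALLY_IMPLEMENTED = 1
    LARGELY_IMPLEMENTED = 2
    FULLY_IMPLEMENTED = 3

# A practice counts as met at Largely or Fully Implemented (assumed rule).
MET = Response.LARGELY_IMPLEMENTED

# practices maps MIL (1, 2, 3) -> responses for each practice at that MIL.
Practices = Dict[int, List[Response]]

def domain_mil(practices: Practices) -> int:
    """Return the MIL achieved by a domain. MILs are cumulative: stop at the
    first level whose practices are not all met (or that has no practices)."""
    achieved = 0
    for mil in (1, 2, 3):
        responses = practices.get(mil, [])
        if not responses or any(r < MET for r in responses):
            break
        achieved = mil
    return achieved

def blocking_practices(practices: Practices) -> List[Tuple[int, int, Response]]:
    """Return (mil, practice_index, response) for each unmet practice at the
    next MIL above the one achieved; empty if MIL 3 is already reached."""
    next_mil = domain_mil(practices) + 1
    if next_mil > 3:
        return []
    return [(next_mil, i, r)
            for i, r in enumerate(practices.get(next_mil, [])) if r < MET]

def assess(assessment: Dict[str, Practices]) -> Dict[str, int]:
    """Score every domain in an assessment, e.g. {"RM": 1, "IAM": 3}."""
    return {domain: domain_mil(p) for domain, p in assessment.items()}

# Constructed sample assessment for three domains (not real PBI-FS data).
F, L, P, N = (Response.FULLY_IMPLEMENTED, Response.LARGELY_IMPLEMENTED,
              Response.PARTIALLY_IMPLEMENTED, Response.NOT_IMPLEMENTED)
SAMPLE_ASSESSMENT: Dict[str, Practices] = {
    "RM":  {1: [F, F],    2: [F, L, P], 3: [N, N]},   # one MIL 2 practice only partial
    "IAM": {1: [F, L],    2: [L, F, F], 3: [F, L]},   # everything met
    "TVM": {1: [P, F],    2: [F, F],    3: [F]},      # MIL 2/3 done, MIL 1 gap
}

if __name__ == "__main__":
    for domain, mil in assess(SAMPLE_ASSESSMENT).items():
        gaps = blocking_practices(SAMPLE_ASSESSMENT[domain])
        print(f"{domain}: MIL {mil}; blocking next level: {gaps}")
```

Note the TVM case: the domain has done all of its MIL 2 and MIL 3 practices but only partially implemented one MIL 1 practice, so it scores MIL 0, and the blocking list points at exactly that practice. That is the behaviour an assessor needs from the tool, because the improvement plan should close the lowest-level gap first rather than keep adding higher-level practices.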
Implementing C2M2 also helps the organization meet its legal and regulatory requirements. Financial institutions must comply with the Bank Secrecy Act (BSA), which requires the filing of suspicious activity reports (SARs). To file a SAR properly for a cyber event, the organization must provide incident details such as source and destination addresses, file information, the usernames involved, system information, and the affected accounts (Soniat, 2017). Capturing all of this data is crucial if law enforcement is to build a compelling case. C2M2 supplies objectives that the organization can use to strengthen incident response, evidence collection, and logging and monitoring, drawn from the domains Event and Incident Response, Continuity of Operations and Situational Awareness (DOE, 2014).
Best Practices
Although the organization can self-assess its cybersecurity management program using C2M2 or the NIST CSF, engaging an external assessor will produce the most reliable result, because an external assessor gives an unbiased evaluation of the organization's security controls, processes, and policies. A second best practice is to combine the NIST CSF with C2M2 so that the assessment better reflects the organization's unique objectives and operational structure. Lastly, the assessment should be repeated annually to establish a benchmark of current cybersecurity capabilities, which can then be used to plan improvements and budgets.
References
Comparing the NIST Cyber Security Framework and ES-C2M2. (n.d.). Retrieved from
DOE. (2014, February). Cybersecurity Capability Maturity Model (C2M2), Version 1.1. Retrieved April 14, 2020, from
https://www.energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf
Soniat, J. (2017, June 9). Cybersecurity and BSA/AML. Retrieved April 15, 2020, from
https://www.acamstoday.org/cybersecurity-and-bsaam…
What is a Cybersecurity Maturity Model? (2019, June 10). Retrieved from
https://www.ashersecurity.com/what-is-a-cybersecur…