
Future-proofing America’s cybersecurity: Expanding the Cyber Essentials Toolkit.

The Cyber Essentials Toolkit, developed by the Cybersecurity and Infrastructure Security Agency, provides organizations in the United States with a set of foundational cybersecurity measures. However, as cyber threats become more sophisticated, we believe that there are strategic expansions in line with global best practice that would enhance national cyber resilience.

Find out more below:

  • Overview of the CISA Cyber Essentials Toolkit
  • International comparisons of cybersecurity frameworks
  • Weaknesses in the CISA framework
  • Proposed enhancements to the CISA framework


Overview of the CISA Cyber Essentials Toolkit

The CISA Cyber Essentials Toolkit[i] is distilled into six essential actions, each targeting a core area of cybersecurity readiness:

  1. Yourself (the leader) - This component emphasizes the critical role leadership plays in cybersecurity, where executives are actively knowledgeable and involved in the security posture of their organization.
  2. Your staff - People are both an organization's best asset and its greatest vulnerability. This action focuses on empowering staff with the knowledge and tools they need.
  3. Your systems - The technologies and solutions that underpin your business operations. It covers the necessity of keeping systems up to date and secure from vulnerabilities.
  4. Your surroundings - Understanding the digital and physical context in which your systems operate helps identify potential security blind spots, including external factors and interactions.
  5. Your data - The importance of knowing where your data resides, how it's protected, and who has access to it. Effective data management practices ensure that critical information is only accessible to those who genuinely need it.
  6. Your crisis response - No defense is impregnable. This final action involves having a clear, tested response plan that minimizes downtime and mitigates the impact of a breach.

The CISA Cyber Essentials Toolkit primarily targets SMEs, breaking cybersecurity down into manageable, actionable components that do not require deep technical knowledge to implement. However, its foundational principles are universally applicable, offering value to larger private and public sector organizations too.

International comparisons of cybersecurity frameworks

Benchmarking the CISA Cyber Essentials Toolkit against international standards provides critical insights. We’ll look at how well CISA's toolkit aligns with international cybersecurity practices across five key functions: Identify, Protect, Detect, Respond, and Recover. A "Y" indicates that the subcategory is covered within the local framework. The table also marks the Protecht priority areas that we discuss below.

Table: Comparison of cybersecurity frameworks based on NIST CSF[ii] (Y = covered by that framework; * = Protecht priority area discussed in the sections below)

| NIST CSF Category | Subcategory                      | USA | AU[iii] | NZ[iv] | UK[v] | EU[vi] |
|-------------------|----------------------------------|-----|---------|--------|-------|--------|
| Identify          | Asset Management *               | Y   |         | Y      | Y     |        |
|                   | Business Environment             |     |         |        |       |        |
|                   | Governance                       | Y   |         |        |       | Y      |
|                   | Risk Assessment                  |     |         |        | Y     |        |
|                   | Risk Management Strategy         |     |         |        |       |        |
|                   | Supply Chain Risk *              |     |         |        | Y     |        |
| Protect           | Identity and Access Control      | Y   | Y       | Y      | Y     | Y      |
|                   | Awareness and Training           | Y   |         | Y      | Y     | Y      |
|                   | Data Security                    | Y   | Y       | Y      | Y     | Y      |
|                   | Information Protection           |     | Y       |        |       |        |
|                   | System Maintenance               | Y   | Y       | Y      | Y     | Y      |
|                   | Protective Technology            | Y   | Y       | Y      | Y     | Y      |
| Detect            | Anomalies and Events *           |     |         | Y      |       |        |
|                   | Security Continuous Monitoring * |     |         | Y      | Y     |        |
|                   | Detection Processes              |     |         |        |       |        |
| Respond           | Response Planning *              |     |         |        |       |        |
|                   | Communications *                 |     |         |        |       |        |
|                   | Analysis                         |     |         |        |       |        |
|                   | Mitigation                       |     |         |        |       |        |
|                   | Continuous Improvement           |     |         |        |       |        |
| Recover           | Recovery Planning                | Y   | Y       | Y      |       |        |
|                   | Recovery Testing                 | Y   | Y       | Y      | Y     | Y      |
|                   | Improvements                     |     |         |        |       |        |
|                   | Communications                   | Y   |         |        |       |        |

  • Identify: CISA provides a broad foundation, while NIST offers a more detailed and structured approach to asset management, which could be beneficial for CISA to incorporate.
  • Protect: CISA emphasizes the human aspect of cybersecurity, advocating for regular staff training and timely system updates. The EU ENISA and UK NCSC frameworks provide extensive coverage on protecting information systems from threats, including identity management and access controls which are more technically focused than CISA’s approach.
  • Detect: CISA suggests basic monitoring systems to identify malicious activity, while other frameworks focus on advanced detection technologies and methodologies, such as continuous monitoring and sophisticated anomaly detection.
  • Respond: CISA outlines general crisis response strategies, while NIST and NCSC offer detailed response protocols, including specific actions, roles, and responsibilities during an incident.
  • Recover: CISA addresses the need for recovery plans and continuity strategies. ENISA and NCSC stress the importance of resilience and robust recovery processes that not only restore operations but also learn from incidents to strengthen future responses.

Weaknesses in the CISA framework

In this section, we identify key weaknesses in the CISA standards compared to international best practices and our analysis of evolving threats:

  • Asset management: CISA encourages a fundamental awareness of organizational assets, but its guidance remains high-level, focusing more on understanding than on detailed management. It lacks in-depth strategies for ongoing asset tracking, classification, and valuation, which are crucial for dynamic asset management. Integrating more granular asset lifecycle management could elevate its utility.
  • Supply chain risk: The toolkit touches on understanding the digital and physical environment, which indirectly relates to supply chain considerations. However, there is a critical absence of specific methodologies for assessing and mitigating risks posed by third-party vendors and service providers.
  • Anomalies and events: Basic monitoring recommendations are provided, which can help in detecting anomalies. The toolkit could benefit from a more detailed approach to defining what constitutes an anomaly, how to systematically detect these events, and the steps to take when they are identified.
  • Security continuous monitoring: CISA advocates for regular updates and basic monitoring. However, the toolkit lacks comprehensive guidelines on implementing advanced real-time monitoring technologies and practices that can provide a deeper, more continuous insight into system health and threat landscapes.
  • Response planning: CISA includes general guidance on developing a crisis response plan. The toolkit’s approach to response planning is more reactive than proactive. It could be strengthened by incorporating scenario-based planning exercises, detailed role assignments, and quicker activation protocols to ensure swift and effective action.
  • Communications: Communications are implicit in CISA’s crisis response component, but it lacks explicit strategies. There is a significant opportunity to develop a comprehensive communication strategy that includes not only internal communication flows but also protocols for external communications with stakeholders, the media, and public authorities during and after a cyber incident.

Proposed enhancements to the CISA framework

The following enhancements are not just improvements; they're necessary evolutions to bridge the gap between good practice and excellence:

  • Refined asset management: Implement detailed asset tracking and assessment strategies that encompass lifecycle management from procurement to disposal. Introduce tools and techniques for real-time asset visibility and valuation, ensuring that assets are accurately cataloged, and their security posture continuously assessed. This would include the integration of automated asset discovery tools, utilization of asset management databases, and regular audits.
  • Robust supply chain risk management: Develop a framework specifically for assessing and mitigating supply chain risks. This should align with global best practices, such as the establishment of base security criteria for third-party vendors and ongoing risk assessments. Introduce guidelines for regular security audits, third-party certifications, and the establishment of a supply chain risk management process that includes clear communication channels and incident response plans tailored to supply chain disruptions.
  • Advanced detection of anomalies and events: Expand the toolkit to include advanced anomaly detection techniques using artificial intelligence and machine learning algorithms that can predict and detect unusual patterns indicative of cyber threats. Implement continuous monitoring protocols that utilize both signature-based and behavior-based detection techniques to provide a more comprehensive threat detection landscape.
  • Continuous security monitoring: Propose the adoption of a continuous security monitoring strategy that involves the integration of next-generation security information and event management (SIEM) systems. These systems should offer automated response capabilities, real-time data analytics, and integrated threat intelligence services to ensure that monitoring is both proactive and reactive.
  • Incident response and communication protocols: Establish detailed incident response protocols that include predefined communication templates, designated spokespersons, and clear guidelines for internal and external communications during various types of security incidents. Enhance the toolkit with training simulations and response drills to prepare teams for efficient action and communication under pressure.

Each of these enhancements requires not just policy adjustments but also a commitment to training, resource allocation, and ongoing evaluation to ensure they remain effective.

Conclusions and next steps for your organization

We believe enhancing the CISA Cyber Essentials is not merely an adaptation to the current landscape but a strategic move to secure a leading position in the global cybersecurity arena. By implementing these enhancements, the United States not only protects its national interests but also contributes to a safer, more secure digital world.

In the meantime, here are our recommendations for stakeholders:

  • Government and regulators: Consider revising cybersecurity policies to include these expanded areas.
  • Organizations and enterprises: Adopt these broader measures pre-emptively, reinforcing their cybersecurity practices in anticipation of regulatory changes.
  • Cybersecurity professionals: Anticipate these changes, integrating new strategies and technologies into their practices to stay ahead of threats.


References

[i] United States - Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials Toolkit: https://www.cisa.gov/cyber-essentials

[ii] National Institute of Standards and Technology (NIST) - NIST Cybersecurity Framework: https://www.nist.gov/cyberframework

[iii] Australian Cyber Security Centre (ACSC) - Essential 8 Explainer and Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explainer

[iv] New Zealand Government - CERT NZ’s Critical Controls for Cyber Security: https://www.cert.govt.nz/it-specialists/critical-controls/

[v] United Kingdom Government - National Cyber Security Centre (NCSC) Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials/overview

[vi] European Union Agency for Cybersecurity (ENISA) Cybersecurity Guide: https://www.enisa.europa.eu/

About the author

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education. Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.