Self-assessment Questionnaires (SAQ) can be a great place to start when looking to assess and improve your cybersecurity practice maturity. There are a few important things to consider before committing time and trust to an SAQ.
Carefully consider your organization’s objectives before conducting the exercise. Most SAQs align with one or more broad cybersecurity frameworks, including the NIST CSF, which can be helpful if you are just starting on a cybersecurity journey. Other SAQs, such as the Cyber Security Evaluation Tool (CSET), incorporate industry-specific frameworks. SAQs can also be conducted to benchmark two or more business units or organizations against each other.
SAQ outcomes are generally descriptive rather than prescriptive. The final report is not going to tell your organization which firewall to purchase. However, the report may indicate that network intrusion detection and prevention processes used at your organization are not at the level expected for a company of that size. This output is a kind of gap analysis between the current state of cybersecurity at the organization and the ideal state, based on the SAQ framework being used.
Generally, SAQ creators expect larger organizations to have a higher degree of cybersecurity specialization, which translates into a higher overall maturity level, though this is not always the case. A higher level of maturity is a good indicator that cybersecurity practices are operating effectively and that identified risks are being mitigated. The target level of maturity is up to your organization and should be part of an overall discussion of risks and benefits. For example, a high level of maturity for a very small organization that doesn’t handle any sensitive information could indicate overspending.
When considering an SAQ, consider the objectivity and independence of the assessor. Does the assessor have the necessary knowledge, experience and objectivity to ask follow-up questions and evaluate the responses? This is analogous to a patient completing a health questionnaire versus getting a physical. There is no substitute for objective, expert analysis provided by an independent third party, such as a physician.
There are many free SAQs available. Some are listed below, in order from simple to complex, with a brief description of each.
- CIS Controls v8
  - Provided by the Center for Internet Security, the assessment is based on Implementation Groups (IGs), sets of controls expected to exist at organizations of different sizes. There are three IG levels (1-3), 18 Controls (Security Domains) and 153 Safeguards. https://www.cisecurity.org/controls
  - AuditScripts offers a free Excel-based template for CIS v8 at https://www.auditscripts.com/free-resources/critical-security-controls/
- C2M2
  - Provided by the US Department of Energy, the Cybersecurity Capability Maturity Model (C2M2) includes a form-fillable PDF of more than 300 items to collect the assessment data. Rather than the IGs used by CIS, C2M2 relies on Maturity Indicator Levels (MILs) from 0-3. Each of the 10 security domains has a set of objectives, and the organization’s MIL is calculated for each objective based on the responses. https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
- CSET
  - Provided by the US Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security, the Cyber Security Evaluation Tool (CSET) is a downloadable, installable assessment tool that includes a network diagramming function. https://www.cisa.gov/downloading-and-installing-cset
There are also many third-party providers offering assessment tools, including Acronis, Rapid7, Gartner and others, that provide a summarized or complete report in the hope of engaging the organization for follow-up services.
Once completed, the SAQ is a roadmap of your organization’s strengths and weaknesses. Protect the SAQ results as you would any other sensitive information, and avoid including notes with specific technical details about your organization, especially credentials.
To learn more about which SAQ is right for you and have one professionally facilitated for your organization, contact me at info@southlakecyber.com or call 352.936.1886.