PeriCertum designed its Services Suite with the Center for Internet Security (CIS) Critical Security Controls™ in mind. Our initial tailored process for Risk Identification and Quantification helps organizations rapidly create a financial cyber risk profile. We collect client data about your unique business and network environment and perform external and internal network vulnerability scans. Our initial assessment audits your external threat landscape and quantifies your organization’s unique internal vulnerabilities and financial exposure to cyber risk.
For most organizations this is a good starting point; the deeper analysis described below supports long-term security planning.
When you are ready, PeriCertum can provide a deep-dive assessment of your environment that gives a thorough, detailed picture of exactly where your risks are found, together with the steps needed to remediate them. The Deep Assessment addresses all the applicable CIS Controls™ in a more involved process led by cyber experts selected for the specific skills your organization’s requirements call for. It culminates in an actionable report with specific near-, mid-, and long-term recommendations for technology, training, and resourcing. The result is an effective cybersecurity program capable of protecting your organization’s most valuable assets while documenting your compliance with the regulatory requirements applicable to your industry.
Understanding NIST 800-53 and the CIS Controls™
The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides an authoritative catalog of security and privacy controls for business and government.
However, many organizations find it difficult to navigate the control families (18 in Revision 4, 20 in Revision 5) and the hundreds of individual controls and control enhancements cataloged in NIST SP 800-53. The Center for Internet Security drew on that catalog, and on knowledge of real-world attacks, to produce a prioritized subset of controls representing globally accepted security best practices. The result was the CIS Controls™. The controls were designed to focus organizations on the essential measures that deliver the most relevant immediate improvements. They are useful because of their outsized effect on security and because they start with the fundamental building blocks of sound cybersecurity: knowing what hardware and software you have, configuring it securely, and controlling who can use it. They provide an excellent tool for prioritizing security investments to fit within available resources. PeriCertum’s assessment methodology focuses on the CIS Controls™ so that your organization improves its security posture with the least cost and effort. Focusing on these controls narrows your efforts to those with the greatest return on investment and provides a reliable methodology for measuring essential improvements to your organization’s security.
An Effective Cyber Defense System
The five critical tenets of an effective cyber defense system, as reflected in the CIS Controls™ and incorporated in the PeriCertum consulting approach, are:
- Offense informs defense: Use knowledge of actual attacks that have compromised systems as the foundation for continually learning from those events and building effective, practical defenses. Include only those controls that can be shown to stop or detect known real-world attacks.
- Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.
- Measurements and Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous diagnostics and mitigation: Measure continuously to test and validate the effectiveness of current security measures and to help drive the priority of next steps.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.
Training, Knowledge Transfer, and Validation
A third-party assessment provides independent outside eyes to look critically over your organization for weaknesses that may otherwise escape attention. In operationally focused organizations, even the best security practitioners commonly overlook areas that lead to increased cyber risk. Focus on meeting quarterly and annual goals while operating within resource constraints can lead to accepting risks that have dire consequences once the threats materialize. At the heart of the PeriCertum approach is a focus on training your staff and improving their skills through every step of the assessment. We pride ourselves on the knowledge transfer that occurs during our assessments. We validate the skills and performance of your staff while coaching and mentoring them to higher levels of performance. Our goal is to equip your team with the knowledge they need to be effective in their jobs.