Benchmark – Framework Compliance Assessment Report


Framework Compliance Assessment Report Guide

Directions: Throughout the course students will work on applying a cybersecurity framework to a small to medium-sized business. Each assignment builds on the previous one, and all of them are compiled into a Framework Compliance Assessment Report that helps the proposed business identify, assess, and manage cybersecurity risk. When developing this report, students are encouraged to refer to the "Framework for Improving Critical Infrastructure Cybersecurity," located within the Course Materials.

The formal report must include the following components:

I. Executive Summary

Briefly summarize the scope and results of the framework compliance assessment. Highlight high-risk findings and comment on required management actions. Present an action plan to address and prioritize compliance gaps. Present a cost/benefit analysis. Explain the risks involved in trying to achieve the necessary outcomes and the resources required to address the gaps.

II. Organizational Objectives and Priorities

This section should include an Organizational Data Flow Diagram.

Current Framework Compliance Status: Describe the current cybersecurity environment, such as processes, information, and systems directly involved in the delivery of services. Describe the current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints using the framework identified in the "Organizational Objectives and Priorities" assignment. Include a diagram related to the common flow of information and decisions at the major levels within the organization.

Future Cybersecurity Policy Implementations: Describe the critical cybersecurity needs that should be in place to ensure compliance with the ISO/IEC 27001 Cybersecurity Framework, and then prioritize the outcomes.

III. Operational Compliance and Risk Assessment

This section should include a Portal Diagram and Organizational Risk Assessment Chart.

Cybersecurity Risk Assessment: Describe the likelihood of risks occurring and the resulting impact. Identify threats to, and vulnerabilities of, those systems and assets. Identify both internal and external risks. Determine the acceptable level of risk (risk tolerance). Describe the response to each risk. Describe how identified risks are managed and resolved.
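The risk assessment described above (likelihood, impact, internal/external origin, risk tolerance, and a response per risk) is usually recorded as a scored risk register. The following is an added worked example, not part of the course materials or the cited framework: it assumes a hypothetical 1-4 ordinal scale for likelihood and impact, a constructed tolerance threshold and escalation threshold, and a constructed sample register for a small business. It also adds one caveat a practitioner would want: a multiplicative score can let a low-likelihood, very-high-impact item fall inside tolerance, so the example never accepts such an item on score alone.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical 1-4 ordinal scale for likelihood and impact (constructed for this example).
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "very_high": 4}

# Constructed thresholds: a score at or below RISK_TOLERANCE is accepted and monitored;
# a score at or above ESCALATION_SCORE is escalated to management for a treatment decision.
RISK_TOLERANCE = 4
ESCALATION_SCORE = 9


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # key of LEVELS
    impact: str       # key of LEVELS
    origin: str       # "internal" or "external"

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently drop a risk.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{self.risk_id}: unknown {name} rating {value!r}")
        if self.origin not in ("internal", "external"):
            raise ValueError(f"{self.risk_id}: origin must be 'internal' or 'external'")

    def score(self) -> int:
        """Likelihood x impact on the ordinal scale (range 1..16)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def treatment(risk: Risk, tolerance: int = RISK_TOLERANCE) -> str:
    """Map a scored risk to a response category relative to the stated tolerance."""
    s = risk.score()
    if s >= ESCALATION_SCORE:
        return "mitigate+escalate"   # above tolerance and severe: management decision required
    if s <= tolerance and LEVELS[risk.impact] < LEVELS["very_high"]:
        return "accept"              # within tolerance: record in the register and monitor
    # Either above tolerance, or a very-high-impact item that the score alone would hide.
    return "mitigate"                # assign an owner and a control


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, then by risk_id for stable output."""
    return sorted(register, key=lambda r: (-r.score(), -LEVELS[r.impact], r.risk_id))


def summarize_by_origin(register: List[Risk]) -> Dict[str, Dict[str, int]]:
    """Count of risks per treatment category, split into internal and external origin."""
    out: Dict[str, Dict[str, int]] = {"internal": {}, "external": {}}
    for r in register:
        t = treatment(r)
        out[r.origin][t] = out[r.origin].get(t, 0) + 1
    return out


# Constructed sample register for a small business (illustrative entries, not real findings).
SAMPLE_REGISTER: List[Risk] = [
    Risk("R1", "customer database", "injection attack through the public portal",
         "unvalidated input in web forms", "high", "very_high", "external"),
    Risk("R2", "file server", "ransomware delivered by phishing e-mail",
         "no attachment filtering; staff hold local admin rights", "high", "high", "external"),
    Risk("R3", "payroll spreadsheet", "accidental disclosure by staff",
         "shared drive readable by all employees", "medium", "medium", "internal"),
    Risk("R4", "office printer", "configuration tampering",
         "default administrative password", "low", "low", "internal"),
    Risk("R5", "nightly backups", "loss of backup media in transit",
         "unencrypted tapes", "low", "very_high", "external"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.risk_id} score={r.score():2d} {treatment(r):18s} {r.asset}")
    print(summarize_by_origin(SAMPLE_REGISTER))
```

Running the block prints the register in priority order (R1, R2, R5, R3, R4) and a per-origin summary. R5 is the instructive case: its score of 4 equals the tolerance, yet its very-high impact keeps it in the "mitigate" category rather than "accept". The thresholds and scale are assumptions for the example; an actual report should state the scale and tolerance it uses and justify them in the risk tolerance discussion.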

Privacy Risk Management: Describe how the business is integrating privacy laws and regulations, prioritizing, and measuring progress.

Compliance Gaps: Describe the types of audits that should be performed in order to keep a consistent measure of risk. Determine what type of gap analysis should be performed in order to properly identify the security elements and variables within the environment that pose the most risk. Develop a compliance management plan based on those findings and the information gathered in the sections above.

IV. Response and Recovery Planning

Contingency Planning Process: Define the roles, responsibilities, and procedures associated with restoring IT systems following any kind of disruption.

The Data Backup Planning Process: Briefly describe the data to be backed up, the backup method, and the backup frequency that best meets the business requirements.

The Disaster Recovery Planning Process: Briefly describe the recovery of data specific to your operating environment.

The Emergency Operations Mode Planning: Briefly describe how your organization would carry out operations between the onset of restoration activity and when system functions return.

Testing and Revision Procedures: Briefly describe the frequency and sophistication of the testing and revision procedures.

V. Improvements and Recommendations

Opportunities for Improvement: Identify and prioritize improvement opportunities within the context of a continuous and repeatable process, identifying opportunities for the organization to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. Identify opportunities to address the organization's emerging needs.

Organizational Impact: Describe the impact to the organization in the case that improvements to security are made, whilst also describing what may occur if the improvements are not made.

Monitoring: Describe how the organization would assess its progress toward accurately monitoring and analyzing future cybersecurity threats.