Cybersecurity Standards Scorecard (2022 Edition)

© 2022 Enclave Security, LLC | All Rights Reserved

Summary: This deck presents a study that evaluates and compares the most popular cybersecurity standards against a common set of criteria. It finds that the Collective Control Catalog, which aggregates controls from 35+ standards, provides the most comprehensive baseline. The CIS Controls v7.1 and v8.0 received overall scores of B and C+ respectively, while the NIST Cybersecurity Framework v1.1 scored D+. The study aims to help organizations choose a standard by providing an objective methodology for comparison.


Problem Statement – Cybersecurity Standards

• At the present time there are dozens of cybersecurity standards and regulations around the world
• There is a general belief that all standards are basically the same – this could not be further from the truth
• Organizations tend to choose a cybersecurity standard based on popularity or prior experience with a given standard
• Very few organizations have an objective methodology for comparing or evaluating the standards themselves


Goal for this Webcast Series

• The goal is for this webcast to become an annual research study
• Each year we will evaluate the most popular cybersecurity standards
• Each year we will reconsider the evaluation criteria based on community feedback and suggestions
• The goal is also to present a potential methodology for evaluating standards
• Different organizations have different goals and may want to score the standards according to their own organizational needs
• Ultimately, we want to help organizations make an intelligent decision about how to defend themselves


Cybersecurity Standards Evaluated

• Dozens of standards could have been considered for this study
• However, only the following were evaluated in the 2022 study:
− CIS Controls (v7.1)
− CIS Controls (v8.0)
− NIST Cybersecurity Framework (v1.1)
− Cybersecurity Maturity Model Certification (v1.02)
− NIST SP 800-171 (rev2)
− ISO 27002:2013 & 27002:2022
− PCI DSS (v3.2 & v4.0)
− HIPAA
− COBIT (v5)
− MITRE Enterprise Mitigations
− Collective Control Catalog (v2022)


Criteria Used to Compare Standards

• Each standard was evaluated against a set of characteristics determined to be the baseline for a well-rounded cybersecurity standard
• Each characteristic receives a letter grade (A through F) and the grades are combined into an overall score for the standard
• The criteria used to evaluate each standard include:
− Governance Controls Addressed
− Operational Controls Addressed
− Privacy Controls Addressed
− Technical Controls Addressed
− Controls Updated Recently
− Community Driven / Open Development
− Popularity of Standard (Google Trends)
− Maps Threats to Controls
− Specifically Addresses Modern Threats
− Maps Detailed Controls to Other Control Standards
− Tagged for Applicability (Cloud, ICS, IoT, etc)
− International Applicability / Implementation
− Prioritizes Controls
− Corresponding Measures / Metrics Guide
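To make the "score according to your own organizational needs" idea concrete, here is an added example (not code from the deck, Enclave Security or AuditScripts) that turns the per-criterion letter grades from the scorecard slides into a weighted overall score and re-ranks the standards under a different weight profile. The grade strings are copied from the scorecard slides for five of the standards; the 4.0-scale point mapping (GRADE_POINTS), the nearest-letter rounding (to_letter) and the SOC_PROFILE weights are assumptions of this example. The formula does not reproduce the deck's own overall grades (an equal-weight average of the CIS v7.1 grades lands near C+ where the deck gives B), so treat it as an illustration of re-weighting, not as the study's arithmetic.

```python
"""Weighted scorecard for comparing cybersecurity standards.

Added example, not code from the Enclave Security deck. The per-criterion
letter grades below are copied from the deck's scorecard slides; the 4.0-scale
point mapping, the nearest-letter rounding and the SOC_PROFILE weights are
assumptions of this example, not the study's published method.
"""
from __future__ import annotations

CRITERIA = [
    "Governance Controls Addressed",
    "Operational Controls Addressed",
    "Privacy Controls Addressed",
    "Technical Controls Addressed",
    "Controls Updated Recently",
    "Community Driven / Open Development",
    "Popularity of Standard (Google Trends)",
    "Maps Threats to Controls",
    "Specifically Addresses Modern Threats",
    "Maps Detailed Controls to Other Control Standards",
    "Tagged for Applicability (Cloud, ICS, IoT, etc)",
    "International Applicability / Implementation",
    "Prioritizes Controls",
    "Corresponding Measures / Metrics Guide",
]

# One letter per criterion, in CRITERIA order, copied from the deck's slides.
SCORECARDS = {
    "CIS Controls v7.1": "DDFBCABFBBCAAA",
    "CIS Controls v8.0": "DDFCBBBFBCFABF",
    "NIST CSF v1.1": "DCFDDDCFFCFDFF",
    "MITRE Enterprise Mitigations": "FFFCBCFAAFFCDF",
    "Collective Control Catalog v2022": "ABBAABDFAABCAA",
}

# Assumed 4.0-scale mapping (the deck does not publish its scoring formula).
GRADE_POINTS = {
    "A": 4.0, "A-": 3.7, "B+": 3.3, "B": 3.0, "B-": 2.7, "C+": 2.3,
    "C": 2.0, "C-": 1.7, "D+": 1.3, "D": 1.0, "F": 0.0,
}

# Assumed weight profile for a detection-focused team: everything not listed
# keeps weight 1.0, so the profile only emphasises threat coverage.
SOC_PROFILE = {
    "Maps Threats to Controls": 5.0,
    "Specifically Addresses Modern Threats": 3.0,
    "Technical Controls Addressed": 2.0,
}


def grade_points(grades: str) -> list[float]:
    """Convert a grade string (one letter per criterion) to points."""
    if len(grades) != len(CRITERIA):
        raise ValueError(f"expected {len(CRITERIA)} grades, got {len(grades)}")
    try:
        return [GRADE_POINTS[g] for g in grades]
    except KeyError as exc:
        raise ValueError(f"unknown grade {exc.args[0]!r}") from None


def weighted_score(grades: str, weights: dict[str, float] | None = None) -> float:
    """Weighted mean on the 4.0 scale; criteria missing from `weights` get 1.0."""
    weights = weights or {}
    unknown = sorted(set(weights) - set(CRITERIA))
    if unknown:
        raise ValueError(f"unknown criteria in weights: {unknown}")
    w = [float(weights.get(c, 1.0)) for c in CRITERIA]
    if min(w) < 0 or sum(w) <= 0:
        raise ValueError("weights must be non-negative and not all zero")
    return sum(p * x for p, x in zip(grade_points(grades), w)) / sum(w)


def to_letter(score: float) -> str:
    """Nearest letter on the assumed 4.0 scale (ties go to the higher grade)."""
    return min(GRADE_POINTS, key=lambda g: abs(GRADE_POINTS[g] - score))


def rank(scorecards: dict[str, str],
         weights: dict[str, float] | None = None) -> list[tuple[str, float]]:
    """Standards ordered best-first under the given weight profile."""
    scored = [(name, round(weighted_score(g, weights), 2))
              for name, g in scorecards.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Re-weighting moves MITRE Enterprise Mitigations from 4th to 2nd place:
    # its threat mapping is what a SOC values, and the equal-weight view hides it.
    for label, profile in (("equal weights", None), ("SOC profile", SOC_PROFILE)):
        print(f"\n{label}:")
        for name, score in rank(SCORECARDS, profile):
            print(f"  {score:4.2f}  {to_letter(score):<2}  {name}")
```

Run it and the two rankings differ: MITRE Enterprise Mitigations is fourth of five under equal weights but second once threat mapping is weighted up, while the Collective Control Catalog stays first under both profiles. That is the practical point of the slide: agree on the weights before picking a standard, because the weights decide the winner.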


Cybersecurity Control Baseline – Collective Control Catalog

• Developed by the same consortium of security practitioners that developed the CRM and CTM
• Open-source research project freely available to the community
• Started as a research project to normalize and compare existing cybersecurity standards and regulations
• Presently aggregates and analyzes control libraries from 35+ standards
• Normalizes roughly 2200 control statements to about 400 statements
• Also categorizes, tags, and prioritizes control statements to facilitate project planning and implementation efforts


Project Contributors / Reviewers

• There have been numerous contributors to this project over the last few years
• Some of the key contributors to this project include representatives from:
− The SANS Institute
− The Institute of Applied Network Security (IANS)
− Enclave Security / AuditScripts
− Black Hills Information Security (BHIS)
− Individuals from a diverse set of international organizations (public and private)


Collective Control Catalog: Inventory



Collective Control Catalog: Normalizing and Mapping



Collective Control Catalog Coverage (CIS v7.1)

Center for Internet Security (CIS) Controls v7.1



Google Trends – Past 5 Years (CIS v7.1)



Cybersecurity Scorecard – CIS Controls v7.1
Cybersecurity Standard Characteristic Score
Governance Controls Addressed D
Operational Controls Addressed D
Privacy Controls Addressed F
Technical Controls Addressed B
Controls Updated Recently C
Community Driven / Open Development A
Popularity of Standard (Google Trends) B
Maps Threats to Controls F
Specifically Addresses Modern Threats B
Maps Detailed Controls to Other Control Standards B
Tagged for Applicability (Cloud, ICS, IoT, etc) C
International Applicability / Implementation A
Prioritizes Controls A
Corresponding Measures / Metrics Guide A
Overall Score B



Collective Control Catalog Coverage (CIS v8.0)

Center for Internet Security (CIS) Controls v8.0



Google Trends – Past 5 Years (CIS v8.0)



Cybersecurity Scorecard – CIS Controls v8.0
Cybersecurity Standard Characteristic Score
Governance Controls Addressed D
Operational Controls Addressed D
Privacy Controls Addressed F
Technical Controls Addressed C
Controls Updated Recently B
Community Driven / Open Development B
Popularity of Standard (Google Trends) B
Maps Threats to Controls F
Specifically Addresses Modern Threats B
Maps Detailed Controls to Other Control Standards C
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation A
Prioritizes Controls B
Corresponding Measures / Metrics Guide F
Overall Score C+



Collective Control Catalog Coverage (NIST CSF)

NIST Cybersecurity Framework (CSF v1.1)



Google Trends – Past 5 Years (NIST CSF)



Cybersecurity Scorecard – NIST CSF (v1.1)
Cybersecurity Standard Characteristic Score
Governance Controls Addressed D
Operational Controls Addressed C
Privacy Controls Addressed F
Technical Controls Addressed D
Controls Updated Recently D
Community Driven / Open Development D
Popularity of Standard (Google Trends) C
Maps Threats to Controls F
Specifically Addresses Modern Threats F
Maps Detailed Controls to Other Control Standards C
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation D
Prioritizes Controls F
Corresponding Measures / Metrics Guide F
Overall Score D+



Collective Control Catalog Coverage (CMMC)

Cybersecurity Maturity Model Certification (v1.02)



Google Trends – Past 5 Years (CMMC)



Cybersecurity Scorecard – CMMC (v1.02)
Cybersecurity Standard Characteristic Score
Governance Controls Addressed D
Operational Controls Addressed C
Privacy Controls Addressed F
Technical Controls Addressed B
Controls Updated Recently B
Community Driven / Open Development D
Popularity of Standard (Google Trends) C
Maps Threats to Controls F
Specifically Addresses Modern Threats B
Maps Detailed Controls to Other Control Standards C
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation D
Prioritizes Controls F
Corresponding Measures / Metrics Guide F
Overall Score C



Collective Control Catalog Coverage (NIST 800-171)

NIST 800-171 (rev2)



Google Trends – Past 5 Years (NIST 800-171)



Cybersecurity Scorecard – NIST 800-171 (rev2)
Cybersecurity Standard Characteristic Score
Governance Controls Addressed D
Operational Controls Addressed D
Privacy Controls Addressed F
Technical Controls Addressed C
Controls Updated Recently B
Community Driven / Open Development D
Popularity of Standard (Google Trends) C
Maps Threats to Controls F
Specifically Addresses Modern Threats C
Maps Detailed Controls to Other Control Standards D
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation D
Prioritizes Controls F
Corresponding Measures / Metrics Guide F
Overall Score C-



Collective Control Catalog Coverage (ISO 27002)

ISO 27002:2013



Collective Control Catalog Coverage (ISO 27002)

ISO 27002:2022

[Coverage chart by Collective Control Catalog category: Security Program Governance; Auditing and Reporting; Security Program Operations; Asset Inventory and Control; System Protection; System Monitoring; Identity and Access Management; Network Device Protection; Boundary Protection; Internal Network Protection; Secure Software Development; Data Privacy]


Google Trends – Past 5 Years (ISO 27002)



Cybersecurity Scorecard – ISO 27002:2022
Cybersecurity Standard Characteristic Score
Governance Controls Addressed C
Operational Controls Addressed B
Privacy Controls Addressed F
Technical Controls Addressed C
Controls Updated Recently A
Community Driven / Open Development D
Popularity of Standard (Google Trends) C
Maps Threats to Controls F
Specifically Addresses Modern Threats F
Maps Detailed Controls to Other Control Standards D
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation A
Prioritizes Controls F
Corresponding Measures / Metrics Guide C
Overall Score C-



Collective Control Catalog Coverage (PCI DSS)

Payment Card Industry (PCI) Data Security Standard (v3.2)


Collective Control Catalog Coverage (PCI DSS)

Payment Card Industry (PCI) Data Security Standard (v4.0)

[Coverage chart by Collective Control Catalog category: Security Program Governance; Auditing and Reporting; Security Program Operations; Asset Inventory and Control; System Protection; System Monitoring; Identity and Access Management; Network Device Protection; Boundary Protection; Internal Network Protection; Secure Software Development; Data Privacy]


Google Trends – Past 5 Years (PCI DSS)



Cybersecurity Scorecard – PCI DSS (v4.0)
Cybersecurity Standard Characteristic Score
Governance Controls Addressed D
Operational Controls Addressed D
Privacy Controls Addressed F
Technical Controls Addressed C
Controls Updated Recently A
Community Driven / Open Development D
Popularity of Standard (Google Trends) C
Maps Threats to Controls F
Specifically Addresses Modern Threats D
Maps Detailed Controls to Other Control Standards D
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation B
Prioritizes Controls F
Corresponding Measures / Metrics Guide F
Overall Score C-



Collective Control Catalog Coverage (HIPAA)

HIPAA Security Rule



Google Trends – Past 5 Years (HIPAA)



Cybersecurity Scorecard – HIPAA
Cybersecurity Standard Characteristic Score
Governance Controls Addressed D
Operational Controls Addressed D
Privacy Controls Addressed F
Technical Controls Addressed D
Controls Updated Recently F
Community Driven / Open Development F
Popularity of Standard (Google Trends) D
Maps Threats to Controls F
Specifically Addresses Modern Threats F
Maps Detailed Controls to Other Control Standards D
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation D
Prioritizes Controls F
Corresponding Measures / Metrics Guide F
Overall Score D



Collective Control Catalog Coverage (COBIT)

COBIT (v5)



Google Trends – Past 5 Years (COBIT)



Cybersecurity Scorecard – COBIT
Cybersecurity Standard Characteristic Score
Governance Controls Addressed C
Operational Controls Addressed D
Privacy Controls Addressed F
Technical Controls Addressed F
Controls Updated Recently F
Community Driven / Open Development D
Popularity of Standard (Google Trends) D
Maps Threats to Controls F
Specifically Addresses Modern Threats F
Maps Detailed Controls to Other Control Standards F
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation C
Prioritizes Controls F
Corresponding Measures / Metrics Guide F
Overall Score D



Collective Control Catalog Coverage (MITRE)

MITRE Enterprise Mitigations



Google Trends – Past 5 Years (MITRE)



Cybersecurity Scorecard – MITRE Enterprise Mitigations
Cybersecurity Standard Characteristic Score
Governance Controls Addressed F
Operational Controls Addressed F
Privacy Controls Addressed F
Technical Controls Addressed C
Controls Updated Recently B
Community Driven / Open Development C
Popularity of Standard (Google Trends) F
Maps Threats to Controls A
Specifically Addresses Modern Threats A
Maps Detailed Controls to Other Control Standards F
Tagged for Applicability (Cloud, ICS, IoT, etc) F
International Applicability / Implementation C
Prioritizes Controls D
Corresponding Measures / Metrics Guide F
Overall Score C-



Collective Control Catalog Coverage (CCC)

Collective Control Catalog (v2022)


Google Trends – Past 5 Years (CCC)



Cybersecurity Scorecard – CCC (v2022)
Cybersecurity Standard Characteristic Score
Governance Controls Addressed A
Operational Controls Addressed B
Privacy Controls Addressed B
Technical Controls Addressed A
Controls Updated Recently A
Community Driven / Open Development B
Popularity of Standard (Google Trends) D
Maps Threats to Controls F
Specifically Addresses Modern Threats A
Maps Detailed Controls to Other Control Standards A
Tagged for Applicability (Cloud, ICS, IoT, etc) B
International Applicability / Implementation C
Prioritizes Controls A
Corresponding Measures / Metrics Guide A
Overall Score A-



2022 Overall Cybersecurity Standards Scorecard
Cybersecurity Standard Score (2022)
CIS Controls (v7.1) B
CIS Controls (v8.0) C+
NIST Cybersecurity Framework (v1.1) D+
Cybersecurity Maturity Model Certification (v1.02) C
NIST SP 800-171 (rev2) C-
ISO 27002:2022 C-
PCI DSS (v4.0) C-
HIPAA D
COBIT (v5) D
MITRE Enterprise Mitigations C-
Collective Control Catalog (v2022) A-


Collective Control Catalog: Prioritization and Tagging



Simple Sample Reporting Tool

• Microsoft Excel is still the most popular risk management tool available to cybersecurity practitioners
• Sometimes it is better not to be complicated
• The tool shown on this slide is an example of using Microsoft Excel to score risk against an agreed-upon set of controls
• In this case, using the free AuditScripts.com tool to measure against the Collective Control Catalog (CCC)

Future of the Project

• The goal is to continue to develop this framework with collective community support
• At least annually, a new version of this framework, with supporting resources, will be released to the community for their consideration
• Specific project goals for 2023:
− Include additional standards / mappings (ISO 27002, PCI, etc)
− Include additional content for DevOps and serverless architectures
− Document the audit framework and a template audit plan


Next Steps – Call to Action

As a cybersecurity professional, what comes next?

Learning from presentations such as this is wonderful, but action is better:

1. Has your organization's leadership formally chartered a program to address these issues?
2. Has your organization formally agreed on a common set of cybersecurity controls to help ensure you achieve your business objectives?
3. Has your organization been assessed against a common set of cybersecurity controls to better understand its present state?
4. Has your organization defined a plan to address the most critical cybersecurity control gaps identified in the assessment?


COURSE RESOURCES AND CONTACT INFORMATION

James Tarala, Principal Consultant at Enclave Security
[email protected]

Resources for further study:
− SANS Webcasts
− AuditScripts.com Risk Resources
− SANS MGT415: A Practical Introduction to Cyber Security Risk Management
− SANS SEC566: Implementing and Auditing CIS Critical Controls