Cyber Security Self-Assessment
Cyber Security Self-Assessment (CSSA) for an energy supplier in the CRITIS area
Abstract
During a guided self-review, potential for improvement was systematically identified and appropriate recommendations for action were made.
Initial situation and problem definition
Client: Energy supplier in the CRITIS area
Scope: Group in Austria with approx. 2,500 employees
Focus on the commercial area of the group
ISO/IEC 27001 and 27002 standards currently being implemented
Introduction of a SIEM solution and establishment of an identity and access management system planned
Objectives, project scope and benefits
Identification of potential for improvement per task field and category
Translation into suitable recommendations for action
Transparent processing and discussion of the CSSA results, the potential for improvement identified and the recommendations for action
Procedure
Basis of the questionnaire: Cybersecurity Framework Version 1.1 of the National Institute of Standards and Technology (NIST)
Expanded to cover the requirements of ISO standard 27001:2013
Questionnaire with 5 primary task areas, 23 categories and a total of 103 questions
2-day on-site workshop: guided completion of the questionnaire and quantification of the answers on a scale from 1 to 4
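To make the scoring step concrete, here is an added example (not code from the original case study or its client) that aggregates a questionnaire scored 1 to 4 per NIST CSF function and category, flags categories below a target score and compares two assessment rounds; the question identifiers and scores are constructed sample data.

```python
# Added example: score aggregation for a NIST CSF 1.1-style questionnaire
# answered on a 1..4 scale. Function and category names follow NIST CSF 1.1;
# the question ids and scores are constructed sample data, not client data.
from collections import defaultdict
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 4

# (function, category, question id, score) -- constructed sample answers
SAMPLE_2023 = [
    ("Identify", "ID.AM", "ID.AM-1", 2), ("Identify", "ID.AM", "ID.AM-2", 3),
    ("Protect", "PR.AC", "PR.AC-1", 1), ("Protect", "PR.AC", "PR.AC-4", 2),
    ("Detect", "DE.CM", "DE.CM-1", 1),
    ("Respond", "RS.RP", "RS.RP-1", 3),
    ("Recover", "RC.RP", "RC.RP-1", 4),
]
# Constructed follow-up round after the recommended actions were implemented
SAMPLE_2024 = [
    ("Identify", "ID.AM", "ID.AM-1", 3), ("Identify", "ID.AM", "ID.AM-2", 3),
    ("Protect", "PR.AC", "PR.AC-1", 3), ("Protect", "PR.AC", "PR.AC-4", 3),
    ("Detect", "DE.CM", "DE.CM-1", 3),
    ("Respond", "RS.RP", "RS.RP-1", 3),
    ("Recover", "RC.RP", "RC.RP-1", 4),
]

def category_scores(answers):
    """Mean score per (function, category); rejects scores outside 1..4."""
    by_cat = defaultdict(list)
    for func, cat, qid, score in answers:
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{qid}: score {score} outside {SCALE_MIN}..{SCALE_MAX}")
        by_cat[(func, cat)].append(score)
    return {key: round(mean(v), 2) for key, v in by_cat.items()}

def function_scores(answers):
    """Mean score per CSF function (Identify, Protect, Detect, Respond, Recover)."""
    by_func = defaultdict(list)
    for func, _, _, score in answers:
        by_func[func].append(score)
    return {f: round(mean(v), 2) for f, v in by_func.items()}

def improvement_candidates(answers, target=3.0):
    """Categories whose mean score is below the target, worst first."""
    scores = category_scores(answers)
    return sorted(((k, s) for k, s in scores.items() if s < target), key=lambda kv: kv[1])

def delta(before, after):
    """Per-category change between two rounds (after minus before)."""
    b, a = category_scores(before), category_scores(after)
    return {k: round(a[k] - b[k], 2) for k in a if k in b}
```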
Results achieved and outlook
Identification of potential improvements in four areas of the group and translation into concrete recommendations for action
Targeted strengthening and improvement of IT security
Comparability through standardization, so that the effectiveness of measures can be assessed by a subsequent CSSA