Greater Houston Partnership (GHP)

Cybersecurity
Free Cybersecurity Guide

Infrastructure Assessment

Each category below is rated from Tier 1 - Partial to Tier 4 - Adaptive, with increasing cybersecurity sophistication based on business need.

Identify

Asset Management
  Tier 1 - Partial: Ad hoc documentation of systems
  Tier 2 - Risk informed: Major applications, network and high risk data identified and documented
  Tier 3 - Repeatable: Applications, external endpoints, data sources, network diagrams, external connections, personnel (internal and contract) documented and managed
  Tier 4 - Adaptive: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy

Business Environment
  Tier 1 - Partial: Cybersecurity management not formalized, reactive
  Tier 2 - Risk informed: Cybersecurity risk management evaluated, but not established organization-wide
  Tier 3 - Repeatable: Cybersecurity roles, responsibilities, and risk management decisions identified and communicated
  Tier 4 - Adaptive: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions

Governance
  Tier 1 - Partial: No formal cyber policies. Policies not tied to risk evaluation or enforced
  Tier 2 - Risk informed: Policies are approved by management but may be incomplete and inconsistently enforced. Policies focus on high risk data and systems
  Tier 3 - Repeatable: Risk-aware policies implemented, trained and enforced internally and with business associates
  Tier 4 - Adaptive: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk

Risk Assessment
  Tier 1 - Partial: Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements
  Tier 2 - Risk informed: Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements
  Tier 3 - Repeatable: Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape
  Tier 4 - Adaptive: Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner

Risk Management Strategy
  Tier 1 - Partial: There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. Organization may not have the processes in place to participate in coordination or collaboration with other entities
  Tier 2 - Risk informed: There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally
  Tier 3 - Repeatable: There is an organization-wide approach to manage cybersecurity risk. The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events
  Tier 4 - Adaptive: There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs

Protect (Tier 1 - Partial to Tier 4 - Adaptive, increasing cybersecurity sophistication based on business need)

Access Control
  Tier 1 - Partial: Access to assets is not consistently limited or logged
  Tier 2 - Risk informed: Access to critical/sensitive systems is restricted and logged
  Tier 3 - Repeatable: Access to all assets and facilities is restricted to authorized users and logged
  Tier 4 - Adaptive: Access to assets and associated facilities is limited to authorized users, processes, or devices and to authorized activities and transactions. Audit logs are analyzed at discrete intervals

Awareness and Training
  Tier 1 - Partial: No consistent training of employees and partners
  Tier 2 - Risk informed: Regular training of employees on security and use of sensitive data and systems
  Tier 3 - Repeatable: Regular training of employees on cyber security. Trading partners aware of requirements
  Tier 4 - Adaptive: The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures and agreements

Data Security
  Tier 1 - Partial: Data security inconsistently applied internally and with business associates
  Tier 2 - Risk informed: Sensitive data encrypted at rest and in transit
  Tier 3 - Repeatable: Sensitive data encrypted at rest and in transit. Business associate agreements with all partners who have access to this data
  Tier 4 - Adaptive: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information

Information Protection Processes and Procedures
  Tier 1 - Partial: No enforced security policies
  Tier 2 - Risk informed: Security policies enforced for sensitive data and critical systems
  Tier 3 - Repeatable: Security policies maintained and enforced internally and with business associates
  Tier 4 - Adaptive: Security policies (that address purpose, scope, roles, responsibilities, management commitment and coordination among organizational entities), processes and procedures are maintained and used to manage protection of information systems and assets

Maintenance
  Tier 1 - Partial: No consistent maintenance and repairs of information system components
  Tier 2 - Risk informed: Information components handling sensitive data/critical systems are maintained and up to date
  Tier 3 - Repeatable: Information components are maintained and up to date
  Tier 4 - Adaptive: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures

Protective Technology
  Tier 1 - Partial: Generic security solutions, such as anti-virus, spam and phishing monitoring tools
  Tier 2 - Risk informed: Security solutions targeted internally based on risk
  Tier 3 - Repeatable: Security solutions consistently applied internally and with trading partners
  Tier 4 - Adaptive: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements

Detect (Tier 1 - Partial to Tier 4 - Adaptive, increasing cybersecurity sophistication based on business need)

Anomalies and Events
  Tier 1 - Partial: Issues usually identified by a problem caused from a cyber attack
  Tier 2 - Risk informed: Anomalous activity on sensitive data and systems is detected in a timely manner
  Tier 3 - Repeatable: Anomalous activity is detected in a timely manner
  Tier 4 - Adaptive: Anomalous activity is detected in a timely manner and the potential impact of events is understood

Security Continuous Monitoring
  Tier 1 - Partial: Monitoring, if in place, not managed
  Tier 2 - Risk informed: High risk data/systems are monitored and managed
  Tier 3 - Repeatable: Information systems and assets are monitored at discrete intervals to identify cyber security events
  Tier 4 - Adaptive: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures

Detection Processes
  Tier 1 - Partial: Detection systems not consistently maintained and tested
  Tier 2 - Risk informed: Detection systems on sensitive data and infrastructure routinely maintained
  Tier 3 - Repeatable: Detection systems are maintained and updated based on known threats
  Tier 4 - Adaptive: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events

Respond (Tier 1 - Partial to Tier 4 - Adaptive, increasing cybersecurity sophistication based on business need)

Response Planning
  Tier 1 - Partial: No predetermined response plan
  Tier 2 - Risk informed: Response plan set for critical data and systems
  Tier 3 - Repeatable: Organization-wide response process documented and communicated
  Tier 4 - Adaptive: Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events

Communications
  Tier 1 - Partial: Reactive communications
  Tier 2 - Risk informed: Communication performed per plan
  Tier 3 - Repeatable: Communication coordinated with business partners
  Tier 4 - Adaptive: Communication activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies

Analysis
  Tier 1 - Partial: No formal analysis process
  Tier 2 - Risk informed: Analysis conducted based on data sensitivity
  Tier 3 - Repeatable: Analysis is performed across all systems
  Tier 4 - Adaptive: Analysis is conducted to ensure adequate response and support recovery activities

Mitigation
  Tier 1 - Partial: Little opportunity for mitigation
  Tier 2 - Risk informed: Loss of and access to sensitive data and systems can be limited. Adequate documentation to demonstrate lack of negligence
  Tier 3 - Repeatable: Early detection permits response to mitigate expansion and limit damage
  Tier 4 - Adaptive: Activities are performed to prevent expansion of an event, mitigate its effects and eradicate the incident

Improvements
  Tier 1 - Partial: Improvements not consistently made or enforced following an incident
  Tier 2 - Risk informed: Security hardened for sensitive data and systems
  Tier 3 - Repeatable: Gaps in security that permitted the incident identified and addressed
  Tier 4 - Adaptive: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities

Recover (Tier 1 - Partial to Tier 4 - Adaptive, increasing cybersecurity sophistication based on business need)

Recovery Planning
  Tier 1 - Partial: Recovery processes dependent on third party vendors
  Tier 2 - Risk informed: Recovery of sensitive data systems planned and coordinated
  Tier 3 - Repeatable: Recovery of business critical systems and connections to business associates planned and coordinated
  Tier 4 - Adaptive: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events

Improvements
  Tier 1 - Partial: Improvements based on vendor's recommendations
  Tier 2 - Risk informed: Recovery planning for sensitive data evaluated
  Tier 3 - Repeatable: Recovery plans evaluated to confirm they were followed
  Tier 4 - Adaptive: Recovery planning and processes are improved by incorporating lessons learned into future activities

Communications
  Tier 1 - Partial: Recovery not communicated
  Tier 2 - Risk informed: Restoration activities coordinated internally
  Tier 3 - Repeatable: Restoration activities coordinated with business associates
  Tier 4 - Adaptive: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors

Count of Tier Categories:
  Partial: ___
  Risk informed: ___
  Repeatable: ___
  Adaptable: ___

Overall Score:
  22 or less: Good cyber security measures in place
  23-44: Perform risk/benefit analysis
  Over 44: Invest in cyber protection

Tier 1 - Partial: There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. Organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2 - Risk Informed: There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.

Tier 3 - Repeatable: There is an organization-wide approach to manage cybersecurity risk. The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Tier 4 - Adaptive: There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
