CYBERSECURITY MATURITY MODEL

School: University of Maryland Global Campus (UMGC)
Course: 485
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 6
Uploaded by: ratarver1
CYBERSECURITY MATURITY MODEL VS NIST CYBERSECURITY FRAMEWORK
BY: BOB TARVER
2/11/2024
Introduction

The Department of Energy's C2M2 cybersecurity maturity model has become a tool for determining and assessing the cybersecurity posture of many organizations, most notably in the energy sector (U.S. Energy Association, 2023). The main idea behind this model was to link the NIST Cybersecurity Framework to the digitization of the energy sector. It also supports utility companies as they adapt to new technological advancements and competition within the energy sector (U.S. Energy Association, 2023). The NIST Cybersecurity Framework is in use by many organizations in multiple sectors because of its ability to address cyber risks. One of the main differences of the C2M2 model is that it places a great deal of emphasis on the activities of the organization and not just its systems. It also allows an organization to compare its current profile with a target profile that it wants to achieve, and it can help set priorities for which security products to put in place. The model provides important guidelines for putting cybersecurity practices in place: it defines ten model domains and 312 best practices, divided among three maturity levels (U.S. Energy Association, 2023).

What approach should the organization take in developing the Cybersecurity Management Program?

When it comes to selecting which model to recommend to PBI-FS, I would recommend merging the C2M2 model with the NIST Cybersecurity Framework. By combining the best parts of each model, PBI-FS would get a total view of its cybersecurity posture. The C2M2 would identify any potential gaps in its cybersecurity capabilities, while the NIST framework would help implement and improve those capabilities, thereby creating a more robust cybersecurity strategy (MJOLNIR Security, 2023).

What laws and regulations must be addressed by the Cybersecurity Management Program in a Financial Services Firm?

On March 1, 2017, the DFS, or Department of Financial Services, enacted 23 NYCRR 500 with the plan to combat the risk of cyber threats. The regulations were recently amended in November 2023 to cover how any cybersecurity incident is reported, security controls and policy requirements, and the oversight of cybersecurity protocols (Phillips Lytle LLP, 2023). The amendments include stronger requirements for "Class A Companies", clarifying the responsibilities of the Chief Information Security Officer, requiring specific data protection measures, expanding certification and security event notification requirements, modifying exemptions, and expanding the enforcement provisions (Phillips Lytle LLP, 2023). Several other laws and regulations that need to be addressed are the EU-GDPR, UK-GDPR, the Sarbanes-Oxley Act of 2002, PCI-DSS, the Bank Secrecy Act, the Gramm-Leach-Bliley Act, the Payment Services Directive 2, and the Federal Financial Institutions Examination Council (Kost, 2023).

What are the Best Practices that Should be put into place to Assess the Maturity of the PBI-FS's Cybersecurity Management Program?

Some of the best practices that should be put into place by PBI-FS would be to implement an enterprise security framework, create a strong cybersecurity culture, implement threat monitoring, have third-party risk management, back up data regularly, and develop and implement strong incident response plans. It would also be wise to obtain a SOC 2 certification to show that there is a strong cybersecurity posture within the organization (RSI Security Inc, 2022).

Conclusion

It is strongly suggested that the Board of Directors of PBI-FS review and implement the suggestions within this document to create a more robust cybersecurity culture. Combining the C2M2 model with the NIST Cybersecurity Framework will achieve the goal of creating the strongest profile possible. The need to be constantly aware of changing laws and regulations within the financial services sector is crucial as well, covering not only national laws but international ones.
REFERENCES

Kost, E. (2023, June 27). Top 8 Cybersecurity Regulations for Financial Services. Retrieved from upguard.com: https://www.upguard.com/blog/cybersecurity-regulations-financial-industry

MJOLNIR Security. (2023, April 6). Performing Maturity Assessments Using Cybersecurity Capability Maturity Model and NIST. Retrieved from mjolnirsecurity.com: https://mjolnirsecurity.com/performing-maturity-assessments-using-cybersecurity-capability-maturity-model-and-nist-mjolnir-securitys-holistic-approach/

Phillips Lytle LLP. (2023, December 6). New Cybersecurity Requirements for Financial Service Companies. Retrieved from PhillipsLytle.com: https://phillipslytle.com/new-cybersecurity-requirements-for-financial-service-companies/

RSI Security Inc. (2022, March 4). Financial Cybersecurity Best Practices For Financial Services. Retrieved from rsisecurity.com: https://blog.rsisecurity.com/financial-cybersecurity-best-practices-for-financial-services-organizations/

U.S. Energy Association. (2023). Cybersecurity Capability Maturity Model C2M2 an Introduction. Retrieved from eightify.app: https://eightify.app/summary/technology-and-security/cybersecurity-capability-maturity-model-c2m2-an-introduction