IT-Security Gap Analysis: CIS-20 Critical controls

Controls Profile: Make IT Security Measurable

Deloitte has developed a simple measurement approach based on the CIS guidelines for effective controls for IT Security. This will enable you to connect security objectives/goals with measurements for tracking and reporting purposes.

Challenges

How are you managing your IT security risks?

Most organisations either cannot answer this question or are not managing IT security risk with a measurable approach. It is critical that the organisation is able to put a number on its level of IT security. This makes it possible to break down the different areas of improvement and assign specific measures and metrics to each of them.

Having a quantitative approach that continuously measures progress ensures transparency in both process and resource allocation.

Most organisations struggle to develop a practical IT security program. The challenge is simply where to start and which initiatives to prioritize.

Our approach

We have developed an approach, based on the Center for Internet Security CIS-20 framework, which enables organisations to tackle this task in a simple and practical manner.

The purpose of the Deloitte Controls Profile is to ensure that all IT-security measurements in scope are performed regularly and that the results are aligned. A simple dashboard provides the insights needed to improve processes and controls and to understand the root causes of incidents. We hand over our methods and templates to you and ensure that the process is carried on.

This profile supports specific compliance requirements (e.g. ISO 27001) and IT audit requirements.

We have developed a system of profiles based on 20 Critical controls (CIS-20). This enables your organisation to deep-dive into specific topics or start from the Security Profile and work from that foundation.

  1. Prerequisite: The IT Security Profile

    As a foundation for the Controls Profile, we recommend the Deloitte Security Profile (the gap assessment). The Security Profile gives an overview of security ‘soft spots’ and where improvements are needed. The gaps identified in this profile are the ones tracked through the Controls Profile.

    Make sure that a fit-for-purpose IT security framework is chosen for your journey.

  2. Step 1: Understand what to measure and what is possible for your organisation

    We cover the different controls that need to be adapted to your IT landscape. We consider not only best-practice advice but also what is practically achievable.

  3. Step 2: Design and measure controls fit for purpose and aligned with CIS-20

    Based on the scope agreed in step 1, we design the specific measures and metrics to be included in the Controls Profile. We also cover how to maintain the profile so that the employees involved support the new requirements and see their value.

  4. Step 3: Update progress of implementation and rate of success/failure and report

    As the controls are updated and conformities and non-conformities are identified, the organisation learns from the experience and is able to take corrective actions.

  5. Step 4: Report on progress and status

    The profile comes with an intuitive dashboard where relevant stakeholders get a simple overview of implementation progress. This not only tracks the maturity journey, but also gives Management a reason to invest.

Why Deloitte?

Awarded market leaders

We strive to continuously lead the market in cyber risk and security services. We are recognised by some of the most renowned institutions in the cyber field, e.g. Gartner, ALM Intelligence and Forrester. In 2020, we were named global leader in Security Consulting Services for the 9th year in a row by Gartner.

Leading-edge technologies

We are committed to investing in innovation and emerging technologies to ensure that we are equipped with the latest tools to solve current and future challenges for our clients. Alliances with market-leading cyber vendors and groundbreaking startups around the world offer our clients access to a wide range of cyber-risk technologies and leading-edge technology innovation.

Global intelligence delivered locally

We have the largest professional services network in the world. Diversity across our cyber teams helps us work across the globe with a local and personal lens. We have over 8,600 dedicated cyber-risk service practitioners of which 1,300 are dedicated to Europe and the Middle East alone, ready to help our clients everywhere with any challenge.

End-to-end cyber-risk services

We cover every aspect of cyber risk, from advisory and implementation of strategic transformations to managed security services, product solutions and incident management. This enables us to deliver more resilient, silo-breaking solutions that take the whole business chain into account and help our clients realise their potential and growth.

Reach out

Would you like to know more? Contact our experts.

Christian Schmidt

Director