IT-Security Gap Analysis: CIS-20 Critical Controls
IT Security Profile (CIS-20 Gap Assessment)
Deloitte has developed a practical approach to IT security, based on the 20 Critical IT Security Controls (CIS-20). Our security profiles divide and conquer the challenges of IT security.
IT security is a struggle: where to start, what to prioritise, and how to measure and report.
An IT security programme requires a solid foundation based on recognised security practices. This involves choosing a recognised IT security framework.
We find that in most cases, the Center for Internet Security 20 Critical IT Security Controls (known as "CIS-20") is an effective starting point. This framework focuses on operational challenges.
Organisations struggle with prioritising IT security initiatives: which initiatives mitigate risks most effectively, and in what order should they be carried out? In many cases, we see that the expected IT security enhancements associated with these activities are cannibalised when the activities are not coordinated.
Most organisations struggle to develop a practical IT security programme. The challenge is simply where to start and which initiatives to prioritise.
We use a modified version of the Center for Internet Security 20 Critical Security Controls © as recommended by the Ministry of Justice and the Danish Digitization Agency in "Cyber defense that works".
The concept is called the Danish IT Security Barometer ™ and helps the organisation achieve the IT Security Profile it needs to meet the GDPR requirements for security of processing and the notification obligation.
- What is the organisation's current Security Profile, expressed in %
- Delta between the current and the target Security profile
- What you need to do to reach the target profile, in practice
20 CSC is not a standard you can become "compliant" with, but a series of pragmatic controls that can be fulfilled to a greater or lesser degree.
We have developed a system of profiles based on the 20 Critical Controls (CIS-20). This enables your organisation to deep-dive into specific topics, or to start from the Security Profile and work from that foundation.
Would you like to know more? Contact our experts.