Cyber Maturity Self Assessment
Disclaimer: The Cyber Maturity Self-Assessment tool is only available internally to Government of Canada.
Contents
Objective
- To provide departments and agencies with an easy to use tool to enable a better understanding of their cyber security maturity posture.
- A repeatable and uniform self-assessment based on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF).
Departmental Benefits & Outcomes
BENEFITS
Risk Management
- Ensure that enterprise cyber risks are being adequately managed
Response Time
- Increase response time to potential risks by ensuring a secure and resilient enterprise infrastructure that enables the trusted delivery of programs and services
Cost and Time Saving
- Reducing the cost and time spent in assessing cyber security maturity through other means (e.g., third party assessors). The CSM self-assessment is expected to take a few hours to complete and will be at no additional cost to departments and agencies.
OUTCOMES
Prioritize Actions
- Identify areas that require improvement and prioritize future actions
Continual assessment
- Continually reassess maturity using departmental results as a baseline
Ongoing dialogue
- Continue the open dialogue to foster greater collaboration across the GC and to ensure that best practices within the security community are being leveraged.
Framework Overview
Identify
"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."
- Asset Management (ID.AM)
- Business Environment (ID.BE)
- Governance (ID.GV)
- Risk Assessment (ID.RA)
- Risk Management Strategy (ID.RM)
- Supply Chain Risk Management (ID.SC)
Protect
"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."
- Access Control (PR.AC)
- Awareness and Training (PR.AT)
- Data Security (PR.DS)
- Information Protection Processes and Procedures (PR.IP)
- Maintenance (PR.MA)
- Protective Technology (PR.PT)
Detect
"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."
- Anomalies and Events (DE.AE)
- Security Continuous Monitoring (DE.CM)
- Detection Processes (DE.DP)
Respond
"Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."
- Response Planning (RS.RP)
- Communications (RS.CO)
- Analysis (RS.AN)
- Mitigation (RS.MI)
- Improvements (RS.IM)
Recover
"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."
- Recovery Planning (RC.RP)
- Improvements (RC.IM)
- Communications (RC.CO)
