HOW TO USE IT

What is YOUR RISK PROFILE?

The first step in using the Ransomware Defense Initiative (RDI) is to assess your organization’s cyber risk profile. Your cyber risk profile refers to the level of acceptable risk your organization is willing to tolerate when it comes to ransomware attacks.

There are several ways organizations can find their current cyber risk profile. One way is to perform a cybersecurity risk assessment. This involves identifying and analyzing all internal and external risks, documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile, and prioritizing and communicating enterprise cybersecurity risk response and monitoring (https://www.nist.gov/publications/identifying-and-estimating-cybersecurity-risk-enterprise-risk-management).

RDI is designed to help you identify and mitigate risks associated with ransomware. By comparing your existing security controls with those recommended by RDI, you can quickly identify any gaps and prioritize areas for improvement.

Assess Maturity of Controls

Once an organization has identified its risk profile and inventoried its security controls, it can begin to assess the maturity of the recommended controls that have been deployed. RDI provides a list of controls for each level (Foundational, Advanced, and Elite) to guide an organization’s assessment efforts.

RDI is intended to be a living document that an organization can use to guide its ongoing security efforts. An organization should regularly monitor and update its security controls to ensure that they remain effective and aligned with the latest ransomware threat landscape.

Conducting a Quick Assessment

To conduct a quick self-assessment using RDI, allocate no more than two minutes per security control.

You can select the tab for which RDI family you would like to assess: Foundational, Advanced, or Elite.

You will then be presented with the first control of the chosen family, followed by five questions. You will be asked to answer the same five questions for each control, regardless of family.

The first question, “Is this control deployed across my organization?”, determines whether you answer the remaining questions or go to the next control. We are asking whether the control is installed across the organization, and whether you feel good about its deployment and status.

If the answer is “Yes”, proceed to answer the next four questions. Each question follows the CMMI maturity framework, as follows:

Q2: Do you have People/Processes/Procedures for maintaining these controls?

This evaluates how well the organization has organized its resources, including personnel and processes, to effectively manage the control, highlighting the presence of well-defined processes.

Q3: Do you have complete documentation for this control (configuration/network diagrams, etc.)?

This question checks how thoroughly the organization documents the control’s processes and settings, which is critical for ensuring that procedures can be consistently replicated and managed.

Q4: Do you conduct continuous performance monitoring and measurement on this control?

This looks into the organization’s regular monitoring practices for the control, key for measuring and managing the process effectively.

Q5: Do you have processes and tools in place to maintain, improve, and update the control?

This examines whether the organization has established mechanisms for regularly updating and refining the control, demonstrating ongoing process optimization.


FINALIZE ASSESSMENT

You can select a value on a scale between 0 and 10 via the slider for each question. RDI takes these values and, using a proprietary algorithm, presents a real-time maturity assessment of the control.

If the answer to the first question is “No”, the control will be marked as a “Gap” and you can move to the next control.
If the answer is “Not Sure”, the control will be flagged as “of interest” for you to review in more detail at a later date.


Please note that each control should take less than 2 minutes of your time. If you find yourself having an internal debate about a specific control, it is advisable to mark it “Not Sure”.


Once you have completed the assessment, review the results to gain insights into your organization’s maturity posture to defend against a ransomware attack.

Ready to Strengthen Your Ransomware Defenses?

Start your assessment today with the Ransomware Defense Initiative. Quickly evaluate your readiness and enhance your strategy against ransomware.