The CCMM was designed to help organizations identify their cybersecurity capabilities and needs.
CORK, IRELAND – Context GRC today announced the launch of their Context Cyber Security Maturity Model Framework (CCMM).
The Context Cybersecurity Maturity Model was designed to help organizations identify their cybersecurity capabilities and needs, and to develop a pathway to achieving their cybersecurity compliance objectives.
CCMM provides a method of proactive risk measurement across People, Process and Technology, enabling organizations to make cyber risk an informed business decision.
The CCMM Framework can be used by organizations in any sector or community. The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving security and resilience.
The CCMM draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references. The framework provides a common organizing structure to cybersecurity by assembling standards, guidelines, and practices that are working effectively today. The Framework offers a flexible way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions.
The framework can assist organizations in addressing cybersecurity as it affects the privacy of customers, employees, and other parties. Additionally, the framework’s outcomes serve as targets for workforce development and evolution activities.
The framework is not a one-size-fits-all approach to managing cybersecurity risk. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances. They also will vary in how they customize practices described in the Framework. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize their impact. Ultimately, the framework is aimed at reducing and better managing cybersecurity risks.
NIST SP 800-171 & The CCMM Framework:
NIST Special Publication 800-171 was developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA). The publication is entitled “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations,” NIST SP 800-171.
The CCMM framework adopts all of the security requirements from NIST SP 800-171 and organizes these practices into a set of 14 domains, which map directly to the NIST SP 800-171 families.
Context GRC have adapted the NIST SP 800-171 practices to broaden their applicability to all organizations irrespective of geographical location, sector, or size. Where NIST SP 800-171 considers the protection of a specific category of information, Controlled Unclassified Information or CUI, the CCMM framework broadens this scope to consider all Organization Data. The CCMM defines Organization Data as follows:
Information that requires safeguarding or dissemination controls pursuant to and consistent with both internal organization policies, and external laws, and regulations.
Information where the loss, misuse, or unauthorized access or modification could adversely affect the organization’s interests or the conduct of business, or the right to privacy of individuals.
CCMM was developed on the basis that security and data protection controls exist to protect an organization’s data. Requirements for asset management do not primarily exist to protect the inherent value of the asset, but the data it contains, since assets are merely data containers. Assets such as laptops, servers and network infrastructure are commodities that can be easily replaced, but the data residing on those devices cannot. This data-centric concept is crucial to understand when developing, implementing, and governing a cybersecurity and privacy program, and is fundamental to the principles of the CCMM.