Educause Security Discussion mailing list archives

Re: Retooling HEISC self-assessment to NIST framework


From: Jeremy Rosenberg <rosey () BERKELEY EDU>
Date: Tue, 16 Jul 2019 11:06:57 -0700

We ran through the NIST CSF framework and generated our profile as we were trying to figure out the best way to judge 
our current state, set priorities and track progress. We then did the same thing with HEISC to see if it was a better 
fit. I started by mapping the maturity scores from the NIST profile over to the HEISC. (1-4 felt like they generally 
say the same thing)

What we found was that the mapping isn’t all that good and the scores when dropped into the corresponding HEISC didn’t 
really make sense. I think the problem is that HEISC is much more specific and prescriptive than NIST CSF. So where our 
interpretation of the NIST sub category varied too much from the corresponding HEISC question, the score was wrong.

In the end our conclusion was that the HEISC tool was too prescriptive for our purposes; it made assumptions about what 
we “should” be doing that we didn’t agree with. The NIST CSF, on the other hand, felt like it gave us the flexibility 
to apply it to our environment as we felt was appropriate.

YMMV

Jeremy

=======================================
Jeremy Rosenberg
Chief Information Security Officer
UC Berkeley

On Jul 16, 2019, at 8:43 AM, Jim A. Bole <jbole () STEVENSON EDU> wrote:

I’d be interested in comments from anyone who’s applied the NIST CyberSecurity Framework (CSF) to the HEISC 
self-assessment tool.
 
Attached is my first attempt. Most of the questions had NIST mapping in one of the tabs.
 
So far it seems to map fairly well.
 
Regards,
 
Jim Bole
 
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696
 
 
<HEISCJuly2018-NIST-sample.xlsm>