Understanding the building blocks:
All cybersecurity programs start at the same point: with a framework that drives the policies and procedures in your organization.
To keep those policies and procedures consistent, choose a single framework and use it to measure both your current state and the future state you are working toward.
If you are a state or local agency, you are most likely already required to comply with a specific set of standards or regulations (NIST, ISO 27001, PCI DSS, HIPAA, FINRA, GDPR, etc.). In addition, some departments within your organization may already comply with a given standard while others are not required to. You therefore need a framework that is compatible with those existing obligations and that gives you visibility into your entire organization, not just the regulated parts of it.
The CIS Controls and the NIST CSF are two frameworks that cover largely the same ground but frame it differently: the CIS Controls are a prioritized list of specific safeguards, while the NIST CSF organizes desired outcomes into functions (Identify, Protect, Detect, Respond, Recover), and CIS publishes a mapping between the two. Regardless of which framework you choose, the important step is to measure yourself against a baseline now and to track progress against it over time.