The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) unveiled a first draft of a security self-assessment tool, the Baldrige Cybersecurity Excellence Builder, designed to help enterprises evaluate the effectiveness of their cybersecurity risk management initiatives.
NIST is requesting public comments on the draft document, which blends the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.
According to NIST, the Baldrige approach offers organizations a comprehensive management framework, including:
- An overall management framework
- Criteria that evolve to reflect the leading edge of validated management practice
- Focus on results in all areas important to performance
- Focus on the future—a strategic view
- Focus on organizational and personal learning and knowledge sharing
- Focus on corporate governance, ethics, social responsibility, and sustainability
- The first and only Presidential Award for performance excellence
- Expert review and feedback from trained Examiners at a low cost
“The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.
Finally, an assessment rubric lets users determine their organization’s cybersecurity maturity level—classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation can then lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organization’s continuous improvement efforts, the Builder should be used periodically to maintain the highest possible level of cybersecurity readiness.”