
What Makes CiSACS Different
Comprehensive Approach 
CiSACS takes a comprehensive approach to industrial risk management and compliance. That is, it focuses on much more than just cyber security, and its methods go far beyond the typical SVA or gap analysis. (Most industry "SVAs" are usually geared more toward the cyber elements and typically leave gaps in both security and compliance.) CiSACS focuses on all areas of security, including physical and operational as well as cyber. Why? Because through penetration testing we have shown that each of these other areas can provide additional attack vectors to process control systems and networks. Below is a brief overview of the CiSACS Model:
The CiSACS Model was developed as a result of years of research and field work in the industry. It was developed for achieving security and regulatory compliance in the most effective manner possible, while at the same time minimizing liability from legal action and broad auditor interpretation. This is achieved by using cross-standard, industry-proven methodologies aimed specifically at critical infrastructure and industrial environments. (NOTE: "cross-standard" means that it can take into account any and every industrial standard available, as well as your own internal standards, when considering compliance.)
Each phase of CiSACS builds on the other as an integral part of a complete lifecycle, designed to create seamless due diligence. Proper due diligence is extremely important not only for compliance but in minimizing liability as well. CiSACS includes a process for proper standards/guidelines/best practices selection, security assessments (physical, facility, cyber, and operational), gap analyses (gauge compliance with multiple standards at one time), risk analyses, organizational threat modeling, mitigation/remediation strategies and integration, legal support, and management/maintenance programs.
Vulnerability-Focused vs. Controls-Focused
Some organizations take a vulnerability-focused approach to risk assessment, while others take a controls-focused approach. The difference is that in a vulnerability-focused approach, the assessment is carried out by searching directly for vulnerabilities, whereas in a controls-focused approach, the assessment is carried out by inspecting each of the system's controls, or lack thereof. There are advantages and disadvantages to both approaches. In a vulnerability-focused approach, you get a very clear picture of all possible vulnerabilities a system may have, but you may lose sight of what controls are in place. This, in turn, could cause you to miss a vulnerability or two, as it is more indirect. On the other hand, with a controls-focused approach, you get a very clear picture of what controls are in place, but you are likely to miss those vulnerabilities that are not necessarily a result of a missing control but, rather, of something such as a software flaw. CiSACS utilizes both a vulnerability-focused approach and a controls-focused approach to give you maximum coverage from our vulnerability assessments.