As planned, the National Cybersecurity Center (CNCS) has made available the Cybersecurity Capability Assessment Framework, which complements the National Cybersecurity Reference Framework (QNRCS) released in June 2019. The document is intended to let organizations assess their cybersecurity capabilities and meet the five cybersecurity objectives (identifying, protecting, detecting, responding and recovering), taking into account their context and size.
Initial, intermediate and advanced are the three capability levels the document presents for each of the cybersecurity measures in the QNRCS, which aims to help guide companies in developing detection, reaction and organization skills so that their cybersecurity capabilities reach higher levels of maturity. "We were inspired by the good practices of the NIS and ITIL directive and made the virtuous combination of these references, putting them in a single document, with contributions from partners with whom we shared the information," Admiral Gameiro Marques explained to SAPO TEK at the time.
Now, in an interview with SAPO TEK, the CNCS coordinator, Lino Santos, explains that the new tool aims to "help public and private organizations to carry out a self-assessment of their cybersecurity capabilities", by gauging their degree of compliance with the roughly 120 measures the QNRCS makes available to mitigate risks in this area.
For example, an organization that relies only on a security policy fits into a basic level of compliance, but if it develops a security policy and also trains employees on the strategy, it moves to an intermediate level. With this type of policy in place, together with training for employees and periodic mechanisms for auditing and reviewing the policy, the organization moves to an advanced level.
However, the coordinator of the Center recalls that the parameters of the new tool depend, similarly to what happens in the Framework launched in 2019, on the specific characteristics of the organizations.
The next step, scheduled for this February, is the launch of a portal to help implement the newly published Cybersecurity Capabilities Assessment Framework and the QNRCS. Until then, the Center is working in partnership with business organizations, in order to promote the consultation of the new document, guarantees Lino Santos.
In the future, the CNCS will also work on another document that it launched in 2019, a roadmap to help small and medium-sized companies reach the minimum levels of cybersecurity, seeking to create versions of the document for specific contexts. The next one will be aimed at municipalities.
CNCS acts as an operational coordinator and national authority specializing in cybersecurity matters with State entities, national critical infrastructure operators, essential service operators and digital service providers. Its objective is to ensure that cyberspace is used as a space of freedom, security and justice, for the protection of the sectors of society that materialize national sovereignty and the democratic rule of law, its website states.
In a bid to reinforce the resilience of the digital space, the first National Cyberspace Security Strategy was launched in June 2019. Since then, the goals have been met, namely the launch of online tools such as the QNRCS and the roadmap that companies can follow to reach minimum cybersecurity levels. In addition, CNCS also created the Cybersecurity Observatory, which aims to develop and disseminate multidisciplinary knowledge about this area, with the aim of contributing to a society that is more secure and more aware of the risks inherent in cyberspace.
Editorial note: News updated at 11:50 am with statements by Lino Santos, coordinator of CNCS