NIST Gap Analysis at Gruner AG
This cybersecurity review, consisting of a gap analysis and recommendations based on the NIST framework, was initiated by Gruner AG to identify and address potential vulnerabilities resulting from an in-sourcing of multiple IT functions and a series of major acquisitions.
Daniel Cesar Izzat & Philipp Studer & Michèle Fille & Sebastian Hilber & Edgar Morales de Leon, 2023
Type of work: Project work / practical project
Client: Gruner AG
Supervising lecturer: Scherb, Christopher
Keywords NIST, Cybersecurity, GAP Analysis
After recently completing a period of change characterised by strong growth, major acquisitions and the in-sourcing of all previously outsourced IT services, Gruner AG recognised the need for a clear understanding of its cybersecurity risks. To build that understanding, the project team from FHNW was commissioned to produce a gap analysis based on the NIST Cybersecurity Framework, identifying existing vulnerabilities and providing recommendations on how to reach the Implementation Tier that Gruner AG wanted to attain.
Together with the client, the project team settled on a two-phase approach using the NIST Cybersecurity Framework. In the first phase, the project team would perform a gap analysis assessing where the company currently stood and present the results to the client at the close of that phase. The client would then decide its target level for each of the subcategories involved. In the second phase, the project team would produce a recommendation report on how to reach the desired maturity level in each category.
The first document, titled "NIST Gap Analysis", detailed Gruner AG's current cybersecurity posture using an adapted version of the NIST Cybersecurity Framework that examines both organisational and technical facets to give a complete overview of the organisation's current situation. Additional resources such as COBIT, the CIS Critical Security Controls (CSC) and ISO 27001 were used to complement the NIST Framework. The document covered 5 Functions, 23 Categories and 108 Subcategories in detail.
To lay the groundwork for the second report, we worked with the client to review the gap analysis and identify areas for improvement. These tailored targets were then used as the basis for recommendations on reaching the company's goals for both the organisational and technical aspects, again using the adapted NIST Framework.
Gruner AG will use these reports to assess their next steps and has already started implementing some of the recommendations to improve their cybersecurity posture.
Degree programme: Business Information Technology (Bachelor)
Confidentiality: confidential