Journal:A security review of local government using NIST CSF: A case study

From LIMSWiki
Jump to navigationJump to search
Full article title A security review of local government using NIST CSF: A case study
Journal The Journal of Supercomputing
Author(s) Ibrahim, Ahmed; Valli, Craig; McAteer, Ian; Chaudhry, Junaid
Author affiliation(s) Edith Cowan University, Embry-Riddle Aeronautical University
Primary contact Email: ahmed dot ibrahim at ecu dot edu dot au
Year published 2018
Volume and issue 74(10)
Page(s) 5171–86
DOI 10.1007/s11227-019-02972-w
ISSN 1573-0484
Distribution license Creative Commons Attribution 4.0 International
Download (PDF)


Evaluating cybersecurity risk is a challenging task regardless of an organization’s nature of business or size, yet it remains an essential activity. This paper uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to assess the cybersecurity posture of a local government organization in Western Australia. Our approach enabled the quantification of risks for specific NIST CSF core functions and respective categories and allowed making recommendations to address the gaps discovered to attain the desired level of compliance. This has led the organization to strategically target areas related to their people, processes, and technologies, thus mitigating current and future threats.

Keywords: NIST Cybersecurity Framework, local government, cybersecurity, risk assessment


The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)[1] is a risk-based approach to manage risks organizations face from a cybersecurity perspective. Similarly, several frameworks such as NIST SP 800-53[2], COBIT5[3], ISO/IEC 27001:2013[4], ISA 62443-2-1:2009[5], and ISA 62443-3-3:2013[6] are being used to assess cybersecurity risk from different perspectives, and outcomes are measured using different yardsticks. Often, navigating the various frameworks can be challenging for organizations, especially if such expertise are not present internally. Given the rapidly changing technology and threat landscape, assessing the cybersecurity posture of an organization, regardless of their business or size, is paramount.

The main goals of this paper are:

  • detailing the adoption of the NIST CSF as an assessment tool that targets different levels of the organization, depending on their level of expertise and job function to obtain responses to facilitate assessment;
  • quantifying the assessment to reflect severity of actual risk, which in turn enables the organization to effectively address the issues to attain the desired level of compliance; and
  • reviewing in detail similar frameworks used in the industry and relevant case studies.

The next section provides a background of the NIST CSF and its components. In tandem, we recommend the reader refer to NIST[1] for additional details and strategies for suitable approaches to implement, which would vary from organization to organization. From there, our focus for the paper shifts to demonstrating the application of NIST CSF in a local government organization and providing recommendations based on our findings.


The NIST CSF[1] consists of the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core consists of five concurrent and continuous functions: identify, protect, detect, respond, and recover. We designed an assessment tool for our investigation based on these functions, which provided a systematic approach to ascertain the organizations cybersecurity risk management practices and processes.

The Framework Implementation Tiers describe the level that an organization's cybersecurity risk management practices comply with the framework. Tiers provide the context and degree to which cybersecurity risks are managed, as well as the extent to which business needs are considered in cybersecurity risk management. The assessment tool enabled the determination of the organization's Current Tier based on various internal and external factors such as their risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Organizations should also determine the desired tier, provided it is feasible to implement, reduces cybersecurity risks, and meets organizational goals. The following are descriptions of the tier levels[1]:

  • Tier-1 (Partial): Risk management practices are not formalized and managed in an ad hoc manner, lack awareness of cybersecurity risks organization-wide, and do not have processes in place to collaborate with external entities.
  • Tier-2 (Risk Informed): Risk management practices are formalized but not integrated organization-wide. Cybersecurity activities are prioritized based on risks, with adequate means to perform related duties, and with informal means to communicate cybersecurity information internally and externally.
  • Tier-3 (Repeatable): Risk management practices are formalized and policies are in-place and adaptable to cyber threats. An organization-wide approach is required to manage cybersecurity, with skilled and knowledgeable personnel required to rapidly respond, understand dependencies, and understand the role of external partners.
  • Tier-4 (Adaptive): Cybersecurity practices are based on lessons learned and predictive indicators, with continuous improvement, adaptability, and timely response. An organization-wide approach is required to manage cybersecurity risks. Cybersecurity is part of the organizational culture, and the organization actively shares with external partners.

The Framework Profile represents the outcomes based on the business needs the organization characterized from the Framework Core and determined using the assessment tool. Consequently, a "current profile" (the “as is” state) and a "target profile" (the “to be” state) can be used to identify opportunities for improving the cybersecurity of the organization.[1] Framework profiles can be determined based on particular implementation scenarios, and therefore, the gap between the current profile and the target profile would vary as per scenario. In this paper, a local government-specific approach to CSF was adapted. However, industry-specific tailoring may be performed for the CSF.


The NIST CSF allowed us to design an assessment tool targeted at three levels of participants within the organization: executive, management, and technical. The rationale was to ascertain organization-wide understanding of cybersecurity risks. Hence, the assessment tool comprised of questions addressing the requirements outlined as per the NIST CSF.

The questions were selected based on the nature and relevance to the level of the participant. This is because the NIST CSF comprised of questions that were both technical and non-technical. Therefore, it would have been unrealistic to expect deep knowledge of technical operations or implementation level details from a policy level executive.

In order to assist us determine a baseline (i.e., the desired tier), additional questions were included in the assessment tool to determine the nature of the organization and its business. This was then followed by the remaining requirements comprised in the NIST CSF.

Determining compliance

The compliance for each measure was based on the responses provided by the participants. They were graded as complaint, partially compliant, or non-compliant, and each was assigned scores of either 10, 5, or 0, respectively, for each core function’s subcategory. Any subcategory that was not applicable based on the desired tier level was excluded from the compliance score calculation.

Given the number of security requirements for each core function’s subcategory is N, then the number of applicable requirements in each subcategory given the desired tier level is N′. Therefore, the total compliance score C for each core function’s category can be defined as:

where R is the compliance score for each category of the respective core function.

Additionally, a detailed document audit was conducted on existing policies and procedures. The information technology (IT) infrastructure (internal, remote locations, and cloud) were reviewed, and a detailed internal vulnerability assessment was also conducted during our investigation.


The responses provided by the executive, management, and technical participants gave insight into the organization’s cybersecurity posture. Table 1 shows the summary of the compliance of NIST CSF assessment. The compliance scores were determined based on the previously presented equation.

Table 1. NIST CSF compliance matrix
Function Category Compliance (%) Total (%)
Identify (ID) Asset management (ID.AM) 33 36
Business environment (ID.BE) 75
Governance (ID.GV) 25
Risk assessment (ID.RA) 25
Risk management strategy (ID.RM) 0
Protect (PR) Access control (PR.AC) 60 45
Awareness and training (PR.AT) 70
Data security (PR.DS) 50
Information protection processes
and procedures (PR.IP)
Maintenance (PR.MA) 75
Protective technology (PR.PT) 38
Detect (DE) Anomalies and events (DE.AE) 0 25
Security continuous monitoring (DE.CM) 43
Governance (DE.DP) 25
Respond (RS) Response planning (RS.AM) 0 38
Communications (RS.CO) 88
Analysis (RS.AN) 0
Mitigation (RS.MI) 0
Improvements (RS.IM) 100
Recover (RC) Recovery planning (RC.RP) 100 100
Improvements (RC.IM) 100
Communications (RC.CO) 100

For the "identify" core function, the organization scored 36%. Their ability to track assets centrally, keep management informed, and understand operational risks from a cybersecurity perspective was limited, while a strategy to manage such risks did not exist. However, the organization understood its business well and was able to set priorities to support risk management decisions.

Access to physical/virtual assets were through authorization and well-defined processes. The staff were trained and informed adequately of information security-related duties and responsibilities. Certain aspects of data security related to confidentiality and availability were done reasonably well; however, assuring integrity of data needed improvement. Similarly, local maintenance and remote maintenance of IT infrastructure were carried out in a manner consistent to policies and procedures. However, relevant policies, processes, and procedures, as well as technology to assist the protection of information systems and relevant assets, were lacking. Therefore, in aggregate, the organization scored 45% compliance for the "protect" core function.

The organization scored weakest in the detection of cybersecurity incidents, with a score of 25%. Although certain monitoring activities were in place to track physical security and malicious code, timely detection of anomalous activities and detection processes were lacking or non-existent.

Despite the lack of a specific response plan to respond to cybersecurity events, the organization had measures in place to report incidents and coordinate activities to respond adequately, which resulted in a 38% compliance score for the "respond" core function. These practices are updated from time to time; however, mechanism to perform post-incident analysis or to mitigate future cybersecurity events has not been implemented presently.

Interestingly, the organization was well prepared to deal with recovery and resumption of core services after a cybersecurity event. The recovery plans in place are tested, updated, and improved periodically, thus receiving full compliance for the "recover" core functionality of the framework.


Based on the findings, the following recommendations were made with respect to each core function of the NIST CSF.


(a) Establish a central inventory of assets, including physical devices and systems, software, and external systems, with all required information, and prioritize based on classification, criticality, and business value.
(b) Identify the organizations role in the supply chain (i.e., producer-consumer model) as it captures and retains public data, collects revenue, and provides services to its stakeholders.
(c) Establish an information security policy and reference relevant federal and state policies regarding cybersecurity to ensure legal and regulatory requirements are understood and managed.
(d) Identify and prioritize threats and vulnerabilities, both internal and external, to determine cybersecurity risks to the organization's operations, assets, and individuals.
(e) Establish risk management processes that are managed and agreed to by stakeholders to support operational risk decisions.


(a) Strengthen the access control policy and procedures for organization-wide assets that require both physical and remote access.
(b) Sensitize and increase awareness about cybersecurity throughout the workforce more comprehensively, and provide adequate cybersecurity training based on roles and responsibilities. In this regard, clearly describe cybersecurity roles and responsibilities for relevant staff and external stakeholders.
(c) Enforce required provisions for data security in the policy, and implement data-at-rest and data-in-transit security, as well as integrity-checking mechanisms to ensure confidentiality, integrity, and availability of information and data.
(d) Establish required policies, processes, and procedures to manage protection of information assets. This include the establishment of lacking policies and processes, particularly for configuration management, data destruction, and physical operating environment; identification of security baselines; SDLC for system management; and formulation of vulnerability, response, and recovery plans.
(e) Strengthen processes that control and log remote access to organizational assets by external maintenance contractors.
(f) Establish a central log of organization-wide information systems and devices, establish removable media policy, and strengthen network segregation to protect communication and control networks.


(a) Determine baselines for network operations and data flows, and implement appropriate activities to detect and analyze events based on event data aggregated from multiple sources and sensors. Determine incident impact and threshold to prepare and allocate resources appropriately.
(b) Implement tools to monitor cyber and physical environments to detect unauthorized mobile code, external service provider activities, and unauthorized access. Perform organization-wide vulnerabilities regularly.
(c) Outline detection requirements in information security policy, and continuously improve these processes to ensure timely and adequate awareness of anomalous events.


(a) Establish processes and procedures to respond to cybersecurity events in a timely manner.
(b) Define cybersecurity roles and responsibilities in information security policy to ensure activities are coordinated for internal and external stakeholders, including law enforcement, in response to cybersecurity events.
(c) Implement required cybersecurity event notification and detection systems to ensure adequate information is available to analyze and understand the impact to support recovery activities.
(d) Implement required cybersecurity controls to detect, report, and contain incidents to prevent escalation of an incident, mitigate its effect, and eradicate the incidents.

Discussing the recommendations

Each of the above recommendations also had specific internal stakeholder(s) identified to indicate ownership and responsibility for addressing the issues associated. Consequently, the organization was then able to develop strategies to address the issues identified and assign specific tasks to individuals. For this purpose, the organization established an internal document using Microsoft Power BI[7] (typically referred to as a Power BI site) to track and visualize the status of the NIST CSF assessment (Fig. 1).

Fig1 Ibrahim JoSupercomp2018 74-10.png

Figure 1. Microsoft Power BI Internal Site for tracking, visualizing, and reporting NIST CSF assessment findings, courtesy of the participating local government organization

The Power BI site facilitated transparency, visibility, and central reporting throughout the organization. Intuitively, this resulted in a rapid and responsive drive for the organization to address and prioritize issues based on severity and cost, with the goal of achieving Tier-2 compliance.

Furthermore, a desire to achieve a higher compliance level such as Tier-3 was expressed. Such aspiration is encouraged, however, with caution. Even though a higher level of compliance will improve the cybersecurity posture of the organization, it will also affect other aspects such as resources and cost. For example, contrast the risk management process between Tier-2 and Tier-3 as defined in the NIST CSF[1]:

(a) Implementation of risk management practices are not mandatory in Tier-2, whereas these have to be implemented as organization-wide policies in Tier-3. Thus, Tier-3 organizations should have the procedures, processes, technology, and human resources to implement relevant policies.
(b) The cybersecurity activities’ priorities are updated in a passive nature in Tier-2 as opposed to regular active updates and constant re-evaluation of priorities for Tier-3 compliance. To acquire such capability, an organization requires adequate technology, skilled human resources, and relevant policies that would enable keeping pace with the changes in the technology and threat landscape.

In addition to the two points highlighted above, considering both the integrated risk management program and external participation[1], significant investment in resources and human skills development or acquisition is needed to make the transition from Tier-2 to Tier-3. Moreover, this should only be considered carefully based on the organization’s business requirements, strategic objectives, budget, risk appetite, and current and future threats.

Related frameworks

The diversity and complexity of information technology (IT) system components have increased significantly in recent years. Consequently, in order for businesses to adequately secure these systems, several standards and frameworks have been developed.[8] Such frameworks need to be applicable to all manner of business sectors, be they government or private, enterprise or small-business.

Since NIST CSF can be considered a high-level abstraction of related frameworks, it provides references to other related frameworks for specific implementation guidelines. These referenced frameworks include:

  • NIST SP 800-53 Rev. 4
  • Control Objectives for Information and Related Technologies (COBIT5)
  • ISO/IEC 27001:2013
  • ISA 62443-2-1:2009
  • ISA 62443-3-3:2013

These are further described below.

NIST SP 800-53 Rev. 4

NIST SP 800-53[2] revisions are made according to changes in responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. Revision 4 of this framework consists of five functions (identify, protect, detect, respond, and recover), 22 categories, and 98 subcategories. This framework utilizes a four-tier security model (partial, risk informed, repeatable, and adaptive) and a seven-step process (prioritize and scope, orient, create a current profile, conduct a risk assessment, create a target profile, determine, analyze and prioritize gaps, and implement action plan). It focuses on assessing the current situation by determining how to assess security, how to consider risk, and how to resolve the security threats.

Table 2 provides a summary of useful examples of how the NIST SP 800-53 framework has been applied in practice.

Table 2. Summary of case studies for NIST SP 800-53
Case study Description
Maroochy water services cyber attack against critical infrastructure in 2000[9] Disgruntled former employee used insider knowledge and stolen configurations and equipment to release more than one million liters of untreated sewerage water resulting in considerable environmental damage and prosecution by the Environmental Protection Agency. The case study revealed that the application of CSF controls would have mitigated the cyber attack.
Intel’s high-risk IT business units’ pilot project[10] Intel IT’s Office and Enterprise business units, considered to be high-level risk environments, were the test bed for a pilot project to test the effectiveness of the NIST SP 800-53. The benefits of using this framework were realized within a short time-frame, with coherent use of risk management technologies across the business model, improved identification of strengths and weaknesses, and more efficient assessments of security priorities. As a result of the pilot project, Intel IT planned to expand the framework’s implementation throughout their business infrastructure.
Cybersecurity framework implementation at the University of Chicago[11] The University of Chicago used the framework to establish cybersecurity protection for its Biological Services Division (BSD). The four-part implementation consisted of identifying the initial state of cybersecurity processes, assessment of the initial threat landscape, determination of the desired target status, and creation of a roadmap to establish and monitor progress. This resulted in improved identification of security requirements and target objectives, better development and maintenance of departmental processes to achieve these objectives, more long-term security solutions in a cost-effective manner, and improved information-sharing and good work practices across departments with different cybersecurity requirements.
How the University of Pittsburgh is using the NIST Cybersecurity Framework[12] The University of Pittsburgh used NIST SP 800-53 to implement an IT security package that would cater for diversified needs while enabling collaboration between different departments, accommodate a wide variety of information types and sensitivities, and encompass third-party contractors on an ad hoc basis. NIST SP 800-53 enabled these goals to be met through the streamlining of existing practices and improving documentation. The scalable nature of NIST CSF was applicable to the differing scope and IT requirements of each department within the University.
SIEM-based framework for security controls automation[13] The potential of using SIEM technology is investigated with the aim of maximizing security-control automation. For the security controls identified in NIST SP 800-53, approximately 30% of these controls were considered as having the capability of automation control. The cost of implementing a SIEM-based framework for security-control automation would be quickly recouped within a short time compared to the reduced employee hours required to monitor an infrastructure the size of a local government organization.
Recommendations for information security awareness training for college students[14] A survey largely based on NIST SP 800-50 was designed to assess information security awareness among students at the business college of a mid-sized university in New England. The survey found that less than one-quarter of the participants had undertaken any form of information security awareness training (ISAT), and only two of the 68 had enrolled in university-provided training. ISAT of employees in local government is an integral part of a well-implemented cybersecurity infrastructure. Any cybersecurity review needs to ascertain current levels of information security awareness to gauge whether existing training is effective or deficient. The training needs to be regularly updated as new vulnerabilities and threats continually develop in this field.

Control Objectives for Information and Related Technologies (COBIT5)

COBIT5[3] is a business CSF designed for the governance and maintenance of enterprise IT systems. It consists of five domains and 37 processes in-line with the responsibility areas of plan, build, run, and monitor. COBIT5 is aligned and coordinated with other recognized IT standards and good practices, such as NIST, ISO 27000, COSO, ITIL, BiSL, CMMI, TOGAF, and PMBOK. It is built around the following considerations:

  • meeting stakeholder expectations.
  • controlling enterprise process end-to-end
  • working as a single integrated framework
  • recognizing that “management” and “governance” are two different things

ISO/IEC 27001:2013

ISO/IEC 27001:2013[4] is an international information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which originated from the British Standard, BS 7799. This framework consists of 114 controls in 14 groups describing the requirements needed to design and implement an information security management system (ISMS). Version 2, released in 2013, replaces the original 2005 version. It is a standard that should be implemented by all businesses where information security is a critical factor, but in particular, applies to software development, managed service providers/hosting services providers, IT, banking and insurance, information management, government agencies and their service providers, and e-commerce merchants.[4]

Table 3 provides a summary of useful examples of how the ISO/IEC 27001:2013 framework has been applied in practice.

Table 3. Summary of case studies for ISO 27001:2013
Case study Description
Thames Security Shredding (TSS) Ltd.[15] TSS specializes in the collection and destruction of confidential documentation on a commercial scale. Maintaining information security is, therefore, a critical process to protect their clients’ identity and to ensure compliance with the UK Data Protection Act 1998. Certification to the ISO/IEC 27001 standard was seen as an integral part of the implementation and maintenance of world-class customer-centric security controls that would satisfy existing and prospective customers’ needs and allow for rapid growth in the business. ISO/IEC 27001 certification resulted in an improved attitude and awareness of their staff towards information-security-related issues. A risk-based business continuity plan was used to minimize the impact of any potential security breaches. The certification allowed documentation to be continually updated and improved as corrective actions were taken.
Fredrickson International[16] Debt collection is a sector which—like banking, finance, telecommunications, and local government—is coming under increasing scrutiny and regulation. Fredrickson International is a debt collection agency that lists a central government department, as well as several U.K. financial institutions and FTSE 100 companies, among their clients. Since attaining ISO/IEC 27001 certification, Fredrickson has achieved higher levels of security awareness throughout its departments, staff, and employees. Security audits have become more streamlined, and customers were given the confidence that Fredrickson was conducting international best practice when it came to information security.
Legal Ombudsman[17] The office of the Legal Ombudsman for England and Wales was established to simplify the process by which members of the public, small businesses, charities, clubs, trusts, etc. could resolve complaints about legal practitioners. To improve its customer service, information security practices conducted by the office needed to show that greater information security awareness had been established, diligence and compliance in handling sensitive information were in place, and that an assurance framework was aligned with global best practice. ISO/IEC 27001 certification helped the Legal Ombudsman for England and Wales to provide clients with the confidence and reassurance that it was conducting its work by the highest work standards. A better understanding of the information security among its staff led to a reduction in risk and an increase in productivity.
SVM Cards Europe[18] SVM is a leading provider of gift card, voucher, e-code, reward code, and similar promotional and benefit schemes throughout Europe. SVM required secure business processes, improved internal organization, and increased information protection. It also sought greater tender and competitive advantage. With ISO/IEC 27001 certification, SVM observed that processes became more of a lifestyle than strictly about security only, which resulted in less downtime, instigated a stronger organizational structure, improved on its ability to win new contracts, and have greater confidence that their information security processes were working properly.
InfoView Technologies[19] InfoView Technologies, a Queensland-based data analytics company, required a business model that met state government requirements, improved data security understanding, became more professional, improved its business culture, and was able to sustain and continuously improve its information security management, systems, and policies. These goals were achieved through ISO/IEC 27001 accreditation, after which InfoView Technologies were able to gain increased market access, meet compliance requirements of the Queensland state government, reduce risk, become more competitive, and streamline its practices and business culture.
Capgemini[20] Capgemini is the largest IT services company in Europe and a global leader in its multiple domains of services. Operating in more than 40 countries, and over 100 languages, Capgemini’s business model needed to transcend national and cultural boundaries. Systems were required to be robust to avoid losing business and maintain competitiveness. Protection of client assets and resources was deemed a priority to assure confidentiality, integrity, and availability. Through ISO/IEC 27001 certification, Capgemini was able to ensure improved security within its departments and for its clients, enhance security awareness in its staff and employees, and provide more efficient and streamlined documentation and reporting procedures. Standards certification needed to be applicable within the global marketplace and remain pertinent regardless of cultural differences.
Costain[21] Costain, a U.K.-based engineering and construction group, has contributed to the construction of significant projects worldwide. Obtaining standards certifications was seen as the correct path to achieve improvements in several internal processes. Such goals required the implementation of several standards, such as quality management standard (ISO 9001), environmental management (ISO 14001), health and safety (BS OHSAS 18001), collaborative business relationships (BS 11000), information security management (ISO/IEC 27001), and business continuity management (ISO 22301). Through the enactment of multiple standards, Costain was able to improve several areas of their business to the benefit of their internal and external customers.

ISA 62443-2-1:2009

ISA 62443-2-1:2009[5] is an International Standards on Auditing (ISA) standard covering the elements required to develop an industrial automation control system - security management system (IACS-SMS). It consists of three categories, three element groups, and 22 elements. The framework is the first of four ISA policy and procedure products that identifies the essentials necessary to establish an effective cybersecurity management system (CSMS). However, the step-by-step approach as to how this is achieved is company-specific and according to their own business culture. These essentials addressed by this standard include:

  • analyzing risk
  • addressing risk with the CSMS
  • monitoring and improving the CSMS

ISA 62443-3-3:2013

ISA 62443-3-3:2013[6] is an International Standards on Auditing (ISA) standard covering the elements required for cybersecurity controls of industrial control systems (ICS). It consists of seven foundation requirements and 51 system requirements.

ISA 62443-3-3:2013 is the third of three ISA systems products that outlines system security requirements and security levels.[6]

Other frameworks

In addition to the above, other frameworks used in the industry include the following:

  • The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) ​​​​​​​​​​​​Enterprise Risk Management standard is designed jointly by five leading associations, with the aim of integrating strategy and performance.[22]
  • The Council on CyberSecurity (now Center for Internet Security) CIS Controls consist of a prioritized set of actions, originally developed by the SANS Institute, to protect assets from cyber attack.[23]
  • ISF Standard of Good Practice for Information Security is a standard aimed at providing controls and guidance on all aspects of information security.[24]
  • ETSI Cyber Security Technical Committee (TC Cyber) was developed to improve standards within the European telecommunications sector.[25]
  • The Sherwood Applied Business Security Architecture (SABSA) Enhanced NIST Cybersecurity (SENC) project enhances the five core levels of the NIST CSF into a SABSA model consisting of a six-level security architecture.[26]
  • The IASME Consortium's Cyber Essentials is an information assurance standard based on ISO 27000 but aimed at small businesses.[27]
  • The IETF's RFC 2196 Site Security Handbook represents a guide on how to develop computer security policies and procedures.[28]
  • Health Information Trust Alliance's HITRUST CSF is the first IT security CSF designed specifically for the healthcare sector. It is based on existing NIST standards and is aimed at healthcare and information security professionals.[29]
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), Version 5 is a set of requirements needed to secure the assets of the North American bulk electric system.[30]
  • Open Security Architecture (OSA) is a free community-owned resource of advice on the selection, design, and integration of devices required to provide security and control of an IT network.[31]
  • Good Practice Guide 13 (GPG13) is a U.K. government CSF related to Code of Connection (CoCo) compliance for businesses to secure IT systems.[32]


In this paper we have used the NIST CSF to evaluate the cybersecurity risks of a local government organization in Western Australia. Our approach can be used to derive measurable metrics for each Framework Core function and respective categories, thus enabling the organization to ascertain the cybersecurity preparedness to actual risk.

Our findings suggest that evaluating the desired tier compliance to the NIST CSF helps identify the specific people, processes, and technology areas that require improvement (i.e., gaps), which directly influence threat mitigation. The application of CSF helped us understand the current security context of the organization while identifying the risks and future growth areas to improve. While higher tier compliance may be desired, we have also recommended that the organization’s business requirements, strategic goals, budget, risk appetite, and current and future threats be considered carefully.

Furthermore, as we have presented several related frameworks, navigating such frameworks for self-assessment can be challenging—often not intended by design—but not impossible. We have observed that the NIST CSF offers an advantage over other frameworks in this regard. However, there is still room for developing additional tools that would simplify the implementation process and speed up adoption.

Therefore, our future work will aim to improve the current assessment tool we have used, with a focus of making it adaptable and accessible to a wider audience and measurable for accurate quantification of cyber preparedness.


We would like to thank the Western Australia local government organization for sharing their case study for this research. We would also like to thank their staff for their support and cooperation during the assessment.


  1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 National Institute of Standards and Technology. "Cybersecurity Framework". 
  2. 2.0 2.1 National Institute of Standards and Technology (December 2014). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations" (PDF). NIST Special Publication 800-53A, Revision 4. Retrieved 01 February 2018. 
  3. 3.0 3.1 ISACA. "COBIT 5". Retrieved 01 February 2018. 
  4. 4.0 4.1 4.2 International Standards Organization. "ISO/IEC 27001:2013 - Information technology — Security techniques — Information security management systems — Requirements". Retrieved 01 February 2018. 
  5. 5.0 5.1 ISA (13 January 2009). "Security for industrial automation and control systems, Part 2-1: Establishing an industrial automation and control systems security program" (PDF). ANSI/ISA-62443-2-1 (99.02.01)-2009. Retrieved 13 March 2018. 
  6. 6.0 6.1 6.2 ISA (12 August 2013). "Security for industrial automation and control systems, Part 3-3: System security requirements and security levels" (PDF). ANSI/ISA-62443-3-3 (99.03.03)-2013. Retrieved 13 March 2018. 
  7. Microsoft. "Microsoft Power BI". Retrieved 12 April 2018. 
  8. Angelini, M.; Lenti, S.; Santucci, G. (2017). "CRUMBS: A cyber security framework browser". Proceedings from the 2017 IEEE Symposium on Visualization for Cyber Security: 1–8. doi:10.1109/VIZSEC.2017.8062194. 
  9. Abrams, M.; Weiss, J. (23 July 2008). "Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia" (PDF). MITRE Corporation. Retrieved 29 January 2018. 
  10. Casey, T.; Fiftal, K.; Landfield, K. et al. (January 2015). "The Cybersecurity Framework in Action: An Intel Use Case" (PDF). Intel Corporation. Retrieved 30 January 2018. 
  11. Biological Sciences Division (April 2016). "Applying the Cybersecurity Framework at the University of Chicago – An Education Case Study" (PDF). University of Chicago. Retrieved 31 January 2018. 
  12. Sweeney, S., Young, L.R. (October 2015). "How the University of Pittsburgh Is Using the NIST Cybersecurity Framework". Carnegie Mellon University. Retrieved 01 february 2018. 
  13. Montesino, R.; Fenz, S.; Baluja, W. (2012). "SIEM‐based framework for security controls automation". Information Management & Computer Security 20 (4): 248–63. doi:10.1108/09685221211267639. 
  14. Kim, E.B. (2014). "Recommendations for information security awareness training for college students". Information Management & Computer Security 22 (1): 115-126. doi:10.1108/IMCS-01-2013-0005. 
  15. BSI (July 2011). "Embedding world-class information security management as the platform for rapid business growth" (PDF). Retrieved 15 February 2018. 
  16. BSI (October 2012). "How Fredrickson has reduced third party scrutiny and protected its reputation with ISO 27001 certification" (PDF). Retrieved 15 February 2018. 
  17. BSI (April 2013). "Implementing best practice and improving client confidence with ISO/IEC 27001" (PDF). Retrieved 15 February 2018. 
  18. BSI (June 2013). "Supporting business growth with ISO/IEC 27001" (PDF). Retrieved 15 February 2018. 
  19. BSI (2013). "InfoView Case Study" (PDF). Archived from Studies/BSI Infoview Case Study.pdf the original on 24 April 2016. Retrieved 15 February 2018. 
  20. BSI (May 2013). "Using ISO/IEC 27001 certification to increase resilience, reassure clients and gain a competitive edge" (PDF). Retrieved 15 February 2018. 
  21. BSI (June 2013). "Integrating management systems to improve business performance and achieve sustained competitive advantage" (PDF). Retrieved 15 February 2018. 
  22. Committee of Sponsoring Organizations of the Treadway Commission. "Guidance on Enterprise Risk Management". Retrieved 06 March 2018. 
  23. Center for Internet Security. "CIS Controls". Retrieved 06 March 2018. 
  24. Information Security Forum. "The ISF Standard of Good Practice for Information Security 2018". Retrieved 08 March 2018. 
  25. Brookson, C. (September 2017). "Cybersecurity: Overview of Cybersecurity". ETSI. Retrieved 07 March 2018. 
  26. SABSA. "SENC: SABSA Enhanced NIST Cybersecurity Framework". Retrieved 21 March 2018. 
  27. IASME. "About Cyber Essentials". Retrieved 07 March 2018. 
  28. Fraser, B., ed. (September 1997). "RFC 2196 - Site Security Handbook". IETF. Retrieved 08 March 2018. 
  29. HITRUST (September 2017). "Introduction to the HITRUST CSF, Version 9.0" (PDF). Retrieved 21 March 2018. 
  30. Vinson & Elkins (2014). "Summary of CIP Version 5 Standards" (PDF). Retrieved 12 February 2018. 
  31. OSA. "OSA Landscape". Retrieved 15 March 2018. 
  32. CYSEC. "GPG13 Executive Summary". Retrieved 13 March 2018. 


This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The original article lists references alphabetically, but this version—by design—lists them in order of appearance. Some original references had broken URLs; this version updates them to functional URLs. In one case, an archived version of the article had to be used.