Revision as of 18:34, 27 January 2020
Full article title | A security review of local government using NIST CSF: A case study |
---|---|
Journal | The Journal of Supercomputing |
Author(s) | Ibrahim, Ahmed; Valli, Craig; McAteer, Ian; Chaudhry, Junaid |
Author affiliation(s) | Edith Cowan University, Embry-Riddle Aeronautical University |
Primary contact | Email: ahmed dot ibrahim at ecu dot edu dot au |
Year published | 2018 |
Volume and issue | 74(10) |
Page(s) | 5171–86 |
DOI | 10.1007/s11227-018-2479-2 |
ISSN | 1573-0484 |
Distribution license | Creative Commons Attribution 4.0 International |
Website | https://link.springer.com/article/10.1007/s11227-018-2479-2 |
Download | https://link.springer.com/content/pdf/10.1007%2Fs11227-018-2479-2.pdf (PDF) |
This article should be considered a work in progress and incomplete. Consider this article incomplete until this notice is removed. |
Abstract
Evaluating cybersecurity risk is a challenging task regardless of an organization's nature of business or size, yet it remains an essential activity. This paper uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to assess the cybersecurity posture of a local government organization in Western Australia. Our approach enabled the quantification of risk for specific NIST CSF core functions and their respective categories, and allowed us to make recommendations for closing the gaps discovered in order to attain the desired level of compliance. This has led the organization to strategically target areas related to its people, processes, and technologies, thus mitigating current and future threats.
Keywords: NIST Cybersecurity Framework, local government, cybersecurity, risk assessment
Introduction
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)[1] is a risk-based approach to managing the cybersecurity risks an organization faces. Several other frameworks, such as NIST SP 800-53[2], COBIT 5[3], ISO/IEC 27001:2013[4], ISA 62443-2-1:2009[5], and ISA 62443-3-3:2013[6], are likewise used to assess cybersecurity risk, each from a different perspective and each measuring outcomes with a different yardstick. The CSF does not replace these; it maps its outcomes to them as informative references. Navigating the various frameworks is often challenging for organizations, especially when the relevant expertise is not available internally. Given the rapidly changing technology and threat landscape, assessing the cybersecurity posture of an organization, regardless of its business or size, is paramount.
References
1. National Institute of Standards and Technology. "Cybersecurity Framework". https://www.nist.gov/cyberframework.
2. National Institute of Standards and Technology (December 2014). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations" (PDF). NIST Special Publication 800-53A, Revision 4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf. Retrieved 01 February 2018.
3. ISACA. "COBIT 5". https://cobitonline.isaca.org/. Retrieved 01 February 2018.
4. International Organization for Standardization. "ISO/IEC 27001:2013 - Information technology — Security techniques — Information security management systems — Requirements". https://www.iso.org/standard/54534.html. Retrieved 01 February 2018.
5. ISA (13 January 2009). "Security for industrial automation and control systems, Part 2-1: Establishing an industrial automation and control systems security program" (PDF). ANSI/ISA-62443-2-1 (99.02.01)-2009. http://www.icsdefender.ir/files/scadadefender-ir/paygahdanesh/standards/ISA-62443-2-1-Public.pdf. Retrieved 13 March 2018.
6. ISA (12 August 2013). "Security for industrial automation and control systems, Part 3-3: System security requirements and security levels" (PDF). ANSI/ISA-62443-3-3 (99.03.03)-2013. http://www.icsdefender.ir/files/scadadefender-ir/paygahdanesh/standards/ISA-62443-3-3-Public.pdf. Retrieved 13 March 2018.
Notes
This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The original article lists references alphabetically, but this version—by design—lists them in order of appearance. Some original references had broken URLs; this version updates them to functional URLs.