Difference between revisions of "Journal:A security review of local government using NIST CSF: A case study"

Revision as of 18:54, 27 January 2020

Full article title: A security review of local government using NIST CSF: A case study
Journal: The Journal of Supercomputing
Author(s): Ibrahim, Ahmed; Valli, Craig; McAteer, Ian; Chaudhry, Junaid
Author affiliation(s): Edith Cowan University, Embry-Riddle Aeronautical University
Primary contact: Email: ahmed dot ibrahim at ecu dot edu dot au
Year published: 2018
Volume and issue: 74(10)
Page(s): 5171–86
DOI: 10.1007/s11227-019-02972-w
ISSN: 1573-0484
Distribution license: Creative Commons Attribution 4.0 International
Website: https://link.springer.com/article/10.1007/s11227-018-2479-2
Download: https://link.springer.com/content/pdf/10.1007%2Fs11227-018-2479-2.pdf (PDF)

Abstract

Evaluating cybersecurity risk is a challenging task regardless of an organization’s nature of business or size, yet it remains an essential activity. This paper uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to assess the cybersecurity posture of a local government organization in Western Australia. Our approach enabled the quantification of risks for specific NIST CSF core functions and their respective categories, and allowed us to make recommendations that address the discovered gaps and attain the desired level of compliance. This has led the organization to strategically target areas related to its people, processes, and technologies, thus mitigating current and future threats.

Keywords: NIST Cybersecurity Framework, local government, cybersecurity, risk assessment

Introduction

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)[1] is a risk-based approach to managing the risks organizations face from a cybersecurity perspective. Similarly, several frameworks such as NIST SP 800-53[2], COBIT5[3], ISO/IEC 27001:2013[4], ISA 62443-2-1:2009[5], and ISA 62443-3-3:2013[6] are being used to assess cybersecurity risk from different perspectives, and their outcomes are measured using different yardsticks. Navigating the various frameworks can often be challenging for organizations, especially when such expertise is not present internally. Given the rapidly changing technology and threat landscape, assessing the cybersecurity posture of an organization, regardless of its business or size, is paramount.

The main goals of this paper are:

  • detailing the adoption of the NIST CSF as an assessment tool that targets different levels of the organization, according to respondents' level of expertise and job function, in order to obtain the responses needed for the assessment;
  • quantifying the assessment so that it reflects the severity of actual risk, which in turn enables the organization to effectively address the issues and attain the desired level of compliance; and
  • reviewing in detail similar frameworks used in the industry and relevant case studies.

The next section provides a background of the NIST CSF and its components. In tandem, we recommend the reader refer to NIST[1] for additional details and strategies for suitable approaches to implement, which would vary from organization to organization. From there, our focus for the paper shifts to demonstrating the application of NIST CSF in a local government organization and providing recommendations based on our findings.

The NIST CSF

The NIST CSF[1] consists of the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core consists of five concurrent and continuous functions: identify, protect, detect, respond, and recover. We designed an assessment tool for our investigation based on these functions, which provided a systematic approach to ascertaining the organization's cybersecurity risk management practices and processes.

The Framework Implementation Tiers describe the level at which an organization's cybersecurity risk management practices comply with the framework. Tiers provide the context for, and the degree to which, cybersecurity risks are managed, as well as the extent to which business needs are considered in cybersecurity risk management. The assessment tool enabled the determination of the organization's Current Tier based on various internal and external factors, such as its risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Organizations should also determine their desired tier, provided it is feasible to implement, reduces cybersecurity risks, and meets organizational goals. The following are descriptions of the tier levels[1]:

  • Tier-1 (Partial): Risk management practices are not formalized and are managed in an ad hoc manner; the organization lacks awareness of cybersecurity risks organization-wide and has no processes in place to collaborate with external entities.
  • Tier-2 (Risk Informed): Risk management practices are formalized but not integrated organization-wide. Cybersecurity activities are prioritized based on risks, with adequate means to perform related duties, but only informal means to communicate cybersecurity information internally and externally.
  • Tier-3 (Repeatable): Risk management practices are formalized, and policies are in place and adaptable to cyber threats. An organization-wide approach is required to manage cybersecurity, with skilled and knowledgeable personnel who can respond rapidly, understand dependencies, and understand the role of external partners.
  • Tier-4 (Adaptive): Cybersecurity practices are based on lessons learned and predictive indicators, with continuous improvement, adaptability, and timely response. An organization-wide approach is required to manage cybersecurity risks. Cybersecurity is part of the organizational culture, and the organization actively shares information with external partners.

The Framework Profile represents the outcomes the organization has selected from the Framework Core based on its business needs, as determined using the assessment tool. Consequently, a "current profile" (the “as is” state) and a "target profile" (the “to be” state) can be compared to identify opportunities for improving the cybersecurity of the organization.[1] Framework profiles can be determined for particular implementation scenarios, and therefore the gap between the current profile and the target profile will vary from scenario to scenario. In this paper, the CSF was adapted to a local government setting; industry-specific tailoring of the CSF may be performed in the same way.

Methodology

References

[1] National Institute of Standards and Technology. "Cybersecurity Framework". https://www.nist.gov/cyberframework
[2] National Institute of Standards and Technology (December 2014). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations". NIST Special Publication 800-53A, Revision 4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf (PDF). Accessed 01 February 2018.
[3] ISACA. "COBIT 5". https://cobitonline.isaca.org/. Accessed 01 February 2018.
[4] International Standards Organization. "ISO/IEC 27001:2013 - Information technology — Security techniques — Information security management systems — Requirements". https://www.iso.org/standard/54534.html. Accessed 01 February 2018.
[5] ISA (13 January 2009). "Security for industrial automation and control systems, Part 2-1: Establishing an industrial automation and control systems security program". ANSI/ISA-62443-2-1 (99.02.01)-2009. http://www.icsdefender.ir/files/scadadefender-ir/paygahdanesh/standards/ISA-62443-2-1-Public.pdf (PDF). Accessed 13 March 2018.
[6] ISA (12 August 2013). "Security for industrial automation and control systems, Part 3-3: System security requirements and security levels". ANSI/ISA-62443-3-3 (99.03.03)-2013. http://www.icsdefender.ir/files/scadadefender-ir/paygahdanesh/standards/ISA-62443-3-3-Public.pdf (PDF). Accessed 13 March 2018.

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The original article lists references alphabetically, but this version—by design—lists them in order of appearance. Some original references had broken URLs; this version updates them to functional URLs.