Journal:A security review of local government using NIST CSF: A case study
| Full article title | A security review of local government using NIST CSF: A case study |
|---|---|
| Journal | The Journal of Supercomputing |
| Author(s) | Ibrahim, Ahmed; Valli, Craig; McAteer, Ian; Chaudhry, Junaid |
| Author affiliation(s) | Edith Cowan University, Embry-Riddle Aeronautical University |
| Primary contact | Email: ahmed dot ibrahim at ecu dot edu dot au |
| Year published | 2018 |
| Volume and issue | 74(10) |
| Page(s) | 5171–86 |
| DOI | 10.1007/s11227-019-02972-w |
| ISSN | 1573-0484 |
| Distribution license | Creative Commons Attribution 4.0 International |
| Website | https://link.springer.com/article/10.1007/s11227-018-2479-2 |
| Download | https://link.springer.com/content/pdf/10.1007%2Fs11227-018-2479-2.pdf (PDF) |
 |
This article should be considered a work in progress and incomplete. Consider this article incomplete until this notice is removed. |
Abstract
Evaluating cybersecurity risk is a challenging task regardless of an organization’s nature of business or size, yet it remains an essential activity. This paper uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to assess the cybersecurity posture of a local government organization in Western Australia. Our approach enabled the quantification of risks for specific NIST CSF core functions and respective categories and allowed making recommendations to address the gaps discovered to attain the desired level of compliance. This has led the organization to strategically target areas related to their people, processes, and technologies, thus mitigating current and future threats.
Keywords: NIST Cybersecurity Framework, local government, cybersecurity, risk assessment
Introduction
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)[1] is a risk-based approach to manage risks organizations face from a cybersecurity perspective. Similarly, several frameworks such as NIST SP 800-53[2], COBIT5[3], ISO/IEC 27001:2013[4], ISA 62443-2-1:2009[5], and ISA 62443-3-3:2013[6] are being used to assess cybersecurity risk from different perspectives, and outcomes are measured using different yardsticks. Often, navigating the various frameworks can be challenging for organizations, especially if such expertise are not present internally. Given the rapidly changing technology and threat landscape, assessing the cybersecurity posture of an organization, regardless of their business or size, is paramount.
The main goals of this paper are:
- detailing the adoption of the NIST CSF as an assessment tool that targets different levels of the organization, depending on their level of expertise and job function to obtain responses to facilitate assessment;
- quantifying the assessment to reflect severity of actual risk, which in turn enables the organization to effectively address the issues to attain the desired level of compliance; and
- reviewing in detail similar frameworks used in the industry and relevant case studies.
The next section provides a background of the NIST CSF and its components. In tandem, we recommend the reader refer to NIST[1] for additional details and strategies for suitable approaches to implement, which would vary from organization to organization. From there, our focus for the paper shifts to demonstrating the application of NIST CSF in a local government organization and providing recommendations based on our findings.
References
- ↑ 1.0 1.1 National Institute of Standards and Technology. "Cybersecurity Framework". https://www.nist.gov/cyberframework.
- ↑ National Institute of Standards and Technology (December 2014). "Assessing Security and Privacy Controls in Federal Information Systems and Organizations" (PDF). NIST Special Publication 800-53A, Revision 4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf. Retrieved 01 February 2018.
- ↑ ISACA. "COBIT 5". https://cobitonline.isaca.org/. Retrieved 01 February 2018.
- ↑ International Standards Organization. "ISO/IEC 27001:2013 - Information technology — Security techniques — Information security management systems — Requirements". https://www.iso.org/standard/54534.html. Retrieved 01 February 2018.
- ↑ ISA (13 January 2009). "Security for industrial automation and control systems, Part 2-1: Establishing an industrial automation and control systems security program" (PDF). ANSI/ISA-62443-2-1 (99.02.01)-2009. http://www.icsdefender.ir/files/scadadefender-ir/paygahdanesh/standards/ISA-62443-2-1-Public.pdf. Retrieved 13 March 2018.
- ↑ ISA (12 August 2013). "Security for industrial automation and control systems, Part 3-3: System security requirements and security levels" (PDF). ANSI/ISA-62443-3-3 (99.03.03)-2013. http://www.icsdefender.ir/files/scadadefender-ir/paygahdanesh/standards/ISA-62443-3-3-Public.pdf. Retrieved 13 March 2018.
Notes
This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The original article lists references alphabetically, but this version—by design—lists them in order of appearance. Some original references had broken URLs; this version updates them to functional URLs.
