Journal:A security review of local government using NIST CSF: A case study

From LIMSWiki
Revision as of 20:00, 27 January 2020 by Shawndouglas (talk | contribs) (Saving and adding more.)
Full article title A security review of local government using NIST CSF: A case study
Journal The Journal of Supercomputing
Author(s) Ibrahim, Ahmed; Valli, Craig; McAteer, Ian; Chaudhry, Junaid
Author affiliation(s) Edith Cowan University, Embry-Riddle Aeronautical University
Primary contact Email: ahmed dot ibrahim at ecu dot edu dot au
Year published 2018
Volume and issue 74(10)
Page(s) 5171–86
DOI 10.1007/s11227-018-2479-2
ISSN 1573-0484
Distribution license Creative Commons Attribution 4.0 International
Website https://link.springer.com/article/10.1007/s11227-018-2479-2
Download https://link.springer.com/content/pdf/10.1007%2Fs11227-018-2479-2.pdf (PDF)

Abstract

Evaluating cybersecurity risk is a challenging task regardless of an organization’s nature of business or size, yet it remains an essential activity. This paper uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to assess the cybersecurity posture of a local government organization in Western Australia. Our approach enabled the quantification of risks for specific NIST CSF core functions and respective categories and allowed making recommendations to address the gaps discovered to attain the desired level of compliance. This has led the organization to strategically target areas related to their people, processes, and technologies, thus mitigating current and future threats.

Keywords: NIST Cybersecurity Framework, local government, cybersecurity, risk assessment

Introduction

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)[1] is a risk-based approach to managing the risks organizations face from a cybersecurity perspective. Several other frameworks, such as NIST SP 800-53[2], COBIT 5[3], ISO/IEC 27001:2013[4], ISA 62443-2-1:2009[5], and ISA 62443-3-3:2013[6], are also used to assess cybersecurity risk, each from a different perspective and with outcomes measured by different yardsticks. Navigating the various frameworks can be challenging for organizations, especially when such expertise is not present internally. Given the rapidly changing technology and threat landscape, assessing the cybersecurity posture of an organization, regardless of its business or size, is paramount.

The main goals of this paper are:

  • detailing the adoption of the NIST CSF as an assessment tool that targets different levels of the organization, depending on their level of expertise and job function to obtain responses to facilitate assessment;
  • quantifying the assessment to reflect severity of actual risk, which in turn enables the organization to effectively address the issues to attain the desired level of compliance; and
  • reviewing in detail similar frameworks used in the industry and relevant case studies.

The next section provides a background of the NIST CSF and its components. In tandem, we recommend the reader refer to NIST[1] for additional details and strategies for suitable approaches to implement, which would vary from organization to organization. From there, our focus for the paper shifts to demonstrating the application of NIST CSF in a local government organization and providing recommendations based on our findings.

The NIST CSF

The NIST CSF[1] consists of the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core consists of five concurrent and continuous functions: identify, protect, detect, respond, and recover. We designed an assessment tool for our investigation based on these functions, which provided a systematic approach to ascertaining the organization's cybersecurity risk management practices and processes.

The Framework Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. Tiers provide context on how cybersecurity risk is viewed and managed, as well as the extent to which business needs are considered in cybersecurity risk management. The assessment tool enabled the determination of the organization's Current Tier based on internal and external factors such as its risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Organizations should also determine a desired (Target) Tier, provided it is feasible to implement, reduces cybersecurity risk, and meets organizational goals. The following are descriptions of the tier levels[1]:

  • Tier-1 (Partial): Risk management practices are not formalized and are managed in an ad hoc manner; awareness of cybersecurity risk is limited organization-wide, and no processes are in place to collaborate with external entities.
  • Tier-2 (Risk Informed): Risk management practices are formalized but not integrated organization-wide. Cybersecurity activities are prioritized based on risk, with adequate resources to perform related duties, but cybersecurity information is communicated only informally, both internally and externally.
  • Tier-3 (Repeatable): Risk management practices are formalized as policy, and policies are updated as cyber threats change. An organization-wide approach to managing cybersecurity risk is in place, with skilled and knowledgeable personnel able to respond rapidly, understand dependencies, and understand the role of external partners.
  • Tier-4 (Adaptive): Cybersecurity practices are adapted based on lessons learned and predictive indicators, with continuous improvement and timely response. An organization-wide approach to managing cybersecurity risk is in place, cybersecurity is part of the organizational culture, and the organization actively shares information with external partners.

The Framework Profile represents the outcomes based on the business needs the organization characterized from the Framework Core and determined using the assessment tool. Consequently, a "current profile" (the “as is” state) and a "target profile" (the “to be” state) can be used to identify opportunities for improving the cybersecurity of the organization.[1] Framework profiles can be determined based on particular implementation scenarios, and therefore, the gap between the current profile and the target profile would vary as per scenario. In this paper, a local government-specific approach to CSF was adapted. However, industry-specific tailoring may be performed for the CSF.

Methodology

The NIST CSF allowed us to design an assessment tool targeted at three levels of participants within the organization: executive, management, and technical. The rationale was to ascertain organization-wide understanding of cybersecurity risks. Hence, the assessment tool comprised questions addressing the requirements outlined in the NIST CSF.

The questions were selected based on their nature and relevance to the level of the participant, because the NIST CSF subcategories include both technical and non-technical requirements. It would have been unrealistic to expect deep knowledge of technical operations or implementation-level details from a policy-level executive.

To help us determine a baseline (i.e., the desired tier), additional questions were included in the assessment tool to establish the nature of the organization and its business. These were followed by the remaining requirements of the NIST CSF.

Determining compliance

Compliance for each measure was based on the responses provided by the participants. Each subcategory of each core function was graded as compliant, partially compliant, or non-compliant, and assigned a score of 10, 5, or 0, respectively. Any subcategory that was not applicable at the desired tier level was excluded from the compliance score calculation.

Given the number of security requirements for each core function’s subcategory is N, then the number of applicable requirements in each subcategory given the desired tier level is N′. Therefore, the total compliance score C for each core function’s category can be defined as:


where R is the compliance score for each category of the respective core function.
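As an added illustration of the scoring method just described (this is not the authors' assessment tool, and the original's equation is not reproduced here), the following Python computes a category's compliance percentage from graded subcategory responses, excluding not-applicable subcategories from N′, and then rolls categories up into a function total. The roll-up rule (attained points over attainable points across all applicable subcategories of the function) and the sample responses are assumptions made for the example; the case-study figures in Table 1 were not produced by this code.

```python
"""Compliance scoring for a NIST CSF questionnaire.

Grades map to points as in the text: compliant = 10, partially
compliant = 5, non-compliant = 0; "n/a" subcategories are excluded.
Added example, not the authors' tool. The function-level roll-up
(sum of attained points / sum of attainable points) is an assumption.
"""

SCORE = {"compliant": 10, "partial": 5, "non-compliant": 0}
MAX_SCORE = 10  # attainable points per applicable subcategory


def _pct(attained, attainable):
    """Whole-number percentage, rounding half up as a report table would."""
    return int(100 * attained / attainable + 0.5)


def _applicable(responses):
    """Grades that count toward N' (everything except 'n/a')."""
    grades = [g for g in responses.values() if g != "n/a"]
    unknown = sorted({g for g in grades if g not in SCORE})
    if unknown:
        raise ValueError(f"unknown grade(s): {unknown}")
    return grades


def category_compliance(responses):
    """Return (percent, N') for one category.

    responses: mapping subcategory id -> grade ("compliant", "partial",
    "non-compliant" or "n/a").  A category whose subcategories are all
    not applicable at the target tier returns (None, 0) instead of
    dividing by zero; callers should report it as "excluded".
    """
    grades = _applicable(responses)
    if not grades:
        return None, 0
    attained = sum(SCORE[g] for g in grades)
    return _pct(attained, MAX_SCORE * len(grades)), len(grades)


def function_compliance(assessment):
    """Roll categories up into a per-function total.

    assessment: {function: {category: {subcategory: grade}}}
    returns:    {function: (total_percent_or_None, {category: percent_or_None})}

    Assumed roll-up: total attained points over total attainable points
    across every applicable subcategory, so categories with more
    applicable subcategories carry more weight than a plain average.
    """
    result = {}
    for function, categories in assessment.items():
        attained = attainable = 0
        per_category = {}
        for category, responses in categories.items():
            pct, n_prime = category_compliance(responses)
            per_category[category] = pct
            attained += sum(SCORE[g] for g in _applicable(responses))
            attainable += MAX_SCORE * n_prime
        total = _pct(attained, attainable) if attainable else None
        result[function] = (total, per_category)
    return result


# Constructed sample responses for one function (not the case-study data).
SAMPLE = {
    "Detect (DE)": {
        "DE.AE": {"DE.AE-1": "non-compliant", "DE.AE-2": "non-compliant",
                  "DE.AE-3": "n/a"},          # excluded at the target tier
        "DE.CM": {"DE.CM-1": "compliant", "DE.CM-2": "partial",
                  "DE.CM-3": "partial", "DE.CM-4": "compliant"},
        "DE.DP": {"DE.DP-1": "partial", "DE.DP-2": "non-compliant"},
    },
}

if __name__ == "__main__":
    for function, (total, cats) in function_compliance(SAMPLE).items():
        print(function, "total:", total)
        for category, pct in cats.items():
            print("  ", category, "excluded" if pct is None else f"{pct}%")
```

With the sample above, DE.AE scores 0% over two applicable subcategories, DE.CM scores 75% (30 of 40 points), DE.DP scores 25%, and the function total is 44% (35 of 80 points), which is higher than the 33% a plain average of the three category percentages would give; whichever roll-up is used, it should be stated alongside the table so the totals can be reproduced.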


Additionally, a detailed document audit was conducted on existing policies and procedures. The information technology (IT) infrastructure (internal, remote locations, and cloud) was reviewed, and a detailed internal vulnerability assessment was also conducted during our investigation.

Findings

The responses provided by the executive, management, and technical participants gave insight into the organization’s cybersecurity posture. Table 1 shows the summary of the compliance of NIST CSF assessment. The compliance scores were determined based on the previously presented equation.

Table 1. NIST CSF compliance matrix

Function        Category                                                  Compliance (%)   Total (%)
Identify (ID)   Asset management (ID.AM)                                  33               36
                Business environment (ID.BE)                              75
                Governance (ID.GV)                                        25
                Risk assessment (ID.RA)                                   25
                Risk management strategy (ID.RM)                          0
Protect (PR)    Access control (PR.AC)                                    60               45
                Awareness and training (PR.AT)                            70
                Data security (PR.DS)                                     50
                Information protection processes and procedures (PR.IP)   20
                Maintenance (PR.MA)                                       75
                Protective technology (PR.PT)                             38
Detect (DE)     Anomalies and events (DE.AE)                              0                25
                Security continuous monitoring (DE.CM)                    43
                Detection processes (DE.DP)                               25
Respond (RS)    Response planning (RS.RP)                                 0                38
                Communications (RS.CO)                                    88
                Analysis (RS.AN)                                          0
                Mitigation (RS.MI)                                        0
                Improvements (RS.IM)                                      100
Recover (RC)    Recovery planning (RC.RP)                                 100              100
                Improvements (RC.IM)                                      100
                Communications (RC.CO)                                    100

For the "identify" core function, the organization scored 36%. Their ability to track assets centrally, keep management informed, and understand operational risks from a cybersecurity perspective was limited, while a strategy to manage such risks did not exist. However, the organization understood its business well and was able to set priorities to support risk management decisions.

Access to physical and virtual assets was granted through authorization and well-defined processes. Staff were adequately trained and informed of their information security duties and responsibilities. Certain aspects of data security related to confidentiality and availability were handled reasonably well; however, assurance of data integrity needed improvement. Local and remote maintenance of IT infrastructure was carried out in a manner consistent with policies and procedures. However, the policies, processes, and procedures, as well as the technology, needed to protect information systems and related assets were lacking. In aggregate, therefore, the organization scored 45% compliance for the "protect" core function.

The organization scored weakest in the detection of cybersecurity incidents, with a score of 25%. Although certain monitoring activities were in place to track physical security and malicious code, timely detection of anomalous activities and defined detection processes were lacking or non-existent.

Despite the lack of a specific plan for responding to cybersecurity events, the organization had measures in place to report incidents and coordinate response activities, which resulted in a 38% compliance score for the "respond" core function. These practices are updated from time to time; however, mechanisms to perform post-incident analysis or to mitigate future cybersecurity events have not yet been implemented.

Interestingly, the organization was well prepared to deal with recovery and resumption of core services after a cybersecurity event. The recovery plans in place are tested, updated, and improved periodically, thus receiving full compliance for the "recover" core function of the framework.

Recommendations

Based on the findings, the following recommendations were made with respect to each core function of the NIST CSF.

Identify

(a) Establish a central inventory of assets, including physical devices and systems, software, and external systems, with all required information, and prioritize based on classification, criticality, and business value.
(b) Identify the organization's role in the supply chain (i.e., the producer-consumer model), since it captures and retains public data, collects revenue, and provides services to its stakeholders.
(c) Establish an information security policy and reference relevant federal and state policies regarding cybersecurity to ensure legal and regulatory requirements are understood and managed.
(d) Identify and prioritize threats and vulnerabilities, both internal and external, to determine cybersecurity risks to the organization's operations, assets, and individuals.
(e) Establish risk management processes that are managed and agreed to by stakeholders to support operational risk decisions.

Protect

(a) Strengthen the access control policy and procedures for organization-wide assets that require both physical and remote access.
(b) Sensitize and increase awareness about cybersecurity throughout the workforce more comprehensively, and provide adequate cyber security training based on roles and responsibilities. In this regard, clearly describe cybersecurity roles and responsibilities for relevant staff and external stakeholders.
(c) Enforce required provisions for data security in the policy, and implement data-at-rest and data-in-transit security, as well as integrity-checking mechanisms to ensure confidentiality, integrity, and availability of information and data.
(d) Establish the required policies, processes, and procedures to manage protection of information assets. This includes establishing the policies and processes currently lacking, particularly for configuration management, data destruction, and the physical operating environment; identifying security baselines; adopting an SDLC for system management; and formulating vulnerability, response, and recovery plans.
(e) Strengthen processes that control and log remote access to organizational assets by external maintenance contractors.
(f) Establish a central log of organization-wide information systems and devices, establish removable media policy, and strengthen network segregation to protect communication and control networks.

Detect

(a) Determine baselines for network operations and data flows, and implement appropriate activities to detect and analyze events based on event data aggregated from multiple sources and sensors. Determine incident impact and threshold to prepare and allocate resources appropriately.
(b) Implement tools to monitor the cyber and physical environments to detect unauthorized mobile code, external service provider activities, and unauthorized access. Perform organization-wide vulnerability scans regularly.
(c) Outline detection requirements in information security policy, and continuously improve these processes to ensure timely and adequate awareness of anomalous events.

Respond

(a) Establish processes and procedures to respond to cybersecurity events in a timely manner.
(b) Define cybersecurity roles and responsibilities in information security policy to ensure activities are coordinated for internal and external stakeholders, including law enforcement, in response to cybersecurity events.
(c) Implement required cybersecurity event notification and detection systems to ensure adequate information is available to analyze and understand the impact to support recovery activities.
(d) Implement required cybersecurity controls to detect, report, and contain incidents to prevent escalation of an incident, mitigate its effect, and eradicate the incidents.


References

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The original article lists references alphabetically, but this version—by design—lists them in order of appearance. Some original references had broken URLs; this version updates them to functional URLs.