The Journal of Supercomputing, Volume 74, Issue 10, pp 5171–5186

A security review of local government using NIST CSF: a case study

  • Ahmed Ibrahim
  • Craig Valli
  • Ian McAteer
  • Junaid Chaudhry

Abstract

Evaluating cyber security risk is a challenging but essential activity, regardless of an organisation’s nature of business or size. This paper uses the National Institute of Standards and Technology (NIST) cyber security framework (CSF) to assess the cyber security posture of a local government organisation in Western Australia. Our approach enabled the quantification of risks for specific NIST CSF core functions and their respective categories, and allowed us to make recommendations to address the gaps discovered in order to attain the desired level of compliance. This has led the organisation to strategically target areas related to its people, processes, and technologies, thus mitigating current and future threats.
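To make the quantification step concrete, the following is an added illustration (not the paper's own method or data) of scoring an assessment per NIST CSF category and aggregating the gap to a target level by core function. The category identifiers are NIST CSF v1.0 ones; the 0–4 maturity scale, the scores and the target level are constructed assumptions.

```python
# Added illustration, not the paper's method: gap scoring per NIST CSF
# core function and category. Category IDs are NIST CSF v1.0 identifiers;
# the 0-4 maturity scale, scores and target level are constructed values.
from collections import defaultdict

# Core functions, keyed by the two-letter prefix of each category ID.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed assessment result: category -> current maturity score.
CURRENT = {
    "ID.AM": 2, "ID.RA": 1, "ID.GV": 3,
    "PR.AC": 3, "PR.AT": 1, "PR.DS": 2,
    "DE.CM": 1, "DE.AE": 1,
    "RS.RP": 2,
    "RC.RP": 1,
}

def category_gaps(current, target):
    """Gap per category: how far each score is below the target (never negative)."""
    return {cat: max(0, target - score) for cat, score in current.items()}

def function_summary(current, target):
    """Aggregate by core function: mean score, total gap, and the fraction
    of categories already at or above the target."""
    buckets = defaultdict(list)
    for cat, score in current.items():
        buckets[FUNCTIONS[cat.split(".")[0]]].append(score)
    summary = {}
    for fn, scores in buckets.items():
        summary[fn] = {
            "mean": round(sum(scores) / len(scores), 2),
            "gap": sum(max(0, target - s) for s in scores),
            "compliant": sum(s >= target for s in scores) / len(scores),
        }
    return summary

def prioritise(current, target):
    """Categories that miss the target, largest gap first, then by ID."""
    gaps = category_gaps(current, target)
    return sorted((c for c, g in gaps.items() if g > 0),
                  key=lambda c: (-gaps[c], c))

if __name__ == "__main__":
    for fn, row in function_summary(CURRENT, 3).items():
        print(f"{fn:9s} mean={row['mean']:.2f} gap={row['gap']} "
              f"compliant={row['compliant']:.0%}")
    print("Remediation order:", prioritise(CURRENT, 3))
```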

Keywords

NIST cyber security framework; Local government; Cyber security; Risk assessment

Notes

Acknowledgements

We would like to thank the Western Australia local government organisation for sharing their case study for this research. We would also like to thank their staff for their support and cooperation during the assessment.

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. Security Research Institute, School of Science, Edith Cowan University, Perth, Australia
  2. College of Security and Intelligence, Embry-Riddle Aeronautical University, Prescott, USA