Design of Cybersecurity Maturity Assessment Framework Using NIST CSF v1.1 and CIS Controls v8

Hafizhan Irawan, Alva Hendi Muhammad, Asro Nasiri

Abstract


Cybersecurity threats are constantly evolving, making it crucial for organizations to maintain a robust and maturing cybersecurity posture. According to the 2022 Annual Report of the Honeynet Project of the National Cyber and Crypto Agency (BSSN), there were 370,022,283 cyber attacks against Indonesia.  One of the strategies that can be implemented is to conduct a cybersecurity maturity assessment to determine the organization's current level of cybersecurity implementation. This paper proposes a design for a cybersecurity maturity assessment framework leveraging two established standards: the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v1.1 and the Center for Internet Security (CIS) Controls v8. The proposed framework utilizes a mapping between the NIST CSF v.1.1 subcategories and the CIS Controls v8 subcontrols, enabling a comprehensive assessment of an organization's cybersecurity maturity. The assessment methodology focuses on evaluating the implementation and effectiveness of controls aligned with each NIST CSF function. This approach allows organizations to identify strengths and weaknesses in their cybersecurity posture and prioritize areas for improvement. This research developed a mapping between the NIST CSF framework and CIS Controls v8. The mapping aligns 23 integrated cybersecurity categories from NIST CSF (including 64 subcategories out of a possible 108) with 124 subcontrols from CIS Controls v8 (out of a total 153). This combined framework serves as a tool to help organizations improve their cybersecurity maturity and capabilities.


Full Text:

PDF

References


Jeremy Straub. Software engineering: The first line of defense for cybersecurity. 2020 IEEE 11th International Conference on Software Engineering and Service Science (ICSESS). IEEE. 2020; p. 1-5.

BSSN. Laporan Tahunan Honeynet Project 2022. Jakarta. 2022.

CISA. Cybersecurity Framework Implementation Guide. United States of America. 2020.

K. Ruan. Chapter 3 - Cyber Risk Management: A New Era of Enterprise Risk Management. Digital Asset Valuation and Cyber Risk Measurement. K. Ruan, Ed., Academic Press. 2019: pp. 49-73.

D. Sulistyowati, F. Handayani and Y. Suryanto. Comparative Analysis and Design of Cybersecurity Maturity Assessment Methodology Using NIST CSF, COBIT, ISO/IEC 27002 and PCI DSS. International Journal on Informatics Visualization. 2020; vol. 4, no. 4: pp. 225-230.

I. Bashofi and M. Salman. Cybersecurity Maturity Assessment Design Using NISTCSF, CIS CONTROLS v8 and ISO/IEC 27002. 2022 IEEE International Conference on Cybernetics and Computational Intelligence (CyberneticsCom). 2022.

R. A. Ashari and O. C. Briliyant. Rencana Penerapan Cyber-risk Management Menggunakan NIST CSF dan COBIT 5. Jurnal Sistem Informasi. 2018; vol. 14, no. 2: pp. 83-89.

Filkins, Barbara, Doug Wylie, and A. J. Dely. Sans 2019 state of ot/ics cybersecurity survey. SANSâ„¢ Institute. 2019.

Roy P. Prameet. A High-Level Comparison between the NIST Cyber Security Framework and the ISO 27001 Information Security Standard. 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications (NCETSTEA). 2020; pp. 1-3.

Udroiu, Adriana-Meda, Mihail Dumitrache, and Ionut Sandu. Improving the cybersecurity of medical systems by applying the NIST framework. 2022 14th International Conference on Electronics, Computers and Artificial Intelligence (ECAI). IEEE. 2022.

Stjepan Groš. A Critical View on CIS Controls. 2021 16th International Conference on Telecommunications (ConTEL). 2021; pp. 122–128.

Viny Fadila, Nurul Mutiah and Renny Puspita Sari. Audit Keamanan Siber Menggunakan Kerangka Kerja CIS CSC, NIST CSF, dan COBIT 2019. CESS (Journal of Computer Engineering System and Science). 2023; vol. 8: pp 271-283.

Fatin Hanifah, Avon Budiyono and Adityas Widjajarto. Analisa Kerentanan Pada Vulnerable Docker Menggunakan Alienvault Dan Docker Bench For Security Dengan Acuan Framework CIS Control. e-Proceeding of Engineering. 2021; pp. 8880–8885.

Amin Hassanzadeh et al. A Review of Cybersecurity Incidents in the Water Sector. ASCE Journal of Environmental Engineering. 2020.

SSE Project Team. System Security Engineering Capability Maturity Model (SSE-CMM): Model Description Document Version 3.0. Technical report, SSE-CMM. 2003.

NIST. Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. 2018.

D. P. Prastika, J. Triyono, and U. Lestari. Audit dan Implementasi CIS Benchmark Pada Sistem Operasi Linux Debian Server (Studi Kasus: Server Laboratorium Jaringan Dan Komputer 6, Institut Sains & Teknologi Akprind Yogyakarta). Jurnal JARKOM. 2019; vol. 6, no. 1: pp. 1–12.

Amiruddin, Hafizh Ghozie Afiansyah, and Hernowo Adi Nugroho. Cyber-risk management planning using NIST CSF v1. 1, NIST Sp 800-53 rev. 5, and CIS controls v8. 2021 International Conference on Informatics, Multimedia, Cyber and Information System (ICIMCIS). IEEE. 2021.

CIS. CIS Controls CIS Controls Version 8. 2021.

M. Eko. Metode penelitian kualitatif (teori dan aplikasi disertai contoh proposal). 2020.




DOI: https://doi.org/10.35314/isi.v9i1.3973

Refbacks

  • There are currently no refbacks.




Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


This Journal has been listed and indexed in :

Crossref logo Find in a library with WorldCat

Copyright of Jurnal Inovtek Polbeng - Seri Informatika (ISSN: 2527-9866)

Creative Commons License
ISI: Inovtek Polbeng Seri Informatikan is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Editorial Office :
Pusat Penelitian dan Pengabdian kepada Masyarakat
 Politeknik Negeri Bengkalis 
Jl. Bathin alam, Sungai Alam Bengkalis-Riau 28711 
E-mail: jurnalinformatika@polbeng.ac.id
www.polbeng.ac.id

Web
Analytics
View My Stats