Update: The original Guide (published in 2014) has been replaced with the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators. Navigate to trustedci.org/framework to learn more. There, you’ll find more information about the Framework, as well as updated tools and templates.

A Brief Overview of the Trusted CI Guide to Developing Cybersecurity Programs

Trusted CI's Guide to Developing Cybersecurity Programs offers a streamlined approach to developing a cybersecurity plan for NSF-funded projects, tailored to projects serving the scientific community. This overview summarizes the core tasks involved in the process of cybersecurity program development to give readers an idea of required effort allocation.

The Guide is split into 5 core tasks as described in "Section 1: The Process", with tools to assist in completing these tasks. "Section 2: Controls and Contexts" describes controls in more detail and references policy templates to help implement these controls.

The core tasks in Section 1 are as follows.

  1. Establish a Cybersecurity Program.

    • The Master Information Security Policy and Procedures (MISPP) Template (Updated 3/1/2021) gives a comprehensive view of a cybersecurity program. While there is no single authoritative approach or framework for developing a cybersecurity program, we suggest using the following core tools:

      • Best practices

      • Risk assessment

      • Frameworks and maturity models

  2. Identify Assets and Document the environment.

    • Identifying, understanding, and documenting assets is a critical step in linking the tools and processes needed for a cybersecurity program. A lightweight method of identifying and characterizing information and information systems is shown in the Information Asset Inventory Template.

  3. Select, implement, and tailor the baseline controls.

  4. Evaluate Control effectiveness (using risk assessment).

    • Use the Risk Assessment Table to record assets and risks to those assets.

    • Evaluate how the selected controls mitigate the inherent risk level (based on the impact and likelihood of the unmitigated security incident).

  5. Evaluate and Refine the program.

    • Evaluate using program maturity models and metrics.