Update: The original Guide (published in 2014) has been replaced with the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators. Navigate to trustedci.org/framework to learn more. There, you’ll find more information about the Framework, as well as updated tools and templates.
A Brief Overview of the Trusted CI Guide to Developing Cybersecurity Programs
Trusted CI's Guide to Developing Cybersecurity Programs offers a streamlined approach to developing a cybersecurity plan for NSF-funded projects, tailored to projects serving the scientific community. This overview summarizes the core tasks involved in the process of cybersecurity program development to give readers an idea of required effort allocation.
The Guide is split into 5 core tasks as described in "Section 1: The Process", with tools to assist in completing these tasks. "Section 2: Controls and Contexts" describes controls in more detail and references policy templates to help implement these controls.
The core tasks in Section 1 are as follows.
Establish a Cybersecurity Program.
The Master Information Security Policy and Procedures (MISPP) Template (Updated 3/1/2021) gives a comprehensive view of a cybersecurity program. While there is no single authoritative approach or framework for developing a cybersecurity program, we suggest using the following core tools:
Best practices
Risk assessment
Frameworks and maturity models
Identify Assets and Document the environment.
Identifying, understanding, and documenting assets is a critical step in linking the tools and processes needed for a cybersecurity program. A lightweight method of identifying and characterizing information and information systems is shown in the Information Asset Inventory Template.
Select, implement, and tailor the baseline controls.
Selecting baseline controls relies on identifying assets and (potentially) conducting risk assessments. There are several approaches for control selection. For example:
Utilize a cybersecurity maturity model or the NIST Framework for Improving Critical Infrastructure Cybersecurity.
NIST SP 800-53 rev 4 provides an extensive catalog of controls.
Use best-practice documents on how to implement critical security controls, such as Trusted CI’s Securing Commodity IT in Scientific CI Projects.
Use the results of a risk assessment to identify needed controls to mitigate threats to critical assets.
Various Policy and Procedure Templates are available as a starting point.
Evaluate Control effectiveness (using risk assessment).
Use the Risk Assessment Table to record assets and risks to those assets.
Evaluate how the selected controls reduce the inherent risk level (based on the impact and likelihood of the unmitigated security incident).
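The risk assessment step above (record assets and the risks to them, rate the unmitigated impact and likelihood, then compare the inherent level with the level left after controls) as an added worked example in Python. It is not code from the Guide or its Risk Assessment Table; the three-point scales, the 3x3 rating matrix, the sample assets and the effect attributed to each control are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed qualitative scales; the Guide's own Risk Assessment Table may use different ones.
SCALE = {"low": 1, "moderate": 2, "high": 3}
NAME_OF = {v: k for k, v in SCALE.items()}

def risk_level(impact: str, likelihood: str) -> str:
    """Combine impact and likelihood into a qualitative level (assumed 3x3 matrix)."""
    score = SCALE[impact] * SCALE[likelihood]
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"

@dataclass
class Control:
    name: str
    likelihood_steps: int = 0  # how many scale steps the control lowers likelihood (assumed)
    impact_steps: int = 0      # how many scale steps the control lowers impact (assumed)

@dataclass
class Risk:
    asset: str       # entry from the asset inventory (task 2)
    threat: str
    impact: str      # unmitigated impact rating
    likelihood: str  # unmitigated likelihood rating
    controls: list[Control] = field(default_factory=list)

def step_down(rating: str, steps: int) -> str:
    return NAME_OF[max(1, SCALE[rating] - steps)]  # lower a rating, never below "low"

def assess(risk: Risk) -> dict:
    """One row of the table: inherent level, residual level after controls, and a follow-up flag."""
    inherent = risk_level(risk.impact, risk.likelihood)
    residual = risk_level(
        step_down(risk.impact, sum(c.impact_steps for c in risk.controls)),
        step_down(risk.likelihood, sum(c.likelihood_steps for c in risk.controls)),
    )
    return {"asset": risk.asset, "threat": risk.threat, "inherent": inherent,
            "residual": residual, "needs_more_controls": residual != "low"}

# Constructed sample rows for a fictional research project (not taken from the Guide).
SAMPLE_RISKS = [
    Risk("Instrument data archive", "ransomware on file server", "high", "moderate",
         [Control("offline backups", impact_steps=1), Control("timely patching", likelihood_steps=1)]),
    Risk("Public web portal", "phishing of administrator credentials", "moderate", "high",
         [Control("multi-factor authentication", likelihood_steps=2)]),
    Risk("Shared compute cluster", "misconfiguration exposes user data", "moderate", "moderate"),
]

def risk_table(risks: list[Risk] = SAMPLE_RISKS) -> list[dict]:
    return [assess(r) for r in risks]
```

Rows whose residual level is still above "low" are the ones to carry into the next round of control selection (task 3) or to accept explicitly.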
Evaluate and Refine the program.
Evaluate using program maturity models and metrics.