Assurance Techniques for Industrial Control Systems (ICS)

Assurance techniques generate evidence that allow us to make claims of assurance about security. For the purpose of certification to an assurance scheme, this evidence enables us to answer the question: are the implemented security controls consistent with organisational risk posture? This paper uses interviews with security practitioners to assess how ICS security assessments are conducted in practice, before introducing the five "PASIV" principles to ensure the safe use of assurance techniques. PASIV is then applied to three phases of the system development life cycle (development; procurement; operational), to determine when and when not, these assurance techniques can be used to generate evidence. Focusing then on the operational phase, this study assesses how assurances techniques generate evidence for the 35 security control families of ISO/IEC 27001:2013

The security of information and the risks associated with its use, a model for its implementation

To assess whether the management of information security and the risks associated with its use, through computer networks, at the Peninsula State University of Santa Elena, is effective, it is proposed to implement a model that establishes the goals to achieve to advance through the different levels that make up the rating scale. To evaluate the management of information security and the risks associated with its use, it is necessary to have a maturity model that not only allows evaluating the processes involved in the management of information security, but also those associated with the management of the risks linked to the processing of information in all its phases, since an adequate information security plan depends on it. Based on the aforementioned, the objective of this paper is to propose a model for the management of information security and the risks associated with its use, in computer networks

An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration

Information security threats and their associated breaches are exponentially growing, with millions of records containing personally identified information released to the public each year. Cyber incidents targeting businesses nearly doubled in US past 6 years, with more than 130 large-scale targeted breaches per year in U.S. In the first half of 2020, 36 billion records were exfiltrated by external hackers, with the average cost to recover from a cyber-attack averaging $21.00 per record. While Small and Mid-sized Businesses (SMBs) attempt to stay ahead of this growing trend and protect organizational data, they have specific behaviors that do not affect larger organizations. The four behaviors (non-strategic executive-level sponsorship, apathetic risk management procedures, constrained resources, and non-existent technical skills) are identified in the literature and recognized within the small to midsized industry. If not correctly identified and remediated, these behaviors may impede the businesses from protecting information assets and achieve a mature level of information security governance. To assist organizations in achieving information security governance, the literature identifies five domains that all organizations should possess for organizational alignment and governance maturity. These governance domains are Strategic Alignment, Value Delivery, Risk Management, Performance Measurement, and Resource Management. However, extant literature does not align the five governance domains with the small to midsized business behaviors, nor provide a solution to assist SMBs in achieving information security governance. The literature review focused on four main aspects that are relevant to the study: SMB Characteristics, Virtual Leadership, Information Security Governance, and Information Security program. Previous research identified how similar organizations utilized virtual leadership positions to overcome SMB behaviors to attain organizational business requirements but did not identify virtual positions that can assist SMBs with information security governance. To bridge this gap, this study explored a recent phenomenon, identified as a virtual Chief Information Security Officer (vCISO), that can align the SMB behaviors with the five governance domains and provide a viable solution for SMBs to achieve Information Security Governance within the identified behaviors. Specifically, this qualitative exploratory study interviewed six vCISOs and 14 companies to examine the role the vCISO provided in bridging SMB’s organizational behaviors with the five Information Security Governance domains

Enhancing Cybersecurity Content in Undergraduate Information Systems Programs: A Way Forward

The ongoing barrage of data and infrastructure breaches is a constant reminder of the critical need to enhance the cybersecurity component of modern undergraduate information systems (IS) education. Although the most recent undergraduate information systems curricular guidelines (IS2010) highlight security in the context of data, enterprise architecture, and risk management, much more needs to be done. The IS education community needs to identify cybersecurity competencies and curricular content that further integrates cybersecurity principles and practices into IS curricular guidelines. Until this is completed at the IS community level, IS programs will need to fulfill this role individually. This paper contributes to both these efforts by reviewing relevant literature and initiatives – highlighting two primary paths of curricular development: (1) the evolution of IS curricular guidelines, and (2) the development of Cybersecurity as a standalone discipline. Using these resources, the paper summarizes best practices for integrating cybersecurity into curricula and explores the integration of IS into cybersecurity programs

Assessing the effectiveness of defensive cyber operations

Enormous amounts of resources are being allocated for defensive cyber programs. The White House’s Cyber Security National Action Plan proposes a 35% increase in federal spending on cyber security during Fiscal Year 2017. Without an appropriate understanding of how well the people, processes, defenses, and risk are measured, there will naturally be unproductive tasking, inefficient spending and ineffective reporting. In 2016, the White House established the Commission on enhancing National Cybersecurity to assess the state of our nation’s cybersecurity posture. The report recognized both the difficulty and the need to develop meaningful metrics for cybersecurity in order to better secure the cyber landscape as it pertained to the broader digital ecosystem and its connection to our economy, government, and defense. The commission focused on both the private sector as well as the government and suggested the need to perfect policies, practices and technologies. Additionally, the Marine Corps University recently released research topics addressing some of the most important concerns affecting warfighters. One of the concerns was the lack of a methodology for determining the performance of Defensive Cyber Operations (DCO). Specifically addressed was a need to better understand how actions taken by network defenders facilitate network protection. Previous analysis of this topic led to a reactive and un-actionable approach which was tied to negative events such as the quantity and category of incident reports. As there is currently no framework or scorecard built to evaluate DCO as a whole effort, a methodical approach was taken to scope the problem, compare existing frameworks, develop a framework, and present a scorecard. The first phase of research required scoping exactly what is involved in DCO at the most basic level and understanding how the DoD evaluates performance. This resulted in an understanding of the actionability of metrics, the levels of warfare, and the counterbalance of cyber asymmetry. Also identified was the military doctrine for assessments, which frames evaluations in terms of Measures of Effectiveness and Measures of Performance and supports continuous assessments that provide actionable information to decision makers. The second phase required a detailed analysis of existing frameworks that measured related functions of cybersecurity. Specifically utilized were industry accepted compliance, incident handling, governance, and risk management frameworks. The outcome identified four functional areas common to most frameworks; people, processes, defenses, and risk. The third phase involved developing a framework that evaluated the four functional areas of DCO identified in the problem-framing phase, utilizing the most appropriate features of the already established frameworks. A key facet of this evaluation was that assessments should be weighed over time to demonstrate progress but also be measured against standards, peers, and the adversary. The final phase identified the continuous reporting criteria and the tangible mechanism for evaluating an organization in terms of a scorecard. The framework is not a static list of measurements but rather supports tailoring metrics to the organization’s specific requirements. The fundamentals of the framework are organized into elements, levels, categories, ends/ways, and measures. These metrics should be documented utilizing a standardized rubric that assesses the capability and performance of the metrics. The results should be reviewed and analyzed to determine trends, areas for improvement or investment and actionable information to support decision making. Additionally, a modified Delphi analysis with expert consensus validated the major concepts put forward in this paper. Overall, this research provides a comprehensive framework to evaluate the performance of Defensive Cyber Operations in terms of people, processes, defenses, and risk, filling a knowledge gap that is increasingly vital

System Security Assurance: A Systematic Literature Review

System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions

AIM Triad: A Prioritization Strategy for Public Institutions to Improve Information Security Maturity

In today’s world, private and government organizations are legally obligated to prioritize their information security. They need to provide proof that they are continually improving their cybersecurity compliance. One approach that can help organizations achieve this goal is implementing information security maturity models. These models provide a structured framework for measuring performance and implementing best practices. However, choosing a suitable model can be challenging, requiring cultural, process, and work practice changes. Implementing multiple models can be overwhelming, if possible. This article proposes a prioritization strategy for public institutions that want to improve their information security maturity. We thoroughly analyzed various sources through systematic mapping to identify critical similarities in information security maturity models. Our research led us to create the AIM (Awareness, Infrastructure, and Management) Triad. This triad is a practical guide for organizations to achieve maturity in information security practices.This work received partial support from Proyecto DIUFRO DI21-0079 and Proyecto DIUFRO DI22-0043, Universidad de La Frontera, Temuco. Chile

Assessing the cyber-security status of the metropolitan municipalities in South Africa.

Doctoral Degree. University of KwaZulu-Natal, Durban.The intention of this enquiry was to assess the status of cyber-security in the metropolitan municipalities in South Africa. The focus on this level of local government was driven by the fact that metropolitan municipalities are the economic hubs with a variety of industrial facilities and are the places with high population densities. The metropolitan municipalities have adopted information infrastructures to support the daily administrative processes and, equally important, to support the delivery of essential services such as the distribution of electricity and clean water to the local citizens and communities. Entrenched in the adoption of information infrastructures are the cyber ills which if left unattended could have devastating consequences on people and industrial facilities. Failures or interruptions to information infrastructures have cascading effects due to interconnectedness of these infrastructures. The study used the Constructivist Grounded Theory Methodology to explore the activities that are performed by the metropolitan municipalities with the intention to determine what needs to be in place to safeguard their information infrastructures from cyber ills. Cyber-security is a serious concern in all types of businesses that are largely supported by information infrastructures in pursuit of the business objectives. Information infrastructures are susceptible to cyber-security threats, which if left unattended can shut the municipality operations down with disastrous consequences. A substantive theory of integrated development cyber-security emerged from the Constructivist Grounded Theory Methodology processes of data collecting through comprehensive interviews, initial coding, focused coding, memoing, and theoretical coding. A municipal cyber-security conceptual framework was developed from the integrated development cyber-security theory constructs of integrated development cyber-security which are the core category, cyber-security governance category, cyber-security technical operations category, and human issues in cyber-security category. The conceptual framework was used to formulate the cyber-security status assessment survey questionnaire that was adopted as an instrument to assess the cyber-security status in the metropolitan municipalities. The cyber-security status assessment instrument was deployed in metropolitan municipalities, wherein data was collected and statistically analysed to test and confirm its validity. The assessment results were analysed and showed the as is posture of cyber-security, the gaps in the current implemented cyber-security controls were identified together with the risks associated with those gaps, corrective actions to address the identified deficiencies were identified and recommended/communicated to the management of relevant municipalities