Developing a Model for Cybersecurity Maturity Assessment
Tariq Al-idrissi
Trent University
Tariq is currently Associate Vice President of IT at Trent University. In addition to his role at Trent, Tariq is the Chair of the Canadian University Council of Chief Information Officers (CUCCIO), a member of the CUCCIO Cybersecurity Benchmarking Committee, a member of the CANARIE CIO Advisory Group, and has recently been appointed to the Compute Canada Cybersecurity Task Force. Tariq has also served as the Chair of the Ontario University Council of Chief Information Officers (OUCCIO). Tariq holds an Honours Bachelor of Commerce degree and a Master of Science in Management degree from Lakehead University. While his experience over the past twenty years has been primarily in IT and educational technologies, he has also taught as a Sessional Lecturer for the Faculty of Business at Lakehead University for ten years. As an IT leader, Tariq drives value from IT through collaboration, communication, strategy development, planning, and execution.
Ian Thomson
Trent University
Ian Thomson is the Information Security Officer at Trent University and works part time as an Adjunct Professor in the Computer Security Investigations program at Fleming College. Ian holds a Master's degree in education from Central Michigan University, is a member of the Ontario College of Teachers and holds the SSCP (Systems Security Certified Practitioner) certification. Ian's interests are in security education, awareness, security architecture and risk management.
Abstract
Cybersecurity has become a topic at the top of the priority list for most university IT operations across the country. CIOs have spent a lot of time, rightfully, on understanding the magnitude of the cybersecurity problems that they face, educating their Boards, and putting in place strategies around preventing breaches, preparing for breaches, and responding to breaches. A lot of dollars have been invested, but did it really make a difference? “I think so” is the last answer that your Board wants to hear. Did your university achieve more cybersecurity maturity in the process? Can you quantify that?
There are multiple ways to assess cybersecurity maturity at your institution:
- You can hire an external firm to assess your cybersecurity maturity. Some firms will use their own methodology while others will utilize a blend of industry standards, such as ISO 27001 or the NIST Framework for Improving Critical Infrastructure Cybersecurity. The key here is to be assessed to establish a baseline and to be assessed again at some future interval to demonstrate maturity growth. This can be expensive.
- You can assess maturity yourself by utilizing a canned survey (InfoTech Research or Gartner) or by attempting to apply an established standard on your own. The problem with self-assessment today is that there is no established methodology for the approach. What are the key questions to ask? Whom do you ask these questions of? Do you collect the data via a survey only or by some other method?
This session will focus on presenting a model and tool for self-assessment based on the NIST Framework for Improving Critical Infrastructure Cybersecurity. This model will address the following questions:
- How do I organize a self-assessment?
- What questions do I ask of whom?
- What format do I ask these questions in?
- How do I analyze the responses and quantify my cybersecurity measures?
- What does my maturity profile look like?
- What actions do I need to focus on following an assessment?
- When should I complete my next assessment?
In addition to showcasing our efforts at developing this methodology, Trent University is happy to share what we have developed so it can be adopted at other institutions. It is our ultimate goal to use a subset of maturity scores and generalized data for benchmarking purposes across the whole university sector in Canada.
Authors
- Tariq Al-idrissi (Trent University)
- Ian Thomson (Trent University)
Topic Area
Security: Security should be a culture, not a blocker
Session
D3-S1-01 » Wednesday Session 1 - 1 (08:45 - Wednesday, 20th June, DFA)