A novel Cybersecurity Maturity Assessment Framework (CMAF)
As organizations, and especially Critical National Infrastructures (CNI), become more vulnerable to cyber-attacks, their protection becomes essential, and a lifecycle model of prediction, protection, detection and reaction is considered necessary. Towards this goal, assessments help identify the strengths and weaknesses of an organization’s processes and procedures and examine how closely these follow identified best practices and guidelines.
Defining a set of minimum requirements and providing guidelines covering areas such as Risk Management, Access Control, and Physical and Environmental Controls is already recommended by most relevant European law, such as the NIS Directive, the GDPR, the Telecom Framework, etc. [1]. These guidelines do not provide specifications for the implementation phase, so the task of compliance is open to misinterpretation.
In the context of CONCORDIA’s effort to address how the relevant EU legal obligations influence organizational practices in their actual implementation, a recent study [2] revealed that different organizations may have quite different cybersecurity maturity levels in place. This study also revealed that a “one size fits all” approach may prove an excessive burden for a smooth and fast transition to the desired level. In order to standardize the evaluation of the cybersecurity posture of organizations and to facilitate cybersecurity assessments and audits according to different maturity levels, a novel “Cybersecurity Maturity Assessment Framework” (CMAF) was designed and tested by the National Cyber Security Authority of Greece (NCSA).
The CMAF consists of a set of security controls against which the processes are appraised and classified based on a CMMI-based maturity scale. The security controls, proposed by the CMAF, consist of 20 baseline security requirements, while the resulting structure includes three major categories: A. IDENTIFICATION, B. PROTECTION, C. DEFENSE. The maturity scale includes 6 separate levels (Figure 1).
The CMAF is designed with a scalable approach in mind, so that it can be adapted to newly emerging requirements such as Cloud Services, Operational Technology (OT), Internet of Things (IoT), new legislative requirements, or other organizational aspects and needs. The proposed framework can be used both as a self-assessment and as an external audit tool. The resulting information can be used by National Cybersecurity Authorities and by the organization itself to identify security gaps and best practices, and to prioritize future security programs and funding actions.
Overall, the CMAF tries to add to CONCORDIA’s aim to examine the economic and legal considerations relevant to the cybersecurity sector and to foster competence building in relation to privacy and security matters.
(By National Cyber Security Authority of Greece (GSDP))
Full publication:
G. Drivas, A. Chatzopoulou, L. Maglaras, C. Lambrinoudakis, A. Cook and H. Janicke, “A NIS Directive Compliant Cybersecurity Maturity Assessment Framework,” 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), Madrid, Spain, 2020, pp. 1641-1646, doi: 10.1109/COMPSAC48688.2020.00-20.
References:
[1] Najmudin Saqib, Vasileios Germanos, Wen Zeng, Leandros Maglaras, “Mapping of the Security Requirements of GDPR and NISD”, EAI Transactions on Security and Safety, accepted, September 2020, DOI: 10.4108/eai.30-6-2020.166283
[2] George Drivas, Leandros Maglaras, Helge Janicke, Sotiris Ioannidis, “Assessing Cyber Security Threats and Risks in the Public Sector of Greece”, Journal of Information Warfare, Vol. 19, Issue 1, 2020