Conducting a cybersecurity assessment is a central activity in protecting a generic organization from cyber-attacks. Several methods exist in research and industry to assess the security level of an organization, from manual activities to automated attack graphs. Unfortunately, automated approaches fail in taking into account the governance aspect that still need to be evaluated manually by the assessor, introducing possible biases or problems deriving from the level of expertise. In this paper, we provide a methodology to support the assessor in the task of evaluating the coverage of cybersecurity controls coming from technical standards, regulations, internal practices. This is done by providing him/her with a multi-layer model that takes into account several organizational layers, a mapping procedure to tie the security controls to the multi-layer model, and the definition of a validation factor that can be used to possibly refine the level of coverage and to suggest possible layers where evidences should be collected to verify and assess the coverage of a security control. A usage scenario provides an initial validation of our approach based on ISO 27001. Developments of this methodology are on-going toward its application to the support of broader cyber-risk assessment activities through discounting risk factors.
Toward a Context-Aware Methodology for Information Security Governance Assessment Validation / Angelini, M.; Bonomi, S.; Ciccotelli, C.; Palma, A.. - 12618:(2021), pp. 171-187. (Intervento presentato al convegno 1st International Workshop on Cyber-Physical Security for Critical Infrastructures Protection, CPS4CIP 2020 in conjunction with the European Symposium on Research in Computer Security, ESORICS 2020 tenutosi a Virtual, Online) [10.1007/978-3-030-69781-5_12].
Toward a Context-Aware Methodology for Information Security Governance Assessment Validation
Angelini M.
;Bonomi S.;Ciccotelli C.;Palma A.
2021
Abstract
Conducting a cybersecurity assessment is a central activity in protecting a generic organization from cyber-attacks. Several methods exist in research and industry to assess the security level of an organization, from manual activities to automated attack graphs. Unfortunately, automated approaches fail in taking into account the governance aspect that still need to be evaluated manually by the assessor, introducing possible biases or problems deriving from the level of expertise. In this paper, we provide a methodology to support the assessor in the task of evaluating the coverage of cybersecurity controls coming from technical standards, regulations, internal practices. This is done by providing him/her with a multi-layer model that takes into account several organizational layers, a mapping procedure to tie the security controls to the multi-layer model, and the definition of a validation factor that can be used to possibly refine the level of coverage and to suggest possible layers where evidences should be collected to verify and assess the coverage of a security control. A usage scenario provides an initial validation of our approach based on ISO 27001. Developments of this methodology are on-going toward its application to the support of broader cyber-risk assessment activities through discounting risk factors.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
