- Cybersecurity Framework Structure and Values
The University of Arizona (UA) is committed to preserving the confidentiality, integrity and availability of its information resources, while preserving and nurturing the open information-sharing requirements of its academic culture.
As part of a joint Tri-U effort with Arizona State University and Northern Arizona University, UA Information Security (UAIS) is adopting the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity as the basis for a university-wide set of security guidelines, the UA Cybersecurity Framework.
The goal of this framework is to provide guidance so Units can mitigate cyber risks to their information assets based on current government and industry guidelines and best practice.
In addition to providing Unit IT Security Managers (ITSMs) with guidance about appropriate cybersecurity protocols within their environments, the Cybersecurity Framework is structured to facilitate two broader objectives:
- The Cybersecurity Framework provides a foundation for consistent cybersecurity maturity reporting, even if Units have different levels of risk exposure.
- The Cybersecurity Framework helps ITSMs prioritize potential areas of improvement, fostering a continuous improvement philosophy for security goals.
- UA Cybersecurity Framework (Version 004) (PDF)
- UA Cybersecurity Framework Reference Guide (Version 002) (PDF)
- UA Cybersecurity Framework Risk Assessment workbook and supporting materials (requires UA NetID+. If you are accessing from off-campus, you will need to use UA's VPN Client.)
The Cybersecurity Framework is structured around five main functions. These functions reflect the various stages of a risk management lifecycle, starting with identifying the information assets to be protected, moving through the stages of protecting and defending those assets against threats, and finally responding to threats and maintaining the assets’ intended functional purpose.
Listed below are the five functions. Each function's webpage contains the full category, subcategory and informative reference information.
| Function | Description |
|---|---|
| Identify | Develop the understanding to manage cybersecurity risk to information assets and IT service capabilities. This includes measures such as risk assessment, asset management, and governance processes. |
| Protect | Develop and implement appropriate safeguards to ensure delivery of IT services and protect information assets. This includes measures such as access control, data security, and user awareness. |
| Detect | Develop and implement appropriate systems to quickly identify the occurrence of a cybersecurity event. This includes continuous monitoring and detection processes. |
| Respond | Develop and carry out the appropriate actions to take once a cybersecurity event is identified. This includes response planning, communication planning, incident analysis, mitigation, and other improvements. |
| Recover | Develop and carry out appropriate activities to restore any IT services that were impaired due to a cybersecurity event. The focus should be maintaining resilience for the IT environment to protect it from future attacks. |
One of the UAIS guiding principles is that “one size does NOT fit all.” Cybersecurity needs to be applied in a manner that recognizes not all information assets need the same level of protection, since not all information assets pose the same level of risk to the University or our constituents.
To incorporate this principle into the Cybersecurity Framework, UAIS has created three “Risk Level” designators that ITSMs can use to guide their cybersecurity efforts. These designators are based on two factors:
- The data classification of the information assets. This value provides a relative measure of risk should the information asset be inadvertently exposed (confidentiality risk), modified (integrity risk), or destroyed (availability risk).
- The scope of constituents who use the information assets or whose data is processed, transmitted, or stored by the information asset. This value provides a relative measure of the exposure that could result if the confidentiality, integrity, or availability of the information asset is compromised.
To determine the Risk Level that is appropriate for their environment, ITSMs should consider the data classification appropriate for their information assets as well as the potential scope of exposure should the asset be compromised.
ITSMs have two choices about how to apply this principle to their environment.
- They can choose to take a “high water mark” approach to their entire unit, based on the highest level of data classification and broadest potential scope of exposure. In this scenario, they would implement consistent security practices across their entire environment rather than separating their environment into smaller defined instances. This might be appropriate for Units that have centralized IT groups managing their servers in a single location, using similar management techniques across all the servers, and with little or no technological segmentation between their systems.
- Alternately, ITSMs could choose to segment their environment and to conduct separate self-assessments for each environment. In this scenario, they would define separate environments within their Unit, and then implement different levels of security within each environment. This might be appropriate for Units with multiple departments managing their own information assets that have different levels of risk and different approaches to cybersecurity within each department. Choosing this approach will also require strong technological separation between the different environments.
If a Unit cannot implement network-based segmentation between its systems, it should use the high water mark approach and complete a single self-assessment instead of separate assessments.
The following image is provided as a guide to the value structure created for each of the Framework's 98 controls. The columns have been numbered, and are described below the image.
2. Control Description (Subcategory):
- Data Classification and Handling Standard (IS-2321)
- NIST’s Framework for Improving Critical Infrastructure Cybersecurity
- Framework for Improving Critical Infrastructure Cybersecurity (.pdf)
- NIST Cybersecurity Framework (CSF) Reference Tool
- Framework Core (Excel Workbook - .xlsx)
- Informative References: