UA Cybersecurity Framework


Introduction

Cybersecurity Framework

The University of Arizona (UA) is committed to preserving the confidentiality, integrity and availability of its information resources, while preserving and nurturing the open information-sharing requirements of its academic culture. 

As part of a joint Tri-U effort with Arizona State University and Northern Arizona University, UA Information Security (UAIS) is adopting the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity as the basis for a university-wide set of security guidelines, the UA Cybersecurity Framework.

The goal of this framework is to provide guidance so Units can mitigate cyber risks to their information assets based on current government and industry guidelines and best practice.

In addition to providing Unit IT Security Managers (ITSMs) with guidance about appropriate cybersecurity protocols within their environments, the Cybersecurity Framework is structured to facilitate two broader objectives:

  • The Cybersecurity Framework provides a foundation for consistent cybersecurity maturity reporting, even if Units have different levels of risk exposure.
  • The Cybersecurity Framework helps ITSMs prioritize potential areas of improvement, fostering a continuous improvement philosophy for security goals.

UA Cybersecurity Framework Overview (presentation) (PDF)

 

Supporting Documentation



Cybersecurity Framework Structure

The Cybersecurity Framework is structured around five main functions. These functions reflect the various stages of a risk management lifecycle, starting with identifying the information assets to be protected, moving through the stages of protecting and defending those assets against threats, and finally responding to threats and maintaining the assets’ intended functional purpose. 

Framework Functions

Listed below are the five functions. Each function's webpage contains the full category, subcategory and informative reference information.

  • Identify: Develop the understanding to manage cybersecurity risk to information assets and IT service capabilities. This includes measures such as risk assessment, asset management, and governance processes.
  • Protect: Develop and implement appropriate safeguards to ensure delivery of IT services and protect information assets. This includes measures such as access control, data security, and user awareness.
  • Detect: Develop and implement appropriate systems to quickly identify the occurrence of a cybersecurity event. This includes continuous monitoring and detection processes.
  • Respond: Develop and carry out the appropriate actions to take once a cybersecurity event is identified. This includes response planning, communication planning, incident analysis, mitigation, and other improvements.
  • Recover: Develop and carry out appropriate activities to restore any IT services that were impaired due to a cybersecurity event. The focus should be maintaining resilience for the IT environment to protect it from future attacks.



Determining Recommended Level of Cybersecurity

One of the UAIS guiding principles is that “one size does NOT fit all.” Cybersecurity needs to be applied in a manner that recognizes not all information assets need the same level of protection, since not all information assets pose the same level of risk to the University or our constituents.


To incorporate this principle into the Cybersecurity Framework, UAIS has created three “Risk Level” designators that ITSMs can use to guide their cybersecurity efforts. These designators are based on two factors:

  • The data classification of the information assets. This value provides a relative measure of risk should the information asset be inadvertently exposed (confidentiality risk), modified (integrity risk), or destroyed (availability risk).
  • The scope of constituents who use the information assets or whose data is processed, transmitted, or stored by the information asset. This value provides a relative measure of the exposure that could result if the confidentiality, integrity, or availability of the information asset is compromised.



Determining Risk Level for Information Assets

To determine the Risk Level that is appropriate for their environment, ITSMs should consider the data classification appropriate for their information assets as well as the potential scope of exposure should the asset be compromised.

Risk level of information assets determined by data classification


ITSMs have two choices about how to apply this principle to their environment.

  1. They can choose to take a “high water mark” approach to their entire Unit, based on the highest level of data classification and broadest potential scope of exposure. In this scenario, they would implement consistent security practices across their entire environment rather than separating their environment into smaller defined instances. This might be appropriate for Units that have centralized IT groups managing their servers in a single location, using similar management techniques across all the servers, and with little or no technological segmentation between their systems.
  2. Alternately, ITSMs could choose to segment their environment and to conduct separate self-assessments for each environment. In this scenario, they would define separate environments within their Unit, and then implement different levels of security within each environment. This might be appropriate for Units with multiple departments managing their own information assets that have different levels of risk and different approaches to cybersecurity within each department. Choosing this approach will also require strong technological separation between the different environments.


If a Unit cannot implement network-based segmentation between its systems, it should take the high water mark approach and complete a single self-assessment rather than separate assessments.



Cybersecurity Framework Structure and Values

The following image is provided as a guide to the value structure created for each of the Framework's 98 controls. The columns have been numbered, and are described below the image.

Cybersecurity framework sample

1. Control Number:
This is a reference that links back to the original NIST document structure. Each reference includes an indicator for the function, category, and subcategory. There are a total of 98 subcategories within the framework.

2. Control Description (Subcategory):
This is an explanation of the activity that should be undertaken to protect the information assets.
 
3. Cost:
This value provides the relative financial cost to acquire the processes, tools, or staff required to implement the control. Possible values are High, Medium, and Low. The ITSM community provided feedback for these values and reached a group consensus during Fall 2015.
 
4. Effort:
This value provides the relative labor required to implement the control. Possible values are High, Medium, and Low. The ITSM community provided feedback for these values and reached a group consensus during Fall 2015.
 
5. Impact:
This value provides the relative risk reduction a Unit can realize by implementing the control. Possible values are High, Medium, and Low. The Information Security office worked with various compliance officers and IT leaders across campus to develop these values in Summer 2015.
 
6. Focus:
This value identifies whether the control is relevant at the Unit level or at the Campus level.
 
7-9. Risk Levels -- Level 1 (L1), Level 2 (L2), Level 3 (L3):
This value indicates whether the control is considered Essential (E), Recommended (R), or Optional (O) for each Risk Level. Units should focus initially on “Essential” items appropriate for their Risk Level, and these will be the basis for the Unit’s Risk-Based Maturity Assessment.
 
As described above, a Unit's Risk Level is determined by the data classification for their information assets. 
 
10. Reference:
This value provides additional reference guidance linking to NIST Special Publication 800-53 Rev. 4.*

*All reference guidance will be found in NIST Special Publication 800-53 Rev. 4, except for two controls in the Recover Function (RC.CO-1 and RC.CO-2). The guidance for these two controls can be found in COBIT 5.
 

References
