GoSafe: On the practical characterization of the overall security posture of an organization's information system using smart auditing and ranking

Abstract The lack of national security standardization bodies can adversely affect the adoption of international security standards and best practices. To build security confidence among organizations and to promote the systematic adoption of standards and best practices, a practical framework that supports comparative measurement is needed. This paper presents GoSafe, a novel practical cybersecurity assessment framework tailored to the ISO 2700x standard requirements for the development of an Information Security Management System (ISMS). GoSafe can be used both as a self-assessment tool and as an auditing/scoring tool by national cybersecurity authorities. Using GoSafe, organizations can evaluate their existing information security management systems against local and international standards with built-in pre-audit tools. As such, GoSafe helps organizations evaluate and improve their readiness for evolving risks and threats. Within the GoSafe framework, a novel mathematical model was also designed and implemented for the scoring/rating tool, namely the national cyber security index (aeNCI). The aeNCI combines multiple parameters to determine the maturity of existing cybersecurity programs at national organizations and generates classification and comparison reports. The efficacy of the proposed GoSafe framework is demonstrated through a practical case study. The results enabled the stakeholder to verify the security configuration of their systems and to identify potential attack and risk vectors.