Cybersecurity-Framework (CSF) -based Conformance Checking Techniques and Tools

Master's thesis, Department of Computer Science and Engineering, Yuan Ze University, academic year 105.

Bibliographic Details
Main Authors: Chien-Ting Lin, 林建廷
Other Authors: Chin-Feng Fan
Format: Others
Language: zh-TW
Published: 2017
Online Access: http://ndltd.ncl.edu.tw/handle/04491641738524082914
Record ID: ndltd-TW-105YZU05392043
Original Title: 網絡安全架構CSF為基礎之法規符合性檢查技術及工具
Collection: NDLTD

Description: Cybersecurity is critical for governments, sectors, and enterprises. For this reason, US NIST published the "Cybersecurity Framework" (CSF) as a baseline to help these organizations improve their cybersecurity risk management. Moreover, President Trump signed a cybersecurity executive order on May 11, 2017 requiring all federal agencies to adopt the CSF, so how to comply with the CSF is becoming an important issue. However, CSF activities are detailed and not easy to follow. Furthermore, there are no clear relations between CSF tiers and core activities. Although a 1-to-1 relation between tiers and core activities is not necessary, a certain degree of relation makes the CSF easier to adopt. This thesis therefore studies methods to relate CSF tiers and core activities, and develops a computer-aided CSF conformance checking tool set.

To relate CSF core activities to CSF tiers, we use the mapping results of C2M2, a cybersecurity maturity model of the US Department of Energy, which connect CSF tiers with C2M2. In addition, we add extra core activities from the mapping results of DHS's CRR Q&A set with the CSF. In the computer-aided tool, we first design a CSF ontology and present it in a tree view; the tool set provides functions such as CSF query, document markup, review, Q&A review, quantitative adjustment, self-assessment, and visual presentation of the resulting profile. The proposed techniques and conformance checking tools enhance the effectiveness, objectivity, transparency, and repeatability of the process of adopting the CSF.