Cyber-Risk Management Planning Using NIST CSF v1.1, NIST SP 800-53 Rev. 5, and CIS Controls v8
A. Amiruddin, Hafizh Ghozie Afiansyah, Hernowo Adi Nugroho
2021 International Conference on Informatics, Multimedia, Cyber and Information System (ICIMCIS), published 2021-10-28
DOI: 10.1109/ICIMCIS53775.2021.9699337
Citations: 3
Abstract
As organizations increasingly rely on information systems to support their missions and objectives, protecting those assets against cyber risks needs more deliberate attention. Cyber-risk management planning is one approach to protecting assets from the risk of cyber-attacks. As a supporting unit within XYZ, the IT Unit is responsible for managing the information systems, information technology, and their infrastructure and services across the XYZ system. However, the IT Unit has never conducted a cybersecurity evaluation, so it does not yet have a cybersecurity risk management plan. In this study, we tailored a cyber-risk plan for the IT Unit of XYZ using NIST CSF as the main framework, with CIS Controls v8 and NIST SP 800-53 Rev. 5 used to define controls and action recommendations. As a result, we identified 42 risk scenarios in the IT Unit, of which 12 are accepted and 30 are mitigated. We give 14 action recommendations for the IT Unit to reach Tier 3, based on 18 CIS controls and 20 NIST SP 800-53 Rev. 5 controls that can be applied to manage the current cyber-risk.