{"title":"Cyber Security Audit using CIS CSC, NIST CSF and COBIT 2019 Framework","authors":"Viny Fadila, Nurul Mutiah, Renny Puspita Sari","doi":"10.24114/cess.v8i2.43257","DOIUrl":null,"url":null,"abstract":"Tingginya penggunaan teknologi dan informasi saat ini mengakibatkan peningkatan risiko dan ancaman keamanan data dan informasi. Dinas Komunikasi dan Informatika Kota Pontianak, dinas pemerintahan yang memanfaatkan dan menggunakan banyak teknologi informasi. Untuk mengetahui sejauh mana kemampuan Dinas Komunikasi dan Informatika Kota Pontianak dalam mengelola keamanan siber, maka diperlukan audit keamanan siber. Audit dapat dilakukan dengan menggabungkan framework CIS CSC (Center for Internet Security Critical Security Controls) untuk membatasi focus area keamanan siber aset TI serta menggunakan NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) dan COBIT 2019 (Control Objective for Information Technologies) untuk melakukan perhitungan level kapabilitas. Perhitungan level kapabilitas menggunakan metode CPM (COBIT Performance Model). Hasil perhitungan level kapabilitas keamanan siber Dinas Komunikasi dan Informatika Kota Pontianak pada Identify (ID) mencapai level 3.9, Protect (PR) mencapai level 3.4, Detect (DE) mencapai level 2.5, dan Respond (RS) mencapai level 4. Terdapat 19 rekomendasi aktivitas untuk dilakukan agar mencapai level keamanan siber yang diinginkan, kemudian dilakukan pemetaan aktivitas rekomendasi ke dalam action priority matrix, 10 aktivitas masuk ke dalam kuadran Quick Wins, dan 9 aktivitas yang masuk ke dalam kuadran Major Projects. The frequent use of technology and information today impacts the increased risk and threats to data and information security. Department of Information and Communications of Pontianak is the department that utilizes and uses a lot of information technology. 
To find out how far the Pontianak City Communication and Informatics Office is capable of managing cyber security, a cyber security audit is needed. Audits can be conducted by combining the CIS CSC (Center for Internet Security Critical Security Controls) framework to define the cybersecurity focus areas of IT assets and using the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and COBIT 2019 (Control Objective for Information Technologies) to calculate the capability level. Capability level calculation uses the CPM (COBIT Performance Model) method. The results of calculating the level of cyber security capability of the Pontianak City Communication and Informatics Service for Identification (ID) reaches level 3.9, Protect (PR) reaches level 3.4, Detect (DE) reaches level 2.5, and Respond (RS) reaches level 4. There are 19 activity recommendations to be carried out in order to achieve the desired level of cybersecurity, then capture recommendation activities into the action priority matrix, 10 activities included in the Quick Wins quadrant, and 9 activities entered into the Major Projects quadrant.","PeriodicalId":53361,"journal":{"name":"CESS Journal of Computer Engineering System and Science","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2023-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"CESS Journal of Computer Engineering System and Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.24114/cess.v8i2.43257","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Abstract
The heavy use of information technology today increases the risks and threats to data and information security. The Pontianak City Communication and Informatics Office (Dinas Komunikasi dan Informatika Kota Pontianak) is a government agency that uses a great deal of information technology. To determine how capable the office is of managing cyber security, a cyber security audit is needed. The audit can be conducted by combining the CIS CSC (Center for Internet Security Critical Security Controls) framework, to define the cybersecurity focus areas for IT assets, with the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and COBIT 2019 (Control Objective for Information Technologies), to calculate the capability level. The capability level is calculated using the CPM (COBIT Performance Model) method. The resulting cyber security capability levels for the office are 3.9 for Identify (ID), 3.4 for Protect (PR), 2.5 for Detect (DE), and 4 for Respond (RS). There are 19 recommended activities to carry out in order to reach the desired level of cybersecurity. These activities were then mapped onto an action priority matrix: 10 activities fall in the Quick Wins quadrant and 9 in the Major Projects quadrant.