Thursday, October 4, 2018

An Open Science Cybersecurity Program Framework

In 2014, Trusted CI published the “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects,” also known simply as “the Guide.” Since its creation, Trusted CI has received tremendous community feedback attesting to its usefulness; half of the respondents to the most recent Community Survey reported using it as guidance for shaping their cybersecurity programs. As we observed the open science community’s interaction with the original document, it became apparent that revisions could make it more maintainable (and thus more readily kept up to date), applicable to a wider range of science projects, and more approachable to scientists and PIs, all without losing any of its technical value.

Based on our experience with engagements, lively training sessions, the Summit, and the benchmarking survey, we knew we needed to spell out the basic realities of building a cybersecurity program in a way that addressed the variability we have observed in the community. During a substantial revision of the training on the Guide for PEARC’18, it became clear that what was needed was not just a guide, but a framework for establishing and maintaining an open science cybersecurity program at any project scale and at any stage in a project’s lifecycle. Such a framework would be useful even for projects with significant compliance requirements (e.g., FISMA, HIPAA, NIST SP 800-171), because it provides a starting point for evolving a cybersecurity program rather than hundreds of pages dense with unprioritized requirements.

Work on revising the Guide into a framework and addressing the above goals began in earnest earlier this year and builds on efforts assisting NSF in drafting a cybersecurity section for the Large Facilities Manual. The current schedule calls for a first draft to be available in November 2018 and version 0.9 in January 2019, with publication of version 1.0 in March 2019. An additional blog posting and announcement will be made at each of those milestones, and community feedback is strongly encouraged. We need your feedback to help us get this right!

Preview of the Framework

Trusted CI’s framework is built around four pillars: Mission Alignment, Governance, Resources, and Controls. Like the pillars supporting any structure, all are vital and required for an efficient and effective cybersecurity program.

Mission Alignment:

Cybersecurity programs ultimately exist to improve productivity by protecting the interests of the project’s mission. The program must center on appropriate protection for the information assets vital to that mission. Which information assets are critical will change over a project’s lifecycle, so an accurate, maintained information asset inventory is a basic requirement. To simplify understanding of the protection each asset needs, an information classification scheme groups assets conceptually by the kind of protection required. External requirements (e.g., regulatory or sponsor obligations) may also play a role in the level and type of protection.

Governance:

Cybersecurity is not the responsibility of a few but involves project leadership, the administrators responsible for information assets, project personnel, and external users. Policies must clearly define the roles and responsibilities of all these contributors to the cybersecurity program. Additional policies are required to address a range of issues, from appropriate use to incident handling. Periodic evaluation of the cybersecurity program is necessary to validate that the allocation of resources to controls is effective and efficient in providing appropriate protection for project information resources.

Resources:

People, budgets, tools, and services are all required to operate a cybersecurity program. Finding and retaining people with cybersecurity expertise can be challenging. In addition to technical skills, important traits include the ability to teach, communicate, and negotiate. Smaller, stand-alone projects without a supporting infrastructure typically spend a higher percentage of their IT budget on cybersecurity because they cannot benefit from economies of scale. The money might be in a separate cybersecurity budget, but often it is part of some other organizational budget (e.g., the IT budget). Tools and third-party services can help fill gaps in the program, but they have to be adopted with care: they can easily strain the budget and add to the need for experienced personnel who can use them effectively.

Controls:

Controls are the safeguards and countermeasures that ensure the appropriate protection of an information asset according to the asset’s information classification. Control selection and implementation are ongoing processes in any cybersecurity program because of technical and organizational changes and the dynamic nature of threats and vulnerabilities. The Center for Internet Security (CIS) Controls are widely regarded as an authoritative, reasonable, and prioritized set of controls. The first six of these controls are the basic, minimal set that each project must either provide itself or ensure are provided by a supporting infrastructure. Additional controls enhance protection for mission-critical systems and data, and for systems or data that require specialized controls (e.g., SCADA systems, software repositories, critical or high-speed scientific data flows).