CERT PODCAST SERIES: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

How the University of Pittsburgh Is Using the NIST Cybersecurity Framework

Key Message: The University of Pittsburgh is using the NIST Cybersecurity Framework to improve cybersecurity at the enterprise level for its large, diverse organization.

Executive Summary

In this podcast, Sean Sweeney, Information Security Officer (ISO) for the University of Pittsburgh (Pitt), discusses the university's use of the NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework). The University of Pittsburgh is a large, decentralized institution with a diverse population of networks and information types. The challenge of balancing academic freedom with security and the protection of research data is put to the test every day.

The use of the CSF, created by NIST as a common starting point for improving the cybersecurity of critical infrastructure providers, has proven valuable in helping Pitt understand its baseline security posture, prioritize gaps, and set a target profile for improvement. The flexibility of the five NIST CSF core functions (Identify, Protect, Detect, Respond, Recover) provides a solid starting point from which to understand the information security practices that are already in place at Pitt and the practices that are needed to improve the overall program. The podcast is based on a presentation by Sean Sweeney (see Resources).


PART 1: APPLICABILITY OF THE NIST CSF

Pitt Background

The University of Pittsburgh is a large, educational research institution located in Pittsburgh, PA. There are approximately:

The University operates like a small city to provide services such as:

Challenges of a One Size Fits All Security Program

In an organization like Pitt, it is challenging to design a security program that meets all needs. This is due to:

All of these require that the University take a risk-based approach to security.

Structure of NIST CSF

The NIST CSF has five core functions: Identify, Protect, Detect, Respond, and Recover. These five core functions are broken down into categories and subcategories. An example of a category under the Identify function is Asset Management. Asset Management covers the identification of:

In addition to the five core functions, the NIST CSF describes 22 categories and 98 subcategories, and is mapped to other standards and best practices such as COBIT 5, ISO/IEC 27001, NIST SP 800-53 Revision 4, and others.


PART 2: ASSESSMENT, CURRENT STATE, AND DESIRED TARGET STATE

The first step in using the NIST CSF is to conduct a risk assessment and document your current (as-is) state, or profile, using the statements in the subcategories. This assessment of the current profile prepares the organization to think about its target profile, or future state.

Pitt used the following process:

There was a lot of value in the dialogue between the information security group and the stakeholders, including the identification of:

The process resulted in a prioritized list of activities that will reduce cybersecurity risk and provide value.


PART 3: EARLY SUCCESSES AND LESSONS LEARNED

Early successes came from taking practices Pitt was already performing and streamlining them or improving their documentation. In the case of Asset Management, this included making sure that the system of record was addressed in policy. Another example was improving the vulnerability management process to make it a more robust, repeatable, continuous program.

Although the diversity of the Pitt environment makes securing it a challenge, the framework provided a common language across the various IT departments, business functions, and administrative areas.

Pitt noted the following advantages of using the NIST CSF:

Resources

Sweeney, Sean. “NIST Cybersecurity Framework.” Presentation, University of Pittsburgh, May 2015.

National Institute of Standards and Technology. Cybersecurity Framework.

U.S. Department of Homeland Security. Cyber Resilience Review.

Critical Infrastructure Cyber Community (C3) Voluntary Program.

Federal Financial Institutions Examination Council. Cybersecurity Assessment Tool.

ISACA. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.

ISO/IEC 27001: Information Security Management.

NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. April 2013.