LAB DIGITAL ASSIGNMENT-4
Information Security Analysis and Audit
Name- Varun Goel Reg. No- 19BCE2296
Slot- L5+L6 Faculty- Mr. Aju D
NIST Cybersecurity Framework for VIT University
• The NIST Cybersecurity Framework (NIST CSF) provides guidance on
how to manage and reduce IT infrastructure security risk. The CSF is
made up of standards, guidelines and practices that can be used to prevent,
detect and respond to cyberattacks.
• The NIST Cybersecurity Framework organizes its core material into five
functions which are subdivided into a total of 23 categories.
• The National Institute of Standards and Technology (NIST) created the
CSF for private sector organizations in the United States to create a
roadmap for critical infrastructure cybersecurity.
• In VIT University, SDC deals with critical cybersecurity infrastructure.
• Functions and categories of the NIST framework are as follows:
▪ Identify (ID)
  ◦ Asset Management
  ◦ Governance
  ◦ Risk Assessment
  ◦ Risk Management Strategy
  ◦ Business Environment
  ◦ Supply Chain Risk Management
▪ Protect (PR)
  ◦ Access Control
  ◦ Data Security
  ◦ Information Protection Processes and Procedures
  ◦ Awareness and Training
  ◦ Maintenance
  ◦ Protective Technology
▪ Detect (DE)
  ◦ Anomalies and Events
  ◦ Security Continuous Monitoring
  ◦ Detection Processes
▪ Respond (RS)
  ◦ Response Planning
  ◦ Mitigation
  ◦ Communications
  ◦ Analysis
  ◦ Improvements
▪ Recover (RC)
  ◦ Recovery Planning
  ◦ Communications
  ◦ Improvements
1.) Identify:
→ Asset Management (ID.AM)
The physical devices, systems, software platforms and applications of VIT University are
inventoried.
University’s communication and data flows are mapped. External information systems are
catalogued. Resources are prioritized based on their classification.
Finally, cybersecurity roles and responsibilities for Codetantra, Moodle, Schoology and
other partners are established.
→ Governance (ID.GV)
University’s cybersecurity policy is established and communicated.
Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and
external partners.
Legal and regulatory requirements regarding cybersecurity, including privacy and civil
liberties obligations, are understood and managed. Governance and risk management
processes address cybersecurity risks.
→ Risk Assessment (ID.RA)
Cyber threat intelligence is received from information sharing forums and sources. Threats,
both internal and external, are identified and documented. Potential business impacts and
likelihoods are identified.
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
→ Risk Management Strategy (ID.RM)
Risk management processes are established and managed. University’s risk tolerance is
determined and clearly expressed. The determination of risk tolerance is informed by its role
in critical infrastructure and sector-specific risk analysis.
→ Business Environment (ID.BE)
VIT University’s role in the supply chain is identified and communicated, and its place in
critical infrastructure is also communicated.
Resilience requirements to support delivery of critical services are established for all operating
states.
→ Supply Chain Risk Management (ID.SC)
University’s cyber supply chain risk management processes are identified, established,
assessed, managed, and agreed to by organizational stakeholders. Suppliers and third-party
partners of information systems, components, and services are identified, prioritized, and
assessed using a cyber supply chain risk assessment process.
2.) Protect:
→ Access Control (PR.AC)
Identities and credentials are issued, managed, verified, revoked, and audited for authorized
devices, users and processes. Users, devices, and other assets are authenticated commensurate
with the risk of the transaction (e.g., students’ security and privacy risks).
→ Data Security (PR.DS)
Data-at-rest and data-in-transit of the students, faculty and staff are protected. Assets are
formally managed throughout removal, transfers, and disposition. Adequate capacity to
ensure availability is maintained.
Protections against data leaks are implemented. Integrity checking mechanisms are used to
verify software, firmware, and information integrity.
→ Information Protection Processes and Procedures (PR.IP)
A System Development Life Cycle to manage systems is implemented. Backups of all
staff and student information are conducted, maintained, and tested. Policy and regulations
regarding the physical operating environment for the University’s assets are met. Data is
destroyed according to policy. Protection processes are improved.
→ Awareness and Training (PR.AT)
All the users of the University are informed and the privileged users understand their roles.
Partners such as Codetantra, Moodle and Schoology understand their responsibilities.
→ Maintenance (PR.MA)
Maintenance and repair of the University’s assets are performed and logged, with approved and
controlled tools. Remote maintenance of University’s assets is also approved, logged, and
performed in a manner that prevents unauthorized access.
→ Protective Technology (PR.PT)
University’s technical security solutions are managed to ensure the security and resilience of
assets. The principle of least functionality is incorporated by configuring systems to provide
only essential capabilities. Communications and control networks are protected.
3.) Detect:
→ Security Continuous Monitoring (DE.CM)
Consider implementing correlation rules within the University’s log management solutions to
automate threat detection and log analysis. Consider acquiring a SIEM solution.
The University’s network and physical environment are monitored to detect potential
cybersecurity events. External service provider activity is monitored to detect potential
cybersecurity events. Monitoring for unauthorized personnel, connections, devices and software
is performed, and vulnerability scans are also performed.
→ Anomalies and Events (DE.AE)
Unusual activities in the University’s network are detected and the potential impact of the
events is understood. Implement automated mechanisms that help the University maintain
consistent baseline configurations for information systems, for example hardware
and software inventory tools, configuration management tools and network management tools.
Such tools can be deployed and allocated as common controls, at the information system
level, or at the operating system or component level.
→ Detection Processes (DE.DP)
The University’s SDC team attempts to cover 100% of assets and eliminate vulnerabilities.
Detection processes are continuously improved. Continuous service improvement is established
within the Vulnerability Management Process.
Incorporate improvements derived from the monitoring, measurements, assessments, and
lessons learned into detection process revisions. Ensure the security plan for the production
system provides for the review, testing, and continual improvement of the security detection
processes.
4.) Response:
→ Response Planning (RS.RP)
VIT University adopts policies which regulate roles, responsibilities and procedures in terms
of the incident management process. Policies include Incident Management and Incident
Response processes.
The SDC team implements separate Incident Management and Problem Management processes.
Response plans are executed during or after an incident.
→ Mitigation (RS.MI)
The University performs various activities to prevent expansion of an event, mitigate its effects,
and resolve the incident.
→ Communications (RS.CO)
Share cybersecurity event information voluntarily, as appropriate to achieve broader
cybersecurity awareness. Based on risk assessment, decide whether cooperation and
information sharing with Cyber Police and CERT-UA are needed.
→ Analysis (RS.AN)
Conduct quantitative and qualitative risk analysis of impacted assets. Correlate detected
event information and incident responses with risk assessment outcomes to achieve
perspective on incident impact across the University.
→ Improvements (RS.IM)
University’s response activities are improved by incorporating lessons learned from current
and previous detection/response activities.
5.) Recovery:
→ Recovery Planning (RC.RP)
The University executes various recovery processes and maintains the procedures to ensure
restoration of systems or assets affected by cybersecurity incidents.
→ Improvements (RC.IM)
The University’s Disaster Recovery Plan (DRP) should be reviewed for accuracy and
completeness at least annually, as well as upon significant changes to any element of the DRP
system. Elements of the plan should be reviewed and updated more frequently. Update
schedules should be stated in the DRP.
→ Communications (RC.CO)
The University repairs its reputation after an incident. Recovery activities are communicated to
executive and management teams. Implement crisis response strategies which will include
actions to change perceptions of the University in crisis, and reduce the negative effect
generated by the crisis.
MY OPINION
From the above-mentioned cyber security framework, it seems that aligning the cybersecurity
framework to our university objectives and making the cybersecurity framework a part of our
culture will help us in a greater way to be prepared for the upcoming incidents.