ODLS Client Spotlight: BC High School Cyber Security Assessment
In June 2019, Larry Wilson (UMass Cybersecurity Engineer) conducted a cybersecurity risk assessment for Boston College High School to provide members of the school’s leadership team with a clear understanding of the current state of security at the high school. In partnership with the University of Massachusetts, the assessment’s goal was to establish a repeatable process for designing and delivering a comprehensive cybersecurity program and conducting an annual cybersecurity risk assessment.
Results from the assessment provided the school with a current state cybersecurity profile and a roadmap to improve its security capability. UMass and the school worked collaboratively to develop a cybersecurity plan, a current scorecard, a detailed gap analysis, a plan of action and milestones, and an executive report.
The cybersecurity assessment was based on industry best practices, including the NIST Cybersecurity Framework and the Council on Cybersecurity Critical Security Controls. The Framework and Critical Controls were assessed across BC High School’s operational areas, including on-site and cloud-based solutions.
Key information technology and business resources from BC High School worked with the UMass security consultants to set priorities, gather information, and answer questions. Information used in the engagement included network diagrams, data flow diagrams, asset inventory, lists of users with privileged access, security technologies and tools currently utilized, etc.
This engagement began in June 2019 and lasted two weeks. A draft security assessment was shared with the school to check for accuracy and completeness. The final report was presented to the school one week after receipt of the school's comments and questions on the draft assessment.
Cybersecurity Assessment Approach:
- Step 1: Conduct a kickoff meeting to collect information from the operation’s team (network diagrams, access diagrams, data flow diagrams, asset inventories, security tools inventories, manager names / roles, etc.).
- Step 2: Based on information gathered in Step 1, complete the draft System Security Plan (SSP) and the draft Risk Assessment.
- Step 3: Review the results of the draft System Security Plan (SSP) and draft Risk Assessment with the BC High operations team, who will validate any assumptions made regarding the network diagrams, access diagrams, data flow diagrams, asset inventories, security tools inventories, manager names / roles, etc. In addition, the operations team will answer questions for areas where there is a lack of understanding or lack of information.
- Step 4: Review the results of the draft System Security Plan (SSP) and draft Risk Assessment with the BC High operations team, where they will validate the relative maturity of the security controls based on the CIS Critical Security Controls.
- Step 5: Once all questions are answered and unclear areas are resolved, the draft reports are shared with the BC High management team for review and comment.
- Step 6: After final feedback is received from the BC High operations team and management team, and all critical assumptions, business, and technical solutions, controls, control gaps, etc., are documented and approved, the final documents (System Security Plan, Cybersecurity Risk Assessment, Plan of Action and Milestones, and Executive Report) will be delivered to the BC High program lead.
Cybersecurity Assessment Deliverables:
- Assessment Scope: BC High School representatives established the scope of systems and assets that support the critical business lines and processes. Once the scope was determined, the related user accounts, systems, networks, and information assets were identified.
- System Security Plan (SSP): BC High School and UMass worked collaboratively to document the desired security state (target profile) of the business in the System Security Plan (SSP). The target profile aligned with the Core Functions described in the NIST Cybersecurity Framework. These functions include: Identify, Protect, Detect, Respond, Recover. The detailed technical controls were based on the CIS Critical Security Controls. The target profile, which consists of the NIST Cybersecurity Framework / Functions and the CIS Controls, is used to identify the desired cybersecurity outcomes delivered by the organization.
- Risk Assessment: Identifies the current security state of the business (current profile) based on alignment with the NIST Cybersecurity Framework and CIS Critical Security Controls. The Risk Assessment results indicate the outcomes from the SSP that are currently being achieved.
- The Plan of Action and Milestones (POA&M): The current profile and the target profile are compared to determine gaps. Based on the gaps identified, a prioritized action plan is developed to address the gaps.
- The Cybersecurity Maturity Report: The Cyber Maturity Report outlines the key business objectives, applications, systems, user accounts, etc., that were assessed, along with the current state of security, the desired state of security, and recommendations for improvement. The Report highlights the current state of cybersecurity across the organization while prioritizing the most important cybersecurity initiatives for the next 12 months.
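As an added illustration (not the assessment's own tooling or data) of how the target profile from the SSP and the current profile from the Risk Assessment are compared to produce the current scorecard per NIST CSF function and the prioritized POA&M; the control list, 0-5 maturity scale, function weights and all scores are constructed sample values:

```python
"""Gap analysis between the SSP target profile and the risk-assessment current
profile, producing a per-function scorecard and a prioritized POA&M.
Added illustration, not the UMass assessment's own tooling; the control list,
0-5 maturity scale, function weights and all scores are constructed sample data."""
from collections import defaultdict

# Each (constructed) CIS-style control mapped to the NIST CSF Core Function it supports.
CONTROLS = {
    "CIS 1 Inventory of hardware assets": "Identify",
    "CIS 2 Inventory of software assets": "Identify",
    "CIS 4 Controlled use of admin privileges": "Protect",
    "CIS 6 Audit log management": "Detect",
    "CIS 10 Data recovery capability": "Recover",
    "CIS 19 Incident response": "Respond",
}
# Target profile (from the SSP) and current profile (from the risk assessment), 0-5 maturity.
TARGET = {"CIS 1 Inventory of hardware assets": 4, "CIS 2 Inventory of software assets": 4,
          "CIS 4 Controlled use of admin privileges": 4, "CIS 6 Audit log management": 3,
          "CIS 10 Data recovery capability": 4, "CIS 19 Incident response": 3}
CURRENT = {"CIS 1 Inventory of hardware assets": 2, "CIS 2 Inventory of software assets": 1,
           "CIS 4 Controlled use of admin privileges": 4, "CIS 6 Audit log management": 1,
           "CIS 10 Data recovery capability": 3, "CIS 19 Incident response": 1}
# Relative weight per function used to rank gaps of equal size (constructed values).
FUNCTION_WEIGHT = {"Identify": 1.0, "Protect": 1.5, "Detect": 1.3, "Respond": 1.2, "Recover": 1.0}


def scorecard(current=CURRENT, target=TARGET):
    """Percent of target maturity achieved per NIST CSF function (the 'current scorecard')."""
    achieved, desired = defaultdict(int), defaultdict(int)
    for control, function in CONTROLS.items():
        achieved[function] += current.get(control, 0)  # an unassessed control counts as 0
        desired[function] += target[control]
    return {f: round(100.0 * achieved[f] / desired[f], 1) for f in desired}


def gap_analysis(current=CURRENT, target=TARGET):
    """Controls whose current maturity falls short of the target, with the size of the gap."""
    return [{"control": c, "function": f, "current": current.get(c, 0),
             "target": target[c], "gap": target[c] - current.get(c, 0)}
            for c, f in CONTROLS.items() if current.get(c, 0) < target[c]]


def poam(current=CURRENT, target=TARGET):
    """Prioritized plan of action: largest weighted gap first, control name as tie-breaker."""
    gaps = gap_analysis(current, target)
    return sorted(gaps, key=lambda g: (-g["gap"] * FUNCTION_WEIGHT[g["function"]], g["control"]))


if __name__ == "__main__":
    print("Scorecard:", scorecard())
    for rank, item in enumerate(poam(), 1):
        print(f"{rank}. {item['control']} ({item['function']}): {item['current']} -> {item['target']}")
```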
November 06, 2019