CS4782 - Information Security Framework Master

Git Repo for UMSL Spring 2017 'Introduction to Cyber Security' class project

Problem Statement:

There exists many information security frameworks and standards (e.g. best practices enumerated by infosec practitioners, private regulations, public regulations, ISACs, etc). These different frameworks and standards ultimately cover a common set of best practice controls (people, process, technology) but simply reorganize the controls in different ways or apply them to different organizational scopes (e.g. risk-based models, compliance mandates, Client requirements).

Most organizations must meet the requirements of multiple security frameworks or standards in order to continue business operations. For example, a public healthcare organization that accepts credit card transactions may need to comply with SOX, HIPAA, HITRUST, and PCI DSS control requirements to reduce the risk of financial loss (e.g. impacts to sales revenue or margin erosion through operational overhead).

This project is intended for Corporate Information Security Professionals that seek to more efficiently manage their information security policy and associated controls. The utility of this project includes:

• A visual breakdown of multiple information security frameworks all in one view
• The ability to hierarchically view the detailed control structure and descriptions of each supported framework
• A cross-walk view of multiple information security frameworks maintained through manual pruning and AI-driven insights
• The ability to map framework controls to custom organizational models in order to assign and track control owners to a specific organization
• Commonly accepted success criteria (qualitative) and metrics (quantitative) to assess control effectiveness
• Dashboards views for each control
• All features run on a MEAN (Mongo.Express.Angular.Node) stack and a fully functional instance of the project can be easily set up for private use
• Ability to export/import/edit objects and custom configurations through JSON

This file will contain additional details on the different discrete components to complete in Spring 2017.

Proposed milestones to achieve the above requirements --

Week 2 and 3: // start now! (Jan 25, 2017)
Create an HTML/JavaScript application that lists out the NIST CyberSecurity Framework (CSF) hierarchically; in the case of NIST CSF, this is (function->category->subcategory->informative_references). You should be able to expand and collapse each parent and child element. Use a JSON (.json) file to store the data.
Hints:

• NIST CSF documentation can be found here: https://www.nist.gov/cyberframework/csf-reference-tool
• JSON: http://www.json.org/
• Use this site to learn more about each language/technology: http://www.w3schools.com/
• Example of hierarchical view: https://drive.google.com/open?id=0B98llBjblu-tUUxBRzBEeHVBWTQ

Week 4:

Detailed Features that probably need to go in to the backlog:

// These high-level requirements should be the starting point for the features that will be implemented for the project

• Visual and interactive display of common risk management frameworks and their structure
• Cross-walk between various frameworks and controls
• Ability to customize a a pre-defined security framework
• Ability to create 'current' v. 'target' maturity profiles for organizations that want to report against a specific framework, or combination of frameworks
• Ability to compare frameworks side-by-side
• Data Structure (e.g. JSON) that can incorporate additional frameworks and revisions to current frameworks
• Ability to create a view of the IT functional organization
• Ability to map framework controls to IT functional organizations/departments

// These are a few suggested modules that you can break the work down into

Module #1: Front end design (AngularJS)

• create the UI layer, what are functional requirements?
• create layout and style

Module #2: InfoSec framework data schema

• create framework data classes and objects (stored in DB like Mongo and/or in JSON)