
Information Security


Executive summary

NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The
NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their
cybersecurity risk and protect their networks and data. The Framework is voluntary. It gives our business
an outline of best practices to help us decide where to focus our time and money for
cybersecurity protection.

It provides a set of cybersecurity best practices, organized into five core functions: Identify, Protect,
Detect, Respond, and Recover.

1. Protect: The Protect function is about implementing safeguards to ensure the delivery of critical
infrastructure services. It involves activities such as access control, data protection, and security
training.
2. Detect: This function involves the continuous monitoring and detection of cybersecurity events.
It helps organizations identify and respond to security incidents in a timely manner.
3. Respond: The Respond function outlines activities that should be taken when a cybersecurity
incident is detected. This includes response planning, communication, and mitigation of the
impact.
4. Recover: The Recover function addresses the restoration of capabilities and services after a
cybersecurity incident. It includes recovery planning, improvements, and communication.

MUST's structure in the context of information security:

• Governance:
  1. Unknown dedicated cybersecurity body: While a dedicated department for information security is likely, its structure, size, and responsibilities are unclear from public information.
  2. Potential involvement of IT department: The Information Technology department may play a significant role in implementing and managing security controls.
  3. Leadership by Vice Chancellor and Deans: Overall responsibility for cybersecurity likely rests with the Vice Chancellor and Deans of each faculty, ensuring alignment with university goals and risk appetite.
• Personnel:
  1. Dedicated cybersecurity staff: The presence of a dedicated BS program in Information Security suggests the university employs staff with expertise in this field.
  2. Potential IT staff involvement: IT staff may also be involved in security operations, depending on the division of responsibilities.
  3. Security awareness and training: The degree of security awareness and training among faculty, staff, and students is unknown but should be assessed as part of a NIST CSF analysis.
• Technology:
  1. Critical infrastructure: Website, online platforms, research databases, student/faculty information systems, email, and network infrastructure are likely critical assets. The specific technologies used and their security configurations are unknown.
  2. Security controls: The extent of implementation of various security controls, such as firewalls, intrusion detection/prevention systems, data encryption, and access controls, is unclear.
• Data:
  1. Sensitive data: Student records, financial information, research data, intellectual property, and personal information of faculty and staff are likely stored and processed. Data classification and handling procedures are unknown.
• External relationships:
  1. Vendors and third-party providers: The university likely relies on external providers for various services, such as cloud computing, software, and IT support. The extent of cybersecurity risk assessments and management for these relationships is unknown.

Risk assessment findings

Risk Assessment Findings for MUST Information Security

Some potential risk assessment findings for MUST are as follows:

• High-Impact Risks:
  1. Data Breach of Student Records:
     Likelihood: Medium-High (due to lack of known controls and sensitive nature of data)
     Impact: Very High (reputational damage, legal consequences, financial losses)
  2. Ransomware Attack on Research Databases:
     Likelihood: Medium (increasing due to prevalence of ransomware attacks)
     Impact: Very High (data loss, research disruption, IP theft)
  3. DoS Attack on University Website:
     Likelihood: Medium (common attack method)
     Impact: High (service disruption, reputational damage, financial losses)
• Medium-Impact Risks:
  1. Insider Threat Exploiting Access to Financial Data:
     Likelihood: Low-Medium (depends on access controls and training)
     Impact: High (financial losses, legal repercussions)
  2. Unpatched Vulnerabilities in Custom Applications:
     Likelihood: Medium (unknown vulnerabilities pose a constant risk)
     Impact: Medium-High (depending on exploited vulnerability and its potential)
  3. Physical Security Breach of Server Room:
     Likelihood: Low-Medium (depends on physical security measures)
     Impact: Medium-High (data loss, disruption, potential hardware damage)
• Low-Impact Risks:
  1. Phishing Attacks on Faculty and Staff:
     Likelihood: Medium (depends on user awareness and training)
     Impact: Low-Medium (potential data loss, malware infection)
  2. Accidental Data Loss by Users:
     Likelihood: Medium (common human error)
     Impact: Low-Medium (depending on lost data and recovery options)
  3. Inadequate Vendor Security Practices:
     Likelihood: Medium (common in external dependencies)
     Impact: Low-Medium (potential data exposure, service disruption)

NIST CSF alignment for MUST

Aligning MUST with NIST CSF Components

1. Identify:
   • Asset Inventory:
     o Conduct a comprehensive inventory of all critical IT assets, including:
       - Networks, systems, devices, software, and data
       - Prioritize sensitive data: student records, research data, financial information, and intellectual property
     o Classify assets based on sensitivity and criticality to prioritize protection efforts.
   • Risk Assessment:
     o Identify and assess potential cyber threats and vulnerabilities, considering:
       - Common attack vectors like malware, phishing, ransomware, and data breaches
       - Insider threats, physical security risks, and supply chain vulnerabilities
     o Evaluate the likelihood and impact of potential incidents to prioritize risk mitigation actions.
   • Governance:
     o Establish clear roles and responsibilities for information security within MUST.
     o Create a dedicated cybersecurity committee or team to oversee implementation and compliance efforts.
     o Integrate cybersecurity objectives into MUST's overall strategic planning and decision-making processes.

2. Protect:
   • Access Controls:
     o Implement strong authentication and authorization mechanisms, such as:
       - Multi-factor authentication for sensitive systems and data
       - Role-based access controls (RBAC) to enforce least privilege principles
     o Regularly review and update access controls to maintain effectiveness.
   • Data Security:
     o Encrypt sensitive data at rest and in transit.
     o Implement data loss prevention (DLP) solutions to prevent unauthorized data exfiltration.
     o Enforce secure backup and recovery procedures to ensure data availability in case of incidents.
   • Network Security:
     o Install and maintain firewalls, intrusion detection/prevention systems (IDS/IPS), and endpoint security software.
     o Segment networks to isolate sensitive systems and data.
     o Regularly patch systems and applications to address vulnerabilities.

3. Detect:
   • Security Monitoring:
     o Establish a Security Operations Center (SOC) or implement tools for continuous monitoring of network traffic, system logs, and user activity.
     o Implement anomaly detection systems to identify unusual behavior that could indicate potential threats.
   • Vulnerability Management:
     o Regularly scan systems and applications for vulnerabilities.
     o Prioritize patching based on risk assessment findings.
     o Implement vulnerability management processes to track and remediate identified vulnerabilities.

4. Respond:
   • Incident Response Plan:
     o Develop and test a comprehensive incident response plan that outlines:
       - Roles and responsibilities for incident response team members
       - Communication protocols for internal and external stakeholders
       - Containment and eradication procedures for different types of incidents
       - Recovery and restoration processes to resume normal operations
   • Incident Handling:
     o Establish procedures for:
       - Identifying and reporting security incidents
       - Investigating incidents to determine root cause and scope
       - Containing and mitigating the impact of incidents
       - Recovering from incidents and restoring systems and data

5. Recover:
   • Business Continuity and Disaster Recovery (BCDR):
     o Develop and test BCDR plans to ensure:
       - Critical university functions can be restored quickly and efficiently after a cyberattack or other disruptive event
       - Data backups are available and can be restored quickly
       - Communication strategies are in place to keep stakeholders informed during outages

Implementation plan

This plan outlines a phased approach for aligning MUST's information security posture with the NIST Cybersecurity Framework (CSF) across the five functions: Identify, Protect, Detect, Respond, and Recover.

Phase 1: Foundation Building

• 1.1 Establish Governance:
  o Form a dedicated cybersecurity committee with representatives from IT, faculty, legal, and administration.
  o Define roles and responsibilities for information security within the university.
  o Develop a cybersecurity policy outlining objectives, strategies, and compliance requirements.
• 1.2 Conduct Comprehensive Assessment:
  o Inventory all critical IT assets, including hardware, software, data, and network infrastructure.
  o Classify assets based on sensitivity and criticality to prioritize protection efforts.
  o Conduct a comprehensive risk assessment using the NIST CSF framework, identifying threats, vulnerabilities, and potential impacts.
  o Prioritize risks based on likelihood and impact, focusing on high-impact risks first.
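As an added worked example (not part of the original plan), the prioritization step above and the "evaluate the likelihood and impact" step under Identify, carried out over the risk register from the findings section. The midpoint scoring of hyphenated ratings such as Medium-High and the tier thresholds are assumptions made for this example; they were chosen so that the computed tiers reproduce the findings' High/Medium/Low grouping.

```python
from dataclasses import dataclass

# Ordinal scale used by the findings section. A hyphenated rating such as
# "Medium-High" scores as the midpoint of its two levels; that rule and the
# tier thresholds below are assumptions made for this example, not NIST's.
LEVELS = {"Low": 1.0, "Medium": 2.0, "High": 3.0, "Very High": 4.0}
HIGH_TIER_MIN = 6.0    # score at or above this is a High-Impact Risk
MEDIUM_TIER_MIN = 3.5  # score at or above this (and below HIGH) is Medium

def rating_to_score(rating: str) -> float:
    """Map 'Low', 'Medium-High', 'Very High', ... to a number on the scale."""
    parts = [p.strip() for p in rating.split("-")]
    unknown = [p for p in parts if p not in LEVELS]
    if unknown:  # reject typos rather than silently mis-scoring a risk
        raise ValueError(f"unknown rating level(s): {unknown}")
    return sum(LEVELS[p] for p in parts) / len(parts)

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> float:
        return rating_to_score(self.likelihood) * rating_to_score(self.impact)

def tier_of(score: float) -> str:
    if score >= HIGH_TIER_MIN:
        return "High"
    if score >= MEDIUM_TIER_MIN:
        return "Medium"
    return "Low"

def prioritize(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Return (name, score, tier) sorted highest score first; ties by name."""
    ranked = sorted(register, key=lambda r: (-r.score, r.name))
    return [(r.name, r.score, tier_of(r.score)) for r in ranked]

# Constructed sample register, transcribed from the findings section above.
MUST_REGISTER = [
    Risk("Data breach of student records", "Medium-High", "Very High"),
    Risk("Ransomware attack on research databases", "Medium", "Very High"),
    Risk("DoS attack on university website", "Medium", "High"),
    Risk("Insider threat exploiting access to financial data", "Low-Medium", "High"),
    Risk("Unpatched vulnerabilities in custom applications", "Medium", "Medium-High"),
    Risk("Physical security breach of server room", "Low-Medium", "Medium-High"),
    Risk("Phishing attacks on faculty and staff", "Medium", "Low-Medium"),
    Risk("Accidental data loss by users", "Medium", "Low-Medium"),
    Risk("Inadequate vendor security practices", "Medium", "Low-Medium"),
]

if __name__ == "__main__":
    for name, score, tier in prioritize(MUST_REGISTER):
        print(f"{score:5.2f}  {tier:<6}  {name}")
```

Within the Medium tier the computed order places the unpatched custom applications (5.0) ahead of the insider threat (4.5), which is the kind of detail a numeric score surfaces that a prose list does not.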

Phase 2: Implementing Core Controls

• 2.1 Access Control:
  o Implement multi-factor authentication (MFA) for all high-risk systems and services, including student portals, research databases, and administrative systems.
  o Enforce role-based access controls (RBAC) to grant least privilege access based on user roles and responsibilities.
  o Regularly review and update access controls to ensure continued effectiveness.
• 2.2 Data Security:
  o Implement data encryption at rest and in transit for sensitive data such as student records, financial information, and research data.
  o Deploy data loss prevention (DLP) solutions to prevent unauthorized data exfiltration.
  o Establish secure backup and recovery procedures to ensure data availability in case of incidents.
• 2.3 Network Security:
  o Install and maintain firewalls to control inbound and outbound network traffic.
  o Implement intrusion detection/prevention systems (IDS/IPS) to monitor network activity for suspicious behavior.
  o Regularly patch systems and applications to address known vulnerabilities.
  o Segment networks to isolate critical systems and data from less sensitive areas.

Phase 3: Enhancing Detection and Response

• 3.1 Security Monitoring:
  o Establish a Security Operations Center (SOC) or implement tools for continuous monitoring of:
    - Network traffic logs
    - System logs
    - User activity logs
    - Security event information
  o Implement anomaly detection systems to identify unusual behavior that could indicate potential threats.
• 3.2 Vulnerability Management:
  o Establish a formal vulnerability management program to:
    - Regularly scan systems and applications for vulnerabilities.
    - Prioritize patching based on risk assessment findings.
    - Track and remediate identified vulnerabilities promptly.
• 3.3 Incident Response:
  o Develop and test a comprehensive incident response plan outlining:
    - Roles and responsibilities for team members
    - Communication protocols for internal and external stakeholders
    - Containment and eradication procedures for different types of incidents
    - Recovery and restoration processes to resume normal operations
  o Conduct regular incident response drills and exercises to test and refine the plan.

Phase 4: Continuous Improvement

• 4.1 Security Awareness and Training:
  o Develop and implement ongoing security awareness and training programs for faculty, staff, and students.
  o Cover topics such as phishing scams, password hygiene, social engineering, and reporting suspicious activity.
  o Conduct regular awareness campaigns and training sessions to maintain a culture of security.
• 4.2 Independent Audits and Assessments:
  o Conduct regular independent audits and assessments to:
    - Validate the effectiveness of implemented controls.
    - Identify areas for improvement in MUST's cybersecurity posture.
    - Ensure compliance with relevant regulations and standards.
• 4.3 Collaboration and Sharing:
  o Collaborate with external partners, industry organizations, and government agencies to share information and best practices.
  o Participate in relevant cyberthreat information sharing communities.
  o Stay informed about evolving threats and vulnerabilities to adapt security measures accordingly.

Legal and ethical considerations in each aspect of implementation plan

Integrating Legal and Ethical Measures into MUST's NIST CSF Implementation Plan

By seamlessly integrating legal and ethical considerations into each stage of the implementation plan, MUST can build a robust information security posture that not only protects its data and systems but also upholds its ethical obligations and complies with relevant regulations. Here's how legal and ethical measures can be integrated into the existing plan:

Phase 1: Foundation Building

• 1.1 Governance:
  o Legal: Ensure the cybersecurity policy complies with applicable data privacy laws like FERPA and GDPR, outlining appropriate data handling procedures and breach notification requirements.
  o Ethical: Include an ethics statement emphasizing responsible research conduct, data sharing principles, and intellectual property protections.
• 1.2 Comprehensive Assessment:
  o Legal: Identify legal ramifications of potential risks, such as financial penalties for data breaches or intellectual property infringement.
  o Ethical: Evaluate the ethical implications of identified vulnerabilities, such as potential harm to research participants or reputational damage from biased algorithms.

Phase 2: Implementing Core Controls

• 2.1 Access Control:
  o Legal: Implement access controls in accordance with data privacy regulations, ensuring the principle of least privilege and proper justification for granted access.
  o Ethical: Limit access to research data based on ethical considerations of consent, confidentiality, and responsible data sharing practices.
• 2.2 Data Security:
  o Legal: Choose encryption methods compliant with relevant data security regulations, particularly for sensitive data categories like student records and financial information.
  o Ethical: Adopt ethical data storage and retention practices, considering the purpose of data collection, user consent, and responsible disposal of data that is no longer needed.
• 2.3 Network Security:
  o Legal: Regularly update firewalls and IDS/IPS to meet legal requirements for network security measures.
  o Ethical: Implement network security controls that respect user privacy and avoid infringing on academic freedom, while ensuring adequate protection against cyber threats.

Phase 3: Enhancing Detection and Response

• 3.1 Security Monitoring:
  o Legal: Ensure monitoring protocols comply with data privacy regulations and avoid unauthorized data collection or surveillance.
  o Ethical: Establish clear ethical guidelines for incident response procedures, balancing security needs with individual privacy rights and responsible data handling.
• 3.2 Vulnerability Management:
  o Legal: Prioritize patching vulnerabilities based on legal severity, addressing critical vulnerabilities with immediate impact on data security or compliance.
  o Ethical: Consider the ethical implications of vulnerabilities related to research data or algorithmic bias, prioritizing their remediation to avoid potential harm.
• 3.3 Incident Response:
  o Legal: Develop incident response plans compliant with data breach notification laws, outlining proper communication protocols for affected individuals and legal authorities.
  o Ethical: Include ethical considerations in incident response training, emphasizing responsible data handling, transparency, and minimizing harm to stakeholders.

Phase 4: Continuous Improvement

• 4.1 Security Awareness and Training:
  o Legal: Include legal education on data privacy regulations and responsible data handling practices in security awareness training.
  o Ethical: Train faculty, staff, and students on ethical considerations in research, data sharing, and online behavior to promote responsible digital citizenship.
• 4.2 Independent Audits and Assessments:
  o Legal: Conduct independent audits to ensure ongoing compliance with legal requirements and address any legal vulnerabilities in security practices.
  o Ethical: Include ethical considerations in audit evaluation criteria, assessing responsible data handling, research ethics, and transparency in information security practices.
• 4.3 Collaboration and Sharing:
  o Legal: Collaborate with legal experts and industry partners to stay updated on evolving data privacy regulations and best practices for ethical compliance.
  o Ethical: Share cyberthreat information and best practices through ethical collaboration channels, protecting sensitive data while fostering a collective effort against cyber threats.

By integrating these legal and ethical measures throughout the implementation plan,
MUST can establish a comprehensive information security framework that safeguards
its data, complies with regulations, and upholds its ethical obligations for responsible
research, data handling, and digital citizenship within the university community.
