Cyber Security Assessment Tool (CSAT)

In light of the increasing volume and sophistication of cyber threats, the BSD Information Security Office has developed the Cyber Security Assessment Tool (CSAT) to help BSD department managers and IT managers increase awareness of cybersecurity risks, and assess and mitigate the risks facing their department.  The CSAT provides a repeatable and measurable process for BSD departments to measure their cybersecurity preparedness over time.

The CSAT is an MS Excel based survey tool used to measure the cybersecurity capabilities of BSD departments. The tool includes two (2) separate MS Excel workbooks. The first workbook is the CSAT Survey. The survey file is used by BSD departments to complete the survey and is further described below. The second workbook is the CSAT Dashboards. The BSD CSAT Dashboards workbook provides reports and metrics based on survey responses from the BSD departments.

The CSAT is based on the “Framework for Improving Critical Infrastructure Cybersecurity” (“the Cybersecurity Framework”)*. The survey questions and their corresponding results leverage the Framework Core to ensure all aspects of cybersecurity are assessed. The CSAT expands on the Cybersecurity Framework by dividing the Framework Core categories into three (3) domains of People, Process, and Technology.

*The National Institute of Technology and Standards (NIST) “Framework for Improving Critical Infrastructure Cybersecurity version 1.0”, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

 

Please use the following process for utilizing the CSAT.

Step 1 – Download and read the BSD ISO Cyber Security Assessment Tool User Guide.

Step 2 – Download the BSD ISO Cyber Security Assessment Tool and complete the survey questions.

Step 3 – E-mail the completed assessment to BSD Information Security Office at security@bsd.uchicago.edu.

Step 4 – The BSD ISO will compile the results and send a report and dashboard to the department.

 

Frequently Asked Questions

Q1:  Who should be participating in this survey?

A1:  This survey is optimally designed for the department’s IT Manager with support from a small group of IT staff that have been with the department for long enough to have an understanding of its IT practices.

Q2:  What should be done if a question doesn’t seem to directly apply to the department?

A2:  Each question must be answered in order to generate results.  If it appears that the question does not apply to your department, still select the answer you think most closely describes your department for that capability and leave a note with comments about why it does not apply to your department  If it is because another department handles the activity for you, please refer to FAQ #4.

Q3:  What if none of the ratings describe the department or if the department falls between several options?

A3:  Select the rating closest to what describes the department.  When in doubt, err on the low side.  Feel free to leave a comment in the notes column about the question justification for why you selected that option.

Q4:  What should we do if another department is handling an activity for us?

A4:  Do not automatically assume that the other department is performing the task in a complete and secure manner.  Ask yourself if you have a documented Transitional Service Agreement (TSA) with the department, and what security practices you KNOW they have in place.  When in doubt, err on the low side and leave a comment in the notes column.

Q5:  Are the questions in the People domain rating individuals or departmental people resources as a whole?

A5:  The questions in the People domain are asking if the department has the appropriate quantity of people with the appropriate skill base for completing an activity and is not meant to single individuals out.

Q6:  In the Process domain of the survey, what should be selected if the activity is consistently performed and communicated, but not documented?

A6:  When this is the case, err on the low side.  If no documentation of the process exists, even if the activity is being performed completely, select ad-hoc.  This will allow your department to show quick improvement once documentation has been created.

 

Endorsements:

“This is a very cool tool to help departments see where they stand and help them think about where to focus effort to improve their practices. I know of only one other research institution doing something like this, and it has been extremely effective for them.”

Tom Barton

Senior Director for Architecture, Integration, and Security

Chief Information Security Officer

IT Services

University of Chicago