Cybersecurity Risk Review

Program Overview:

The University of Georgia CyberArch program currently uses a 3-phase approach to conducting a cybersecurity risk review. This 3-phase approach has its origins in the model created by Dr. Larry Susskind at MIT and his course, Cybersecurity for Critical Urban Infrastructure. Dr. Susskind continues to be one of the leaders in the ‘cybersecurity clinic’ model, which includes students in the cybersecurity risk assessment/risk review process. The MIT 3-phase process consists of the following: Phase 1, an Initial Questionnaire; Phase 2, an Onsite Visit with clarifying questions by the students; and Phase 3, the generation and delivery of a Final Report. The UGA CyberArch program has used this 3-phase approach in developing the cybersecurity risk review currently being conducted with partner organizations across Georgia.

The UGA CyberArch program has modified the 3-phase approach in two primary ways. First, a national benchmark of cybersecurity standards (CIS Controls, v8.0, Implementation Group 1 (IG1)) has been integrated into the UGA CyberArch program, something not used in the MIT framework. In doing so, 200+ unique questions have been developed within the UGA CyberArch program to help determine an organization’s compliance with the 56 IG1 cybersecurity safeguards (or action items). These questions produced an additional questionnaire. Thus, the UGA CyberArch approach consists of the following: Phase 1, an Initial Questionnaire and a Follow-on Questionnaire; Phase 2, an Onsite Visit with the partner organization by a UGA CyberArch intern team of 4 interns; and Phase 3, the development and generation of a Final Report to the partner organization.

Second, there is ongoing work within the UGA CyberArch program to determine how best to include the University of Texas San Antonio’s (UTSA) work in their Community Cybersecurity Maturity Model (CCSMM). The UTSA CCSMM provides 3 unique elements. First, it approaches community cybersecurity across four dimensions: Awareness, Information Sharing, Policy, and Plans. Second, the model creates a 5-level maturity scale, and community cybersecurity is then measured based on responses to questions related to those four dimensions. Third, the 5-level maturity scale both creates a benchmark of maturity at a particular date and provides a pathway for future strengthening of a community’s cybersecurity posture by illuminating action steps to move forward. This maturity scale brings with it the concept of measuring impact more accurately from one review to the next within an organization over time.

The UGA CyberArch program thus integrates elements from both the MIT model (the 3-phase approach and certain questions asked by MIT to a partner organization) and the UTSA CCSMM approach (modifying the community approach to a singular partner organization within a community, using a maturity scale to better assess impact over time, and using the four-dimension approach to measure maturity based on responses). All IG1 questions being asked within the UGA CyberArch program are now mapped to the relevant UTSA CCSMM dimension.

Organizations interested in the UGA CyberArch program should complete the Contact Us information, and someone will respond as soon as possible.