Journal of King Saud University: Computer and Information Sciences (Jun 2022)
GoSafe: On the practical characterization of the overall security posture of an organization information system using smart auditing and ranking
Abstract
The lack of national security standardization bodies can have adverse impact on the adoption of international security standards and best practices. To assure security confidence among various organizations and to promote systematic adoption of standards and best standards, a practical framework that can support comparative measures is needed. . This paper presents GoSafe, a novel practical cybersecurity assessment framework that is tailored to the ISO 2700x standard requirements for the development of Information Security Management System (ISMS). GoSafe can be used for both self-assessment and auditing/scoring tool by national cybersecurity authorities. Using GoSafe, organizations can evaluate their existing information security management systems against local and international standards by utilizing built-in pre-audit tools. As such, GoSafe will help organizations evaluate and enhance their readiness for evolving risks and threats. In GoSafe framework, a novel mathematical model was also designed and implemented for the scoring/rating tool, namely, the national cyber security index (aeNCI). The aeNCI employs multiple parameters to determine the maturity of existing cybersecurity programs at national organizations and generate a classification and comparison reports. The efficacy of GoSafe proposed framework is demonstrated using a practical case study. The results enabled the stakeholder to verify the security configuration of their systems and identify potential attack/risk vectors.