Agalit Mohamed Amine*
| El Mostapha Chakir | Taqafi Issam | Youness Idrissi Khamlichi
© 2023 IIETA. This article is published by IIETA and is licensed under the CC BY 4.0 license (http://creativecommons.org/licenses/by/4.0/).
OPEN ACCESS
The pervasive integration of information systems and computer networks in organizational infrastructure has significantly heightened the susceptibility to cyber threats. Despite the implementation of advanced security measures, the prevalence of unauthorized access and system breaches continues to escalate. These vulnerabilities expose information systems to risks such as data theft, destruction from natural disasters, and malware attacks, which pose a considerable threat to the integrity of user data and system security. Unintentional factors, including human errors and natural calamities, further compound these risks. In academia, where the protection of sensitive information is of utmost importance, the need for robust cybersecurity measures is particularly acute. In response to these challenges, international bodies have established standards and frameworks to govern and strengthen information security protocols. This study conducts a rigorous assessment of the ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) standards, which are extensively implemented by Higher Education Institutions (HEIs) to manage cybersecurity risks. Through an analytical approach, the research delineates the policies and guidelines specified in these standards. The aim is to discern the most effective strategies for reinforcing information security within HEIs, amidst the rapidly evolving landscape of information technology and the sophisticated tactics of cyber adversaries.
cybersecurity, information security, data security, ISO/IEC 27001, NIST-CSF, higher education institutions
In the current era of digital education transformation, securing virtual systems has become critical for the continuity and integrity of learning environments. The transition to online platforms for knowledge dissemination, pedagogical activities, and evaluation processes underscores the necessity for stringent measures to protect system robustness and confidentiality of user data. Trust in these digital domains is increasingly reliant on the adoption of international standards, such as ISO 27001/2, and the implementation of cybersecurity frameworks, including the NIST Cybersecurity Framework (NIST-CSF).
Higher Education Institutions (HEIs), as custodians of sensitive and valuable data, are confronting a surge in cyber threats from a variety of sources. It has been observed that universities are intensifying their financial commitments to cybersecurity in response to these growing challenges. The intrinsic openness that academic settings promote, to facilitate scholarly exchange, inadvertently heightens their vulnerability to cyber incursions. The unique landscape of universities requires them to navigate a complex array of cybersecurity concerns. Among these is the need to protect a diverse user base, which includes students who are often the target of phishing schemes.
This research aims to achieve the following objectives:
The subsequent sections provide a detailed exploration of key aspects in the following order:
Section 2: This section delves into the distinctions between information security and cybersecurity, offering a comprehensive understanding of the core concepts.
Section 3: Here, we present an overview of international standards and regulations in information security and cybersecurity, shedding light on their significance in the academic context.
Section 4: In this section, we compile and analyze cyber risks specific to Higher Education Institutions, offering insights into the challenges faced in this sector.
Section 5: This section discusses critical elements, policies, and guidelines within ISO/IEC 27001 and NIST-CSF, providing a comparative analysis of their applications and implications.
Section 6: Exploring the integration of ISO/IEC 27001 and NIST-CSF in Higher Education Institutions, this section outlines practical approaches and considerations for an effective amalgamation.
Cybersecurity has ascended to global importance, with over 50 nations publishing official security strategy documents, as highlighted by Klimburg [1]. This paper delves into the nuanced distinctions between cybersecurity and information security, often used interchangeably but with subtle differences.
· Defining Cybersecurity:
Cybersecurity, a comprehensive term [2], involves actions and precautions to safeguard computer systems, especially on the Internet. The International Telecommunications Union (ITU) refines this as a multifaceted range of resources, policies, principles, and protective measures aimed at safeguarding the cyber environment [3].
· Parallel Objectives with Information Security:
Cybersecurity's primary goals, integrity, availability, and confidentiality, resonate with ISO/IEC 27032:2012(E) [4]. Information security, per ISO/IEC 27002 (2013) [5], focuses on preserving information confidentiality, integrity, and availability across various forms.
Information Security's Focus:
Information security aims to safeguard computer systems, ensuring protection against unauthorized access, service disruption, threats, and encompasses all information protection measures [5]. Whitman and Mattord [6] further emphasize the safeguarding of information and its components, with a model extending beyond the CIA triangle.
· Distinguishing Cybersecurity and Information Security:
Figure 1 illustrates the distinctions, with information security on the left (encompassing both digital and analog information) and cybersecurity on the right (covering vulnerabilities in physical and digital realms).
Figure 1. The differences between cybersecurity and information security
· Comparative Google Search Volumes:
Analysing Google search volumes reveals historical trends. Figure 2 shows the evolving public concern, with "Cybersecurity" consistently surpassing "Information Security" searches since 2014.
· Relevance of Search Data:
The growing popularity of "Cybersecurity" over "Information Security" signifies evolving public awareness of cyber threats. This data enhances our exploration, providing insights into the dynamic relationship between information security and cybersecurity in contemporary times.
Figure 2. Comparison of Google search volume for terms cyber security, cybersecurity, and information security
3.1 Cyber risks in academic institutions
The integration of information and communication technologies (ICTs) in academia, encompassing E-learning platforms, email, Wi-Fi, web applications, and radio, has significantly transformed educational landscapes. While these advancements enhance teaching and learning experiences, they concurrently expose academic institutions to considerable cybersecurity risks. Notably, higher education institutions (HEIs) are recurrent targets of cyberattacks, facing millions of attempted breaches weekly [7]. This heightened vulnerability is exacerbated by the extensive use of various technologies by diverse student populations, coupled with limited resources to effectively manage cybersecurity risks.
Public HEIs, in particular, emerge as vulnerable entities due to widespread technology use and recent targeted attacks, underscoring the urgent need for robust cybersecurity measures [8-11]. It is noteworthy that a significant portion of these threats originates from students, with reported instances of unauthorized grade alterations [12].
In light of these challenges, surveys reveal a concerning statistic: over 75% of educational institutions are ill-prepared for IT risks. This stark reality necessitates HEIs to prioritize and strengthen cybersecurity, especially in critical areas such as BYOD policies and data management [13].
Amidst the transformative potential of technology in education, academic institutions encounter specific challenges that hinder the effective management of cybersecurity risks. Two notable challenges include the lack of dedicated IT security staff, impeding timely threat identification and mitigation, and the absence of well-structured data centers, posing difficulties in managing physical infrastructure securely. For instance, without cybersecurity personnel, institutions may struggle to respond swiftly to potential threats. Additionally, the lack of a centralized data center can impede the maintenance of a secure and organized IT environment.
Addressing these challenges is imperative to fortify the cybersecurity posture of academic institutions and ensure a secure digital learning environment for students and faculty.
3.2 Cybersecurity approach in HEIs
To address these challenges, HEIs must develop and implement a global and integrated cybersecurity strategy, balancing data security objectives and associated costs. The components of a comprehensive cybersecurity framework, as illustrated in Figure 3 and described in Table 1, are as follows:
(1) Cybersecurity Governance and Compliance:
Establish regulations for overseeing decentralized IT platforms, ensuring compliance, reporting, training, and information exchange. For example, the implementation of a reporting system ensures a swift response to potential threats.
(2) Cybersecurity Defense:
Maintain a precise record of assets, facilitating operational functions and ensuring confidentiality, integrity, and accessibility. Regularly updating and monitoring asset records enhances threat detection and response.
(3) Access Control:
Implement robust access control policies defining individuals authorized to access sensitive information. Restricting access based on roles minimizes unauthorized exposure.
(4) Information Protection:
Employ data loss prevention (DLP) tools to identify and encrypt sensitive data. DLP tools prevent unauthorized access, safeguarding intellectual property.
(5) Layered Cybersecurity Protection:
Implement measures at multiple levels of policy enforcement. Multi-factor authentication enhances security across various access points.
(6) Third-Party and Cloud Cybersecurity:
Implement reliable controls to monitor and safeguard public and private cloud environments. Regular audits of third-party controls ensure the integrity of cloud services.
The Figure below illustrates the key components of the proposed cybersecurity framework.
In conclusion, adopting a comprehensive cybersecurity framework is essential for HEIs to safeguard data and privacy. These integrated components create a resilient information system, protecting against evolving cyber threats.
Table 1. Description of essential cybersecurity components
|
Components |
Description |
|
Cybersecurity Governance and Compliance |
Establish regulations for overseeing decentralized IT platforms, ensuring adherence, reporting, training, and information exchange. |
|
Cybersecurity Defense |
Maintain a precise record of assets, ensuring confidentiality, integrity, and accessibility for effective threat response. |
|
Access Control |
Implement policies restricting access to sensitive information based on roles to minimize unauthorized exposure. |
|
Information Protection |
Use DLP tools for identifying and encrypting sensitive data, protecting intellectual property. |
|
Layered Cybersecurity Protection |
Implement measures at multiple policy enforcement levels, enhancing security across various access points. |
|
Third-Party and Cloud Cybersecurity |
Implement controls for monitoring and safeguarding public and private cloud environments through regular audits. |
Figure 3. Essential cybersecurity components
4.1 International Organization for Standardization (ISO)
The International Organization for Standardization (ISO) plays a pivotal role in establishing globally recognized standards for information security, prominently exemplified by the "Information Security Management System" (ISO/IEC 27000) standards. This collection includes essential sub-standards contributing significantly to the field:
· ISO/IEC 27001: Defines the Information Security Management System (ISMS), guiding organizations in managing information risks.
· ISO/IEC 27002: Provides practices and rules for Information Security Management Systems (ISMS).
· ISO/IEC 27003: Offers guidance on implementing Information Security Management Systems.
· ISO/IEC 27004: Focuses on measuring the effectiveness of information security management systems.
· ISO/IEC 27005: Addresses Information Security Risk Management.
· ISO/IEC 27006: Guides the process of maintaining an information security management system.
· ISO/IEC 27032: Offers guidelines for cybersecurity under information technology security techniques.
4.1.1 ISO/IEC 27001
ISO/IEC 27001 defines ISMS as a framework for effectively handling information risks. Applicable to organizations of all sizes and sectors, it ensures continuous adaptation of security measures to evolving threats. ISO/IEC 27001 does not prescribe specific controls but refers to ISO/IEC 27002 for a list. This flexibility allows organizations to choose controls based on risk assessments, emphasizing a comprehensive risk management approach [14, 15].
4.1.2 ISO/IEC 27032
ISO/IEC 27032 focuses on cybersecurity, specifically in cyberspace, safeguarding information's confidentiality, integrity, and availability. It provides technical advice for mitigating typical Internet-related risks. While not directly addressing other cyber-related aspects, it complements existing standards and is often integrated into Information Security Management Systems (ISMS) [4].
4.1.3 ISO and NIST standards comparison
When evaluating cybersecurity frameworks, it's essential to understand the distinctions between widely adopted standards. Below in Table 2 is a detailed comparison between ISO/IEC 27000 and NIST-CSF, shedding light on their primary focuses, approaches, certification processes, and maturity level considerations [1, 14, 16-19].
Table 2. Comparative overview of ISO/IEC 27000 and NIST-CSF
|
Feature |
ISO/IEC 27000 |
NIST-CSF |
|
Primary Focus |
Information security |
Cybersecurity |
|
Approach |
Prescriptive |
Flexible |
|
Certification |
Available |
Not available |
|
Maturity Levels |
No |
Yes |
This table outlines key differences between ISO/IEC 27000 and NIST-CSF, providing insights into their distinct characteristics. ISO/IEC 27000 primarily emphasizes information security, while NIST-CSF takes a broader approach by encompassing both information security and cybersecurity. The prescriptive nature of ISO/IEC 27000 involves specific requirements for certification, whereas NIST-CSF offers flexibility, allowing tailored cybersecurity programs. Furthermore, ISO/IEC 27000 provides certification through third-party bodies, while NIST-CSF does not have a formal certification process. In terms of maturity levels, ISO/IEC 27000 lacks defined levels, while NIST-CSF outlines five levels, offering a nuanced approach to program development. Understanding these differences is crucial for organizations aiming to select the most suitable framework for their cybersecurity needs.
4.1.4 Real-world examples of practical applications
The practical applications of ISO/IEC 27001 and NIST-CSF in real-world scenarios highlight their effectiveness in addressing cybersecurity challenges. The following examples illustrate how these frameworks have been successfully implemented in diverse organizations:
· ISO/IEC 27001:
· NIST-CSF:
· Combined Approach:
These real-world examples collectively demonstrate the adaptability and effectiveness of ISO/IEC 27001 and NIST-CSF across diverse organizational settings, emphasizing the crucial role these frameworks play in achieving robust cybersecurity.
4.2 National institute of standards and technology cybersecurity framework NIST-CSF
The NIST-CSF, developed by the National Institute of Standards and Technology, targets the cybersecurity of critical infrastructures. It consists of five functions - Identify, Protect, Detect, Respond, and Recover - providing a structured approach to mitigate cyber risks [16, 25, 26].
The implementation of NIST-CSF has two key aspects. Firstly, it allows organizations to determine the extent of their cybersecurity program, offering essential flexibility [16, 25]. Additionally, it serves as a maturity indicator, assessing the organization's control implementation maturity and facilitating informed decision-making [16, 25].
Figure 4 below provides an illustration of the NIST Cybersecurity Framework for enhanced comprehension.
Figure 4. NIST cybersecurity framework
In the broader context, ISO/IEC 27000 and NIST-CSF play a fundamental role in cybersecurity by offering structured approaches to risk management. These standards are relevant to the wider theme by providing organizations with the necessary tools to identify, assess, and manage cybersecurity risks, contributing to a more secure digital environment [27].
In conclusion, while ISO/IEC 27000 and NIST-CSF share similarities, they adopt distinct approaches to cybersecurity. The choice between them depends on organizational needs, with ISO providing a more prescriptive approach and NIST-CSF offering more flexibility. Practical applications demonstrate their effectiveness in various sectors, affirming their global relevance.
To make an informed decision between two distinct programs, a thorough understanding of their shared characteristics and differences is crucial. This facilitates the determination of the optimal approach for integration or selection. Commencing with an examination of the commonalities between ISO/IEC 27001 and NIST-CSF is essential.
5.1 ISO/IEC 27001 and NIST-CSF similarities
ISO/IEC 27001 and NIST-CSF present distinct approaches to implementing cybersecurity and information security within an organization. While their methodologies may not align perfectly, minor adjustments can effectively bridge any discrepancies between them.
Figure 5. NIST-CSF and ISO/IEC 27001 similarities
As depicted in Figure 5, the NIST-CSF demonstrates a more comprehensive and detailed focus on the operational phase of planning. This is primarily due to the assumption that organizations already possess established management practices, and as such, the cybersecurity framework must be effectively integrated with them.
Both approaches utilize a security implementation strategy based on risk management and recommendations. Security controls and safeguards are implemented only when identified risks are considered unacceptable, serving as a reference for monitoring ongoing progress [27].
The comparison in Table 3 illustrates the similarities between the control sections of ISO/IEC 27001 Annex A and the control categories of NIST-CSF [27].
In addition to these shared characteristics, there are key points to consider:
Table 3. ISO/IEC 27001 annex a control section and related NIST-CSF control categories
|
ISO/IEC 27001 Annex A Control Sections |
NIST-CSF Control Categories |
|
A.5 Information security policies |
Governance |
|
A.6 Organization of information security |
Governance; Risk Assessment; Asset Management; Awareness and Training; Data Security; Identity Management and Access Control; Information Protection Processes and Procedures; Detection Processes; Communications |
|
A.7 Human resource security |
Governance; Data Security; Awareness and Training; Identity Management and Access Control; Information Protection Processes and Procedures |
|
A.8 Asset management |
Asset Management; Protective Technology; Data Security; Information Protection Processes and Procedures |
|
A.9 Access control |
Identity Management and Access Control; Protective Technology; Data Security |
|
A.10 Cryptography |
No specific category covering cryptographic controls in NIST-CSF |
|
A.11 Physical and environmental security |
Asset Management; Business Environment; Data Security; Identity Management and Access Control; Information Protection Processes and Procedures; Maintenance; Protective Technology |
|
A.12 Operations security |
Risk Assessment; Business Environment; Data Security; Security Continuous Monitoring; Information Protection Processes and Procedures; Protective Technology; Analysis; Mitigation |
|
A.13 Communications security |
Asset Management; Identity Management and Access Control; Data Security; Protective Technology |
|
A.14 System acquisition, development and maintenance |
Data Security; Security Continuous Monitoring; Information Protection Processes and Procedures; Detection Processes |
|
A.15 Supplier relationships |
Supply Chain Risk Management; Business Environment; Maintenance; Security Continuous Monitoring |
|
A.16 Information security incident management |
Information Protection Processes and Procedures; Detection Processes; Response Planning; Anomalies and Events; Communications; Analysis; Mitigation; Improvement; Recovery Planning |
|
A.17 Information security aspects of business continuity management |
Business Environment; Information Protection Processes and Procedures; Protective Technology; Risk Assessment |
|
A.18 Compliance |
Governance; Risk Assessment; Detection Processes; Information Protection Processes and Procedures |
This comprehensive analysis, encompassing both shared characteristics and additional considerations, lays the groundwork for a nuanced understanding of ISO/IEC 27001 and NIST-CSF. It provides insights that pave the way for informed decision-making in cybersecurity implementation.
5.2 ISO/IEC 27001 and NIST-CSF differences
Having examined the shared aspects of these two approaches in the previous section, we will now explore their differences:
In summary, the NIST-CSF framework concentrates on cybersecurity planning and implementation, whereas ISO/IEC 27001 approaches the subject more comprehensively. Its PDCA-based methodology (Plan, Do, Check, Act) not only executes the system but also ensures its maintenance during an audit.
5.3 Which one to choose?
The best thing is to combine ISO/IEC 27001 and NIST-CSF together. The NIST-CSF is better when it comes to structuring the security domains to implement while the ISO/IEC 27001 is better at controlling and designing a long-term information security management system.
The optimal solution is to integrate both ISO/IEC 27001 and NIST-CSF. NIST-CSF is more effective in organizing the security domains to be implemented, while ISO/IEC 27001 excels in governing and creating a sustainable information security management system.
The ideal outcome can be attained by designing cybersecurity in compliance with ISO 27001 (chapters 4 to 10) and defining the security and risk management boundaries based on NIST-CSF guidelines.
After a thorough analysis of the similarities and differences between NIST-CSF and ISO/IEC 27001, it becomes evident that combining both frameworks can yield more benefits than drawbacks for their implementation in higher education institutions (HEIs). Three distinct scenarios are presented for consideration [14, 30, 37-39]:
6.1 Scenario A: Incorporating NIST-CSF into an existing ISO/IEC 27001 framework
If a Higher Education Institute (HEI) has already implemented ISO/IEC 27001 and wishes to adopt NIST-CSF, the following steps can guide the integration process:
(1) Integrating Profiles into Risk Management:
Begin by incorporating the concepts of Current Profile and Target Profile into the risk management process.
(2) Internal Assessment and Alignment:
Conduct an internal assessment of risk management procedures and controls, aligning them with the NIST-CSF Framework Core and its implementation layers.
(3) Action Plan Development:
Develop action plans based on the Current Profile, Target Profile, work objectives, security considerations, and internal audit findings to achieve the desired outcome.
6.2 Scenario B: Enhancing ISO/IEC 27001 with NIST-CSF controls
In cases where a HEI has already implemented NIST-CSF and aims to adopt ISO/IEC 27001, the following steps facilitate the integration:
(1) Reviewing and Aligning Controls:
Begin by reviewing NIST-CSF controls and aligning them with ISO/IEC 27001 clauses.
Table 4. Mapping of ISO/IEC 27001 clauses to NIST-CSF control categories
|
ISO/IEC 27001 Clauses |
NIST CSF Control Categories |
|
Clauses 4.1 to 4.3 |
Business environment |
|
Clause 4.4 |
Governance |
|
Clauses 5.1 to 5.3 |
Governance |
|
Clause 6.1 |
Information Protection Processes and Procedures; Risk Management; Risk Assessment |
|
Clause 7.3 |
Awareness and Training |
|
Clause 7.4 |
Communication |
|
Clause 7.5.3 |
Data Security |
|
Clauses 8.2 and 8.3 |
Risk Assessment |
|
Clause 9.1 |
Detection Process and Protective Technology |
(2) Mapping Pertinent Categories:
Identify the most pertinent NIST-CSF categories using the mapping provided in Table 4.
(3) Implementing NIST-CSF Controls:
Implement relevant NIST-CSF controls to address any gaps in the existing information security system.
6.3 Scenario C: Establishing information security and cybersecurity from scratch
When a HEI does not have an existing approach to information security or cybersecurity, the following steps can guide the development of a robust framework:
(1) Aligning Design with ISO/IEC 27001:
Begin by aligning the design of information security and cybersecurity with ISO/IEC 27001 (specifically clauses 4, 5, 7, 9, and 10).
(2) Utilizing NIST-CSF for Risk Management:
Utilize NIST-CSF for risk management and its implementation in relation to cybersecurity controls and safeguards.
(3) Implementing the Cybersecurity Management Process:
Follow the illustrated steps in Figure 6 for implementing the cybersecurity management process.
The integration of ISO/IEC 27001 and NIST-CSF can provide HEIs with a comprehensive and effective approach to information security and cybersecurity. By following the steps outlined above, HEIs can implement both frameworks in a way that meets their specific needs and requirements.
Looking ahead, it is imperative to deepen our understanding of the implications and effectiveness of this integration in higher education institutions (HEIs). Future research endeavors could explore various aspects, including the impact of integrating ISO/IEC 27001 and NIST-CSF on the cybersecurity posture of HEIs, the nuanced challenges and opportunities associated with implementation, and the identification of best practices for seamless integration. These inquiries aim to contribute valuable insights that will guide HEIs in their ongoing efforts to enhance their information security and cybersecurity framework.
Figure 6. Steps for implementing the cybersecurity management process [40]
In our interconnected world, where the stakes of cybersecurity are paramount, a nuanced and adaptive approach becomes imperative, especially for higher education institutions (HEIs). The conventional reliance on ISO/IEC 27001 as a recognized standard demands scrutiny, revealing the necessity for tailoring to organizational specifics. Herein lies the value of NIST-CSF, seamlessly aligning with ISO/IEC 27001 to meet the unique needs of HEIs, thereby ushering in a new era of customized cybersecurity frameworks.
Amidst the intricate landscape of cybersecurity frameworks, our investigation has uncovered pivotal findings that underscore the need for adaptability and customization. ISO/IEC 27001, revered as an information security standard, mandates tailoring to organizational specifics. In complement, the NIST-CSF emerges as a robust framework, designed to intricately weave with ISO/IEC 27001, offering HEIs the flexibility to forge bespoke cybersecurity strategies attuned to their distinctive requirements.
As we chart the course forward, these revelations open new avenues for exploration and inquiry. The transformative impact of integrating ISO/IEC 27001 and NIST-CSF on HEIs' cybersecurity posture warrants a comprehensive investigation. Likewise, delving into the challenges and opportunities entwined with the dual implementation of these frameworks in the realm of higher education promises to unravel valuable insights. Furthermore, identifying and disseminating best practices for the seamless integration of ISO/IEC 27001 and NIST-CSF in HEIs will serve as a guiding beacon for institutions navigating the complex cybersecurity terrain.
This holistic cybersecurity management approach, rooted in the fusion of ISO/IEC 27001 and NIST-CSF, stands not only as a strategic imperative but also as a catalyst for transformative advancements in safeguarding HEIs against evolving cyber threats.
[1] Klimburg, A. (2012). National cybersecurity framework manual. NATO CCD COE Publications.
[2] Merriam-Webster. (n.d.). Cybersecurity. https://www.merriam-webster.com/dictionary/cybersecurity.
[3] International Telecommunications Union (ITU). (2008). ITU-TX.1205: Series X: Data networks, open system communications and security: Telecommunication security: Overview of cybersecurity 2008.
[4] ISO/IEC. (2012). ISO/IEC 27032:2012(E) information technology — security techniques — guidelines for cybersecurity. Geneva, Switzerland: ISO/IEC.
[5] ISO/IEC. (2013). ISO/IEC 27002:2013 code of practice for information security management 2013.
[6] Whitman, M.E., Mattord, H.J. (2005). Principles of information security (2nd ed.). Thompson Course Technology, Australia.
[7] UpGuard. (2023, October 26). The State of University Cybersecurity: 3 Major Problems in 2023. https://www.upguard.com/blog/top-cybersecurity-problems-for-universities-colleges.
[8] Wilson, S.C., Graham, M. (2017). Cybersecurity in higher education: A guide for leaders. Educause Review, 52(2).
[9] Pawlicki, J.P., Zhang, C. (2018). Cybersecurity for universities and colleges: A guide for non-technical managers. Taylor & Francis.
[10] O'Connell, M., McDermott, P. (2022). Public sector cybersecurity: Challenges and opportunities. In 2022 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 1-9.
[11] Döring, N. (2016). Cybersecurity in public universities: Challenges and solutions. In Proceedings of the 8th International Conference on Cyber Conflict, pp. 143-152.
[12] Deans, C., Pollard, C. (2012). Understanding and preventing student-initiated cybercrime in education. New Review of Information Networking, 17(2): 133-146.
[13] Netwrix. (2017). Most Ed institutions unprepared for data risks. Campus Technology. https://finance.yahoo.com/news/multi-institution-survey-nearly-700-150000215.html.
[14] International Organization for Standardization. (2013). ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements.
[15] International Organization for Standardization. (2022). Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2022). https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:en.
[16] National Institute of Standards and Technology (NIST). (2023). Cybersecurity Framework Version 1.1. https://www.nist.gov/cyberframework/framework-version-10.
[17] IT Governance USA. (2023). ISO 27001 and the NIST CSF (Cybersecurity Framework). https://www.itgovernanceusa.com/iso27001-and-nist.
[18] OneTrust. (2022). ISO 27001 vs. NIST Cybersecurity Framework. https://www.onetrust.com/blog/iso-27001-vs-nist-cybersecurity-framework.
[19] International Organization for Standardization. (2009). ISO/IEC 27000:2009, Information technology - Security techniques - Information security management systems - Overview and vocabulary.
[20] HSBC. (2023, February 23). Investor Presentation. https://www.hsbc.com/investors/investor-events-and-presentations?page=1&take=20.
[21] Mayo Clinic. (2022). Case Study. https://news.mayocliniclabs.com/homepage/stories/case-studies/.
[22] Lockheed Martin. (2021). Cybersecurity Strategy Report. https://www.lockheedmartin.com/content/dam/lockheed-martin/eo/documents/annual-reports/lockheed-martin-annual-report-2021.pdf.
[23] United States Department of Homeland Security. (2022). Cybersecurity Framework Implementation Report. https://www.oig.dhs.gov/sites/default/files/assets/2023-04/OIG-23-21-Apr23.pdf.
[24] Nestlé. (2020). Cybersecurity White Paper. https://www.nestle.com/sites/default/files/2022-03/2021-annual-review-en.pdf.
[25] United States Department of Homeland Security. (2023). Cybersecurity Framework Implementation Guide Version 1.1. https://www.cisa.gov/sites/default/files/publications/Commercial_Facilities_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf.
[26] Cybersecurity and Infrastructure Security Agency. (2023). CISA Insights: NIST Cybersecurity Framework. https://www.cisa.gov/resources-tools/resources/chemical-sector-cybersecurity-framework-implementation-guidance.
[27] Khan, A., Zafar, A., Zubair, M., Khan, A.U. (2023). Cybersecurity frameworks: A comparative analysis. IEEE Access, 11: 10711-10726. https://doi.org/10.1109/ACCESS.2023.3217462
[28] National Institute of Standards and Technology (NIST). (2022). Supply Chain Risk Management Practices for Federal Information Systems and Organizations (NIST SP 800-161 Vol. 1). https://csrc.nist.gov/pubs/sp/800/161/final.
[29] National Institute of Standards and Technology (NIST). (2020). Security and privacy controls for information systems and organizations. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final.
[30] National Institute of Standards and Technology. (2018). Cybersecurity Framework (CSF) Version 1.1. https://www.nist.gov/cyberframework.
[31] National Institute of Standards and Technology. (2019). Cybersecurity Framework (CSF) Roadmap. https://www.nist.gov/document/csf-roadmap-11-final-042519pdf.
[32] National Institute of Standards and Technology. (2018). Guide for Applying the Cybersecurity Framework (NIST SP 800-37 Rev. 2). https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0.
[33] International Accreditation Forum (IAF). (2023). IAF Mandatory Document 4: Accreditation for Certification Bodies Operating Certification Schemes that Meet ISO/IEC 17021-1.
[34] International Electrotechnical Commission (IEC). (2023). IEC Guide 114: Conformity assessment - Guide for the use of ISO/IEC 17021-1.
[35] International Organization for Standardization (ISO). (2018). Information security - Information technology - Security techniques - Code of practice for information security management. ISO/IEC 27002:2013.
[36] National Institute of Standards and Technology (NIST). (2022). Cybersecurity Framework (CSF) Version 1.1.
[37] Alqahtani, M., Zaidan, B.B. (2020,). A comparison of NIST cybersecurity framework and ISO/IEC 27001 standard and their applicability in higher education institutions. In 2020 International Conference on Information Networking (ICOIN).
[38] El-Hadad, M., Hassan, M.M. (2018). Hybrid model for cybersecurity risk management in higher education institutions. International Journal of Innovative Technology and Exploring Engineering, 8(2S2): 71-77.
[39] European Commission. (2018). Cybersecurity Framework for Higher Education Institutions (HEIs): A Guide for Implementation.
[40] National Institute of Standards and Technology (NIST). (2023). Uses and benefits of the cybersecurity framework. https://www.nist.gov/cyberframework/online-learning/uses-and-benefits-framework.
