
CyberArch Risk Reviews

UGA CyberArch provides a cybersecurity risk review service for partner organizations in Georgia, such as K-12 school districts, local governments, rural hospitals, and small businesses. The cybersecurity risk review engagement consists of three phases: Initial Assessment, Site Visit, and Final Report.

 

About Our Risk Review Process

The UGA CyberArch program currently uses a 3-phase approach to conducting a cybersecurity risk review. This 3-phase approach has its origins in the model created by Larry Susskind at MIT and his course Cybersecurity for Critical Urban Infrastructure. Susskind continues to be one of the leaders in the ‘cybersecurity clinic’ model, which includes students in the cybersecurity risk assessment/risk review process. 

The MIT 3-phase process includes the following: Phase 1, an Initial Questionnaire; Phase 2, an Onsite Visit with clarifying questions by the students; and Phase 3, the generation and delivery of a Final Report. The UGA CyberArch program has used this 3-phase approach in the development of the current cybersecurity risk review being conducted with partner organizations across Georgia.

The UGA CyberArch program has modified the 3-phase approach in two ways.

First, a national benchmark of cybersecurity standards (CIS Controls, v8.0, Implementation Group 1 (IG1)) has been integrated into the UGA CyberArch program. More than 200 unique questions have been developed to help determine an organization’s compliance with the 56 IG1 cybersecurity safeguards (or action items). These questions produced an additional questionnaire. Thus, the UGA CyberArch approach includes the following: Phase 1, an Initial Questionnaire and a Follow-up Questionnaire; Phase 2, an Onsite Visit with the partner organization by a UGA CyberArch intern team of 4 interns; and Phase 3, the development and generation of a Final Report for the partner organization.

Second, we are also working with the University of Texas San Antonio’s (UTSA) Community Cybersecurity Maturity Model (CCSMM). The UTSA CCSMM provides three unique elements:

The UGA CyberArch program integrates elements from both the MIT model (the 3-phase approach and certain questions) and the UTSA CCSMM approach (modifying the community approach to a single partner organization within a community, using a maturity scale to better assess impact over time, and using the four-dimension approach to measure maturity based on responses). All IG1 questions asked within the UGA CyberArch program are now mapped to the relevant UTSA CCSMM dimension.

Organizations interested in the UGA CyberArch program should complete our Contact form, and someone will respond as soon as possible.