Justin Min

Cybersecurity & GRC Specialist


Policy to Framework Traceability and Maturity Assessment: Aligning University of California Systems to NIST CSF

Objective

The goal of this self-led project is to establish policy-to-framework audit traceability between the University of California System’s information security standards and the National Institute of Standards and Technology’s Cybersecurity Framework, or NIST CSF (v1.1), with the ultimate aim of producing a quantifiable maturity and gap analysis.

Summary

In this robust project, I assessed the UC System’s information security posture against NIST CSF using National Cyber Security Review (NCSR) methodology and practices. I combed through the UC System’s extensive security policies, standards, and governance documents to determine whether the organization had a formal policy for each of the NIST CSF subcategories across the five functions: Identify, Protect, Detect, Respond, and Recover.

For each subcategory, I performed a maturity assessment by assigning a score from 1 to 7 based on the NCSR’s maturity scale (found on the second tab of the spreadsheet), judging the policy’s completeness and formalization. Automated color-coded visuals were added to produce a clear visual gap analysis, highlighting strengths, weaknesses, and areas requiring improvement across the framework.
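The scoring and gap-flagging logic described above, as an added example that is not part of the project or its spreadsheet. It uses the NCSR 1-7 maturity scale and the NCSR's recommended minimum of level 5; the subcategory IDs are real NIST CSF v1.1 identifiers, but the policy references, scores, and color bands are constructed placeholders, not the UC System's actual posture.

```python
from collections import defaultdict

# NCSR maturity scale (1-7); level 5 is the NCSR's recommended minimum.
NCSR_SCALE = {1: "Not Performed", 2: "Informally Done", 3: "Documented Policy",
              4: "Partially Documented Standards and/or Procedures",
              5: "Implementation in Process", 6: "Tested and Verified", 7: "Optimized"}
RECOMMENDED_MINIMUM = 5

def color_band(score):
    """Colour bands standing in for the spreadsheet's conditional formatting (assumption)."""
    if not 1 <= score <= 7:
        raise ValueError(f"NCSR score must be 1-7, got {score}")
    return "red" if score < 3 else "amber" if score < RECOMMENDED_MINIMUM else "green"

# Constructed rows: (CSF subcategory, function, traced policy reference or None, score).
# Subcategory IDs are real NIST CSF v1.1 identifiers; the policy references and
# scores are illustrative placeholders, not the UC System's actual posture.
SAMPLE_ROWS = [
    ("ID.AM-1", "Identify", "<UC policy ref>", 5),
    ("ID.AM-2", "Identify", "<UC policy ref>", 3),
    ("PR.AC-1", "Protect", "<UC policy ref>", 6),
    ("DE.CM-1", "Detect", "<UC policy ref>", 4),
    ("RS.RP-1", "Respond", None, 1),
    ("RC.RP-1", "Recover", "<UC policy ref>", 5),
]

def assess(rows, minimum=RECOMMENDED_MINIMUM):
    """Score each subcategory, flag gaps below the minimum, and average per function."""
    findings, per_function = [], defaultdict(list)
    for subcat, function, policy_ref, score in rows:
        # With no traced policy the subcategory is at best 'Not Performed' (1).
        if policy_ref is None and score > 1:
            raise ValueError(f"{subcat}: score {score} but no policy traced to it")
        findings.append({"subcategory": subcat, "function": function, "score": score,
                         "level": NCSR_SCALE[score], "color": color_band(score),
                         "gap": score < minimum})
        per_function[function].append(score)
    averages = {f: round(sum(s) / len(s), 2) for f, s in per_function.items()}
    return findings, averages

def gap_list(rows, minimum=RECOMMENDED_MINIMUM):
    """Subcategory IDs that fall below the recommended minimum, worst first."""
    findings, _ = assess(rows, minimum)
    return [f["subcategory"] for f in sorted(findings, key=lambda f: f["score"]) if f["gap"]]

if __name__ == "__main__":
    for f in assess(SAMPLE_ROWS)[0]:
        print(f["subcategory"], f["score"], f["level"], f["color"], "GAP" if f["gap"] else "")
```

Because a subcategory with no traced policy cannot legitimately score above 1, `assess` rejects such rows instead of silently averaging them in.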

It is worth noting that this assessment was conducted using publicly available documentation (e.g., published policies, standards, reports) from the UC System and my own discretion. Because I do not have access to internal documents and evidence (e.g., audit logs, incident reports, testing results), or the ability to conduct internal interviews, the maturity scores I assigned are a reflection of the formalization of policy rather than of operational control effectiveness. Therefore, the scores represent a policy-based maturity assessment, not a full operational audit.

The UC System’s security posture was selected for good reason: its broad and established policy library provided an excellent exercise in open-source intelligence skills and served as a tangible example of how each control is addressed in a large enterprise. The spreadsheet is also highly valuable for compliance with other standards and frameworks, as the mapped NIST CSF controls can be readily reused to satisfy criteria across multiple frameworks. Below is a compiled list of achievements and skills honed from this experience.

Skills Developed

Deliverables

View the Full NCSR Project