Cybertrack Methodology

The Cybertrack assessment methodology is designed to evaluate and improve cybersecurity practices among Indiana’s local government entities. The approach leverages expertise from Indiana University’s Center for Applied Cybersecurity Research (IU CACR) and Purdue University’s cyberTAP. The methodology is influenced by the US Navy’s PACT cybersecurity assessment methodology and Purdue’s experience with CSET-based assessments.

Assessment Scope and Standards

The Cybertrack assessments focus on organizational cybersecurity governance, resourcing, and security controls supporting IT and operational technology systems. The assessments emphasize "Musts" from the Trusted CI Framework and Safeguards from CIS Controls v8, prioritizing practical, high-impact recommendations.

The Trusted CI Framework is a standard for cybersecurity programs that defines 16 core requirements (six of which were assessed in this study), emphasizing governance, resources, and security controls.

The CIS Controls v8 include a prioritized set of safeguards grouped into Implementation Groups (IGs). Cybertrack focused on 27 of the 153 CIS Safeguards, with special emphasis on Implementation Group 1 (IG1) controls, which serve as a minimum baseline for cybersecurity.

The Transformative Twelve

Cybertrack identified 12 high-impact CIS Safeguards, labeled the "Transformative Twelve", based on empirical research from sources like the CIS Community Defense Model, Microsoft Digital Defense Report, and Australia’s Essential Eight. These safeguards were identified as having the greatest impact on reducing cybersecurity risks. However, Cybertrack found low adoption rates for these safeguards among Indiana local governments.