Comparative Analysis and Design of Cybersecurity Maturity Assessment Methodology Using NIST CSF, COBIT, ISO/IEC 27002 and PCI DSS

— Data or Information security in today's digital era is crucial in every organization that needs to pay attention. Management of organizational information is one of the components in realizing Good Corporate Governance. The measure of an adequate level of protection is an indicator of the cybersecurity awareness aspects of an organization's business processes in the short, medium, and long term, especially in the field that deals with information and communication technology (ICT). To make this happen, it requires a security standard that is appropriate and follows its needs to help organizations know the maturity level of cybersecurity in protecting its information security. The ABC organization is one of the Government agencies that manage the critical infrastructure and Indonesian digital economies. The organization has currently implemented several international security standards through its planning, implementation, evaluation document, and ICT activities. However, based on the national information security readiness assessment, information security management readiness results are still not optimal. In this study, an analysis of the NIST, ISO 27002, COBIT, and PCI DSS security standards has been carried out, which are ABC organizational security standards in managing ICT by assigned tasks and functions. Furthermore, the analysis result is used as materials for drafting a cybersecurity maturity framework through the four standard approaches that have become the basis for ICT management. The proposed concept of twenty-one integrated cybersecurity categories is expected to be a capital in measure ICT management performance in ABC organizations.


I. INTRODUCTION
In the current digital transformation, cybercrime activity has become a form of crime that has grown and impacts the emergence of increasingly varied and relatively complex cyber incidents. Cybercriminals carry out some attacks in hacking/ stealing large amounts of data and money from companies around worldwide. Indonesia is one of the countries with a record of cybercrime cases, which in 2019 became the country with the highest malware attack rate in the Asia Pacific region. The potential economic losses in Indonesia resulting from cybersecurity incidents can reach the US $ 34.2 billion. This figure is equivalent to 3.7 percent of Indonesia's total Gross Domestic Product of US $ 932 billion. It is based that large-scale organizations in Indonesia may experience economic losses of US $ 16.3 million, 200 times greater than the average financial losses of a mediumscale organization [1]. Meanwhile, based on the annual report of the National Cyber and Crypto Agency (BSSN) in 2019, there were around 290 million cyberattacks identified, with the highest number of attacks being 137.4 million attempts to leak data, followed by 117.9 million trojan attacks, 12.5 million attacks on port 80 as well as 6.4 million attacks on name servers [2].
Cybersecurity is a part of information security that protects information assets from threats to information that is processed, stored, transmitted by interconnected information systems. Efforts to protect cybersecurity are to prevent, overcome and reduce the impact of damage or harm to the system [3]. To improve cybersecurity in Indonesia, one of the strategies that need to be formulated is preparing a cybersecurity maturity model that can measure an organization's cybersecurity capabilities and place its position on a scale appropriate to actual conditions. An Organization's cybersecurity maturity level becomes an indicator and evaluation material to improve or increase compliance at a certain level as initiated by the Software Engineering Institute (SEI) with Mitre Corporation in November 1986. The development of a maturity framework process that has been prepared aims to improve existing software processes and other processes [4]. At present, there are various other international cybersecurity maturities framework standards such as NIST, ISO, COBIT, PCI DSS, and others referred to by other countries/organizations as controls in improving cybersecurity implementation of the ABC organization, which has also implemented them. This study aims to analyze the four standards used by the ABC organization and develop an integrated framework concept that can be used to improve performance in ICT management.

A. Maturity Cybersecurity Model
Referring to Cybersecurity Capability Maturity Model (C2M2) Program that released by the Department of Energy (DOE) of the US (2019), the Maturity Model is a set of characteristics, indicators, or patterns representing capabilities and development in a particular science field. Maturity models can be prepared by adopting existing standards or combining several best practice standards. The cybersecurity maturity model will assist in providing direction for the Organization to undertake independent assessments. Implementing the maturity model will provide benchmarks that can help organizations evaluate improvement organizational aspects [5]. C2M2 is on adopting and managing cybersecurity practices related to information assets, information and operating technology, and the environments. Usability model is [6]: 1) Strengthening the organization's cybersecurity capabilities; 2) Allows organizations to consistently and effectively evaluate and measure cybersecurity capabilities; 3) Sharing knowledge, best practices, and relevant references across the organization; 4) Allows organizations to prioritize actions and investments to enhance cybersecurity. C2M2 assists organizations to evaluate and identify areas of weakness and strength that can guide the development of a cybersecurity program. This cybersecurity maturity model can be a scalable tool for implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

B. NIST
Originally named the Bureau of Standards, NIST's goal was to ensure a consistent standard of size and function as laboratory standards. NIST was used extensively in the cybersecurity sector in the 1970s [7]. One of NIST's best practices for cybersecurity management, NIST Cybersecurity Framework (NIST CSF). NIST CSF components are more appropriate for technology organizations to use because of their scope of technical control, log analysis, and incidents (8). The latest update was published on April 16, 2018, through version 1.1. The current framework provides a comprehensive assessment consisting of three essential components, namely [7]:

1) Core
This component is divided into five risk management functions to provide a high-level overview of the organization's cybersecurity situation. a) Identification: Development of complete knowledge about the cyber environment, particularly systems, assets, data, and capabilities. b) Protect: Appropriate deployment and development to limit potential cybersecurity crash events. c) Detection: Developing and implementing appropriate activities to identify cybersecurity events quickly. d) Respond: Develop and implement appropriate activities to avoid the unwanted impact of cybersecurity events. e) Recovery: Development and recovery activities to maintain resilience plans and restore capabilities that may be compromised by a cybersecurity incident. These five functions are divided into 23 categories and 108 sub-categories, with each sub-category, is a list of external reference materials.

2) Profile
The framework profile represents the adjustments and priorities of activities and results for various industries and organizations according to their needs. Profiling is expected to increase cybersecurity readiness and help organizations analyse existing gaps. Furthermore, we can create a profile by looking for the categories/ subcategories most important to them from mapping.

3) Implementation Level
The implementation level is a feature that can help an organization measure where it is positioned within the framework: aware of risks and threats, recurring, and adaptable.

C. ISO/IEC 27002
The International Standards Organization (ISO) has adopted an information security management system from BS 7799 to ISO/IEC 27000. This system is a systematic approach to managing and controlling organizational information systems to maintain three main aspects, namely confidentiality, integrity, and availability of information. ISO/IEC 27002 is one of the derivatives of ISO/IEC 27000, which serves as a guide to explain the implementation of information security implementation using controls to achieve the stated goals [9]. The structure of power presented covers all 11 security areas, as defined in ISO/IEC 27001. ISO/IEC 27002 does not require a particular form of control but leaves it up to the user to select and implement the right control according to their needs, taking into account the results of the risk assessment he has done [10]. Power from ISO 27002 2013 has 18 sections, according to Figure 2. The section contains 14 security control clauses, 35 security categories, and 114 controls, which are expected to assure information security by implementing these controls. COBIT is a governance framework and information and technology management that is managed as a whole company. It contains the components and design factors for building and maintaining the governance system that the organization needs [11]. COBIT 5 was published in 2012, and to keep it relevant, 2019 saw an update to ensure more effective version control. Become the COBIT 2019 Framework: Governance and Management Objectives or also known as the COBIT 2019 Core Model. COBIT 2019 makes a clear distinction between management and governance processes in which it describes comprehensively 40 governance and management objectives. The 2019 COBIT product range is open-ended. The development of new guidelines, training, and resources to support the 2019 COBIT product range is continuously assessed based on market demand and managed through the ISACA product roadmap [9]. In COBIT 5, there are seven enablers as the main component to achieve governance objectives to create value from information technology. COBIT 2019 uses the same grouping consisting of one governance domain and four management domains. An environment main has a name with a verb that describes the primary purpose/ and the field of activity contained therein. COBIT 5, the division of 5 domains into the organization's IT processes into two main process areas, namely [12]: 1) Governance contains five governance processes determined by practice in each evaluation process, direct, and monitor (EDM). 2) Management, containing four domains, aligning with the area of responsibility of plan, build, run, and monitor, and provide a comprehensive IT scope from end-to-end, including: a) Align, Plan, and Organize (APO), including alignment, planning, and setting so that IT can contribute to achieving business goals, b) Build, Acquire, and Implement (BAI), including the process of building, acquiring, and implementing systems that support business processes, c) Delivery, Service, and Support (DSS), including delivering, service, support, or providing business process, d) Monitoring, Evaluation, and Assessment (MEA), includes monitoring, evaluating, and managing processes/ by independent monitoring agencies from both inside and outside the organization. At COBIT 2019, there are seven enablers as components of governance.

E. Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a global data security standard on payment cards (credit, debit, ATM) for all entities that process, store, or transmit cardholder data and/or sensitive authentication data transmitted online [13]. The PCI DSS consists of technical and operational requirements that process payment transactions, software developers, application manufacturers, and devices used in these transactions to improve payment card account data security [14]. PCI DSS provides basic security requirements that can help businesses build security programs and determining what steps to take. There are three (3) steps to follow the PCI DSS standard: 1) Assess, identify card owner data, record Information Technology asset inventory along with the business process in processing payment cards, and analyze vulnerabilities that could potentially reveal cardholder data. 2) Remediate, make improvements to the identified vulnerabilities. In this case, by not storing unnecessary cardholder data and implementing a secure business process. 3) Report, perform the two-stage documentation above/ and send a corrective note. The next process is to send a compliance report to the bank concerned to secure the card used.
The PCI DSS certification requirements also cover thirdparty data centre facility providers as a means of storing or backing up cardholder customer data. PCI DSS issues more than 250 (two hundred and fifty) sub-requirements, which are grouped into 6 (six) objectives and 12 (twelve) main requirements to get certification that an organization has implemented the PCI DSS security standard [15].

A. Comparison Analysis
The following comparisons analysis have been made: The next analysis process is to do the coding process, based on table II the variables used as the basis for drafting the framework integration concept are to use each framework's categories. Each variety of the four frameworks is codified with the provision that A is the category code for the NIST model, B is the ISO 27002 model code, C is the COBIT model category code, and D is the PCI DSS model. The following is an example of coding in the ID column in the following table: The next step is to analysing the categories of each framework, referring to the table II results then one of the necessary frameworks used is the NIST model, is by seeing that the framework has the same business process as the ABC Organization, so the next step is to conduct content analysis. The meaning contained in the activities of each category is generated with the following examples.  Management identifies organizational assets, including optimal personnel, data, devices, systems, and facilities to achieve organizational goals and are part of its risk strategy.

Business Environment
A series of strengths that affect the organization's business in the form of mission, objectives, stakeholders, and its activities ranging from the aspects of strategy setting, performance management, and monitoring of its suitability to be subsequently used in the direction of shared roles, responsibilities, and cybersecurity risk management. 3 Governance The stages in organizational decision making by considering a set of policies, procedures, and processes used to manage and monitor regulatory, legal, risk, environmental, operational, and organizational renewal requirements to be understood and informed on the scope of cybersecurity risk management. 4 Risk Assessment Management of the organization's business continuity through cybersecurity risk management, which includes mission, functions, assets, both personnel and infrastructure, business processes, and reputation 5 Risk Management Strategy Determination and management of priority scales, constraints, risk tolerance, and organizational assumptions are then used to support operational risk decision making. 6 Supply Chain Risk Management Determination of priority scales, constraints, risk tolerance, and organizational assumptions is then used to support risk-making decisions by going through the supply chain risk management process. 7 Identify Management and Access Control The management stages of identification and restriction and monitoring of access to physical and logical assets and facilities for legitimate users, processes, and devices are following the

No
Categories Description assessed risks of unauthorized access to permitted activities and transactions. 8 Awareness and Training Management of organizational information security knowledge through personnel and partners provided cybersecurity awareness education and training in carrying out cybersecurity-related duties and responsibilities consistently through established policies, procedures, and agreements. 9 Data Security Management of the Information and technology framework following the organization's risk strategy in protecting the confidentiality, integrity, and availability of information. 10 Information Protection Processes & Procedures The process of maintaining the scope of resource management and procedures to protect information systems and organizational assets 11 Maintenance Maintenance, development, and repair of industrial information and control system components are carried out following policies and procedures to ensure security. 12 Protective Technology "Efforts to ensure the security and resilience of systems and assets, through technical security management are carried out by related policies, procedures, and agreements.

Anomalies and Events
The process of detecting anomalies and the potential impact of an incident / determining an early warning system of an event that is likely to occur 14 Security Continuous Monitoring Monitoring implementation information systems and assets to identify cybersecurity vulnerabilities and verify and take effective action as a form of protection.

Detection Processes
Maintenance of the detection process and the implementation of periodic testing to detect abnormal events. 16 Response Planning The planning stages of maintenance of processes and procedures to ensure the response to a detected cybersecurity incident. 17 Communications A form of coordination activity for both internal and external stakeholders to maintain and manage incident management.

Analysis
The analysis process is undertaken to ensure an effective response in support of recovery activities.

Mitigations
A series of activities carried out to prevent, reduce their effects, and resolve incidents. 20 Improvement Efforts to improve from the learning process in the period obtained from current and previous detection/response activities to improve in the future period 21 Recovery Planning A rational recovery planning process to ensure the recovery of systems or assets due to cybersecurity incidents.

IV. CONCLUSIONS
Based on the content analysis carried out on the four NIST frameworks, ISO 27002, COBIT, and PCI DSS, a new framework is formed that can be used by ABC organizations in measuring the maturity level of its cybersecurity. The framework consists of 21 categories that can be the basis for mapping the improvement of ABC's organizational maturity capabilities. In further research, a validation process can be carried out against the framework that has been produced. Besides, subcategory mapping can also be done to obtain a more comprehensive conceptual framework.