Using the Cybersecurity Assessment Tool (CSAT)

OVERVIEW
In light of the increasing volume and sophistication of cyber threats, the University of Chicago (UoC)
Biological Sciences Division (BSD) Information Security Office (ISO) developed the Cybersecurity
Assessment Tool (CSAT) to help BSD department managers and IT managers increase awareness of
cybersecurity risks, and assess and mitigate the risks facing their department. The CSAT provides a
repeatable and measurable process for BSD departments to measure their cybersecurity preparedness
over time.
The CSAT is an Excel-based survey tool used to measure the cybersecurity capabilities of BSD
departments. The tool includes two separate MS Excel workbooks. The first workbook is the CSAT
Survey. The survey file is used by BSD departments to complete the survey and is further described
below. The second workbook is the CSAT Dashboards. The CSAT Dashboards workbook provides
reports and metrics based on survey responses from the BSD departments. This workbook will remain
blank until data/information is entered.
The CSAT is based on NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The
survey questions and their corresponding results leverage the Framework Core to ensure all aspects of
cybersecurity are assessed. The CSAT expands on the Cybersecurity Framework by dividing the
Framework Core categories into three domains: People, Process, and Technology.

INSTRUCTIONS
Please use the following process for utilizing the CSAT:
● Step 1 – Download and read the BSD ISO Cybersecurity Assessment Tool User Guide.
● Step 2 – Download the BSD ISO Cybersecurity Assessment Tool and complete the survey
questions and Excel tables.
● Step 3 – The completed assessment of your own organization or fictitious organization
(department) will be part of your Final Project results and recommendations section. Refer to the
Final Project document for details.

USING THE CSAT (FREQUENTLY ASKED QUESTIONS)

Copyright © 2020 by Thomas Edison State University. All rights reserved.

● Q1: Who should be participating in this survey? A1: This survey is optimally designed for the
department’s IT Manager with support from a small group of IT staff who have been with the
department long enough to have an understanding of its IT practices.
● Q2: What should be done if a question doesn’t seem to directly apply to the department? A2:
Each question must be answered in order to generate results. If it appears that the question does
not apply to your department, still select the answer you think most closely describes your
department for that capability.
● Q3: What if none of the ratings describe the department or if the department falls between
several options? A3: Select the rating closest to what describes the department. When in doubt,
err on the low side. Feel free to leave a comment in the notes column for that question explaining
why you selected that option.
● Q4: What should we do if another department is handling an activity for us? A4: Do not
automatically assume that the other department is performing the task in a complete and secure
manner. Ask yourself if you have a documented Transitional Service Agreement (TSA) with the
department, and what security practices you know they have in place. When in doubt, err on the
low side.
● Q5: Are the questions in the People domain rating individuals or departmental people resources
as a whole? A5: The questions in the People domain ask whether the department has the
appropriate quantity of people with the appropriate skill base for completing an activity; they are not
meant to single out individuals.
● Q6: In the Process domain of the survey, what should be selected if the activity is consistently
performed and communicated, but not documented? A6: When this is the case, err on the low
side. If no documentation of the process exists, even if the activity is being performed completely,
select ad-hoc. This will allow your department to show quick improvement once documentation
has been created.