Cybertrack Methodology
We built the Cybertrack assessment methodology by leveraging the Indiana University Center for Applied Cybersecurity Research’s (IU CACR) expertise in cybersecurity assessment methodology development and Purdue cyberTAP’s experience conducting CSET-based assessments for public-sector organizations. The methodology is designed to be standardized, highly efficient, and effective at helping public sector organizations prioritize the most doable, impactful actions and build an overarching picture of cybersecurity across the state.
At a program level, Cybertrack is built to do two things at once:
- Directly Assist the Local Communities. The results of the individual assessments will inform each local government entity's cybersecurity strategy, with a particular focus on short-term priorities.
- Inform the State's Local Government Cybersecurity Policy and Strategy. Standardized, verified, and (ultimately) longitudinal information.
Assessment Types
Cybertrack
The standard assessment is best for organizations with relatively little reliance on operational technology. The main technical focus is traditional information technology and how it enables your organization’s mission.
Cybertrack+
Recommended for OT-reliant environments
This assessment is best for organizations with a substantial and/or mission-critical operational technology footprint. It addresses both IT and OT equally well, and covers a handful of additional cybersecurity controls. This assessment requires a few more effort hours to complete, but is well worth it if OT is an important part of your technology environment.
Assessment Phases
All four phases take about 10-12 weeks to complete for standard Cybertrack assessments. Cybertrack+ assessments may require an additional 2-4 weeks to complete depending on scheduling.
Organizations can expect to devote 10 to 14 hours of effort depending on the type of assessment.
A one-hour kickoff to explain the assessment process, receive assessment written discovery material and instructions, and to address questions.
Participants complete written responses to a structured set of questions covering organizational cybersecurity fundamentals (governance, resourcing, policy) and technical safeguards.
Cybertrack+ assessments include Discovery Assistance. This is a meeting conducted two weeks after onboarding focused on assisting public sector organizations in completing the Written Discovery Requests.
A two-hour meeting with a dedicated Cybertrack Assessment Team to clarify relevant facts, validate discovery responses, and help identify/tailor recommendations for the report.
The Assessment Team produces a concise report with evaluations of organizational cybersecurity fundamentals and safeguards, actionable recommendations, and supporting rationale.
Cybertrack+ assessments include a Post Assessment Outbriefing where the Assessment Team provides a briefing of each recommendation from the report and addresses questions from participants.
The Cybertrack Standard
Supporting Evidence-Based, Cost-Conscious Cybersecurity
Cybertrack’s assessment standard is derived from two complementary sources:
-
Trusted CI Framework: an evidence-based minimum standard for cybersecurity programs. Built in Indiana, it focuses on organizational cybersecurity fundamentals such as governance, mission alignment, and resourcing. It consists of 16 “Musts,” organized under four pillars: Mission Alignment, Governance, Resources, and Controls.
-
CIS Controls: technical safeguards that are highly prioritized, updated frequently, described in sufficient detail for practitioners to implement, and developed by a collaborative and open process informed by a diverse group of cybersecurity practitioners.
Together, these sources help Cybertrack produce recommendations that are both high-impact and practical for public sector organizations.
The Organizational Level: Trusted CI Framework
Cybertrack assesses 6 of the most fundemental Musts:
| Must 5 Leadership | Organizations must involve leadership in cybersecurity decision making. |
| Must 7 Cybersecurity Lead | Organizations must establish a lead role with responsibility to advise and provide services to the organization on cybersecurity matters. |
| Must 9 Policy | Organizations must develop, adopt, explain, follow, enforce, and revise cybersecurity policies. |
| Must 12 Budget | Organizations must establish and maintain a cybersecurity budget. |
| Must 13 Personnel | Organizations must allocate personnel resources to cybersecurity. |
| Must 15 Baseline Control Set | Organizations must adopt and use a baseline control set. |
The Technical Level: CIS Controls
Cybertrack assesses up to 40 Safeguards depending on the assessment type. The Cybertrack Standard focuses on two evidence-based, highly effective subsets:
-
Transformative Twelve (T12): safeguards determined by IU CACR’s analysis and triangulation of systematic studies as the most proven—impactful security controls for organizations with limited resources.
-
OT22: safeguards that are the most proven—impactful cybersecurity controls for operational technology (OT)‑rich environments, identified using the same research methodology that discovered the T12.
Together, these form the Sturdy 30—the empirically proven controls that represent most of the Cybertrack Standard and cover both IT and OT systems ensuring that assessment outcomes are directly tied to practical, high‑impact recommendations.
From the CIS Controls v8.0. To learn more about our methodology, and all 40 Safeguards we assess, review our latest Aggregate Results Report.