User:Shawndouglas/sandbox/sublevel30 - Revision history

Shawndouglas: Replaced content with "
TOC
{{ombox | type = notice | style = width: 960px; | text = This is sublevel30 of my sandbox, where I play with features and..."

2023-08-16T20:34:26Z

Replaced content with "<div class="nonumtoc">__TOC__</div> {{ombox | type = notice | style = width: 960px; | text = This is sublevel30 of my sandbox, where I play with features and..."

← Older revision		Revision as of 20:34, 16 August 2023
Line 1:		Line 1:
	~~===6.4 What questions should be asked of a cloud provider?===~~		<div class="nonumtoc">__TOC__</div>
	Here we provide a concise listing of 18 questions your organization should be asking any cloud providers being considered for your cloud project. (A broader list of questions is discussed in the next subsection about RFIs.) As part of the discovery phase of your formal cloud project, some of these questions may have been asked prior, but many of them will likely not have been addressed in prior discussions. Most of these questions have already been addressed in prior sections of this guide, but a "shopping list" is always handy, yes? Like the prior list, the ordering here means little, aside from perhaps an attempt at semi-logical progression from introduction to the provider to wrapping up agreements.<~~ref name~~="~~APHLBreaking17~~">{{cite web \|url=https://www.aphl.org/aboutAPHL/publications/Documents/INFO-2017Jun-Cloud-Computing.pdf \|format=PDF \|title=Breaking Through the Cloud: A Laboratory Guide to Cloud Computing \|author=Association of Public Health Laboratories \|publisher=Association of Public Health Laboratories \|date=2017 \|accessdate=28 July 2023}}</~~ref><ref name="IFAhelp20"~~>{{~~cite web~~ \|~~url~~=https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/ \|title=A Helpful Guide to Cloud Computing in a Laboratory \|work=InterFocus Blog \|publisher=InterFocus Ltd \|date=05 October 2020 \|accessdate=28 July 2023}}</ref><ref name="EusticeUnder18">{{cite web \|~~url~~=~~https~~:~~//legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing~~ \|~~title~~=~~Understand the intersection between data privacy laws and cloud computing \|author=Eustice, J.C. \|work=Legal Technology, Products~~, and ~~Services \|publisher=Thomson Reuters \|date=2018 \|accessdate=28 July 2023}}</ref><ref name="WardCloud19">{{cite web \|url=https://www~~.~~labmanager.com/cloud-computing-~~for~~-the-laboratory-736 \|title=Cloud Computing for the Laboratory~~: ~~Using data in the cloud - What it means for data security~~ \|~~author=Ward, S~~. ~~\|work=Lab Manager \|date=09 October 2019 \|accessdate=28 July 2023}}</ref>~~<~~ref name="LBMCNine21"~~>{{cite web \|url=https://www.lbmc.com/blog/questions-cloud-service-providers/ \|title=Nine Due Diligence Questions to Ask Cloud Service Providers \|author=LBMC \|work=LBMC Blog \|date=24 February 2021 \|accessdate=28 July 2023}}</~~ref~~><ref name="TRThree21">{{cite web \|url=https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/ \|archiveurl=https://web.archive.org/web/20210304141517/https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/ \|title=Three questions you need to ask your cloud vendors \|author=Thomson Reuters \|work=Thomson Reuters Legal Blog \|date=03 March 2021 \|archivedate=04 March 2021 \|accessdate=28 July 2023}}~~</ref>~~		{{ombox
			\| type = notice
			\| style = width: 960px;
			\| text = This is sublevel30 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas\|my discussion page]] instead.<p></p>
			}}

	~~# What experience do you have working with laboratory customers in our specific industry?~~		==Sandbox begins below==
	~~# Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?~~
	~~# What is the average total historical downtime for the service(s) we're interested in?~~
	~~# Do we receive comprehensive downtime support in the case of downtime?~~
	~~# Where are your servers located, and how is data securely transferred to and from those servers?~~
	~~# Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?~~
	~~# Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?~~
	# How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
	~~# Do you have documented data security policies?~~
	~~# How do you test your platform's security?~~
	~~# What are your policies for security audits, intrusion detection, and intrusion reporting?~~
	~~# What data logging information is kept and acted upon in relation to our data?~~
	~~# How thorough are those logs and can we audit them on-demand?~~
	~~# For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?~~
	~~# What happens to our data should the contract expire or be terminated?~~
	~~# What happens to our data should you go out of business or suffer a catastrophic event?~~
	~~# Can we use your interface to extract our data when we want, and in what format will it be?~~
	~~# Are your support services native or outsourced/offshored?~~

	====~~6.4.1 Using a request for information (RFI) process====~~
	We've already talked about the RFI process in the previous chapter, so we won't rehash the specifics here. However, note that the 18 critical questions prior are also addressed, along with many others, in the cloud computing RFI questions posed in Appendix 3. Like the list of RFI questions to ask of MSSPs, the cloud computing RFI questions represent a thorough list of potential questions to ask of a cloud provider. Your lab will still want to keep any RFI derived from those questions succinct in order to get the most responses, keeping in mind that it doesn't need to address every question but rather have enough critical questions to narrow down your search to a few quality candidates. From there, you can return to the RFI questions and ask more pointed ones of those candidates you narrowed your list down to.

	~~The format of the questions is the same as those found in the MSSP RFI, and there's even some crossover in several cases.~~

Shawndouglas at 22:57, 27 July 2023

2023-07-27T22:57:07Z

← Older revision	Revision as of 22:57, 27 July 2023
Line 1:	Line 1:
		===6.4 What questions should be asked of a cloud provider?===
		Here we provide a concise listing of 18 questions your organization should be asking any cloud providers being considered for your cloud project. (A broader list of questions is discussed in the next subsection about RFIs.) As part of the discovery phase of your formal cloud project, some of these questions may have been asked prior, but many of them will likely not have been addressed in prior discussions. Most of these questions have already been addressed in prior sections of this guide, but a "shopping list" is always handy, yes? Like the prior list, the ordering here means little, aside from perhaps an attempt at semi-logical progression from introduction to the provider to wrapping up agreements.<ref name="APHLBreaking17">{{cite web \|url=https://www.aphl.org/aboutAPHL/publications/Documents/INFO-2017Jun-Cloud-Computing.pdf \|format=PDF \|title=Breaking Through the Cloud: A Laboratory Guide to Cloud Computing \|author=Association of Public Health Laboratories \|publisher=Association of Public Health Laboratories \|date=2017 \|accessdate=28 July 2023}}</ref><ref name="IFAhelp20">{{cite web \|url=https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/ \|title=A Helpful Guide to Cloud Computing in a Laboratory \|work=InterFocus Blog \|publisher=InterFocus Ltd \|date=05 October 2020 \|accessdate=28 July 2023}}</ref><ref name="EusticeUnder18">{{cite web \|url=https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing \|title=Understand the intersection between data privacy laws and cloud computing \|author=Eustice, J.C. \|work=Legal Technology, Products, and Services \|publisher=Thomson Reuters \|date=2018 \|accessdate=28 July 2023}}</ref><ref name="WardCloud19">{{cite web \|url=https://www.labmanager.com/cloud-computing-for-the-laboratory-736 \|title=Cloud Computing for the Laboratory: Using data in the cloud - What it means for data security \|author=Ward, S. \|work=Lab Manager \|date=09 October 2019 \|accessdate=28 July 2023}}</ref><ref name="LBMCNine21">{{cite web \|url=https://www.lbmc.com/blog/questions-cloud-service-providers/ \|title=Nine Due Diligence Questions to Ask Cloud Service Providers \|author=LBMC \|work=LBMC Blog \|date=24 February 2021 \|accessdate=28 July 2023}}</ref><ref name="TRThree21">{{cite web \|url=https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/ \|archiveurl=https://web.archive.org/web/20210304141517/https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/ \|title=Three questions you need to ask your cloud vendors \|author=Thomson Reuters \|work=Thomson Reuters Legal Blog \|date=03 March 2021 \|archivedate=04 March 2021 \|accessdate=28 July 2023}}</ref>

		# What experience do you have working with laboratory customers in our specific industry?
		# Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
		# What is the average total historical downtime for the service(s) we're interested in?
		# Do we receive comprehensive downtime support in the case of downtime?
		# Where are your servers located, and how is data securely transferred to and from those servers?
		# Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
		# Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
		# How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
		# Do you have documented data security policies?
		# How do you test your platform's security?
		# What are your policies for security audits, intrusion detection, and intrusion reporting?
		# What data logging information is kept and acted upon in relation to our data?
		# How thorough are those logs and can we audit them on-demand?
		# For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
		# What happens to our data should the contract expire or be terminated?
		# What happens to our data should you go out of business or suffer a catastrophic event?
		# Can we use your interface to extract our data when we want, and in what format will it be?
		# Are your support services native or outsourced/offshored?

		====6.4.1 Using a request for information (RFI) process====
		We've already talked about the RFI process in the previous chapter, so we won't rehash the specifics here. However, note that the 18 critical questions prior are also addressed, along with many others, in the cloud computing RFI questions posed in Appendix 3. Like the list of RFI questions to ask of MSSPs, the cloud computing RFI questions represent a thorough list of potential questions to ask of a cloud provider. Your lab will still want to keep any RFI derived from those questions succinct in order to get the most responses, keeping in mind that it doesn't need to address every question but rather have enough critical questions to narrow down your search to a few quality candidates. From there, you can return to the RFI questions and ask more pointed ones of those candidates you narrowed your list down to.

		The format of the questions is the same as those found in the MSSP RFI, and there's even some crossover in several cases.

Shawndouglas: Blanked the page

2021-09-06T13:12:20Z

Blanked the page

← Older revision		Revision as of 13:12, 6 September 2021
Line 1:		Line 1:
	~~<div class="nonumtoc">__TOC__</div>~~
	~~==Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec==~~
	What follows is essentially a simplification of the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final NIST Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations''. As mentioned earlier, while this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework is too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 and ISO/IEC 27001. As such, you're able to not only see how it connects to the more advanced document but also to the International Organization for Standardization's international standard "for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."<ref name="ISO27001_19">{{cite web \|url=https://www.iso.org/standard/54534.html \|title=SO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements \|publisher=International Organization for Standardization \|date=03 June 2019 \|accessdate=07 December 2019}}</ref> For an even broader, more simplified NIST approach to 800-53, you may rather want to turn to the [https://www.nist.gov/cyberframework/framework NIST Cybersecurity Framework], which is suitable for those without a technical background.

	The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Then, a simplified description—with occasional outside references—is added, based on the original text. Finally, additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.

	Finally, if you are implementing or have implemented information management software in your laboratory, you may also find links to [[Book:LIMSpec 2019 R1\|LIMSpec]] in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of laboratory informatics systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)."

	In some cases the comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in hand ''aids the organization'' in conforming to the NIST controls specifying policies be created and managed.

	'''NOTE''': Under "Additional resources," occasionally a guide, brochure, or blog post from a particular company will appear. That guide or brochure is added solely because it provides contextual information about the specific NIST control. The inclusion as a resource of such a guide, brochure, or blog post ''should not'' be considered an endorsement for the company that published it.

	~~===Appendix 1.1 Access control===~~
	~~{{Template:Cybersecurity/Access control}}~~


	~~===Appendix 1.2 Awareness and training===~~
	~~{{Template:Cybersecurity/Awareness and training}}~~


	~~===Appendix 1.3 Audit and accountability===~~
	~~{{Template:Cybersecurity/Audit and accountability}}~~


	~~===Appendix 1.4 Security assessment and authorization===~~
	~~{{Template:Cybersecurity/Security assessment and authorization}}~~


	~~===Appendix 1.5 Configuration management===~~
	~~{{Template:Cybersecurity/Configuration management}}~~


	~~===Appendix 1.6 Contingency planning===~~
	~~{{Template:Cybersecurity/Contingency planning}}~~


	~~===Appendix 1.7 Identification and authentication===~~
	~~{{Template:Cybersecurity/Identification and authentication}}~~


	~~===Appendix 1.8 Incident response===~~
	~~{{Template:Cybersecurity/Incident response}}~~


	~~===Appendix 1.9 Maintenance===~~
	~~{{Template:Cybersecurity/Maintenance}}~~


	~~===Appendix 1.10 Media protection===~~
	~~{{Template:Cybersecurity/Media protection}}~~


	~~===Appendix 1.11 Physical and environmental protection===~~
	~~{{Template:Cybersecurity/Physical and environmental protection}}~~


	~~===Appendix 1.12 Planning===~~
	~~{{Template:Cybersecurity/Planning}}~~


	~~===Appendix 1.13 Personnel security===~~
	~~{{Template:Cybersecurity/Personnel security}}~~


	~~===Appendix 1.14 Risk assessment===~~
	~~{{Template:Cybersecurity/Risk assessment}}~~


	~~===Appendix 1.15 System and services acquisition===~~
	~~{{Template:Cybersecurity/System and services acquisition}}~~


	~~===Appendix 1.16 System and communications protection===~~
	~~{{Template:Cybersecurity/System and communications protection}}~~


	~~===Appendix 1.17 System and information integrity===~~
	~~{{Template:Cybersecurity/System and information integrity}}~~

	~~==References==~~
	~~{{Reflist\|colwidth=30em}}~~

Shawndouglas: /* Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec */

2020-07-17T16:54:38Z

Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec

← Older revision		Revision as of 16:54, 17 July 2020
Line 7:		Line 7:
	Finally, if you are implementing or have implemented information management software in your laboratory, you may also find links to [[Book:LIMSpec 2019 R1\|LIMSpec]] in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of laboratory informatics systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)."		Finally, if you are implementing or have implemented information management software in your laboratory, you may also find links to [[Book:LIMSpec 2019 R1\|LIMSpec]] in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of laboratory informatics systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)."

	In some cases the comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in hand aids the organization in conforming to the NIST controls specifying policies be created and managed.		In some cases the comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in hand ''aids the organization'' in conforming to the NIST controls specifying policies be created and managed.

	'''NOTE''': Under "Additional resources," occasionally a guide, brochure, or blog post from a particular company will appear. That guide or brochure is added solely because it provides contextual information about the specific NIST control. The inclusion as a resource of such a guide, brochure, or blog post ''should not'' be considered an endorsement for the company that published it.		'''NOTE''': Under "Additional resources," occasionally a guide, brochure, or blog post from a particular company will appear. That guide or brochure is added solely because it provides contextual information about the specific NIST control. The inclusion as a resource of such a guide, brochure, or blog post ''should not'' be considered an endorsement for the company that published it.

Shawndouglas: /* Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec */

2020-07-17T16:38:06Z

Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec

← Older revision		Revision as of 16:38, 17 July 2020
Line 5:		Line 5:
	The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Then, a simplified description—with occasional outside references—is added, based on the original text. Finally, additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.		The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Then, a simplified description—with occasional outside references—is added, based on the original text. Finally, additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.

	Finally, if you are implementing or have implemented information management software in your laboratory, you may also find links to LIMSpec in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of laboratory informatics systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)."		Finally, if you are implementing or have implemented information management software in your laboratory, you may also find links to [[Book:LIMSpec 2019 R1\|LIMSpec]] in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of laboratory informatics systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)."

	In some cases the comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in hand aids the organization in conforming to the NIST controls specifying policies be created and managed.		In some cases the comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in hand aids the organization in conforming to the NIST controls specifying policies be created and managed.

Shawndouglas: /* Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec */

2019-12-20T19:29:28Z

Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec

← Older revision		Revision as of 19:29, 20 December 2019
Line 1:		Line 1:
	<div class="nonumtoc">__TOC__</div>		<div class="nonumtoc">__TOC__</div>
	==Appendix 1. A simplified description of NIST ~~Cybersecurity Framework~~ controls, with ties to LIMSpec==		==Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec==
	What follows is essentially a simplification of the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final NIST Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations''. As mentioned earlier, while this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework is too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 and ISO/IEC 27001. As such, you're able to not only see how it connects to the more advanced document but also to the International Organization for Standardization's international standard "for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."<ref name="ISO27001_19">{{cite web \|url=https://www.iso.org/standard/54534.html \|title=SO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements \|publisher=International Organization for Standardization \|date=03 June 2019 \|accessdate=07 December 2019}}</ref> For an even broader, more simplified NIST approach to 800-53, you may rather want to turn to the [https://www.nist.gov/cyberframework/framework NIST Cybersecurity Framework], which is suitable for those without a technical background.		What follows is essentially a simplification of the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final NIST Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations''. As mentioned earlier, while this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework is too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 and ISO/IEC 27001. As such, you're able to not only see how it connects to the more advanced document but also to the International Organization for Standardization's international standard "for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."<ref name="ISO27001_19">{{cite web \|url=https://www.iso.org/standard/54534.html \|title=SO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements \|publisher=International Organization for Standardization \|date=03 June 2019 \|accessdate=07 December 2019}}</ref> For an even broader, more simplified NIST approach to 800-53, you may rather want to turn to the [https://www.nist.gov/cyberframework/framework NIST Cybersecurity Framework], which is suitable for those without a technical background.

Shawndouglas: /* Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec */

2019-12-19T18:56:58Z

Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec

← Older revision		Revision as of 18:56, 19 December 2019
Line 1:		Line 1:
	<div class="nonumtoc">__TOC__</div>		<div class="nonumtoc">__TOC__</div>
	==Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec==		==Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec==
	What follows is essentially a simplification of the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final NIST Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations''. As mentioned earlier, while this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework is too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 and ISO/IEC 27001. As such, you're able to not only see how it connects to the more advanced document but also to the International Organization for Standardization's international standard "for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."<ref name="ISO27001_19">{{cite web \|url=https://www.iso.org/standard/54534.html \|title=SO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements \|publisher=International Organization for Standardization \|date=03 June 2019 \|accessdate=07 December 2019}}</ref>		What follows is essentially a simplification of the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final NIST Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations''. As mentioned earlier, while this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework is too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 and ISO/IEC 27001. As such, you're able to not only see how it connects to the more advanced document but also to the International Organization for Standardization's international standard "for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."<ref name="ISO27001_19">{{cite web \|url=https://www.iso.org/standard/54534.html \|title=SO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements \|publisher=International Organization for Standardization \|date=03 June 2019 \|accessdate=07 December 2019}}</ref> For an even broader, more simplified NIST approach to 800-53, you may rather want to turn to the [https://www.nist.gov/cyberframework/framework NIST Cybersecurity Framework], which is suitable for those without a technical background.

	The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Then, a simplified description—with occasional outside references—is added, based on the original text. Finally, additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.		The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Then, a simplified description—with occasional outside references—is added, based on the original text. Finally, additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.
Line 77:		Line 77:
	===Appendix 1.17 System and information integrity===		===Appendix 1.17 System and information integrity===
	{{Template:Cybersecurity/System and information integrity}}		{{Template:Cybersecurity/System and information integrity}}


	==References==		==References==
	{{Reflist\|colwidth=30em}}		{{Reflist\|colwidth=30em}}

Shawndouglas at 23:36, 13 December 2019

2019-12-13T23:36:10Z

Show changes

Shawndouglas: Created page with "
TOC
==Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec== What follows is essentially a simpl..."

2019-12-13T22:42:43Z

Created page with "<div class="nonumtoc">__TOC__</div> ==Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec== What follows is essentially a simpl..."

Show changes

User:Shawndouglas/sandbox/sublevel30 - Revision history

Shawndouglas: Replaced content with "__TOC__ {{ombox | type = notice | style = width: 960px; | text = This is sublevel30 of my sandbox, where I play with features and..."

Shawndouglas at 22:57, 27 July 2023

Shawndouglas: Blanked the page

Shawndouglas: /* Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec */

Shawndouglas: /* Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec */

Shawndouglas: /* Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec */

Shawndouglas: /* Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec */

Shawndouglas at 23:36, 13 December 2019

Shawndouglas: Created page with "__TOC__ ==Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec== What follows is essentially a simpl..."

Shawndouglas: Replaced content with "
TOC
{{ombox | type = notice | style = width: 960px; | text = This is sublevel30 of my sandbox, where I play with features and..."

Shawndouglas: Created page with "
TOC
==Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec== What follows is essentially a simpl..."