Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
====PS-1 Personnel security policy and procedures====
====RA-1 Risk assessment policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update personnel security policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personnel security action but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk asssessment action but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12], page 68
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 68–69
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publication 800-100], pages 84–95
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====PS-2 Position risk designation====
====RA-2 Security categorization====
This control recommends the organization assign risk designations to all organizational positions. NIST states that risk designations "can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems." Deciding on the appropriate risk level designation (e.g., high, moderate, or low) for a position may be "determined by the position's potential for adverse impact to the efficiency or integrity of the service."<ref name="LII5CFR">{{cite web |url=https://www.law.cornell.edu/cfr/text/5/731.106 |title=5 CFR § 731.106 - Designation of public trust positions and investigative requirements |work=Legal Information Institute |publisher=Cornell |accessdate=23 July 2020}}</ref> Those authorizations should be created only after screening criteria for the position have been met. Additionally, the organization should review and updated their risk designations at a defined frequency.
This control recommends the organization categorize the information system and its data based on security. More specifically, NIST notes the security categorization should be based upon "the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability." Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.


'''Additional resources''':
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
 
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publication 800-39]
====PS-3 Personnel screening====
This control recommends the organization perform a security screening of individuals before authorizing them to access the information system, as well as rescreen those individuals based on organization-defined conditions and frequencies.
 
'''Additional resources''':
* [https://www.law.cornell.edu/cfr/text/5/731.106 5 CFR 731.106]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====PS-4 Personnel termination====
====RA-3 Risk assessment====
This control recommends the organization conduct a series of security steps upon termination of personnel. Those steps include disabling system access within an organization-defined period of time, revoking the individual's authenticators or credentials, having an exit interview with the individual about system security topics, retrieving any organizational information and property related to the information system controlled by the individual, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.
This control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized "access, use, disclosure, disruption, modification, or destruction" of the system and its data. The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency updated when significant changes to the system or cybersecurity threats occur.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.28] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4]
 
====PS-5 Personnel transfer====
This control recommends the organization conduct a series of security steps upon the reassignment or transfer of personnel. Those steps include reviewing and confirming the ongoing need for the individual's current access authorizations, initiating any necessary access modification or other types of action within an organization-defined period of time, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.4]
 
====PS-6 Access agreements====
This control recommends the organization develop, document, review, and update access agreements for organizational information systems, ensuring that individuals requiring access to the system sign the agreement before accessing the system and resign the agreement upon the agreement being updated by the organization, or at a designated frequency.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publication 800-39]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====PS-7 Third-part personnel security====
====RA-5 Vulnerability scanning====
This control recommends the organization establish a set of security requirements for third-party personnel. Those requirements should elaborate on third-party personnel security roles, responsibilities, and requirements; require said personnel to comply with organizational personnel security policy and procedures; require prompt notification from third-party providers when associated personnel possessing authenticators or credentials and who have access to the system transfer or leave; and compel the organization to monitor provider compliance.
This control recommends the organization conduct vulnerability scanning of its system. "Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms." These scans should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using formatting checklists test procedures, while also measuring vulnerability impact. The organizations should analyze the results of these scans, remediated legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system.


'''Additional resources''':
'''Additional resources''':
* [https://nvd.nist.gov/ NIST National Vulnerability Database]
* [https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final NIST Special Publication 800-40, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publication 800-70, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publication 800-115]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)
====PS-8 Personnel sanctions====
This control recommends the organization put into place a formal sanctions process for individuals who fail to comply with organizational information security policies and procedures. When a formal sanction process is initiated, the organization will notify designated personnel or roles within an organization-defined period of time of the sanctions, including who is affected and the reasoning behind the sanctions.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
==References==
{{Reflist}}
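Review bot: the new RA-1 paragraph misspells "asssessment" ("enforcement of risk asssessment action"); it should read "risk assessment". In the RA-2 paragraph the NIST quotation reads "comprised through a loss of confidentiality", where the source wording is "compromised". The last sentence of the RA-3 paragraph is missing a conjunction: "reviewed at a defined frequency updated when" should be "reviewed at a defined frequency and updated when". In RA-5, "using formatting checklists test procedures" needs "and" between the two nouns, and the closing sentence should read "The organization should analyze the results of these scans, remediate legitimate vulnerabilities, ..." rather than "organizations" and "remediated". The RA-2 resource list also shows the 800-60 Vol. 1 and Vol. 2 entries twice each; confirm each appears once in the saved revision.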

Revision as of 21:04, 16 February 2022

RA-1 Risk assessment policy and procedures

This control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk assessment action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

RA-2 Security categorization

This control recommends the organization categorize the information system and its data based on security. More specifically, NIST notes the security categorization should be based upon "the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability." Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.

Additional resources:

RA-3 Risk assessment

This control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized "access, use, disclosure, disruption, modification, or destruction" of the system and its data. The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency and updated when significant changes to the system or cybersecurity threats occur.

Additional resources:

RA-5 Vulnerability scanning

This control recommends the organization conduct vulnerability scanning of its system. "Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms." These scans should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using formatting checklists and test procedures, while also measuring vulnerability impact. The organization should analyze the results of these scans, remediate legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system.

Additional resources: