Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

From LIMSWiki
Jump to navigationJump to search
(Replaced content with "<div class="nonumtoc">__TOC__</div> {{ombox | type = notice | style = width: 960px; | text = This is sublevel24 of my sandbox, where I play with features and...")
Tag: Replaced
 
(177 intermediate revisions by the same user not shown)
Line 1: Line 1:
<div class="nonumtoc">__TOC__</div>
{{ombox
| type      = notice
| style    = width: 960px;
| text      = This is sublevel24 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas|my discussion page]] instead.<p></p>
}}


==1. What is a cybersecurity plan and why do you need it?==
==Sandbox begins below==
 
 
<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=29 November 2019}}</ref>
 
<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=29 November 2019}}</ref>
 
<ref name="LagoHowTo19">{{cite web |url=https://www.cio.com/article/3295578/how-to-implement-a-successful-security-plan.html |title=How to implement a successful cybersecurity plan |author=Lago, C. |work=CIO |publisher=IDG Communications, Inc |date=10 July 2019 |accessdate=29 November 2019}}</ref>
 
<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=29 November 2019}}</ref>
 
<ref name="NortonSimilar18">{{cite web |url=https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/ |title=Similar but Different: Gap Assessment vs Risk Analysis |author=Norton, K. |publisher=HIPAA One |date=21 June 2018 |accessdate=29 November 2019}}</ref>
 
<ref name="EwingFourWays17">{{cite web |url=https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/ |title=4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans |author=Ewing, S. |publisher=Delta Risk |date=12 July 2017 |accessdate=29 November 2019}}</ref>
 
<ref name="KrasnowCyber17">{{cite web |url=https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans |title=Cyber-Security Event Recovery Plans |author=Krasnow, M.J. |publisher=International Risk Management Institute, Inc |date=February 2017 |accessdate=29 November 2019}}</ref>
 
<ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=29 November 2019}}</ref>
 
<ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/ |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=29 November 2019}}</ref>
 
==2. What are the major standard and regulations dictating cybersecurity action?==
 
 
==3. The NIST Cybersecurity Framework and its control families==
 
 
==4. Fitting a framework or specification into a cybersecurity plan==
 
 
==5. Develop and create the cybersecurity plan==
 
===5.1. Develop strategic cybersecurity goals and define success===
====5.1.1 Broadly articulate business goals and how information technology relates====
====5.1.2 Articulate why cybersecurity is vital to achieving those goals====
====5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it====
====5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission====
<ref name="DowningAHIMA17" />
 
===5.2 Define scope and responsibilities===
====5.2.1 Define the scope and applicability through key requirements and boundaries====
====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
<ref name="DowningAHIMA17" />
====5.2.3 Ensure responsibility for security risk management and other key aspects (the “who” of it) is clear====
 
===5.3 Identify cybersecurity requirements and objectives===
====5.3.1 Detail the existing system and classify its critical cyber assets====
<ref name="DowningAHIMA17" />
====5.3.2 Define the contained data and classify its criticality (data maps may help)====
====5.3.3 Identify current and previous cybersecurity policy and tools; determine what has worked and what hasn’t====
<ref name="DowningAHIMA17" />
====5.3.4 Identify the regulations and standards affecting your assets and data (e.g., what are the data retention requirements)====
<ref name="DowningAHIMA17" />
====5.3.5 Identify and analyze system entry points and configurations (if internal resources are unavailable for this, it may require a third-party security assessment)====
<ref name="DowningAHIMA17" />
====5.3.6 Identify and analyze physical entry points====
====5.3.7 Perform a gap analysis (comparing safeguards in place vs. how well they work)====
====5.3.8 Perform a risk assessment and prioritize risk based on threat, vulnerability, likelihood, and impact (e.g., examine personnel, third parties, hardware, etc.)====
<ref name="DowningAHIMA17" />
====5.3.9 Declare and describe objectives based on the outcomes of the above assessments====
====5.3.10 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives====
<ref name="DowningAHIMA17" />
====5.3.11 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)====
 
===5.4 Establish performance indicators and associated time frames===
====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
<ref name="DowningAHIMA17" />
 
===5.5 Identify key stakeholders===
====5.5.1 Determine what external (federal, state, local, and private) entities the business currently interacts with====
====5.5.2 Determine what internal entities or people may act as cybersecurity stakeholders====
====5.5.3 Define how those stakeholders shape the cybersecurity plan and its strategic goals====
 
===5.6 Determine resource needs===
====5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired====
====5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity====
====5.6.3 Review the budget====
 
===5.7 Develop a communications plan===
====5.7.1 Address the need for transparency in improving the cybersecurity culture====
====5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals====
<ref name="DowningAHIMA17" />
====5.7.3 Determine guidelines for handling or discussing sensitive information====
====5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action====
====5.7.5 Address cybersecurity training methodology, requirements, and status tracking====
<ref name="DowningAHIMA17" />
 
===5.8 Develop a recovery and continuity plan===
====5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools====
<ref name="DowningAHIMA17" />
====5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria====
<ref name="DowningAHIMA17" />
 
===5.9 Establish how the overall cybersecurity plan will be implemented===
====5.9.1 Detail the specific steps regarding how all the above will be implemented====
====5.9.2 State the major implementation milestones====
====5.9.3 Determine how best to communicate progress on the plan’s implementation====
 
===5.10 Review progress===
====5.10.1 Monitor and assess the effectiveness of security controls====
====5.10.2 Review how to capture and incorporate corrective action procedures and results====
====5.10.3 Determine how often to review and update the cybersecurity plan====
====5.10.4 Determine external sources for “lessons learned” and how to incorporate them for improving cybersecurity strategy====
 
 
==6. Closing remarks==
 
 
==Appendix 1. A revised NIST Cybersecurity Framework, tied to LIMSpec==
 
===6.1 Access control===
 
===6.2 Awareness and training===
 
===6.3 Audit and accountability===
 
===6.4 Security assessment and authorization===
 
===6.5 Configuration management===
 
===6.6 Contingency planning===
 
===6.7 Identification and authentication===
 
===6.8 Incident response===
 
===6.9 Maintenance===
 
===6.10 Media protection===
 
===6.11 Physical and environmental protection===
 
===6.12 Planning===
 
===6.13 Personnel security===
 
===6.14 Risk assessment===
 
===6.15 System and services acquisition===
 
===6.16 System and communication protection===
 
===6.17 System and information integrity===
 
 
==References==
{{Reflist|colwidth=30em}}

Latest revision as of 20:22, 16 August 2023

Sandbox begins below