|
|
(162 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| <div class="nonumtoc">__TOC__</div> | | <div class="nonumtoc">__TOC__</div> |
| ==1. What is a cybersecurity plan and why do you need it?== | | {{ombox |
| Developing a cybersecurity plan is not a simple process; it requires expertise, resources, and diligence. Even a simple plan may involve several months of development, more depending on the complexity involved. The time it takes to develop the plan may also be impacted by how much executive support is provided, the size of the development team (bigger is not always better), and how available required resources are.<ref name="NARUCCyber18" />
| | | type = notice |
| | | style = width: 960px; |
| | | text = This is sublevel24 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas|my discussion page]] instead.<p></p> |
| | }} |
|
| |
|
| <ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=29 November 2019}}</ref>
| | ==Sandbox begins below== |
| | |
| <ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=29 November 2019}}</ref>
| |
| | |
| <ref name="LagoHowTo19">{{cite web |url=https://www.cio.com/article/3295578/how-to-implement-a-successful-security-plan.html |title=How to implement a successful cybersecurity plan |author=Lago, C. |work=CIO |publisher=IDG Communications, Inc |date=10 July 2019 |accessdate=29 November 2019}}</ref>
| |
| | |
| <ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=29 November 2019}}</ref>
| |
| | |
| <ref name="NortonSimilar18">{{cite web |url=https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/ |title=Similar but Different: Gap Assessment vs Risk Analysis |author=Norton, K. |publisher=HIPAA One |date=21 June 2018 |accessdate=29 November 2019}}</ref>
| |
| | |
| <ref name="EwingFourWays17">{{cite web |url=https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/ |title=4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans |author=Ewing, S. |publisher=Delta Risk |date=12 July 2017 |accessdate=29 November 2019}}</ref>
| |
| | |
| <ref name="KrasnowCyber17">{{cite web |url=https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans |title=Cyber-Security Event Recovery Plans |author=Krasnow, M.J. |publisher=International Risk Management Institute, Inc |date=February 2017 |accessdate=29 November 2019}}</ref>
| |
| | |
| <ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=29 November 2019}}</ref>
| |
| | |
| <ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/ |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=29 November 2019}}</ref>
| |
| | |
| ==2. What are the major standard and regulations dictating cybersecurity action?==
| |
| | |
| | |
| ==3. The NIST Cybersecurity Framework and its control families==
| |
| | |
| | |
| ==4. Fitting a framework or specification into a cybersecurity plan==
| |
| | |
| | |
| ==5. Develop and create the cybersecurity plan==
| |
| What follows is a template to help guide you in developing your own cybersecurity plan. Remember that this is a template and strategy for developing the cybersecurity plan for your organization, not a regulatory guidance document. This template has at its core a modified version of the template structure suggested in the late 2018 ''Cybersecurity Strategy Development Guide'' created for the National Association of Regulatory Utility Commissioners (NARUC).<ref name="NARUCCyber18" /> While their document focuses on cybersecurity for utility cooperatives and commissions, much of what NARUC suggests can still be more broadly applied to all but the tiniest of businesses. Additional resources such as AHIMA's ''AHIMA Guidelines: The Cybersecurity Plan''<ref name="DowningAHIMA17" />; National Rural Electric Cooperative Association (NRECA), Cooperative Research Network's ''Guide to Developing a Cyber Security and Risk Mitigation Plan''<ref name="LebanidzeGuide11" />; and various cybersecurity experts' articles<ref name="LagoHowTo19" /><ref name="NortonSimilar18" /><ref name="EwingFourWays17" /><ref name="KrasnowCyber17" /><ref name="CopelandHowToDev18" /><ref name="TalamantesDoesYour17" /> have been reviewed to further supplement the template. This template covers 10 main cybersecurity planning steps, each with multiple sub-steps. Additional commentary, guidance, and citation is included with those sub-steps.
| |
| | |
| Note that before development begins, you'll want to consider the knowledge resources available and key stakeholders involved. Do you have the expertise available in-house to address all 10 planning steps, or will you need to acquire help from one or more third parties? Who are the key individuals providing critical support to the business and its operations? Having the critical expertise and stakeholders involved with the plan's development process early on can enhance the overall plan and provide for more effective strategic outcomes.<ref name="NARUCCyber18" />
| |
| | |
| Also remind yourself that completing this plan will likely not require a straightforward, by-the-numbers approach. The most feasible outcome will have you jumping around a few steps and filling in blanks or revising statements in previous portions of the plan. While the ordering of these items is deliberate, completing them step by step may not make the best sense for your organization. Don't be afraid to go back and update sections you've worked on previously using new-found knowledge.
| |
| | |
| | |
| ===5.1. Develop strategic cybersecurity goals and define success===
| |
| ====5.1.1 Broadly articulate business goals and how information technology relates====
| |
| Something should drive you to want to implement a cybersecurity plan. Sometimes the impetus may be external, such as a major breach at another company that affects millions of people. But more often than not, well-formulated business goals and the resources, regulations, and motivations tied to them will propel development of the plan. Business goals have, hopefully, already been developed by the time you consider a cybersecurity plan. Now is the time to identify the technology and data that are tied to those goals. A clinical testing laboratory, for example, may have as a business goal "to provide prompt, accurate analysis of specimens submitted to the laboratory." Does the lab utilize information management systems as a means to better meet that goal? How secure are the systems? What are the consequences of having mission-critical data compromised in said systems?
| |
| | |
| ====5.1.2 Articulate why cybersecurity is vital to achieving those goals====
| |
| Looking to your business goals for the technology, data, and other resources used to achieve those goals gives you an opportunity to turn the magnifying glass towards why the technology, data, and resources need to be secure. For example, the clinical testing lab will likely be dealing with protected health information (PHI), and an electric cooperative must reliably provide service practically 100 percent of the time. Both the data and the service must be protected from physical and cyber intrusion, at risk of significant and costly consequence. Be clear about what the potential consequences actually may be, as well as how business goals could be hindered without proper cybersecurity for critical assets. Or, conversely, clearly state what will be positively achieved by addressing cybersecurity for those assets.
| |
| | |
| ====5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it====
| |
| You've stated your business goals, how technology and data plays a role in them, and why it's vital to ensure their security. Now it's time to develop your strategic mission in regards to cybersecurity. You may wish to take a few extra steps before defining the goals of that mission, however. The NARUC has this to say in that regard<ref name="NARUCCyber18" />:
| |
| | |
| <blockquote>Establishing a strategic [mission] is a critical first step that sets the tone for the entire process of drafting the strategy. Before developing [the mission], a commission may want to do an internal inventory of key stakeholders; conduct blue-sky thinking exercises; and do an environmental assessment and literature review to identify near-, mid-, and long-term drivers of change that may affect its goals.</blockquote>
| |
| | |
| Whatever cybersecurity mission goals you inevitably declare, you'll want to be sure they "provide a sense of purpose, identity, and long-term direction" and clearly communicate what's most important in regards to cybersecurity to internal and external customers. Also consider adding concise points that paint the overall mission as one dedicated to limiting vulnerabilities and keeping risks mitigated.<ref name="NARUCCyber18" />
| |
| | |
| ====5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission====
| |
| Ensuring executive management is fully on-board with your stated cybersecurity mission is vital. If key business leaders have not been intimately involved with the process as of yet, it is now time to gain their input and full support. As NARUC notes, "with leadership buy-in, it will be easier to institutionalize the idea that cybersecurity is a priority and can result in more readily available resources."<ref name="NARUCCyber18" /> Consider what AHIMA calls a "State of the Union" approach to presenting the cybersecurity mission goals to leadership, being prepared to answer questions from them about responsible parties, communication policies, and "cyber insurance."<ref name="DowningAHIMA17" /> (Answers to such questions are addressed further into this template. You may wish to have some of what follows informally addressed before taking it to leadership. Or perhaps have an agreement to keep leadership appraised throughout cybersecurity plan development, gaining their feedback and overall acceptance of the plan as development comes to a close.)
| |
| | |
| | |
| ===5.2 Define scope and responsibilities===
| |
| ====5.2.1 Define the scope and applicability through key requirements and boundaries====
| |
| Now that the cybersecurity mission goals are clear and supported by leadership, it's time to tailor strategies based on those stated goals.
| |
| | |
| How broad of scope will the mission goals take you across your business assets? Information technology (IT) and data will surely be at the forefront, but don't forget to also address operational technology (OT) assets as well.<ref name="NARUCCyber18" /> One helpful tool in determining the strategies and requirements needed to meet mission goals is to clearly define the logical and physical boundaries of your information system.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /> When considering those boundaries, remember the following<ref name="LebanidzeGuide11" />:
| |
| | |
| * An information system is more than a piece of software; it's a collection of all the components and other resources within the system's environment. Some of those will be internal and some external.
| |
| * The system is more than just hardware; the interfaces—physical and logical—as well as communication protocols also make up the system.
| |
| * The system has physical, logical, and security control boundaries, as well as data flows tied to those boundaries.
| |
| * The data housed and transmitted in the system is likely composed of varying degrees of sensitivity, further shaping boundaries.
| |
| * The information system's primary functions are directly tied to the goals of the business.
| |
| | |
| Additionally, when considering the scope of the plan, you'll also want to take into account advancements in both technology and cyber threats. "Unprecedented cybersecurity challenges loom just beyond the horizon," states CNA, a nonprofit research and analysis organization located in Arlington, Virginia. But we have to focus on more than just the "now." CNA adds that "today's operational security agenda is too narrow in scope to address the wide range of issues likely to emerge in the coming years."<ref name="CNACyber19">{{cite web |url=https://www.cna.org/centers/ipr/safety-security/cyber-security-project |title=Cybersecurity Futures 2025 |work=Institute for Public Research |publisher=CNA |date=2019 |accessdate=29 November 2019}}</ref> Just as CNA is preparing a global initiative to shape policy on future cybersecurity challenges, so should you apply some focus to what potential technology upgrades may be made and what new cyber threats may appear.
| |
| | |
| Finally, some of the plan's scope may be dictated by prioritized assessment of risks to critical assets—addressed in the next section—and other assessments. It's important to keep this in mind when developing the scope; it may be affected by other parts of the plan. As you develop further sections of the plan, you may need to update previous sections with what you've learned.
| |
| | |
| ====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
| |
| You'll also want to define who will fill what roles, what responsibilities they will have, and who reports to who, as part of the scope of your plan. This will include not only who's responsible for developing the cybersecurity plan (which you'll have hopefully determined early on) but also implementing, enforcing, and updating it. Having a senior manager who's able to oversee these responsibilities, make decisions, and enforce requirements will improve the plan's chance of success. Having clearly defined security-related roles and responsibilities (including security risk management) at one or more organizational levels (depending on how big your organization is) will also improve success rates.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18" /><ref name="TalamantesDoesYour17" />
| |
| | |
| ====5.2.3 Ensure that roles and responsibility for security (the “who” of it) are clear====
| |
| Defining roles, responsibilities, and chain of command isn't enough. Effectively communicating these roles and responsibilities to everyone inside and outside the organization—including third parties such as contractors and cloud providers—is vital. This typically involves encouraging transparency of cybersecurity and responsibility goals of the organization, as well as addressing everyday communications and education of everyone affected by the cybersecurity plan.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18" /> However, through it all, keep in mind for future communications and training that ultimately security is everyone's responsibility, from employees to contractors, not just those enacting and updating the plan.
| |
| | |
| | |
| ===5.3 Identify cybersecurity requirements and objectives===
| |
| ====5.3.1 Detail the existing system and classify its critical cyber assets====
| |
| AHIMA recommends you "create an information asset inventory as a base for risk analysis that defines where all data and information are stored across the entire organization."<ref name="DowningAHIMA17" /> Consider any applications and systems used within the periphery of your operations, including business intelligence software, mobile devices, and legacy systems. Remember that any networked application or system could potentially be compromised and turned into a vector of attack. Additionally, classify and gauge those assets' based on type, risk, and criticality. What are their essential functions? How can they be grouped? How do they communicate: internally, externally, or not at all?<ref name="LebanidzeGuide11" /> As AHIMA notes, you'll be able to use this asset inventory, in combination with a variety of additional assessments described below, as a base for your risk assessment.
| |
| | |
| ====5.3.2 Define the contained data and classify its criticality====
| |
| During the asset inventory, you'll also want to address classifying the type of data contained or transported by the cyber asset, which aids in decision making regarding the controls you'll need to adequately protect the assets.<ref name="LebanidzeGuide11" /> Use a consistent set of nomenclature to define the data. For example, if you look at universities such as the University of Illinois and Carnagie Mellon University, they provide guidance on how to classify institutional data based on characteristics such as criticality, sensitivity, and risk. The University of Illinois has a defined set of standardized terms such as "high-risk," "sensitive," "internal" and "public,"<ref name="UoIData19">{{cite web |url=https://cybersecurity.uillinois.edu/data_classification |title=Data Classification Overview |work=Cybersecurity |publisher=University of Illinois System |date=2019 |accessdate=30 November 2019}}</ref> whereas Carnagie Mellon uses "restricted," "private," and "public."<ref name="CMUGuidelines18">{{cite web |url=https://www.cmu.edu/iso/governance/guidelines/data-classification.html |title=Guidelines for Data Classification |work=Information Security Office Guidelines |publisher=Carnegie Mellon University |date=23 May 2018 |accessdate=30 November 2019}}</ref> You don't necessarily need to use anyone's classification system verbatim; however, do use a consistent set of terminology to define and classify data.<ref name="LebanidzeGuide11" /> Consider also adding additional details about whether the data is in motion, in use, or at rest.<ref name="BowieSEC19">{{cite web |url=https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/ |title=SEC Cybersecurity Guidance: Data Loss Prevention |author=Bowie, K. |publisher=Adelia Associates, LLC |date=09 April 2019}}</ref>
| |
| | |
| If you have difficulties classifying the data, pose a series of data protection questions concerning the data's characteristics. One such baseline for questions could be the European Union's definition of what constitutes personal data. For example<ref name="LebanidzeGuide11" /><ref name="KochWhatIs19">{{cite web |url=https://gdpr.eu/eu-gdpr-personal-data/ |title=What is considered personal data under the EU GDPR? |author=Koch, R. |publisher=Proton Technologies AG |date=01 February 2019 |accessdate=30 November 2019}}</ref>:
| |
| | |
| * Does the data identify an individual directly?
| |
| * Does the data relate specifically to an identifiable person?
| |
| * Could the data—when processed, lost, or misused—have an impact on an individual?
| |
| | |
| ====5.3.3 Identify current and previous cybersecurity policy and tools, as well as their effectiveness====
| |
| Unless your business is in the formative stages, some type of technology infrastructure and policy likely exists. What, if any, cybersecurity policies and tools have you implemented in the past? Review any current access control protocols (e.g., role-based and "least privilege" policies) and security policies. Have they been updated to take into consideration recent changes in threats, risks, criticality, technology, or regulation?<ref name="DowningAHIMA17" /><ref name="LagoHowTo19" /><ref name="CopelandHowToDev18" /> In the same way, identify any past security policies and why they were discontinued. It may be convenient to track all these security protocols and policies in a master sheet, rather than spread out across multiple documents. Also, now might be a good time to identify how security-aware personnel are overall.<ref name="LagoHowTo19" /> Of course, if protocols and policies aren't in place, create them, remembering to include proper communication, scheduled policy reviews, and training into the equation.
| |
| | |
| ====5.3.4 Identify the regulations, standards, and best practices affecting your assets and data====
| |
| Arguably, most business types will be impacted by regulations, standards, or best practices. Even niche professions like cinema editors are guided by best practices set forth by professional organizations.<ref name="ACEBest17">{{cite web |url=https://americancinemaeditors.org/best-practices-guide/ |title=ACE Best Practices Guide for Post Production |publisher=American Cinema Editors |date=2017 |accessdate=01 December 2019}}</ref> In the case of laboratories, multiple regulations and standards apply to operations, including information management and privacy practices. Presumably one or more executives in your business are familiar with the legal and professional aspects of how the business should be run. If not, significant research and outside consultant help may be required. Regardless, when approaching this task, ensure everyone understands the distinctions among "regulation," "standard," and "best practice."
| |
| | |
| Remember that while regulators may dictate how you manage your cybersecurity assets, setting policy that goes above and beyond regulation is occasionally detrimental to your business. Data retention requirements, for example, are important to consider, not only for regulatory purposes but also data management and security reasons. To be sure, numerous U.S. Code of Federal Regulations (e.g., 21 CFR Part 11, 40 CFR Part 141, and 45 CFR Part 164), European Union regulations (e.g., E.U. Annex 11 and E.U. Commission Directive 2003/94/EC), and even global entities (e.g., WHO Technical Report Series, #986, Annex 2) address the need for record retention. However, as AHIMA points out, records shouldn't be kept forever<ref name="DowningAHIMA17" />:
| |
| | |
| <blockquote>Healthcare organizations have been storing and maintaining records and information well beyond record retention requirements. This creates significant additional security risks as systems and records must be maintained, patched, backed up, and provisioned (access) for longer than necessary or required by law ... In the era of big data the idea of keeping “everything forever” must end. It simply is not feasible, practical, or economical to secure legacy and older systems forever.</blockquote>
| |
| | |
| This example illustrates the idea that while regulatory compliance is imperative, going well beyond compliance limits has its own costs, not only financially but also by increasing cybersecurity risk.
| |
| | |
| ====5.3.5 Identify and analyze logical system entry points and configurations====
| |
| This step is actually closely tied to the next two steps on physical security and gap analysis. As such, you may wish to address all three steps together. You've already identified your critical and non-critical assets, and performing a gap analysis on them may be a useful start in finding and analyzing the logical entry points of a system. But what are some of the most common entry points that attackers may use?<ref name="KumarDiscover16">{{cite web |url=https://resources.infosecinstitute.com/discovering-entry-points/ |title=Discovering Entry Points |author=Kumar, A.J. |publisher=InfoSec Institute |date=06 September 2016 |accessdate=01 December 2019}}</ref><ref name="AhmedIndustrial19">{{cite web |url=https://www.controleng.com/articles/industrial-control-system-ics-cybersecurity-advice-best-practices/ |title=Industrial control system (ICS) cybersecurity advice, best practices |author=Ahmed, O.; Rehman, A.; Habib, A. |work=Control Engineering |publisher=CFE Media LLC |date=12 May 2019 |accessdate=01 December 2019}}</ref><ref name="VerizonIncident19">{{cite web |url=https://enterprise.verizon.com/resources/reports/dbir/2019/incident-classification-patterns-subsets/ |title=Incident Classification Patterns and Subsets |work=2019 Data Breach Investigations Report |publisher=Verizon |date=2019 |accessdate=01 December 2019}}</ref>
| |
| | |
| * Inbound network-based attacks through software, network gateways, and online repositories
| |
| * Inbound network-based attacks through misconfigured firewalls and gateways
| |
| * Access to systems using stolen credentials (networked and physical)
| |
| * Access to peripheral systems via communication protocols, insecure credentials, etc. through lateral movement in the network
| |
| | |
| From email and enterprise resource planning (ERP) applications and servers to networking devices and tools, a wide variety of vectors for attack exist in the system, some more common than others. Analyzing these components and configurations takes significant expertise. If internal expertise is unavailable for this, it may require a third-party security assessment to gain a clearer picture of the entry points into your system. Even employees and their lack of cybersecurity knowledge may represent points of entry, via phishing schemes.<ref name="DowningAHIMA17" /><ref name="VerizonIncident19" /> This is where training and internal random testing (addressed later) come into play.<ref name="DowningAHIMA17" />
| |
| | |
| ====5.3.6 Identify and analyze physical system entry points====
| |
| ====5.3.7 Perform a gap analysis (comparing safeguards in place vs. how well they work)====
| |
| ====5.3.8 Perform a risk assessment and prioritize risk based on threat, vulnerability, likelihood, and impact (e.g., examine personnel, third parties, hardware, etc.)====
| |
| <ref name="DowningAHIMA17" />
| |
| ====5.3.9 Declare and describe objectives based on the outcomes of the above assessments====
| |
| ====5.3.10 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives====
| |
| <ref name="DowningAHIMA17" />
| |
| ====5.3.11 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)====
| |
| | |
| | |
| ===5.4 Establish performance indicators and associated time frames===
| |
| ====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
| |
| ====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
| |
| <ref name="DowningAHIMA17" />
| |
| | |
| | |
| ===5.5 Identify key stakeholders===
| |
| ====5.5.1 Determine what external (federal, state, local, and private) entities the business currently interacts with====
| |
| ====5.5.2 Determine what internal entities or people may act as cybersecurity stakeholders====
| |
| ====5.5.3 Define how those stakeholders shape the cybersecurity plan and its strategic goals====
| |
| | |
| | |
| ===5.6 Determine resource needs===
| |
| ====5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired====
| |
| ====5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity====
| |
| ====5.6.3 Review the budget====
| |
| | |
| | |
| ===5.7 Develop a communications plan===
| |
| ====5.7.1 Address the need for transparency in improving the cybersecurity culture====
| |
| ====5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals====
| |
| <ref name="DowningAHIMA17" />
| |
| ====5.7.3 Determine guidelines for handling or discussing sensitive information====
| |
| ====5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action====
| |
| ====5.7.5 Address cybersecurity training methodology, requirements, and status tracking====
| |
| <ref name="DowningAHIMA17" />
| |
| | |
| | |
| ===5.8 Develop a recovery and continuity plan===
| |
| ====5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools====
| |
| <ref name="DowningAHIMA17" />
| |
| ====5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria====
| |
| <ref name="DowningAHIMA17" />
| |
| | |
| | |
| ===5.9 Establish how the overall cybersecurity plan will be implemented===
| |
| ====5.9.1 Detail the specific steps regarding how all the above will be implemented====
| |
| ====5.9.2 State the major implementation milestones====
| |
| ====5.9.3 Determine how best to communicate progress on the plan’s implementation====
| |
| | |
| | |
| ===5.10 Review progress===
| |
| ====5.10.1 Monitor and assess the effectiveness of security controls====
| |
| ====5.10.2 Review how to capture and incorporate corrective action procedures and results====
| |
| ====5.10.3 Determine how often to review and update the cybersecurity plan====
| |
| ====5.10.4 Determine external sources for “lessons learned” and how to incorporate them for improving cybersecurity strategy====
| |
| | |
| ==6. Closing remarks==
| |
| | |
| | |
| ==Appendix 1. A revised NIST Cybersecurity Framework, tied to LIMSpec==
| |
| | |
| ===6.1 Access control===
| |
| | |
| ===6.2 Awareness and training===
| |
| | |
| ===6.3 Audit and accountability===
| |
| | |
| ===6.4 Security assessment and authorization===
| |
| | |
| ===6.5 Configuration management===
| |
| | |
| ===6.6 Contingency planning===
| |
| | |
| ===6.7 Identification and authentication===
| |
| | |
| ===6.8 Incident response===
| |
| | |
| ===6.9 Maintenance===
| |
| | |
| ===6.10 Media protection===
| |
| | |
| ===6.11 Physical and environmental protection===
| |
| | |
| ===6.12 Planning===
| |
| | |
| ===6.13 Personnel security===
| |
| | |
| ===6.14 Risk assessment===
| |
| | |
| ===6.15 System and services acquisition===
| |
| | |
| ===6.16 System and communication protection===
| |
| | |
| ===6.17 System and information integrity===
| |
| | |
| | |
| ==References==
| |
| {{Reflist|colwidth=30em}}
| |