(180 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| | <div class="nonumtoc">__TOC__</div> |
| | {{ombox |
| | | type = notice |
| | | style = width: 960px; |
| | | text = This is sublevel24 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas|my discussion page]] instead.<p></p> |
| | }} |
|
| |
|
| ==1. What is a cybersecurity plan and why do you need it?== | | ==Sandbox begins below== |
| | |
| | |
| ==2. What are the major standard and regulations dictating cybersecurity action?==
| |
| | |
| | |
| ==3. The NIST Cybersecurity Framework and its control families==
| |
| | |
| | |
| ==4. Fitting a framework or specification into a cybersecurity plan==
| |
| | |
| | |
| ==5. Develop and create the cybersecurity plan==
| |
| | |
| ===5.1. Develop strategic cybersecurity goals and define success===
| |
| ====5.1.1 Broadly articulate business goals and how information technology relates====
| |
| ====5.1.2 Articulate why cybersecurity is vital to achieving those goals====
| |
| ====5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it====
| |
| ====5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission====
| |
| | |
| ===5.2 Define scope and responsibilities===
| |
| ====5.2.1 Define the scope and applicability through key requirements and boundaries====
| |
| ====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
| |
| ====5.2.3 Ensure responsibility for security risk management and other key aspects (the “who” of it) is clear====
| |
| | |
| ===5.3 Identify cybersecurity requirements and objectives===
| |
| ====5.3.1 Detail the existing system and classify its critical cyber assets====
| |
| ====5.3.2 Define the contained data and classify its criticality (data maps may help)====
| |
| ====5.3.3 Identify current and previous cybersecurity policy and tools; determine what has worked and what hasn’t====
| |
| ====5.3.4 Identify the regulations and standards affecting your assets and data (e.g., what are the data retention requirements)====
| |
| ====5.3.5 Identify and analyze system entry points and configurations (if internal resources are unavailable for this, it may require a third-party security assessment)====
| |
| ====5.3.6 Identify and analyze physical entry points====
| |
| ====5.3.7 Perform a gap analysis (comparing safeguards in place vs. how well they work)====
| |
| ====5.3.8 Perform a risk assessment and prioritize risk based on threat, vulnerability, likelihood, and impact (e.g., examine personnel, third parties, hardware, etc.)====
| |
| ====5.3.9 Declare and describe objectives based on the outcomes of the above assessments====
| |
| ====5.3.10 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives====
| |
| ====5.3.11 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)====
| |
| | |
| ===5.4 Establish performance indicators and associated timeframes===
| |
| ====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
| |
| ====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
| |
| | |
| ===5.5 Identify key stakeholders===
| |
| ====5.5.1 Determine what external (federal, state, local, and private) entities the business currently interacts with====
| |
| ====5.5.2 Determine what internal entities or people may act as cybersecurity stakeholders====
| |
| ====5.5.3 Define how those stakeholders shape the cybersecurity plan and its strategic goals====
| |
| | |
| ===5.6 Determine resource needs===
| |
| ====5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired====
| |
| ====5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity====
| |
| ====5.6.3 Review the budget====
| |
| | |
| ===5.7 Develop a communications plan===
| |
| ====5.7.1 Address the need for transparency in improving the cybersecurity culture====
| |
| ====5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals====
| |
| ====5.7.3 Determine guidelines for handling or discussing sensitive information====
| |
| ====5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action====
| |
| ====5.7.5 Address cybersecurity training methodology, requirements, and status tracking====
| |
| | |
| ===5.8 Develop a recovery and continuity plan===
| |
| ====5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools====
| |
| ====5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria====
| |
| | |
| ===5.9 Establish how the overall cybersecurity plan will be implemented===
| |
| ====5.9.1 Detail the specific steps regarding how all the above will be implemented====
| |
| ====5.9.2 State the major implementation milestones====
| |
| ====5.9.3 Determine how best to communicate progress on the plan’s implementation====
| |
| | |
| ===5.10 Review progress===
| |
| ====5.10.1 Monitor and assess the effectiveness of security controls====
| |
| ====5.10.2 Review how to capture and incorporate corrective action procedures and results====
| |
| ====5.10.3 Determine how often to review and update the cybersecurity plan====
| |
| ====5.10.4 Determine external sources for “lessons learned” and how to incorporate them for improving cybersecurity strategy====
| |
| | |
| | |
| ==6. Closing remarks==
| |
| | |
| | |
| ==Appendix 1. A revised NIST Cybersecurity Framework, tied to LIMSpec==
| |
| | |
| ===6.1 Access control===
| |
| | |
| ===6.2 Awareness and training===
| |
| | |
| ===6.3 Audit and accountability===
| |
| | |
| ===6.4 Security assessment and authorization===
| |
| | |
| ===6.5 Configuration management===
| |
| | |
| ===6.6 Contingency planning===
| |
| | |
| ===6.7 Identification and authentication===
| |
| | |
| ===6.8 Incident response===
| |
| | |
| ===6.9 Maintenance===
| |
| | |
| ===6.10 Media protection===
| |
| | |
| ===6.11 Physical and environmental protection===
| |
| | |
| ===6.12 Planning===
| |
| | |
| ===6.13 Personnel security===
| |
| | |
| ===6.14 Risk assessment===
| |
| | |
| ===6.15 System and services acquisition===
| |
| | |
| ===6.16 System and communication protection===
| |
| | |
| ===6.17 System and information integrity===
| |
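Review bot: The heading numbering in the removed outline is inconsistent and should be fixed before this content is reused: "===5.1. Develop strategic cybersecurity goals and define success===" carries a trailing period that its siblings "===5.2 Define scope and responsibilities===" and "===5.3 Identify cybersecurity requirements and objectives===" lack, and the subsections under "==Appendix 1. A revised NIST Cybersecurity Framework, tied to LIMSpec==" are numbered 6.1 through 6.17 even though "==6. Closing remarks==" already occupies section 6; renumber them as A1.1 through A1.17 (or otherwise tie them to the appendix label) so the table of contents does not show two different section 6s. Two smaller points in the same hunk: "==2. What are the major standard and regulations dictating cybersecurity action?==" should read "standards and regulations", and the ombox `text` parameter on the added side ends with an empty `<p></p>`, which only renders a blank paragraph inside the notice box and can be dropped.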