Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

<div class="nonumtoc">__TOC__</div>
{{ombox
| type      = notice
| style    = width: 960px;
| text      = This is sublevel24 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas|my discussion page]] instead.<p></p>
}}


==Sandbox begins below==

==1. What is a cybersecurity plan and why do you need it?==
 
 
==2. What are the major standards and regulations dictating cybersecurity action?==
 
 
==3. The NIST Cybersecurity Framework and the NIST SP 800-53 control families==
 
 
==4. Fitting a framework or specification into a cybersecurity plan==
 
 
==5. Develop and create the cybersecurity plan==
 
===5.1 Develop strategic cybersecurity goals and define success===
====5.1.1 Broadly articulate business goals and how information technology relates====
====5.1.2 Articulate why cybersecurity is vital to achieving those goals====
====5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it====
====5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission====
 
===5.2 Define scope and responsibilities===
====5.2.1 Define the scope and applicability through key requirements and boundaries====
====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
====5.2.3 Ensure responsibility for security risk management and other key aspects (the “who” of it) is clear====
 
===5.3 Identify cybersecurity requirements and objectives===
====5.3.1 Detail the existing system and classify its critical cyber assets====
====5.3.2 Define the contained data and classify its criticality (data maps may help)====
====5.3.3 Identify current and previous cybersecurity policy and tools; determine what has worked and what hasn’t====
====5.3.4 Identify the regulations and standards affecting your assets and data (e.g., what are the data retention requirements)====
====5.3.5 Identify and analyze system entry points and configurations (if internal resources are unavailable for this, it may require a third-party security assessment)====
====5.3.6 Identify and analyze physical entry points====
====5.3.7 Perform a gap analysis (comparing the safeguards in place against the safeguards required by the identified standards, regulations, and objectives, and how well the existing ones work)====
====5.3.8 Perform a risk assessment and prioritize risk based on threat, vulnerability, likelihood, and impact (e.g., examine personnel, third parties, and hardware)====
====5.3.9 Declare and describe objectives based on the outcomes of the above assessments====
====5.3.10 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives====
====5.3.11 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)====
 
===5.4 Establish performance indicators and associated timeframes===
====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
 
===5.5 Identify key stakeholders===
====5.5.1 Determine what external (federal, state, local, and private) entities the business currently interacts with====
====5.5.2 Determine what internal entities or people may act as cybersecurity stakeholders====
====5.5.3 Define how those stakeholders shape the cybersecurity plan and its strategic goals====
 
===5.6 Determine resource needs===
====5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired====
====5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity====
====5.6.3 Review the budget====
 
===5.7 Develop a communications plan===
====5.7.1 Address the need for transparency in improving the cybersecurity culture====
====5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals====
====5.7.3 Determine guidelines for handling or discussing sensitive information====
====5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action====
====5.7.5 Address cybersecurity training methodology, requirements, and status tracking====
 
===5.8 Develop a recovery and continuity plan===
====5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools====
====5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria====
 
===5.9 Establish how the overall cybersecurity plan will be implemented===
====5.9.1 Detail the specific steps regarding how all the above will be implemented====
====5.9.2 State the major implementation milestones====
====5.9.3 Determine how best to communicate progress on the plan’s implementation====
 
===5.10 Review progress===
====5.10.1 Monitor and assess the effectiveness of security controls====
====5.10.2 Review how to capture and incorporate corrective action procedures and results====
====5.10.3 Determine how often to review and update the cybersecurity plan====
====5.10.4 Determine external sources for “lessons learned” and how to incorporate them for improving cybersecurity strategy====
 
 
==6. Closing remarks==
 
 
==Appendix 1. A revised NIST Cybersecurity Framework, tied to LIMSpec==
 
===A1.1 Access control===

===A1.2 Awareness and training===

===A1.3 Audit and accountability===

===A1.4 Security assessment and authorization===

===A1.5 Configuration management===

===A1.6 Contingency planning===

===A1.7 Identification and authentication===

===A1.8 Incident response===

===A1.9 Maintenance===

===A1.10 Media protection===

===A1.11 Physical and environmental protection===

===A1.12 Planning===

===A1.13 Personnel security===

===A1.14 Risk assessment===

===A1.15 System and services acquisition===

===A1.16 System and communications protection===

===A1.17 System and information integrity===

Latest revision as of 20:22, 16 August 2023
