Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Jump to navigationJump to search
 
(52 intermediate revisions by the same user not shown)
Line 1: Line 1:
====AU-1 Audit and accountability policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update audit and accountability policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of audit and accountability action but also to address how those policies and procedures will be implemented, reviewed, and updated.


'''Additional resources''':
==The laws themselves==
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 60
* [https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Audit_Accountability.pdf State of North Carolina Audit and Accountability Policy]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====AU-2 Audit events====
===1. Federal Telecommunications Act of 1996, Section 255 ([https://www.law.cornell.edu/uscode/text/47/255 47 U.S.C. § 255 - Access by persons with disabilities])===
This control recommends the organization scrutinize the information system to ensure it's fully capable of auditing the events the organization requires to meet its business, cybersecurity, and regulatory goals. It also recommends the organization find common ground within other areas of the organization to improve selection of auditable events, provide rationale for their selection, and implement within the information system the selected auditable events at the recommended frequency or during a specific situation. NIST SP 800-53, Rev. 4 also notes: "Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems."


'''Additional resources''':
<blockquote>'''(b) Manufacturing'''
* [https://csrc.nist.gov/publications/detail/sp/800-92/final NIST Special Publications 800-92]
A manufacturer of telecommunications equipment or customer premises equipment shall ensure that the equipment is designed, developed, and fabricated to be accessible to and usable by individuals with disabilities, if readily achievable.
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2]


====AU-3 Content of audit reports====
'''(c) Telecommunications services'''
This control recommends the system be capable of generating audit records that, at a minimum, provide who enacted an event, when it was enacted, where it occurred, what occurred, and what the outcome was. Regulations and standards may dictate what must be recorded beyond those aspects.


'''Additional resources''':
A provider of telecommunications service shall ensure that the service is accessible to and usable by individuals with disabilities, if readily achievable.
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2, 9.3, and 9.4]


====AU-4 Audit storage capacity====
'''(d) Compatibility'''
This control recommends the organization allocate sufficient resources to ensure the storage capacity of the system is sufficient to hold all its audit records. What that storage capacity should be will be most heavily dictated by data retention regulations and standards (see AU-11), followed by available organizational resources to commit to long-term storage. Additional safeguards such as sending warning messages to designated personnel or system roles when storage space reaches a critical minimum may be useful.
Whenever the requirements of subsections (b) and (c) are not readily achievable, such a manufacturer or provider shall ensure that the equipment or service is compatible with existing peripheral devices or specialized customer premises equipment commonly used by individuals with disabilities to achieve access, if readily achievable.</blockquote>


'''Additional resources''':
The term '''disability''' is [https://www.law.cornell.edu/uscode/text/42/12102 defined here]. You can read the full entry, but the basics are:
* No LIMSpec comp (organizational policy rather than system specification)


====AU-5 Response to audit processing failures====
<blockquote>'''(1) Disability''' The term “disability” means, with respect to an individual—
This control recommends the system be able to alert specific personnel or system roles when an audit processing failure occurs and take action as specified by the organization. This action includes shutting down the system, overwriting the oldest audit record (because storage capacity is maxed), or discontinuing the generation of audit records. The system should also allow the organization to specify action differently for various types of failures.
:'''(A)''' a physical or mental impairment that substantially limits one or more major life activities of such individual;


'''Additional resources''':
:'''(B)''' a record of such an impairment; or
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.8]


====AU-6 Audit review, analysis, and reporting====
:'''(C)''' being regarded as having such an impairment (as described in paragraph (3)).</blockquote>
This control recommends the organization, as part of policy, review, analyze, and report on the results from generated system audit records at defined frequencies, focusing on inappropriate or unusual activity that may compromise the security of the system. The finding may be reported to designated individuals within the organization, designated departments within the organization, or even regulatory bodies outside the organization.


'''Additional resources''':
The term '''readily achievable''' is [https://www.law.cornell.edu/uscode/text/42/12181 defined here]. It is defines as:
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.7]


====AU-6 (1) Audit review, analysis, and reporting: Process integration====
<blockquote>'''(9) Readily achievable''' The term “readily achievable” means easily accomplishable and able to be carried out without much difficulty or expense. In determining whether an action is readily achievable, factors to be considered include—
This control enhancement recommends the organization implement some sort of automation into their system to better integrate audit review, analysis, and reporting processes with organizational investigation processes (e.g., incident response, continuous monitoring, etc.) in order to better and more quickly respond to cyber threats.


'''Additional resources''':
:'''(A)''' the nature and cost of the action needed under this chapter;
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.7]
:'''(B)''' the overall financial resources of the facility or facilities involved in the action; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such action upon the operation of the facility;
:'''(C)''' the overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and
:'''(D)''' the type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative or fiscal relationship of the facility or facilities in question to the covered entity.</blockquote>


====AU-8 Time stamps====
===2. Rehabilitation Act of 1973, Section 508, amended ([https://www.law.cornell.edu/uscode/text/29/794d 29 U.S.C. 794d] - Electronic and information technology)===
This control recommends the system use a reliable system clock for generating its audit records. The system clock should be able to generate time stamps in Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meet organizational requirements for granularity, all the way down to the millisecond level.


'''Additional resources''':
There's a government website dedicated to Section 508: [https://www.section508.gov/ https://www.section508.gov/] The related laws and polices can be [https://www.section508.gov/manage/laws-and-policies/ found here]. The intro states (italics emphasis mine):
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.3] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity 31.5]


====AU-9 Protection of audit information====
<blockquote>In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. The law (29 U.S.C § 794 (d)) ''applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology''. Under Section 508, agencies must give ''disabled employees and members of the public'' access to information comparable to the access available to others.
This control recommends the system be capable of logically protecting audit information (records, settings, and reports) and tools from unauthorized access, modification, and deletion.


'''Additional resources''':
The [https://www.access-board.gov/ U.S. Access Board] is responsible for developing Information and Communication Technology (ICT) accessibility ''standards'' to ''incorporate into regulations that govern Federal procurement practices.'' On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508, and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018.
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.7]


====AU-11 Audit record retention====
The rule updated and reorganized the Section 508 Standards and Section 255 Guidelines ''in response to market trends and innovations in technology.'' The refresh also harmonized these requirements with other guidelines and standards both in the U.S. and abroad, including standards issued by the European Commission, ''and with the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG 2.0), a globally recognized voluntary consensus standard for web content and ICT.''</blockquote>
This control recommends the organization, in tandem with the its overall record retention policy, retain audit records for a defined period of time.  That time period may be dictated by administrative, operational, or regulatory policy.  


'''Additional resources''':
In discussing ICT, the U.S. Access Board [https://www.access-board.gov/ict/#b-summary-of-key-provisions summarized the key provisions] as such:
* [https://www.archives.gov/records-mgmt/grs.html National Archives Federal Records Management and General Records Schedules]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.4]


====AU-11 (1) Audit record retention:Long-term retrieval capability====
<blockquote>The Revised 508 Standards and 255 Guidelines replace the current product-based regulatory approach with an approach based on ICT functions. The revised technical requirements, which are organized along the lines of ICT functionality, provide requirements to ensure that covered hardware, software, electronic content, and support documentation and services are accessible to people with disabilities. In addition, the revised requirements include functional performance criteria, which are outcome-based provisions that apply in two limited instances: when the technical requirements do not address one or more features of ICT or when evaluation of an alternative design or technology is needed under equivalent facilitation.</blockquote>
This control enhancement recommends the organization ensure the availability and retrievability of audit information stored long-term. This assurance can be made in several ways, including verifying the information system is correctly providing access to the information to authorized individuals; ensuring records in old, difficult-to-read formats get updated; and retaining the necessary documentation and hardware to read and interpret older record systems.


'''Additional resources''':
The full (lengthy) information about the ICT Accessibility 508 Standards and 255 Guidelines is found here: [https://www.access-board.gov/ict/ https://www.access-board.gov/ict/]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.4]


====AU-12 Audit generation====
The specific software requirements that LabLynx will likely need to consider under Section 508 appear to be found in [https://www.access-board.gov/ict/#chapter-5-software Chapter 5: Software] and [https://www.access-board.gov/ict/#chapter-6-support-documentation-and-services Chapter 6: Support Documentation and Services]. (If for some reason LLX is in the hardware domain, they'll want to also consider[https://www.access-board.gov/ict/#chapter-4-hardware Chapter 4: Hardware] If you're curious about the underlying standards, you can find them in [https://www.access-board.gov/ict/#chapter-7-%C2%A0-referenced-standards Chapter 7: Referenced Standards].
This control aligns with AU-2 and AU-3, in as much as it recommends the system be capable of generating audit records for the auditable events defined in AU-2 at various organization-defined points in the information system. This control also recommends the system to allow authorized users to assign which auditable events are to be audited by which points in the system. And of course, the system should be capable of generating the audit records with the content as defined in AU-3.


'''Additional resources''':
Finally, the Section 508 government website has a full Design & Develop section that may be applicable to development process: [https://www.section508.gov/develop/ https://www.section508.gov/develop/]


* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.7]
==Additional information==
 
1. The Section 508 website and its glossary mention LIMS under "[https://www.section508.gov/art/glossary/#S scientific instrument]," though only secondarily. At the end: "If a scientific instrument is integrated with a computer or a monitor, the computer (and associated operating system) and the monitor would be separate EIT deliverables, requiring their own Government Product Accessibility Templates (GPAT). If the computer included application software, this software would be another EIT deliverable requiring its own GPAT."
2. It appears some software can qualify for "a legally-defined Exception (Back Office)," as found in this example with STARLIMS and the VA: [https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502 https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502]
 
3. Some additional posts and guides that may be revealing:
* [https://www.levelaccess.com/how-do-i-determine-if-my-web-site-or-application-is-section-508-compliant/ How do I determine if my website or application is Section 508 compliant?]
* [https://ftp.cdc.gov/pub/Software/RegistryPlus/508%20Compliance/508softwareandos.doc GSA Guide For Making Software Applications and Operating Systems Accessible] (.doc file; NOTE: No date, so not sure if incorporates amended material, so be careful)
* [https://www.dhs.gov/publication/dhs-section-508-compliance-test-processes DHS Section 508 Compliance Test Processes]

Latest revision as of 21:23, 28 February 2022

The laws themselves

1. Federal Telecommunications Act of 1996, Section 255 (47 U.S.C. § 255 - Access by persons with disabilities)

(b) Manufacturing

A manufacturer of telecommunications equipment or customer premises equipment shall ensure that the equipment is designed, developed, and fabricated to be accessible to and usable by individuals with disabilities, if readily achievable.

(c) Telecommunications services

A provider of telecommunications service shall ensure that the service is accessible to and usable by individuals with disabilities, if readily achievable.

(d) Compatibility

Whenever the requirements of subsections (b) and (c) are not readily achievable, such a manufacturer or provider shall ensure that the equipment or service is compatible with existing peripheral devices or specialized customer premises equipment commonly used by individuals with disabilities to achieve access, if readily achievable.

The term disability is defined here. You can read the full entry, but the basics are:

(1) Disability The term “disability” means, with respect to an individual—

(A) a physical or mental impairment that substantially limits one or more major life activities of such individual;
(B) a record of such an impairment; or
(C) being regarded as having such an impairment (as described in paragraph (3)).

The term readily achievable is defined here. It is defines as:

(9) Readily achievable The term “readily achievable” means easily accomplishable and able to be carried out without much difficulty or expense. In determining whether an action is readily achievable, factors to be considered include—

(A) the nature and cost of the action needed under this chapter;
(B) the overall financial resources of the facility or facilities involved in the action; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such action upon the operation of the facility;
(C) the overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and
(D) the type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative or fiscal relationship of the facility or facilities in question to the covered entity.

2. Rehabilitation Act of 1973, Section 508, amended (29 U.S.C. 794d - Electronic and information technology)

There's a government website dedicated to Section 508: https://www.section508.gov/ The related laws and polices can be found here. The intro states (italics emphasis mine):

In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. The law (29 U.S.C § 794 (d)) applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508, agencies must give disabled employees and members of the public access to information comparable to the access available to others.

The U.S. Access Board is responsible for developing Information and Communication Technology (ICT) accessibility standards to incorporate into regulations that govern Federal procurement practices. On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508, and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018.

The rule updated and reorganized the Section 508 Standards and Section 255 Guidelines in response to market trends and innovations in technology. The refresh also harmonized these requirements with other guidelines and standards both in the U.S. and abroad, including standards issued by the European Commission, and with the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG 2.0), a globally recognized voluntary consensus standard for web content and ICT.

In discussing ICT, the U.S. Access Board summarized the key provisions as such:

The Revised 508 Standards and 255 Guidelines replace the current product-based regulatory approach with an approach based on ICT functions. The revised technical requirements, which are organized along the lines of ICT functionality, provide requirements to ensure that covered hardware, software, electronic content, and support documentation and services are accessible to people with disabilities. In addition, the revised requirements include functional performance criteria, which are outcome-based provisions that apply in two limited instances: when the technical requirements do not address one or more features of ICT or when evaluation of an alternative design or technology is needed under equivalent facilitation.

The full (lengthy) information about the ICT Accessibility 508 Standards and 255 Guidelines is found here: https://www.access-board.gov/ict/

The specific software requirements that LabLynx will likely need to consider under Section 508 appear to be found in Chapter 5: Software and Chapter 6: Support Documentation and Services. (If for some reason LLX is in the hardware domain, they'll want to also considerChapter 4: Hardware If you're curious about the underlying standards, you can find them in Chapter 7: Referenced Standards.

Finally, the Section 508 government website has a full Design & Develop section that may be applicable to development process: https://www.section508.gov/develop/

Additional information

1. The Section 508 website and its glossary mention LIMS under "scientific instrument," though only secondarily. At the end: "If a scientific instrument is integrated with a computer or a monitor, the computer (and associated operating system) and the monitor would be separate EIT deliverables, requiring their own Government Product Accessibility Templates (GPAT). If the computer included application software, this software would be another EIT deliverable requiring its own GPAT."

2. It appears some software can qualify for "a legally-defined Exception (Back Office)," as found in this example with STARLIMS and the VA: https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502

3. Some additional posts and guides that may be revealing: