Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Jump to navigationJump to search
Line 1: Line 1:
[[File:Cybersecurity training (37345726182).jpg|right|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.
[[File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg|right|450px]]Originally released in 2005, NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' has since gone through four revisions, with a fifth delayed<ref name="MillerOMB19">{{cite web |url=https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/ |title=OMB’s regulatory review is creating a backlog of cyber standards |author=Miller, J. |work=Federal News Network - Reporter's Notebook |publisher=Hubbard Radio Washington DC, LLC |date=03 September 2019 |accessdate=23 July 2020}}</ref> but in the works.<ref name="NISTSecandPrivRev5Draft20">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft |title=Security and Privacy Controls for Information Systems and Organizations (Final Public Draft) |work=Computer Security Resource Center |author=National Institute of Standards and Technology |date=28 April 2020 |accessdate=23 July 2020}}</ref> The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."<ref name=NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final |title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=22 January 2015 |accessdate=23 July 2020}}</ref>


The National Institute of Standards and Technology (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web |url=https://csrc.nist.gov/glossary/term/security_control |title=security control |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=2019 |accessdate=23 July 2020}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.
The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals.  


Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:
The controls are organized into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family ''Access control'' has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.


<blockquote>Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended.</blockquote>
You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed [https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final NIST Special Publication 800-171, Revision 2]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'', which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.  


This wording essentially indicates that when you make your plan, there should be a high-level connection between what the organization needs to implement in regards to cybersecurity and how to go about doing it using best practices (e.g., using framework controls and guidance). It also means that, if developed, implemented, and maintained correctly, the plan should empower the organization to have an information system that is clearly compliant with the intent and purpose of the organization's goals, operations, and risk determinations. In other words, the organization first needs a clear picture of what it wants to achieve and the risks associated with operating an information system to meet those goals before it can develop its cybersecurity plan; afterwards, cybersecurity standards frameworks and controls can assist with plan development.
This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.
 
<blockquote>Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.</blockquote>
 
The rest of NIST's wording indicates that a plan isn't necessarily a single, comprehensive document that attacks everything. Rather, it will make reference to other important policies and procedures that will further drive the overall success of your cybersecurity plan. You may even choose to have a separate document dedicated to the security controls you select for your organization. (Note that in the actual plan development section of this guide, recommendations for creating the additional "policies, procedures, and additional documents" you'll need will be given. Despite those recommendations, NIST's guidance still holds true: your actual plan document should make reference to them and provide sufficient description of what those external plans intend to accomplish within the scope of the cybersecurity plan. In the end, though, this decision to have one lengthy document or branched documents linked to the overall plan is a matter of organizational choice.)
 
The takeaway from this analysis of NIST's language is that the while any standards framework you use can guide the development of a cybersecurity plan, it can't be done in a vacuum that doesn't take into account organizational goals, system and data aspects, and risk assessments. Additionally, while driven by the framework, the cybersecurity plan also doesn't need to contain every detail recommended by the framework; sometimes it's easier to have policy external to but referenced within the plan.
 
Some additional considerations and tips concerning the blending of a cybersecurity standards framework with your organization's cybersecurity plan include<ref name="NiliUnderstand14">{{cite web |url=https://corpgov.law.harvard.edu/2014/08/25/understanding-and-implementing-the-nist-cybersecurity-framework/ |title=Understanding and Implementing the NIST Cybersecurity Framework |author=Nili, T. |work=Harvard Law School Forum on Corporate Governance and Financial Regulation |publisher=Harvard |date=25 August 2014 |accessdate=23 July 2020}}</ref><ref name="NISTAnIntro19">{{cite web |url=https://www.nist.gov/cyberframework/online-learning/components-framework |title=An Introduction to the Components of the Framework |publisher=National Institute of Standards and Technology |date=08 October 2019 |accessdate=23 July 2020}}</ref><ref name="MorganHowToUse18">{{cite web |url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework |title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett |author=Morgan, J. |work=Security |publisher=BNP Media |date=04 April 2018 |accessdate=23 July 2020}}</ref><ref name="CorneliusUnder18">{{cite web |url=https://www.linkedin.com/pulse/understanding-cybersecurity-privacy-best-practices-tom-cornelius/ |title=Understanding Cybersecurity & Privacy Best Practices |author=Cornelius, T. |work=LinkedIn Pulse |date=31 July 2018 |accessdate=23 July 2020}}</ref>:
 
* After selecting one or more frameworks, ensure at a minimum that key stakeholders and related personnel are given a chance to become more familiar with the frameworks before continuing with extensive plan development.
* Map cybersecurity requirements, organizational objectives, and planned process and procedure to security controls, and then compare the results to your current operating state to understand what gaps exist, if any.
* Don't be afraid to customize controls and other framework elements in order for your organization to get the maximum benefit out of them. Do keep relevant regulations affecting your organization in mind, however, when customizing.
* Think of the framework as the defining sauce or crust base of a pizza: it allows you to bake security and privacy principles into your overall cybersecurity strategy, with an end result of being more naturally prepared to address regulatory and contractual obligations.
* Don't forget to look for additional implementation resources created by the developer of the framework, e.g., from [https://www.isa.org/technical-topics/cybersecurity/cybersecurity-resources/ ISA], [https://www.sans.org/critical-security-controls/ SANS], and [https://www.cisecurity.org/controls/cis-controls-list/ CIS].
* If expertise isn't available in-house, you may want to turn to a cybersecurity services provider to assist with integrating a framework into your plan.


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}

Revision as of 23:16, 11 February 2022

National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg

Originally released in 2005, NIST's Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations has since gone through four revisions, with a fifth delayed[1] but in the works.[2] The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."[3]

The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals.

The controls are organized into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family Access control has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.

You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed NIST Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.

This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.

References

  1. Miller, J. (3 September 2019). "OMB’s regulatory review is creating a backlog of cyber standards". Federal News Network - Reporter's Notebook. Hubbard Radio Washington DC, LLC. https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/. Retrieved 23 July 2020. 
  2. National Institute of Standards and Technology (28 April 2020). "Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)". Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft. Retrieved 23 July 2020. 
  3. "NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 22 January 2015. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final. Retrieved 23 July 2020.