Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Line 1: Line 1:
====MA-1 System maintenance policy and procedures====
====MP-1 Media protection policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance activities but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection activities but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 50
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 65
* [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====MA-2 Controlled maintenance====
====MP-2 Media access====
This control recommends the organization apply a "controlled maintenance" approach to its system. Maintenance should not only be regularly scheduled, performed, and thoroughly documented, but should also be in line with manufacturer, vendor, or organizational requirements. Maintenance should go through an approval and monitoring process whether conducted on- or off-site, and equipment sent off-site for maintenance will require proper sanitization of its media beforehand. After maintenance, the components and the system should be checked to ensure that all implemented controls still function as expected.
This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data contained on the media.
 
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.7, 10.10, and 10.15]
 
====MA-2 (2) Controlled maintenance: Automated maintenance activities====
This control enhancement recommends the organization employ (or ensure the system employs) some type of automation in scheduling, conducting, and/or documenting maintenance and repairs. That automated process should also ensure that all related documentation is complete and accurate with regard to requested, scheduled, in-process, and completed maintenance and repair actions.


'''Additional resources''':
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.7, 10.10, and 10.15]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.9] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.7]


====MA-4 Non-local maintenance====
====MP-6 Media sanitization====
This control recommends the organization place strong controls on non-local maintenance and diagnostics of the system or its components. "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through either an external network (e.g., the Internet) or an internal network." Those controls include approving, monitoring, and thoroughly documenting non-local maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.
This control recommends the organization sanitize specified system media using authorized techniques prior to disposal, release out of organizational control, or release for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publications 800-88, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.15],  [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.25], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
* [https://www.nsa.gov/resources/everyone/media-destruction/ NSA/CSS Media Destruction Guidance]
* No LIMSpec comp (organizational policy rather than system specification)


====MA-5 Maintenance personnel====
====MP-7 Media use====
This control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. It also asks for a policy ensuring that those authorized personnel or organizations hold the appropriate security authorizations, and that organizational personnel with the required authorizations are designated to supervise any maintenance performed on-site.
This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives" on the system or its subsystems.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
 
====MA-6 Timely maintenance====
This control recommends the organization designate a maximum time frame within which maintenance support or replacement components must be obtained after a failure of specified system components. This will likely involve first identifying the system components that are critical to maintaining system operations and organizational goals.  


'''Additional resources''':
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)
====MA-6 (1) Timely maintenance: Preventative maintenance====
This control enhancement recommends the organization take a preventative maintenance approach to its system and components, scheduling at a defined frequency specific preventative maintenance actions on specified system components.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.10]
====MA-6 (2) Timely maintenance: Predictive maintenance====
This control enhancement recommends the organization take a predictive maintenance approach to its system and components. This essentially means using "principles of statistical process control to determine at what point in the future maintenance activities will be appropriate," particularly "when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold."
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.5]

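MP-6 asks that media be sanitized with authorized techniques matched to the classification of the data, and NIST SP 800-88 Rev. 1, cited under that control, also expects the result to be verified, either in full or on a representative sample. The Python below is an added example, not code from the LIMSWiki page or from NIST: it checks a media image after a "Clear" overwrite, requiring every block (or a pseudo-random sample of blocks) to equal the overwrite pattern and flagging any known file header that survived. The 64 KiB image, the 4 KiB block size, and the signature table are constructed for illustration.

```python
"""Post-sanitization verification of a media image after a "Clear" overwrite.
Added example in the spirit of the NIST SP 800-88 Rev. 1 verify step; the
image, block size and signature table are constructed for illustration."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4096  # assumed verification unit; real checks use the device's sector size

# Partial, illustrative table of file-header magic bytes. A hit after an
# overwrite means user data survived the sanitization.
KNOWN_SIGNATURES: Dict[bytes, str] = {
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX)",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"SQLite format 3\x00": "SQLite database",
}


@dataclass
class VerificationResult:
    blocks_checked: int
    failed_offsets: List[int] = field(default_factory=list)          # blocks not matching the pattern
    signatures: List[Tuple[int, str]] = field(default_factory=list)  # (offset, description)

    @property
    def passed(self) -> bool:
        return not self.failed_offsets and not self.signatures


def expected_block(pattern: bytes, size: int = BLOCK_SIZE) -> bytes:
    """Expand an overwrite pattern (e.g. b'\\x00' or b'\\xff') to one full block."""
    if not pattern:
        raise ValueError("overwrite pattern must be non-empty")
    return (pattern * (size // len(pattern) + 1))[:size]


def find_residual_signatures(data: bytes, base_offset: int = 0) -> List[Tuple[int, str]]:
    """Scan bytes for known file headers; return (absolute offset, description) pairs."""
    hits = []
    for magic, description in KNOWN_SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((base_offset + pos, description))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def verify_clear(image: bytes, pattern: bytes = b"\x00",
                 sample_fraction: Optional[float] = None, seed: int = 0,
                 block_size: int = BLOCK_SIZE) -> VerificationResult:
    """Confirm that an overwrite succeeded.

    sample_fraction=None checks every block (full verification); a fraction in
    (0, 1] checks a pseudo-random sample of that share of blocks, so the
    sample is not predictable to whoever ran the wipe. Each checked block must
    equal the overwrite pattern and must not contain a known file header.
    """
    n_blocks = (len(image) + block_size - 1) // block_size
    if n_blocks == 0:
        return VerificationResult(blocks_checked=0)
    if sample_fraction is None:
        indices = list(range(n_blocks))
    else:
        if not 0 < sample_fraction <= 1:
            raise ValueError("sample_fraction must be in (0, 1]")
        k = max(1, round(n_blocks * sample_fraction))
        indices = sorted(random.Random(seed).sample(range(n_blocks), k))
    template = expected_block(pattern, block_size)
    result = VerificationResult(blocks_checked=len(indices))
    for i in indices:
        offset = i * block_size
        block = image[offset:offset + block_size]
        if block != template[:len(block)]:
            result.failed_offsets.append(offset)
            result.signatures.extend(find_residual_signatures(block, offset))
    return result


def build_images() -> Tuple[bytes, bytes]:
    """Constructed test media: a correctly cleared 64 KiB image, and one where
    two blocks escaped the overwrite (a surviving PDF header, and a block of
    stale data as left by a remapped sector or an interrupted wipe)."""
    clean = bytes(64 * 1024)  # 16 blocks of 0x00
    dirty = bytearray(clean)
    dirty[5 * BLOCK_SIZE:5 * BLOCK_SIZE + 16] = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n\n"
    dirty[9 * BLOCK_SIZE:10 * BLOCK_SIZE] = bytes(range(256)) * (BLOCK_SIZE // 256)
    return clean, bytes(dirty)


def main() -> None:
    clean, dirty = build_images()
    for name, image in (("clean", clean), ("dirty", dirty)):
        r = verify_clear(image)
        print(f"{name}: {'PASS' if r.passed else 'FAIL'}, {r.blocks_checked} blocks checked, "
              f"{len(r.failed_offsets)} non-conforming, signatures={r.signatures}")


if __name__ == "__main__":
    main()
```

Against a real device the image would be streamed from the block device in `block_size` chunks rather than loaded into memory, and the sampling seed should be chosen by the verifier, not by the operator who ran the wipe. An overwrite check of this kind only validates a "Clear" on media that exposes all of its storage; on flash media, remapped and over-provisioned areas are not reachable by an overwrite, which is why SP 800-88 points to the drive's own sanitize (purge) commands for those devices, with their own verification.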
Revision as of 20:54, 16 February 2022