Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
'''Older revision'''

====SA-1 System and services acquisition policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system and services acquisition policies and procedures. It asks organizations not only to address the purpose, scope, roles, responsibilities, and enforcement of system and services acquisition actions but also to address how those policies and procedures will be implemented, reviewed, and updated.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publication 800-12, Rev. 1], page 69
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]

====SA-2 Allocation of resources====
This control recommends the organization determine, document, and allocate the resources required to protect the information system and its services as part of business process planning, capital planning, and cybersecurity planning. Those associated plans should have a discrete line item pertaining to information security.

'''Additional resources''':
* [https://web.archive.org/web/20170203203450/http://www.integritymc.com/blog/2015/06/why-cpic-matters-more-than-ever-to-cybersecurity/ Integrity Matters: Why CPIC Matters More than Ever to Cybersecurity]
* No LIMSpec comp (organizational policy rather than system specification)

====SA-3 System development lifecycle====
This control recommends the organization use a system development life cycle in the management of its information system. As part of this approach, the organization should define and document security roles and responsibilities for the phases of the life cycle, identify the key individuals involved, and ensure the organization's security risk management process is integrated into development life cycle activities. As such, the development life cycle benefits from consistency "with organizational risk management and information security strategies."

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publication 800-37, Rev. 1]
* No LIMSpec comp (organizational policy rather than system specification)

====SA-4 Acquisition process====
This control recommends the organization, as part of the acquisition process, include security functional, strength, and assurance requirements; requirements for security documentation and its protection; a description of the developmental and operational system environments; and acceptance criteria in the acquisition contracts for the information system, its components, and its services.

'''Additional resources''':
* [https://www.niap-ccevs.org/index.cfm? National Information Assurance Partnership]
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publication 800-70, Rev. 4]
* No LIMSpec comp (organizational policy rather than system specification)

====SA-4 (1) Acquisition process: Functional properties of security controls====
This control enhancement recommends the organization require of an information system, system component, or software developer a description of the functional properties of the security controls (i.e., the functionality visible at the interfaces of the security controls) the system, component, or software will employ.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.4]

====SA-4 (2) Acquisition process: Design and implementation information for security controls====
This control enhancement recommends the organization require of an information system, system component, or software developer information on the design and implementation of the security controls inherent to the system, component, or software. This could include security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.2 and 33.4]

====SA-4 (3) Acquisition process: Development methods, techniques, and practices====
This control enhancement recommends the organization require of an information system, system component, or software developer proof of using a development life cycle that includes current and relevant system and security engineering methods, software development methods, testing and validation techniques, and quality control procedures.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.1]

====SA-5 Information system documentation====
This control recommends the organization require of an information system, system component, or software developer administrator documentation that describes configuration, installation, and operation; effective use and maintenance of security mechanisms; known vulnerabilities of privileged functions; best user practices to ensure system security; and administrator and user responsibilities for maintaining security. The organization should document any attempts (and failures) to acquire such administrator documentation, protect that documentation internally, and distribute it to the appropriate personnel or roles.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.4]

====SA-9 External information system services====
This control recommends the organization hold providers of external information system services accountable to organizational security requirements, as well as defined security controls. The organization should document government oversight and the user roles and responsibilities associated with the services, and it should monitor the external information system services provider for compliance with organizational security requirements and security controls.

'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)

====SA-16 Developer-provided training====
This control recommends the organization require of an information system, system component, or software developer specific training on the correct operation of the security functions, controls, and mechanisms of the system, system component, or software.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.6]

'''Newer revision'''

====SC-1 System and communications protection policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations not only to address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection actions but also to address how those policies and procedures will be implemented, reviewed, and updated.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publication 800-12, Rev. 1], pages 69–70
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publication 800-100], pages 113–123
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]

====SC-5 Denial of service protection====
This control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. The organization will typically identify which types of DoS attacks are most likely to pose a risk and state its plans for safeguarding against them.

'''Additional resources''':
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)

====SC-7 Boundary protection====
This control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally, subnetworks for publicly accessible system components should be implemented that are logically or physically separated from internal networks. The system should connect to external networks and information systems solely through managed interfaces (boundary detection devices).

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final NIST Special Publication 800-41, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-77/final NIST Special Publication 800-77]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)

====SC-12 Cryptographic key establishment and management====
This control recommends the organization establish and manage cryptographic keys for the cryptographic modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final NIST Special Publication 800-56A, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final NIST Special Publication 800-56B, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final NIST Special Publication 800-56C, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-4/final NIST Special Publication 800-57, Part 1, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final NIST Special Publication 800-57, Part 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-3/rev-1/final NIST Special Publication 800-57, Part 3, Rev. 1]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)

====SC-13 Cryptographic protection====
This control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.2]

====SC-15 Collaborative computing devices====
This control recommends the system prohibit remote activation of collaborative computing devices such as attached cameras, microphones, and networked whiteboards, unless explicitly allowed by the organization. Additionally, the system should give users physically present at the device an explicit indication that the device is in use.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.6]

====SC-20 Secure name-address resolution service and use of an authoritative source====
This control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additionally, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-81/2/final NIST Special Publication 800-81-2]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)

====SC-21 Secure name-address resolution service and use of a recursive or caching resolver====
This control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. (Note that this control is networking-related and difficult to put into simplified terms.)

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-81/2/final NIST Special Publication 800-81-2]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)

====SC-22 Architecture and provision for name-address resolution service====
This control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-81/2/final NIST Special Publication 800-81-2]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)

====SC-28 Protection of information at rest====
This control recommends the system protect the confidentiality and/or integrity of designated information at rest contained in the system. ("Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.")

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final NIST Special Publication 800-56A, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final NIST Special Publication 800-56B, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final NIST Special Publication 800-56C, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-4/final NIST Special Publication 800-57, Part 1, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final NIST Special Publication 800-57, Part 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-3/rev-1/final NIST Special Publication 800-57, Part 3, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-111/final NIST Special Publication 800-111]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12]

====SC-28 (1) Protection of information at rest: Cryptographic protection====
This control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.2]

====SC-39 Process isolation====
This control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) "so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process."

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.16]
Revision as of 21:07, 16 February 2022
