Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

===Previous revision===

====SC-1 System and communications protection policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 69–70
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====SC-5 Denial of service protection====
This control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. The organization will typically identify what types of DoS attacks are most likely to be a risk and state its plans for safeguarding against them.

'''Additional resources''':
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)


====SC-7 Boundary protection====
This control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally, subnetworks for publicly accessible system components that are logically or physically separated from internal networks should be implemented. The system should depend solely on managed interfaces (boundary protection devices) for connecting to external networks and information systems.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final NIST Special Publications 800-41, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-77/final NIST Special Publications 800-77]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)


====SC-12 Cryptographic key establishment and management====
This control recommends the organization establish and manage cryptographic keys for the cryptographic modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final NIST Special Publications 800-56A, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final NIST Special Publications 800-56B, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final NIST Special Publications 800-56C, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-4/final NIST Special Publications 800-57, Part 1, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final NIST Special Publications 800-57, Part 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-3/rev-1/final NIST Special Publications 800-57, Part 3, Rev. 1]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)


====SC-13 Cryptographic protection====
This control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.2]


====SC-15 Collaborative computing devices====
This control recommends the system prohibit remote activation of collaborative computing devices such as attached cameras, microphones, and networked whiteboards, unless explicitly allowed by the organization. Additionally, the system should provide an explicit notification that the device is in use to users physically present at the device.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.6]


====SC-20 Secure name-address resolution service and use of an authoritative source====
This control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additionally, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-81/2/final NIST Special Publications 800-81-2]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)


====SC-21 Secure name-address resolution service and use of a recursive or caching resolver====
This control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. (Note that this control is networking-related and difficult to put into simplified terms.)

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-81/2/final NIST Special Publications 800-81-2]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)


====SC-22 Architecture and provision for name-address resolution service====
This control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-81/2/final NIST Special Publications 800-81-2]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)


====SC-28 Protection of information at rest====
This control recommends the system protect the confidentiality and/or integrity of designated information at rest contained in the system. ("Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.")

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final NIST Special Publications 800-56A, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final NIST Special Publications 800-56B, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final NIST Special Publications 800-56C, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-4/final NIST Special Publications 800-57, Part 1, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final NIST Special Publications 800-57, Part 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-57-part-3/rev-1/final NIST Special Publications 800-57, Part 3, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-111/final NIST Special Publications 800-111]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12]


====SC-28 (1) Protection of information at rest: Cryptographic protection====
This control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.2]


====SC-39 Process isolation====
This control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) "so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process."

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.16]


===Revision as of 21:09, 16 February 2022===

====SI-1 System and information integrity policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system and information integrity policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 70
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====SI-2 Flaw remediation====
This control recommends the organization identify, report, and correct flaws in the information system. When attempting to correct a flaw with a software or firmware update, the organization should first test the effectiveness and potential side effects of the update before installing it on the operational system. The organization should commit to remediating flaws within an organization-defined time period after the release of the update, and incorporate flaw remediation into the organization's existing configuration management processes and procedures.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final NIST Special Publications 800-40, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.7] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.15]


====SI-2 (5) Flaw remediation: Automatic software and firmware updates====
This control enhancement recommends the organization selectively employ automatic mechanisms for the installation of specified security-relevant software and firmware updates to specified system components (or across the entire system).

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.10]


====SI-3 Malicious code protection====
This control recommends the organization employ, configure, and regularly update malicious code protection mechanisms at information system entry and exit points. The configuration of these mechanisms should allow for periodic scans of the system at a defined frequency, as well as real-time scans of external files, and should also block malicious code, quarantine it, and/or send alerts to an administrator or specific organizational role. The mechanisms should also allow the organization to manage false positives and their potential impact on the system.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final NIST Special Publications 800-83, Rev. 1]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)


====SI-4 Information system monitoring====
This control recommends the organization employ various forms of monitoring on the system in order to detect attacks and indications of potential attacks; unauthorized local, network, and remote connections; and unauthorized processes. The forms of monitoring used should be deployed strategically within the system and at ''ad hoc'' locations, and those forms of monitoring should be vetted with legal opinion in regard to their adherence to laws and regulations. The organization should protect information gained from monitoring the system and heighten the level of monitoring when indications exist of increased risk to the system. Finally, the organization should disseminate monitoring information to designated personnel or roles as needed or at a defined frequency.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final NIST Special Publications 800-61, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final NIST Special Publications 800-83, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-92/final NIST Special Publications 800-92]
* [https://csrc.nist.gov/publications/detail/sp/800-94/final NIST Special Publications 800-94]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.7] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity 31.8]


====SI-4 (5) Information system monitoring: System-generated alerts====
This control enhancement recommends the system send alerts to designated personnel or roles when any of a list of organization-defined indications of compromise or potential compromise occur.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.8]


====SI-4 (7) Information system monitoring: Automated response to suspicious alerts====
This control enhancement recommends the system send alerts to designated personnel or roles when a suspicious event is detected and then take the least-disruptive action from a list of organization-defined actions in order to terminate the suspicious event.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.8]


====SI-5 Security alerts, advisories, and directives====
This control recommends the organization choose a source for information system security alerts, advisories, and directives and receive regular updates from the source. Additionally, the organization should generate its own internal security alerts, advisories, and directives when necessary. In all cases, this received and generated information should be disseminated to defined personnel, roles, groups, external organizations, etc. Of course, the organization should also act upon the information received, implementing a fix within an established time frame and notifying a designated individual or role of any degree of noncompliance.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final NIST Special Publications 800-40, Rev. 3]
* No LIMSpec comp (organizational policy rather than system specification)


====SI-12 Information handling and retention====
This control recommends the organization manage and retain information stored and transmitted within the system according to law, regulation, standards, and operational requirements.

'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.2, 31.3, and 31.4]


====SI-16 Memory protection====
This control recommends the organization choose and employ hardware- or software-enforced security safeguards in the system that protect its memory from unauthorized code execution. Safeguards might include methods such as data execution prevention and address space layout randomization.

'''Additional resources''':
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
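The SI-4 (5) and SI-4 (7) enhancements above describe a system that matches audit activity against an organization-defined list of indicators, alerts the designated roles, and then takes the least-disruptive approved action. The following script is an added example (not code from LIMSWiki, LIMSpec, or NIST) showing those two steps over a handful of constructed audit records. The indicator list, the role names, the threshold and window values, the business-hours range, and the response ladder are all assumptions standing in for what a laboratory would define in its own policy.

```python
"""SI-4 (5)/(7) illustration: organization-defined indicators evaluated over
audit records, with alert routing and a least-disruptive automated response.
Added example; indicators, roles, thresholds and actions are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in a simple key=value format (not real logs).
SAMPLE_LOG = """\
2022-02-16T02:11:04Z host=lims-app1 event=login_failed user=jsmith src=10.0.5.23
2022-02-16T02:11:09Z host=lims-app1 event=login_failed user=jsmith src=10.0.5.23
2022-02-16T02:11:15Z host=lims-app1 event=login_failed user=jsmith src=10.0.5.23
2022-02-16T02:11:20Z host=lims-app1 event=login_failed user=jsmith src=10.0.5.23
2022-02-16T02:11:27Z host=lims-app1 event=login_failed user=jsmith src=10.0.5.23
2022-02-16T02:12:40Z host=lims-app1 event=login_ok user=jsmith src=10.0.5.23
2022-02-16T09:30:02Z host=lims-db1 event=user_created user=svc_backup by=dba privileged=yes
2022-02-16T09:31:10Z host=lims-db1 event=login_ok user=dba src=10.0.9.8
"""

# Candidate responses ordered from least to most disruptive (assumed policy).
RESPONSE_LADDER = ["notify_soc", "throttle_source", "lock_account", "isolate_host"]

# Organization-defined indicators (assumed): who is alerted, and which actions
# the organization has approved as sufficient to terminate the event.
INDICATORS = {
    "IOC-01": {"name": "5+ failed logins for one user/source within 2 minutes",
               "route": ["soc", "lims-admin"],
               "terminating_actions": {"lock_account", "throttle_source"}},
    "IOC-02": {"name": "privileged account created",
               "route": ["ciso", "dba-lead"],
               "terminating_actions": {"notify_soc"}},
    "IOC-03": {"name": "successful login outside 06:00-20:00 UTC",
               "route": ["soc"],
               "terminating_actions": {"notify_soc", "isolate_host"}},
}

BRUTE_FORCE_THRESHOLD = 5            # assumed
BRUTE_FORCE_WINDOW = timedelta(minutes=2)
BUSINESS_HOURS = range(6, 20)        # assumed, hours in UTC


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in parts[1:])
    except ValueError:
        return None
    fields["ts"] = ts
    return fields


def least_disruptive_action(ioc_id):
    """SI-4 (7): lowest rung of the ladder that policy accepts as terminating."""
    allowed = INDICATORS[ioc_id]["terminating_actions"]
    return next(a for a in RESPONSE_LADDER if a in allowed)


def make_alert(ioc_id, rec):
    """SI-4 (5): an alert addressed to the roles defined for this indicator."""
    return {
        "indicator": ioc_id,
        "description": INDICATORS[ioc_id]["name"],
        "when": rec["ts"].isoformat(),
        "host": rec.get("host"),
        "user": rec.get("user"),
        "src": rec.get("src"),
        "route_to": INDICATORS[ioc_id]["route"],
        "action": least_disruptive_action(ioc_id),
    }


def detect_alerts(log_text):
    """Evaluate every record against the indicator list; return alerts in order."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event = rec.get("event")
        if event == "login_failed":
            key = (rec.get("user"), rec.get("src"))
            recent = [t for t in failures[key] if rec["ts"] - t <= BRUTE_FORCE_WINDOW]
            recent.append(rec["ts"])
            failures[key] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:   # fire once, at the crossing
                alerts.append(make_alert("IOC-01", rec))
        elif event == "user_created" and rec.get("privileged") == "yes":
            alerts.append(make_alert("IOC-02", rec))
        elif event == "login_ok" and rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(make_alert("IOC-03", rec))
    return alerts


if __name__ == "__main__":
    for a in detect_alerts(SAMPLE_LOG):
        print(f"{a['when']} {a['indicator']} -> {a['route_to']} "
              f"action={a['action']}: {a['description']}")
```

On the constructed records this raises three alerts: the brute-force indicator (answered with the throttle, the least disruptive of the two actions approved for it), the out-of-hours login, and the privileged account creation (both answered with notification only). Keeping the per-indicator "terminating actions" explicit is what lets the automated step stay within SI-4 (7)'s least-disruptive requirement; the thresholds are also where an organization tunes the false positives that SI-3 and SI-4 expect it to manage.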
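SI-16 names data execution prevention and address space layout randomization as example safeguards. Whether those safeguards actually apply to a given program on Linux depends partly on how the program was built: the executable must carry a non-executable stack marking for DEP/NX and must be position-independent for ASLR to randomize its own mappings. The following added example (not code from LIMSWiki, LIMSpec, or NIST) reads those opt-ins from an ELF64 header so an administrator can check vendor-supplied binaries; the sample images it builds are constructed test data, not real programs, and the `build_sample_elf` helper exists only so the check can run offline.

```python
"""Check whether an ELF64 binary opts in to the SI-16 memory protections:
a non-executable stack (DEP/NX), position independence (needed for ASLR to
cover the executable itself) and a RELRO region. Added example; the sample
images are constructed, not real binaries."""
import struct

PT_GNU_STACK = 0x6474E551   # program header that declares stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1
ET_EXEC = 2                 # fixed-address executable (no PIE)
ET_DYN = 3                  # position-independent executable or shared object

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum,
     _shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    headers = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        headers.append((p_type, p_flags))
    return e_type, headers


def check_memory_protections(data):
    """Map each protection to whether the binary opts in to it."""
    e_type, headers = parse_program_headers(data)
    stack_flags = [f for t, f in headers if t == PT_GNU_STACK]
    # No PT_GNU_STACK header at all: the loader falls back to an executable
    # stack on most Linux systems, so count that as unprotected.
    nx_stack = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {
        "nx_stack": nx_stack,
        "pie": e_type == ET_DYN,
        "relro": any(t == PT_GNU_RELRO for t, _ in headers),
    }


def hardening_gaps(result):
    """Names of the protections the binary does not opt in to."""
    return [name for name, present in result.items() if not present]


def build_sample_elf(pie, nx_stack, relro=False):
    """Constructed minimal ELF64 image carrying only the headers this check reads."""
    stack_perms = 0x6 | (0 if nx_stack else PF_X)          # RW, optionally +X
    phdrs = [struct.pack(PHDR_FMT, PT_GNU_STACK, stack_perms, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)     # ELF64, LE, v1, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # real binary supplied on the command line
        with open(sys.argv[1], "rb") as fh:
            result = check_memory_protections(fh.read())
    else:                                      # fall back to the constructed weak image
        result = check_memory_protections(build_sample_elf(pie=False, nx_stack=False))
    print(result, "gaps:", hardening_gaps(result))
```

Run it with a path to an ELF executable to get the per-binary result; without arguments it reports the constructed image that lacks every protection. This covers only the half of SI-16 the binary controls. ASLR also has to be enabled by the kernel (the `kernel.randomize_va_space` sysctl on Linux), and Windows PE files declare DEP and ASLR compatibility in different header fields that this script does not parse.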
