Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"
Shawndouglas (talk | contribs) |
Shawndouglas (talk | contribs) |
||
Line 8: | Line 8: | ||
==References== | ==References== | ||
{{Reflist | {{Reflist}} |
Revision as of 16:13, 16 February 2022
According to cybersecurity solutions company Tenable, 84 percent of U.S. organization turn to to at least one cybersecurity framework in their organization, and 44 percent work with more than one.[1] This is done in part to comply with a mix of regulations affecting organizations today, as well as provide a baseline of security policies and protocols, even for the smallest of organizations. In that regard, it makes sense to heavily involve cybersecurity frameworks and controls in the development of your cybersecurity plan.
For the purposes of this guide, the NIST control descriptions found in NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations are used. While this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Additionally, a simplified version of controls was derived from 800-53 in the form of NIST Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. One of the benefits of this set of NIST controls is that it maps to both NIST SP 800-53 and the ISO/IEC 27001:2013 controls. And many of the cybersecurity groups and frameworks listed above have at their base—or are mapped to—those same two groups of controls.
You'll probably want to refer to Appendix 1 of this guide. There you'll find the "Low" baseline controls of NIST SP 800-53, as well as select "Moderate" and "High" baseline controls. For basic organizations working with non-federal data, these controls should prefer a perfectly useful baseline. The control descriptions have been simplified somewhat for quick reading, and any references or additional recommend reading is also added. Finally, you'll also see mapping to what's known as "LIMSpec," an evolving set of software requirements specifications for laboratory informatics systems. If you're not in the laboratory industry, you may not find that mapping entirely useful; however, LIMSpec still includes many specifications that could apply to a broad array of software systems.
Regardless of which frameworks and control groups you choose, you'll want to choose at least one and browse through the controls. Select the controls that map readily to the assessments, objectives, and policies you've already developed. You should even notice that some of the controls match to elements of the cybersecurity plan development steps found in this guide. The NIST control "IR-1 Incident response policy and procedures," for example, ties into step 5.8 of this guide, discussed later.
References
- ↑ Watson, M. (17 January 2019). "Top 4 cybersecurity frameworks". IT Governance USA Blog. GRC International Group plc. https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks. Retrieved 23 July 2020.