Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

<blockquote>Cybersecurity is much more than a matter of IT.<br />&nbsp;<br />- Stéphane Nappo, CISO of Société Générale</blockquote>
What follows is essentially a simplification of the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final NIST Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations''. As mentioned earlier, while this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework are too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final NIST Special Publication 800-171, Revision 2]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 and ISO/IEC 27001.
As such, you're able to not only see how it connects to the more advanced document but also to the International Organization for Standardization's international standard "for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."<ref name="ISO27001_19">{{cite web |url=https://www.iso.org/standard/54534.html |title=ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements |publisher=International Organization for Standardization |date=03 June 2019 |accessdate=23 July 2020}}</ref> For an even broader, more simplified NIST approach to 800-53, you may rather want to turn to the [https://www.nist.gov/cyberframework/framework NIST Cybersecurity Framework], which is suitable for those without a technical background.


After working through this guide, the quote of Stéphane Nappo should ring true; there's more to cybersecurity than focusing on information technology and technological expertise. Yes, those remain important elements of the recipe for cybersecurity success, but more ingredients are involved. First, the organization needs to not only want to improve cybersecurity, but it also needs enthusiastic support of that goal from leadership. Without support and encouragement from the higher levels in the form of active participation and financial buy-in, it's difficult to change the organizational culture. Second, the cybersecurity strategy isn't going to simply coalesce; it requires strong project management and a clearly defined plan. Without them, implementation of any cybersecurity measures will be, at best, haphazard and minimally effective. Third, effective communication, training, response, and monitoring plans are required to get full buy-in from personnel and associated third parties, as well as to ensure cyber attacks are held to a minimum and, when they do happen, they are addressed rapidly and efficiently. Without those elements, any implemented cybersecurity plan will lack potency over the long term, leaving the organization more prone to cyber attacks and financial consequence.
The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Then, a simplified description—with occasional outside references—is added, based on the original text. Finally, additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.


This guide has hopefully provided you with all the considerations required to develop an effective, living cybersecurity plan for your organization. As part of that development effort, this guide has also addressed the benefits and uses of cybersecurity standards frameworks. The decision of which frameworks to choose isn't to be taken lightly; however, when chosen and implemented well, they have the potential to assist the organization with developing its overall cybersecurity strategy. The frameworks' security control, program development, and risk management elements can help identify gaps between the current system state and the desired system state, as well as gaps in internal expertise, hardware, and policy. Most frameworks are also built on or mapped to other existing standards and frameworks, which have been developed by a broad consensus of interested individuals with expertise in cybersecurity and the fields requiring it. Regulatory bodies have also shaped those standards and frameworks, meaning that an organization that effectively uses cybersecurity standards frameworks in its plan development will be prepared at go-live for conformance to regulations.
Finally, if you are implementing or have implemented information management software in your laboratory, you may also find links to [[Book:LIMSpec 2019 R1|LIMSpec]] in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of laboratory informatics systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)."


Finally, this guide has also included an appendix of NIST SP 800-53 controls with slightly more simplified language, as well as additional resources to give the controls a clearer context. Additionally, they are linked to the LIMSpec, an evolving set of specifications for laboratory informatics solutions and their development. For those outside the laboratory industry, that inclusion will likely not mean much; however, you've hopefully still gained insight from the contents of this guide. For those working in laboratories, particularly those with laboratory informatics solutions or seeking to purchase them, the mappings to LIMSpec provide additional value in ensuring those informatics solutions are providing the cybersecurity functionality critical to your laboratory's success.
In some cases the comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying that policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in turn ''aids the organization'' in conforming to the NIST controls specifying that policies be created and managed.


Regardless of what industry you work in, how many people make up your organization, or what technology you're using, remind yourself that ignoring cyber threats has consequences. Even if your primary cyber asset is only your business website, that asset can still be compromised. It takes awareness, planning, and dedication to fighting the growing body of cyber threats, but given tools such as this guide, you'll succeed in your organizational goals towards being more security-aware and cyber-prepared.
'''NOTE''': Under "Additional resources," occasionally a guide, brochure, or blog post from a particular company will appear. That guide or brochure is added solely because it provides contextual information about the specific NIST control. The inclusion as a resource of such a guide, brochure, or blog post ''should not'' be considered an endorsement for the company that published it.


==References==
{{Reflist|colwidth=30em}}

==Citation information for this chapter==
'''Chapter''': 6. Closing remarks

'''Title''': ''Comprehensive Guide to Developing and Implementing a Cybersecurity Plan''

'''Edition''': First

'''Author for citation''': Shawn E. Douglas

'''License for content''': [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International]

'''Publication date''': July 2020

<!--Place all category tags here-->

Revision as of 20:32, 16 February 2022
