Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
====AU-1 Audit and accountability policy and procedures====
====CA-1 Security assessment and authorization policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update audit and accountability policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of audit and accountability action but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update security assessment and authorization policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security assessment and authorization action but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 60
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 60–61
* [https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Audit_Accountability.pdf State of North Carolina Audit and Accountability Policy]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 96–112
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====AU-2 Audit events====
====CA-2 Security assessments====
This control recommends the organization scrutinize the information system to ensure it is capable of auditing the events the organization requires to meet its business, cybersecurity, and regulatory goals. It also recommends the organization coordinate with other areas of the organization to improve the selection of auditable events, provide a rationale for that selection, and audit the selected events within the information system at the recommended frequency or in the specified situations. NIST SP 800-53, Rev. 4 also notes: "Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems."
This control recommends the organization develop, document, disseminate, review, and update a security assessment plan. This plan is focused on helping the organization ensure the assessment procedures, environment, team, roles, and responsibilities are defined and the security controls are correctly implemented, operating as intended, and meeting the established security requirements. The assessments should happen at a defined frequency. Additionally, the organization is encouraged to report on the results of the implemented plan and corresponding assessments, disseminating the results to authorized personnel or roles.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-92/final NIST Special Publications 800-92]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)


====AU-3 Content of audit records====
====CA-2 (1) Security assessments: Independent assessors====
This control recommends the system be capable of generating audit records that, at a minimum, provide who enacted an event, when it was enacted, where it occurred, what occurred, and what the outcome was. Regulations and standards may dictate what must be recorded beyond those aspects.  
This control enhancement recommends the organization employ an independent assessment team with a predetermined level of required independence to conduct security control assessments. Ensuring the team is free from perceived or actual conflicts of interest is important, and NIST adds that "[o]rganizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments."


'''Additional resources''':
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2, 9.3, and 9.4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115], pages 6-5 and 6-6
* No LIMSpec comp (organizational policy rather than system specification)


====AU-4 Audit storage capacity====
====CA-3 System interconnections====
This control recommends the organization allocate storage capacity sufficient to hold all of the system's audit records for their required retention period. The capacity needed will be dictated most heavily by data retention regulations and standards (see AU-11), followed by the organizational resources available for long-term storage. Additional safeguards, such as sending warning messages to designated personnel or system roles when free audit storage falls below a critical minimum, may be useful.
This control recommends the organization explicitly authorize, document, review, and update interconnection security agreements (ISAs) or system security plans as they relate to the interconnection of the organization's information systems with other systems. Separately, in NIST SP 800-47, at D-1, NIST defines an ISA as an established agreement between the owner-operators of connected IT systems that documents the technical requirements associated with any interconnection between the organizations' systems. However, NIST notes, "[i]f interconnecting systems have the same authorizing official, organizations do not need to develop interconnection security agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans."


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-47/final NIST Special Publications 800-47]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 46–58
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)
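The AU-4 capacity warning and the AU-5 failure responses described above (halt the system, overwrite the oldest records, or stop generating records) can be expressed as a small policy object. The following is an added illustration, not code from LIMSWiki or from any LIMS product; the store, its record format, the event names, and the thresholds are all assumed for the example. The capacity is a count of records standing in for a disk or table quota, and the `alert` callable stands in for whatever reaches the designated personnel or role (e-mail, SIEM, pager).

```python
from collections import deque
from enum import Enum


class FailureAction(Enum):
    """Organization-defined responses to an audit processing failure (AU-5)."""
    HALT = "halt"                          # fail closed: stop the system
    OVERWRITE_OLDEST = "overwrite_oldest"  # keep running, lose the oldest evidence
    STOP_AUDITING = "stop_auditing"        # fail open: keep running, stop recording


class AuditFailure(RuntimeError):
    """Raised when the policy for a failure type is HALT."""


class AuditStore:
    """Bounded audit store with an AU-4 capacity warning and an AU-5 failure policy."""

    def __init__(self, capacity, warn_at=0.8, policy=None, alert=print):
        self.capacity = capacity
        self.warn_at = warn_at
        # Different failure types may get different actions; the default is fail closed.
        self.policy = {"capacity_exhausted": FailureAction.HALT,
                       "write_error": FailureAction.HALT}
        self.policy.update(policy or {})
        self.alert = alert
        self.records = deque()
        self.warned = False
        self.auditing = True
        self.dropped = 0

    def utilisation(self):
        return len(self.records) / self.capacity

    def write(self, record):
        """Store one record; returns True if it was kept, False if it was dropped."""
        if not self.auditing:
            self.dropped += 1
            return False
        if len(self.records) >= self.capacity:
            return self._handle_failure("capacity_exhausted", record)
        self.records.append(record)
        # AU-4 safeguard: warn the designated role once when the threshold is crossed.
        if not self.warned and self.utilisation() >= self.warn_at:
            self.warned = True
            self.alert(f"audit storage at {self.utilisation():.0%} of capacity")
        return True

    def _handle_failure(self, kind, record):
        action = self.policy[kind]
        self.alert(f"audit processing failure: {kind}; action={action.value}")
        if action is FailureAction.HALT:
            raise AuditFailure(kind)
        if action is FailureAction.OVERWRITE_OLDEST:
            self.records.popleft()
            self.records.append(record)
            return True
        self.auditing = False  # STOP_AUDITING
        self.dropped += 1
        return False


def run_demo(action, capacity=4, events=6):
    """Write `events` constructed records into a store of `capacity` under `action`."""
    alerts = []
    store = AuditStore(capacity, warn_at=0.75,
                       policy={"capacity_exhausted": action}, alert=alerts.append)
    halted = False
    for seq in range(events):
        try:
            store.write({"seq": seq, "what": "sample.result.update"})  # constructed record
        except AuditFailure:
            halted = True
            break
    return {"alerts": alerts, "kept": [r["seq"] for r in store.records],
            "dropped": store.dropped, "halted": halted}


if __name__ == "__main__":
    for action in FailureAction:
        print(action.value, run_demo(action))
```

Running the three policies side by side makes the trade-off visible: HALT keeps every record but stops the system, OVERWRITE_OLDEST keeps the system running but discards the earliest evidence (exactly what an attacker flooding the log hopes for), and STOP_AUDITING keeps the system running with no record of what happened next. A regulated laboratory usually has to justify anything other than fail closed for audit-trail failures.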


====AU-5 Response to audit processing failures====
====CA-5 Plan of action and milestones====
This control recommends the system be able to alert designated personnel or system roles when an audit processing failure occurs and take an organization-defined action in response. Such actions include shutting down the system, overwriting the oldest audit records (when storage capacity is exhausted), or ceasing to generate audit records. The system should also allow the organization to specify different actions for different types of failure.  
This control recommends the organization develop and update a security authorization-related plan of action and milestones documenting planned remedial actions and vulnerability resolutions. These key security authorization documents should be reviewed and updated at a defined frequency, based on the results of security control assessments, security impact analyses, and continuous monitoring results.


'''Additional resources''':
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.8]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* No LIMSpec comp (organizational policy rather than system specification)


====AU-6 Audit review, analysis, and reporting====
====CA-6 Security authorization====
This control recommends the organization, as part of policy, review, analyze, and report on the results from generated system audit records at defined frequencies, focusing on inappropriate or unusual activity that may compromise the security of the system. Findings may be reported to designated individuals within the organization, designated departments within the organization, or even regulatory bodies outside the organization.
This control recommends the organization assign a manager or member of senior leadership as an "authorizing official" who approves the system for operation based on the results of security assessments and accepts responsibility for the risks of operating it. The authorization should also be updated at a defined frequency. It's important to note that this control is described by NIST as being an "inherently federal responsibility and therefore, authorizing officials must be federal employees." If applying this control to non-federal systems, it still makes sense to designate a key individual in the organization as responsible for deciding, after the security assessment, whether the system may go live, and for accepting the risks of putting it into operation. The same principle can be applied to major security upgrades and reconfiguration of existing systems.


'''Additional resources''':
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.7]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
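The AU-6 review and analysis step is where the records generated under AU-2 and AU-3 are actually read for "inappropriate or unusual activity." As an added example (not code from LIMSWiki or any LIMS vendor), the block below runs three review rules over a handful of constructed audit records: a burst of failed logins by one account, a privileged action outside working hours, and a result changed after the sample was already reported. The record format, the event names such as `auth.login` and `sample.reported`, the working-hours window, and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (not taken from any real system). Field names
# follow the AU-3 minimum: who, when (UTC), where, what, outcome.
SAMPLE_RECORDS = [
    {"who": "jdoe", "when": "2022-02-16T03:12:01.000Z", "where": "lims-web-01", "what": "auth.login", "outcome": "failure"},
    {"who": "jdoe", "when": "2022-02-16T03:12:09.000Z", "where": "lims-web-01", "what": "auth.login", "outcome": "failure"},
    {"who": "jdoe", "when": "2022-02-16T03:12:20.000Z", "where": "lims-web-01", "what": "auth.login", "outcome": "failure"},
    {"who": "jdoe", "when": "2022-02-16T03:13:05.000Z", "where": "lims-web-01", "what": "auth.login", "outcome": "success"},
    {"who": "jdoe", "when": "2022-02-16T03:15:40.000Z", "where": "lims-app-01", "what": "audit.config.change", "outcome": "success"},
    {"who": "asmith", "when": "2022-02-16T10:00:00.000Z", "where": "lims-app-01", "what": "auth.login", "outcome": "success"},
    {"who": "asmith", "when": "2022-02-16T14:02:11.000Z", "where": "lims-app-01", "what": "sample.reported", "outcome": "success", "sample_id": "S-0001"},
    {"who": "asmith", "when": "2022-02-16T14:30:00.000Z", "where": "lims-app-01", "what": "sample.result.update", "outcome": "success", "sample_id": "S-0001"},
]

# Assumed names for events that should only happen during administered change windows.
PRIVILEGED_EVENTS = {"audit.config.change", "user.role.change", "user.create"}


def parse_when(ts):
    """Parse the UTC millisecond time stamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Flag an account with `threshold` or more failed logins inside `window`."""
    findings, recent, alerted = [], defaultdict(deque), set()
    for rec in sorted(records, key=lambda r: r["when"]):
        if rec["what"] != "auth.login" or rec["outcome"] != "failure":
            continue
        t = parse_when(rec["when"])
        q = recent[rec["who"]]
        q.append(t)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and rec["who"] not in alerted:
            alerted.add(rec["who"])
            findings.append({"rule": "failed-login-burst", "who": rec["who"],
                             "count": len(q), "first": q[0].isoformat(), "last": t.isoformat()})
    return findings


def after_hours_privileged(records, start_hour=22, end_hour=6):
    """Flag privileged events between start_hour and end_hour UTC (assumed working hours)."""
    findings = []
    for rec in records:
        if rec["what"] not in PRIVILEGED_EVENTS:
            continue
        hour = parse_when(rec["when"]).hour
        if hour >= start_hour or hour < end_hour:
            findings.append({"rule": "after-hours-privileged", **rec})
    return findings


def post_report_modifications(records):
    """Flag a result change on a sample that had already been reported (data-integrity rule)."""
    reported_at, findings = {}, []
    for rec in sorted(records, key=lambda r: r["when"]):
        sid = rec.get("sample_id")
        if not sid:
            continue
        if rec["what"] == "sample.reported" and rec["outcome"] == "success":
            reported_at[sid] = rec["when"]
        elif rec["what"] == "sample.result.update" and sid in reported_at:
            findings.append({"rule": "post-report-result-change", "who": rec["who"], "sample_id": sid,
                             "reported_at": reported_at[sid], "changed_at": rec["when"]})
    return findings


def analyze(records):
    """Run every review rule and return the combined findings for reporting."""
    return failed_login_bursts(records) + after_hours_privileged(records) + post_report_modifications(records)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

Each rule returns structured findings rather than printing, so the same output can feed the reporting path AU-6 asks for (a ticket to the designated department, a SIEM, or a regulatory notification) and the AU-6 (1) integration with incident response. The third rule is the laboratory-specific one: a successful result edit after reporting is not a security failure in itself, but it is exactly the class of event a regulator will ask about.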


====AU-6 (1) Audit review, analysis, and reporting: Process integration====
====CA-7 Continuous monitoring====
This control enhancement recommends the organization implement some sort of automation into their system to better integrate audit review, analysis, and reporting processes with organizational investigation processes (e.g., incident response, continuous monitoring, etc.) in order to better and more quickly respond to cyber threats.  
This control recommends the organization develop a continuous monitoring program and implementation strategy. The program should define the metrics required for organizational performance indicators, as well as how often those metrics are applied and assessed for functionality and sufficiency. How the information is analyzed and correlated, how the organization responds to those activities, and how they are reported (to whom and when) must also be addressed. Metrics should follow the SMART principle: specific, measurable, actionable, relevant, and time-bound.


'''Additional resources''':
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.7]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)


====AU-8 Time stamps====
====CA-9 Internal system connections====
This control recommends the system use its internal system clock to generate the time stamps for its audit records. The time stamps should be expressed in, or mappable to, Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), and should meet the organization's granularity requirement, which may be as fine as the millisecond.
This control recommends the organization essentially create a systems map, documenting how the various parts of the system should interconnect—as well as the characteristics of the connection and the nature of the information transported through it—and explicitly authorizing the interconnection to occur. This includes connections through mobile devices, printers, computers, sensors, and servers. It may be useful to classify components of the system that have common characteristics or configurations to make authorizations (as classes) easier.


'''Additional resources''':
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.3] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity 31.5]
* No LIMSpec comp (organizational policy rather than system specification)
 
====AU-9 Protection of audit information====
This control recommends the system be capable of logically protecting audit information (records, settings, and reports) and tools from unauthorized access, modification, and deletion.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.7]
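The three system-side controls above, AU-3 (minimum content), AU-8 (UTC time stamps at the required granularity) and AU-9 (protection from modification and deletion), fit together in one record-generation routine. The block below is an added example, not code from LIMSWiki or from any LIMS product: it enforces the who/when/where/what/outcome fields, validates that the time stamp is UTC with millisecond granularity, and chains each record to its predecessor with an HMAC so that a modified, reordered, or deleted entry fails verification. The key constant, the event names, the host name `lims-app-01`, and the `sample_id` field are assumptions for the illustration.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key for the example only. Under AU-9 the real key must live where the
# application writing the records cannot read it (a separate log host, KMS, or HSM).
AUDIT_KEY = b"example-key-do-not-use-in-production"
GENESIS = "0" * 64
REQUIRED_FIELDS = ("who", "when", "where", "what", "outcome")
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def utc_timestamp_ms():
    """AU-8: current time in UTC with millisecond granularity, e.g. 2022-02-16T20:41:07.123Z."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def valid_timestamp(ts):
    try:
        datetime.strptime(ts, TIMESTAMP_FORMAT)
        return ts.endswith("Z")
    except ValueError:
        return False


def make_record(who, where, what, outcome, when=None, **extra):
    """AU-3: every record carries at least who, when, where, what and outcome."""
    rec = {"who": who, "when": when or utc_timestamp_ms(), "where": where,
           "what": what, "outcome": outcome}
    rec.update(extra)   # regulation-specific extras, e.g. sample_id, old/new value
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    if not valid_timestamp(rec["when"]):
        raise ValueError(f"time stamp is not UTC with millisecond granularity: {rec['when']}")
    return rec


def canonical(rec):
    """Stable byte encoding so the same record always produces the same MAC."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, rec, key=AUDIT_KEY):
    """AU-9: MAC each record together with the previous MAC, forming a hash chain."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, prev.encode() + canonical(rec), hashlib.sha256).hexdigest()
    chain.append({"record": rec, "prev": prev, "mac": mac})
    return chain


def verify_chain(chain, key=AUDIT_KEY):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev.encode() + canonical(entry["record"]),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, None


def demo():
    """Build a constructed three-record chain, then show two tampering cases being caught."""
    chain = []
    for who, what, outcome, when in [
        ("analyst1", "sample.result.update", "success", "2022-02-16T20:41:07.123Z"),
        ("qa_lead", "sample.review.approve", "success", "2022-02-16T20:45:00.004Z"),
        ("analyst1", "sample.result.update", "failure", "2022-02-16T20:47:31.880Z"),
    ]:
        append_record(chain, make_record(who, "lims-app-01", what, outcome,
                                         when=when, sample_id="S-0001"))
    modified = copy.deepcopy(chain)
    modified[1]["record"]["outcome"] = "failure"   # someone rewrites the approval outcome
    deleted = chain[:1] + chain[2:]                # someone removes the approval entirely
    return {"intact": verify_chain(chain),
            "modified": verify_chain(modified),
            "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(demo())
```

The chain catches modification, reordering, and deletion of any interior entry, but not truncation of the tail, so the latest MAC still has to be anchored somewhere the application cannot write (write-once storage, a separate log collector, or a periodically signed checkpoint). Likewise, an attacker who holds the application's privileges can recompute MACs if the key is reachable from the application, which is why AU-9 is as much about where the key and the records live as about the arithmetic.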
 
====AU-11 Audit record retention====
This control recommends the organization, in tandem with its overall record retention policy, retain audit records for a defined period of time. That time period may be dictated by administrative, operational, or regulatory policy.
 
'''Additional resources''':
* [https://www.archives.gov/records-mgmt/grs.html National Archives Federal Records Management and General Records Schedules]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.4]
 
====AU-11 (1) Audit record retention: Long-term retrieval capability====
This control enhancement recommends the organization ensure the availability and retrievability of audit information stored long-term. This assurance can be made in several ways, including verifying the information system is correctly providing access to the information to authorized individuals; ensuring records in old, difficult-to-read formats get updated; and retaining the necessary documentation and hardware to read and interpret older record systems.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.4]
 
====AU-12 Audit generation====
This control aligns with AU-2 and AU-3, inasmuch as it recommends the system be capable of generating audit records for the auditable events defined in AU-2 at various organization-defined points in the information system. This control also recommends the system allow authorized users to assign which auditable events are to be audited at which points in the system. And of course, the system should be capable of generating the audit records with the content defined in AU-3.
 
'''Additional resources''':
 
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.7]

Revision as of 20:41, 16 February 2022
