Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Jump to navigationJump to search
Line 1: Line 1:
====CA-1 Security assessment and authorization policy and procedures====
====CM-1 Configuration management policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update security assessment and authorization policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security assessment and authorization action but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update configuration management policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of configuration management action but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 60–61
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 61
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 131–37
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 96–112
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====CA-2 Security assessments====
====CM-2 Baseline configuration====
This control recommends the organization develop, document, disseminate, review, and update a security assessment plan. This plan is focused on helping the organization ensure the assessment procedures, environment, team, roles, and responsibilities are defined and the security controls are correctly implemented, operating as intended, and meeting the established security requirements. The assessments should happen at defined frequency. Additionally, the organization is encouraged to report on the results of the implemented plan and corresponding assessments, disseminating the results to authorized personnel or roles.
This control recommends the organization develop, document, and maintain a baseline configuration of the information system and its components, including their network topology and logical placement within the system. The end result should fully reflect the existing enterprise architecture.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-2 (1) Security assessments: Independent assessors====
====CM-3 Configuration change control====
This control enhancement recommends the organization employ some type of independent assessment team with a predetermined level of required independence to conduct security control assessments. that Ensuring the team is free from perceived or actual conflict of interest is important, and NIST adds that "[o]rganizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments."
This control recommends the organization develop a series of configuration change control steps to ensure that system upgrades and modifications cause little to no impact in the overall cybersecurity strength of the system. NIST specifically recommends the organization determine which system changes are linked to configuration control, review and approve proposed changes, document and retain those decisions, implement the approved changes, and audit and review the changes.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115], pages 6-5 and 6-6
* [https://www.us-cert.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf Carnegie Mellon University Configuration and Change Management]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-3 System interconnections====
====CM-3 (2) Configuration change control: Test, validate, and document changes====
This control recommends the organization should explicitly authorize, document, review, and update interconnection security agreements (ISA) or system-based security plans, as they relate to the interconnection of information systems in the organization. Separately, in NIST SP 800-47, at D-1, NIST defines an ISA an an established agreement between owner-operators of connected IT systems to document and agree to the technical requirements associated with any interconnections between the organizations' systems. However, NIST notes, "[i]f interconnecting systems have the same authorizing official, organizations do not need to develop interconnection security agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans."
This control enhancement recommends the organization test, validate, and document changes to the system before actual implementation on the live system. Operational hardware systems may have to be taken offline or replicated as closely as feasible to test; software systems can often be tested in a separate test environment. In all cases, the organization seeks to minimize impact on active system operations.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-47/final NIST Special Publications 800-47]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.15]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 46–58
 
====CM-4 Security impact analysis====
This control recommends the organization perform security impact analysis on the system to determine the extent of potentially undesirable consequences upon implementing proposed changes. This typically requires one or more individuals explicitly familiar with the system, the organization's security plans, and the system's architecture documents. Some revelations may also come from enacting security control CM-3 (2).
 
'''Additional resources''':
* [https://www.us-cert.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf Carnegie Mellon University Configuration and Change Management]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-5 Plan of action and milestones====
====CM-5 Access restrictions for change====
This control recommends the organization develop and update a security authorization-related plan of action and milestones for the documentation of planned remedial actions and vulnerability resolutions. These key security authorization documents should be reviewed and updated at a defined frequency, based off the results of security control assessments, security impact analyses, and continuous monitoring results.
This control recommends the organization define, document, approve, and enforce all the physical and logical access restrictions associated with making changes to the system configuration. Doing so creates a base policy that helps ensure "only qualified and authorized individuals [can] access information systems for purposes of initiating changes, including upgrades and modifications."


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.22]
 
====CM-5 (1) Access restrictions for change: Automated access enforcement and auditing====
This control enhancement recommends the system allow for the configuration and automated enforcement of access restrictions, as well as the auditing of associated enforcement actions.
 
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.22, and 32.31]
 
====CM-6 Configuration settings====
This control recommends the organization develop and implement a complete set of configuration settings for the hardware, software, and firmware that make up the information system. Those settings should ultimately reflect restrictions consistent with operational requirements and organizational policy. Additionally, the organization should perform change control on the settings, such that suggested deviations are not detrimental to the system and overall cybersecurity goals.
 
'''Additional resources''':
* [https://nvd.nist.gov/ncp/repository NIST National Vulnerability Database's National Checklist Program Repository]
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publications 800-70, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-6 Security authorization====
====CM-7 Least functionality====
This control recommends the organization assign a manager or member of senior leadership as an "authorizing official" that essentially approves the system to be put into operation based on the results of security assessments and accepts responsibility for the risks associated with operation. The authorization should also be updated at a defined frequency. It's important to note that this control is described by NIST as being an "inherently federal responsibility and therefore, authorizing officials must be federal employees." If applying this control to non-federal systems, there is still plenty of sense in designating a key individual in the organization as responsible for making the call post-security assessment of allowing the system to go live, as well as accepting the risks of putting the system into operation. The same principle can be applied to major security upgrades and reconfiguration of existing systems.
This control recommends the organization configure the system to apply the principle of "least functionality." As Georgetown University describes it, "[t]he principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system."<ref name="UISO_UIS203">{{cite web |url=https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/ |title=UIS.203.7 Least Functionality Guidelines |work=UIS.203 Configuration Management Policy |publisher=University Information Security Office, Georgetown University |accessdate=23 July 2020}}</ref> NIST also notes that "[o]rganizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services."
 
'''Additional resources''':
* [https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/ Georgetown University UIS.203.7 Least Functionality Guidelines]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.18]
 
====CM-8 Information system component inventory====
This control recommends the organization develop and document a complete inventory of the various components within the authorization boundary of the system. That inventory should accurately portray the current system, have sufficient detail for accountability, and be detailed at a granular enough level for convenient tracking and reporting. The organization should also review and update the inventory in a defined frequency.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-7 Continuous monitoring====
====CM-10 Software usage restrictions====
This control recommends the organization develop a continuous monitoring program and implementation strategy. The program should define the metrics required for organizational performance indicators, as well as how often those metrics are applied and assessed for functionality and sufficiency. How the information is analyzed and correlated, how the organization responds to those activities, and how they are reported (who and when) must also be addressed. Metrics should follow the SMART principle of being specific, measurable, actionable, relevant, and focused on a timely nature.
This control recommends the organization make an effort to track the use of software and associated documentation to ensure both are being used legally and within contract agreements. The organization should also control against and document instances of software or documentation being copied, distributed, or used in an unauthorized fashion.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-9 Internal system connections====
====CM-11 User-installed software====
This control recommends the organization essentially create a systems map, documenting how the various parts of the system should interconnect—as well as the characteristics of the connection and the nature of the information transported through it—and explicitly authorizing the interconnection to occur. This includes connections through mobile devices, printers, computers, sensors, and servers. It may be useful to classify components of the system that have common characteristics or configurations to make authorizations (as classes) easier.
This control recommends the organization develop, document, and enforce policies governing if and when users may install software within the system. This includes monitoring for policy compliance at a defined frequency. Enforcement may be procedural, automated, or both.


'''Additional resources''':
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)
==References==
{{Reflist}}

Revision as of 20:43, 16 February 2022

CM-1 Configuration management policy and procedures

This control recommends the organization develop, document, disseminate, review, and update configuration management policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of configuration management action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

CM-2 Baseline configuration

This control recommends the organization develop, document, and maintain a baseline configuration of the information system and its components, including their network topology and logical placement within the system. The end result should fully reflect the existing enterprise architecture.

Additional resources:

CM-3 Configuration change control

This control recommends the organization develop a series of configuration change control steps to ensure that system upgrades and modifications cause little to no impact in the overall cybersecurity strength of the system. NIST specifically recommends the organization determine which system changes are linked to configuration control, review and approve proposed changes, document and retain those decisions, implement the approved changes, and audit and review the changes.

Additional resources:

CM-3 (2) Configuration change control: Test, validate, and document changes

This control enhancement recommends the organization test, validate, and document changes to the system before actual implementation on the live system. Operational hardware systems may have to be taken offline or replicated as closely as feasible to test; software systems can often be tested in a separate test environment. In all cases, the organization seeks to minimize impact on active system operations.

Additional resources:

CM-4 Security impact analysis

This control recommends the organization perform security impact analysis on the system to determine the extent of potentially undesirable consequences upon implementing proposed changes. This typically requires one or more individuals explicitly familiar with the system, the organization's security plans, and the system's architecture documents. Some revelations may also come from enacting security control CM-3 (2).

Additional resources:

CM-5 Access restrictions for change

This control recommends the organization define, document, approve, and enforce all the physical and logical access restrictions associated with making changes to the system configuration. Doing so creates a base policy that helps ensure "only qualified and authorized individuals [can] access information systems for purposes of initiating changes, including upgrades and modifications."

Additional resources:

CM-5 (1) Access restrictions for change: Automated access enforcement and auditing

This control enhancement recommends the system allow for the configuration and automated enforcement of access restrictions, as well as the auditing of associated enforcement actions.

Additional resources:

CM-6 Configuration settings

This control recommends the organization develop and implement a complete set of configuration settings for the hardware, software, and firmware that make up the information system. Those settings should ultimately reflect restrictions consistent with operational requirements and organizational policy. Additionally, the organization should perform change control on the settings, such that suggested deviations are not detrimental to the system and overall cybersecurity goals.

Additional resources:

CM-7 Least functionality

This control recommends the organization configure the system to apply the principle of "least functionality." As Georgetown University describes it, "[t]he principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system."[1] NIST also notes that "[o]rganizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services."

Additional resources:

CM-8 Information system component inventory

This control recommends the organization develop and document a complete inventory of the various components within the authorization boundary of the system. That inventory should accurately portray the current system, have sufficient detail for accountability, and be detailed at a granular enough level for convenient tracking and reporting. The organization should also review and update the inventory in a defined frequency.

Additional resources:

CM-10 Software usage restrictions

This control recommends the organization make an effort to track the use of software and associated documentation to ensure both are being used legally and within contract agreements. The organization should also control against and document instances of software or documentation being copied, distributed, or used in an unauthorized fashion.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

CM-11 User-installed software

This control recommends the organization develop, document, and enforce policies governing if and when users may install software within the system. This includes monitoring for policy compliance at a defined frequency. Enforcement may be procedural, automated, or both.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)

References

  1. "UIS.203.7 Least Functionality Guidelines". UIS.203 Configuration Management Policy. University Information Security Office, Georgetown University. https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/. Retrieved 23 July 2020.