Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"
Shawndouglas (talk | contribs) |
Line 1: | Line 1: | ||
==== | ====MP-1 Media protection policy and procedures==== | ||
This control recommends the organization develop, document, disseminate, review, and update | This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page | * [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 65 | ||
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1] | |||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2] | * [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2] | ||
==== | ====MP-2 Media access==== | ||
This control recommends the organization | This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data contained on the media. | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/ | * [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec30.9] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.7] | ||
==== | ====MP-6 Media sanitization==== | ||
This control recommends the organization | This control recommends the organization sanitize specified system media using authorized techniques prior to being disposed, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media. | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https://csrc.nist.gov/publications/detail/sp/800- | * [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1] | ||
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1] | |||
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1] | * [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1] | ||
* [https://www. | * [https://www.nsa.gov/resources/everyone/media-destruction/ NSA/CSS Media Destruction Guidance] | ||
* No LIMSpec comp (organizational policy rather than system specification) | |||
==== | ====MP-7 Media use==== | ||
This control recommends the organization | This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives" on the system or its subsystems. | ||
'''Additional resources''': | '''Additional resources''': | ||
* No LIMSpec comp (organizational policy rather than system specification) | * No LIMSpec comp (organizational policy rather than system specification) | ||
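Review bot: the "NIST Special Publications 800-88, Rev. 1" entry added under MP-1 is labelled 800-88 but its URL points to .../sp/800-63/3/final, and the existing entry under MP-6 carries the same mismatch. A reader following the media sanitization reference lands on a different publication, so both links should point to the SP 800-88, Rev. 1 page. In the MP-2 resources, "LIMSpec30.9" is also missing the space after "LIMSpec".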
Revision as of 20:54, 16 February 2022
MP-1 Media protection policy and procedures
This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection actions but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, page 65
- NIST Special Publications 800-88, Rev. 1
- LIMSpec 7.1, 7.2
MP-2 Media access
This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data.
Additional resources:
- LIMSpec 30.9 and 34.7
MP-6 Media sanitization
This control recommends the organization sanitize specified system media using authorized techniques prior to being disposed of, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.
Additional resources:
- NIST Special Publications 800-60, Vol. 1, Rev. 1
- NIST Special Publications 800-60, Vol. 2, Rev. 1
- NIST Special Publications 800-88, Rev. 1
- NSA/CSS Media Destruction Guidance
- No LIMSpec comp (organizational policy rather than system specification)
MP-7 Media use
This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives" on the system or its subsystems.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)