Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

====RA-1 Risk assessment policy and procedures====
====SA-1 System and services acquisition policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk assessment action but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update system and services acquisition policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and services acquisition action but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 68–69
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 69
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publication 800-100], pages 113–23
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publication 800-100], pages 84–95
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]


====RA-2 Security categorization====
====SA-2 Allocation of resources====
This control recommends the organization categorize the information system and its data based on security. More specifically, NIST notes the security categorization should be based upon "the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability." Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.
This control recommends the organization determine, document, and allocate the resources required to protect the information system and its service as part of business process planning, capital planning, and cybersecurity planning. Those associated plans should have a discrete line item pertaining to information security.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://web.archive.org/web/20170203203450/http://www.integritymc.com/blog/2015/06/why-cpic-matters-more-than-ever-to-cybersecurity/ Integrity Matters Why CPIC Matters More than Ever to Cybersecurity]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publication 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====RA-3 Risk assessment====
====SA-3 System development lifecycle====
This control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized "access, use, disclosure, disruption, modification, or destruction" of the system and its data. The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency and updated when significant changes to the system or cybersecurity threats occur.
This control recommends the organization use a system development life cycle in the management of its information system. As part of this approach, the organization should define and document security roles and responsibilities for the phases of the life cycle, identify the key individuals involved, and ensure the organization's security risk management process is integrated into development life cycle activities. As such, the development life cycle benefits from consistency "with organizational risk management and information security strategies."


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publication 800-39]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====RA-5 Vulnerability scanning====
====SA-4 Acquisition process====
This control recommends the organization conduct vulnerability scanning of its system. "Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms." These scans should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using formatted checklists and test procedures, while also measuring vulnerability impact. The organization should analyze the results of these scans, remediate legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system.
This control recommends the organization, as part of the acquisition process, include security functional, strength, and assurance requirements; requirements for security documentation and its protection; description of the developmental and operational system environments; and acceptance criteria in the acquisition contracts for the information system, its components, and its services.


'''Additional resources''':
'''Additional resources''':
* [https://nvd.nist.gov/ NIST National Vulnerability Database]
* [https://www.niap-ccevs.org/index.cfm? National Information Assurance Partnership]
* [https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final NIST Special Publication 800-40, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publication 800-70, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publication 800-70, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publication 800-115]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====SA-4 (1) Acquisition process: Functional properties of security controls====
This control enhancement recommends the organization require of an information system, system component, or software developer a description of the functional properties of the security controls (i.e., the functionality visible at the interfaces of the security controls) the system, component, or software will employ.


'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.4]


====SA-4 (2) Acquisition process: Design and implementation information for security controls====
This control enhancement recommends the organization require of an information system, system component, or software developer information on the design and implementation of the security controls inherent to the system, component, or software. This could include security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics.


'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.2 and 33.4]


====SA-4 (3) Acquisition process: Development methods, techniques, and practices====
This control enhancement recommends the organization require of an information system, system component, or software developer proof of using a development life cycle that includes current and relevant system and security engineering methods, software development methods, testing and validation techniques, and quality control procedures.


'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.1]


====SA-5 Information system documentation====
This control recommends the organization require of an information system, system component, or software developer administrator documentation that describes configuration, installation, and operation; effective use and maintenance of security mechanisms; known vulnerabilities of privileged functions; best user practices to ensure system security; and administrator and user responsibilities for maintaining security. The organization should document any attempts (and failures) to acquire such administrator documentation, protect that documentation internally, and distribute it to the appropriate personnel or roles.


'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission LIMSpec 33.4]


====SA-9 External information system services====
This control recommends the organization hold providers of external information system services accountable to organizational security requirements, as well as defined security controls. The organization should also document government oversight and user roles and responsibilities associated with the services, and monitor the external information system services provider for compliance with organizational security requirements and security controls.


'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)


====SA-16 Developer-provided training====
This control recommends the organization require of an information system, system component, or software developer specific training on the correct operation of the security functions, controls, and mechanisms of the system, system component, or software.


'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.6]

Revision as of 21:06, 16 February 2022