Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

From LIMSWiki
Jump to navigationJump to search
(Replaced content with "<div class="nonumtoc">__TOC__</div> {{ombox | type = notice | style = width: 960px; | text = This is sublevel24 of my sandbox, where I play with features and...")
Tag: Replaced
 
(59 intermediate revisions by the same user not shown)
Line 1: Line 1:
<div class="nonumtoc">__TOC__</div>
<div class="nonumtoc">__TOC__</div>
==1. What is a cybersecurity plan and why do you need it?==
{{ombox
[[File:Incidents Reported by Federal Agencies in Fiscal Years 2006-2012 (15400517077).jpg|right|400px]]From law firms<ref name="SobowaleLaw17">{{cite web |url=http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/ |title=Law firms must manage cybersecurity risks |author=Sobowale, J. |work=ABA Journal |publisher=American Bar Association |date=01 March 2017 |accessdate=14 December 2019}}</ref> to automotive manufacturers<ref name="WatneyAddress17">{{cite web |url=https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf |format=PDF |title=Addressing new challenges in automotive cybersecurity |author=Watney, C.; Draffin, C. |work=R Street Policy Study No. 118 |publisher=R Street Institute |date=November 2017 |accessdate=14 December 2019}}</ref>, the need to address cybersecurity is increasingly apparent. In 2018, the Center for Strategic & International Studies estimated that cybercrime causes close to $600 billion in damages to the global economy every year<ref name="LewisEcon18">{{cite web |url=https://www.csis.org/analysis/economic-impact-cybercrime |title=Economic Impact of Cybercrime |author=Lewis, J.A. |publisher=Center for Strategic & International Studies |date=21 February 2018 |accessdate=14 December 2019}}</ref>, though due to underreporting of crimes, that number may be much higher. That number also likely doesn't take into account lost business, fines, litigation, and intangible losses<ref name="SBDCC_BlogCost17">{{cite web |url=https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |title=BLOG: Cost of Cyber Crime to Small Businesses |work=Virginia SBDC Blog |publisher=Virginia SBDC |date=30 May 2017 |accessdate=14 December 2019}}</ref> In the end, businesses of all sizes average to about $200,000 in losses due to a cybersecurity incident<ref name=HiscoxHiscox19">{{cite web |url=https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf |format=PDF |title=Hiscox Cyber Readiness Report 2019 |publisher=Hiscox Ltd |date=April 2019 |accessdate=14 December 2019}}</ref>, and nearly 60 percent of small and midsized businesses go bankrupt within six months because of it.<ref name="Galvin60_18">{{cite web |url=https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html |title=60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself |author=Galvin, J. |work=Inc.com |date=07 May 2018 |accessdate=14 December 2019}}</ref>
| type      = notice
| style    = width: 960px;
| text      = This is sublevel24 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas|my discussion page]] instead.<p></p>
}}


It's not just large corporations at risk; small businesses of all types are also subject to cyber crimes, and they aren't doing enough to protect themselves. Juniper Research reports that despite small businesses making up over 99 percent of all companies, approximately 13 percent of overall cybersecurity spending came from those small businesses in 2018, amounting to about $500 per business.<ref name="JuniperCyber18">{{cite web |url=https://www.juniperresearch.com/press/press-releases/cybersecurity-breaches-to-result-in-over-146-bn |title=Cybersecurity Breaches to Result in over 146 Billion Records Being Stolen by 2023 |publisher=Juniper Research |date=08 August 2018 |accessdate=14 December 2019}}</ref>
==Sandbox begins below==
 
Even the tiniest of businesses face cybersecurity risks today. The independent contractor with a WordPress-based website advertising their knowledge and skills must still ensure all website plugins and themes are updated and install security plugins to close potential vulnerabilities in the software. Without these precautions, hackers could spread malware, steal user data, add the website to a bot network, or hack it just for fun and learning.<ref name="GrimaTop19">{{cite web |url=https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/ |title=Top reasons why WordPress websites get hacked (and how you can stop it) |author=Grima, M. |publisher=WP White Security |date=14 November 2019 |accessdate=14 December 2019}}</ref><ref name="MoenWhatHack16">{{cite web |url=https://www.wordfence.com/blog/2016/04/hackers-compromised-wordpress-sites/ |title=What Hackers Do With Compromised WordPress Sites |author=Moen, D. |work=Wordfence Blog |publisher=Defiant, Inc |date=19 April 2016 |accessdate=14 December 2019}}</ref><ref name="TalalevWebsite19" />
 
As for larger companies, a late 2018 audit of Fortune 500 companies found a mix of good and bad news: they're doing better at reducing the number of entry points for hackers to enter their systems, yet susceptibility to fraudulent email remains a major concern.<ref name="UchillFortune18">{{cite web |url=https://www.axios.com/fortune-500-cybersecurity-email-security-8cb4a3ee-0aa4-42b4-8ab4-da722d756379.html |title=Fortune 500 cybersecurity is better and worse than you'd think |author=Uchill, J. |publisher=Axios |date=11 December 2018 |accessdate=14 December 2019}}</ref>Additionally, Fortune 500 companies are still lagging behind in public transparency of showing a commitment to cybersecurity and protecting customer data.<ref name="StahieFortune19">{{cite web |url=https://securityboulevard.com/2019/10/fortune-500-companies-take-cyber-security-for-granted/ |title=Fortune 500 Companies Take Cyber Security for Granted |author=Stahie, S. |work=Security Boulevard |date=04 October 2019 |accessdate=14 December 2019}}</ref> More broadly, roughly 60 to 70 percent of all companies are still ill-prepared for cyber threats, either not having an up-to-date cybersecurity strategy or having no plan at all.<ref name="Galvin60_18" /><ref name="TalalevWebsite19">{{cite web |url=https://www.webarxsecurity.com/website-hacking-statistics-2018-february/ |title=Website Hacking Statistics (Updated 2019) |author=Talaleve, A. |publisher=WebARX |date=May 2019 |accessdate=14 December 2019}}</ref> By all appearances, businesses still aren't doing enough to protect themselves and their customer's data despite the fact that cybercrime appears to only be getting worse for everyone.
 
The most solid first steps any organization or individual can take to limit the potential effects of cybercrime is to learn more about the threat and to develop a cybersecurity strategy. For most organizations, this means developing a cybersecurity plan.
 
A cybersecurity plan is a developed, distributed, reviewed, updated, and protected collection of assessments, analyses, requirements, controls, goals, policies, performance indicators, and metrics that shapes how an organization protects against and responds to cybersecurity threats. Developing a cybersecurity plan is not a simple process; it requires expertise, resources, and diligence. Even a simple plan may involve several months of development, more depending on the complexity involved. The time it takes to develop the plan may also be impacted by how much executive support is provided, the size of the development team (bigger is not always better), and how available required resources are.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=29 November 2019}}</ref>
 
This guide attempts to assist organizations and individuals with overcoming the involved complexities of cybersecurity plan development and preventing becoming another cybersecurity statistic. It addresses the major standards and regulations affecting cybersecurity, in particular the National Institute of Standards and Technology's (NIST) Cybersecurity Framework and related controls. Also addressed is how to best incorporate a cybersecurity framework and controls into your plan development. At it's heart, this guide includes a comprehensive 10-step plan of attack for developing a cybersecurity plan, followed by closing comments. At the end of this guide, we include an appendix containing a slightly more simplified wording of NIST's most popular cybersecurity controls, as well as mappings to this wiki's own LIMSpec, an evolving set of specifications for laboratory informatics solutions and their development.
 
Note that this guide has been written with the intent to broadly cover multiple industries. However, it does have a slight lean towards laboratories, particularly those implementing information systems. Despite that, there should be sufficient information contained herein to be helpful to most people attempting to navigate the challenges of consistently applying cybersecurity goals and policies to their organization.
 
==2. What are the major standards and regulations dictating cybersecurity action?==
To be fair, the question of which standards and regulations affect how an organization implements cybersecurity is a most difficult one to answer. Not only do related standards and regulations vary by industry, they also vary by geography, complexity, and ease of implementation. Let's turn to the relatively dramatic example of data retention. Consider this statement:
 
<blockquote>''The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.''</blockquote>
 
Through recent updates to LIMSpec, we've found the following national and international regulations, standards, and guidance (Table 1) that tie into data retention and the protection of that retained data (and that list will certainly continue to grow):
 
{|
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="100%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="2"|'''Table 1.''' Regulations, standards, and guidance affecting data retention and the security of retained data
|-
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|
[https://www.law.cornell.edu/cfr/text/7/331.17 7 CFR Part 331.17 (c)]<br />
[https://www.law.cornell.edu/cfr/text/9/121.17 9 CFR Part 121.17 (c)]<br />
[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (c)]<br />
[https://www.law.cornell.edu/cfr/text/21/58.195 21 CFR Part 58.195]<br />
[https://www.law.cornell.edu/cfr/text/21/211.180 21 CFR Part 211.180]<br />
[https://www.law.cornell.edu/cfr/text/21/211.110 21 CFR Part 212.110 (c)]<br />
[https://www.law.cornell.edu/cfr/text/21/225.42 21 CFR Part 225.42 (b-8)]<br />
[https://www.law.cornell.edu/cfr/text/21/225.58 21 CFR Part 225.58 (c–d)]<br />
[https://www.law.cornell.edu/cfr/text/21/225.102 21 CFR Part 225.102]<br />
[https://www.law.cornell.edu/cfr/text/21/225.110 21 CFR Part 225.110]<br />
[https://www.law.cornell.edu/cfr/text/21/225.158 21 CFR Part 225.158]<br />
[https://www.law.cornell.edu/cfr/text/21/225.202 21 CFR Part 225.202]<br />
[https://www.law.cornell.edu/cfr/text/21/226.42 21 CFR Part 226.42 (a)]<br />
[https://www.law.cornell.edu/cfr/text/21/226.58 21 CFR Part 226.58 (f)]<br />
[https://www.law.cornell.edu/cfr/text/21/226.102 21 CFR Part 226.102]<br />
[https://www.law.cornell.edu/cfr/text/21/226.115 21 CFR Part 226.115]<br />
[https://www.law.cornell.edu/cfr/text/21/312.57 21 CFR Part 312.57]<br />
[https://www.law.cornell.edu/cfr/text/21/312.62 21 CFR Part 312.62]<br />
[https://www.law.cornell.edu/cfr/text/21/606.160 21 CFR Part 606.160 (d)]<br />
[https://www.law.cornell.edu/cfr/text/21/812.140 21 CFR Part 812.140 (d)]<br />
[https://www.law.cornell.edu/cfr/text/21/820.180 21 CFR Part 820.180 (b)]<br />
[https://www.law.cornell.edu/cfr/text/29/1910.1030 29 CFR Part 1910.1030 (h-2)]<br />
[https://www.law.cornell.edu/cfr/text/40/141.33 40 CFR Part 141.33]<br />
[https://www.law.cornell.edu/cfr/text/40/141.722 40 CFR Part 141.722]<br />
[https://www.law.cornell.edu/cfr/text/40/part-704/subpart-A 40 CFR Part 704 Subpart A]<br />
[https://www.law.cornell.edu/cfr/text/40/717.15 40 CFR Part 717.15 (d)]<br />
[https://www.law.cornell.edu/cfr/text/42/73.17 42 CFR Part 73.17 (c)]<br />
[https://www.law.cornell.edu/cfr/text/42/493.1105 42 CFR Part 493.1105]<br />
[https://www.law.cornell.edu/cfr/text/42/493.1283 42 CFR Part 493.1283]<br />
[https://www.law.cornell.edu/cfr/text/45/164.105 45 CFR Part 164.105]<br />
[https://www.law.cornell.edu/cfr/text/45/164.316 45 CFR Part 164.316]<br />
[https://www.law.cornell.edu/cfr/text/45/164.530 45 CFR Part 164.530]<br />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|
[https://www.aafco.org/Publications/QA-QC-Guidelines-for-Feed-Laboratories AAFCO QA/QC Guidelines for Feed Laboratories Sec. 2.4.4 or 3.1]<br />
[https://www.aavld.org/accreditation-requirements-page AAVLD Requirements for an AVMDL Sec. 4.10.1.2]<br />
[https://www.aavld.org/accreditation-requirements-page AAVLD Requirements for an AVMDL Sec. 4.10.2.1]<br />
[https://www.aavld.org/accreditation-requirements-page AAVLD Requirements for an AVMDL Sec. 5.4.3.2]<br />
[http://www.abft.org/files/ABFT_LAP_Standards_May_31_2013.pdf ABFT Accreditation Manual Sec. E-33]<br />
[https://www.aihaaccreditedlabs.org/Policies/Pages/default.aspx AIHA-LAP Policies 2018 2A.7.5.1]<br />
[http://des.wa.gov/sites/default/files/public/documents/About/1063/RFP/Add7_Item4ASCLD.pdf ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 4.14.1.2 and 4.15.1.2]<br />
[http://des.wa.gov/sites/default/files/public/documents/About/1063/RFP/Add7_Item4ASCLD.pdf ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.9.3.6 and 5.9.7]<br />
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 E-17-4]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.3.4]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.6–7]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.1]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-7.1]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-1/dir_2003_94/dir_2003_94_en.pdf E.U. Commission Directive 2003/94/EC Article 9.1]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-1/dir_2003_94/dir_2003_94_en.pdf E.U. Commission Directive 2003/94/EC Article 11.4]<br />
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. III, Sec. 15]<br />
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. IV, Sec. 8]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.18]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.11.17]<br />
[https://www.epa.gov/quality/guidance-quality-assurance-project-plans-epa-qag-5 EPA QA/G-5 2.1.9]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 4.3]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 8.4.2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AT-4]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AU-11 and AU-11(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-12]<br />
[http://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Sampling Procedures for PDP 6.5]<br />
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.8–9]
|-
|}
|}
 
This example illustrates the complexity of making a complete and accurate list of regulations, standards, guidance, and other bodies of work demanding data protection from organizations. And this represents only one security control among many. As such, it's difficult to answer this question in full.
 
Regardless, we can confidently say a few things about the regulations and standards behind cybersecurity. First, the risks and consequences of poor security drive regulation and, more preferably<ref name="CiocoiuTheRole10">{{cite book |chapter=Chapter 1. The Role of Standardization in Improving the Effectiveness of Integrated Risk Management |title=Advances in Risk Management |author=Ciocoui, C.N.; Dobrea, R.C. |editor=Nota, G. |publisher=IntechOpen |year=2010 |isbn=9789535159469 |doi=10.5772/9893}}</ref><ref name="JPMorganData18">{{cite web |url=https://www.jpmorganchase.com/corporate/news/document/call-to-action.pdf |format=PDF |title=Data Standardization: A Call to Action |publisher=JPMorgan Chase & Co |date=May 2018 |accessdate=14 December 2019}}</ref>, standardization, which in turn moves the "goalposts" of cybersecurity among organizations. In the case of regulations, organization that get caught not following them tend to suffer negative consequences, providing some incentive to improve organizational processes to conform to the regulations. But regulations can at times be "imprecise" or "disconnected"<ref name="JPMorganData18" /> from what actually occurs within the organization and its information systems. When adopted, cybersecurity standards may provide a clearer path of opportunity for organizations to improve their cybersecurity culture and outcomes, particularly since, at least in theory, the standards are developed with a broader consensus of interested individuals with expertise in the field.<ref name="CiocoiuTheRole10" /> In turn, the more organizations that adopt well-designed standards likely have a better chance of conforming to the regulations they must, and they'll likely have more interest in maintaining and improving the goalposts of cybersecurity.
 
That's not to say that compliance with regulations and standards alone can stop critical risks in their tracks<ref name="KaplanManaging12">{{cite web |url=https://hbr.org/2012/06/managing-risks-a-new-framework |title=Managing Risks: A New Framework |author=Kaplan, R.S.; Mikes, A. |work=Harvard Business Review |date=June 2012 |accessdate=14 December 2019}}</ref>:
 
<blockquote>Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.</blockquote>
 
Second, modern cybersecurity frameworks and controls are typically harmonized with other standards and updated as business processes, technologies, cyber threats, and even regulations evolve. For example, the industry-specific ''Water Sector Cybersecurity Risk Management Guidance v3.0'', which contains a set of cybersecurity controls as they relate to the water and wastewater sectors, is harmonized with the NIST Cybersecurity Framework.<ref name="AWWACyber19">{{cite web |url=https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance |title=Water Sector Cybersecurity Risk Management Guidance |author=West Yost Associates |publisher=American Water Works Association |date=04 September 2019 |accessdate=14 December 2019}}</ref> And NIST's Special Publication 800-171, Revision 1: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'' has controls mapped to ISO/IEC 27001:2013 controls.<ref name=NISTSP800-171_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final |title=NIST SP 800-171, Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=07 June 2018 |accessdate=13 December 2019}}</ref> These and other signs point to some consolidation of thought on what constitutes relevant and necessary action towards preparing an organization to be more prepared for cyber threats and their potential consequences.
 
That said, according to at least one authority, the top four cybersecurity frameworks being leveraged by organizations are the Payment Card Industry Data Security Standards (PCI DSS), ISO/IEC 27001:2013, Center for Internet Security (CIS) Controls, and the NIST Cybersecurity Framework.<ref name="WatsonTopFour19">{{cite web |url=https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks |title=Top 4 cybersecurity frameworks |author=Watson, M. |work=IT Governance USA Blog |publisher=GRC International Group plc |date=17 January 2019 |accessdate=14 December 2019}}</ref> For the purposes of this guide, the NIST Cybersecurity Framework and its related control documents receive the most focus. That is not meant to dissuade organizations from using other frameworks. For example, the PCI DSS is heavily geared to the financial services industry and is industry-appropriate for those working with credit card transactions. However, additional controls from other frameworks may also be of use. In fact, more than 40 percent of organizations work with more than one set of cybersecurity controls when developing their cybersecurity plan.<ref name="WatsonTopFour19" /> The NIST Cybersecurity Framework and related controls are particularly appealing though, having been developed with thousands of stakeholders giving feedback, and in such a way that the controls remain "intuitive and accessible to a wide range of practitioners."<ref name="NISTNIST19">{{cite web |url=https://www.nist.gov/news-events/news/2019/02/nist-marks-fifth-anniversary-popular-cybersecurity-framework |title=NIST Marks Fifth Anniversary of Popular Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=12 February 2019 |accessdate=14 December 2019}}</ref><ref name="PerryExplain19">{{cite web |url=https://www.infosecurity-magazine.com/opinions/breakout-nist-cybersecurity-1-1/ |title=Explaining the Breakout Success of the NIST Cybersecurity Framework |author=Perry, J. |work=Infosecurity Magazine |publisher=Reed Exhibitions Limited |date=16 April 2019 |accessdate=14 December 2019}}</ref>
 
==3. Fitting a cybersecurity framework into a cybersecurity plan==
 
 
==4. The NIST Cybersecurity Framework and its control families==
 
 
 
==5. Develop and create the cybersecurity plan==
https://www.limswiki.org/index.php/User:Shawndouglas/sandbox/sublevel28
 
==6. Closing remarks==
 
==Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec==
https://www.limswiki.org/index.php/User:Shawndouglas/sandbox/sublevel30
 
==References==
{{Reflist|colwidth=30em}}

Latest revision as of 20:22, 16 August 2023

Sandbox begins below