{"ID":91711,"post_author":"26","post_date":"2020-07-24 16:11:41","post_date_gmt":"2020-07-24 20:11:41","post_content":"","post_title":"Comprehensive Guide to Developing and Implementing a Cybersecurity Plan","post_excerpt":"","post_status":"publish","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"comprehensive-guide-to-developing-and-implementing-a-cybersecurity-plan","to_ping":"","pinged":"","post_modified":"2023-03-21 15:19:05","post_modified_gmt":"2023-03-21 19:19:05","post_content_filtered":"","post_parent":0,"guid":"https:\/\/www.limsforum.com\/?post_type=ebook&p=91711","menu_order":0,"post_type":"ebook","post_mime_type":"","comment_count":"0","filter":"","holland":null,"_ebook_metadata":{"enabled":"on","private":"0","guid":"1749414C-C608-48F5-84B5-9982E455D86F","title":"Comprehensive Guide to Developing and Implementing a Cybersecurity Plan","subtitle":"Second Edition","cover_theme":"nico_3","cover_image":"https:\/\/www.limsforum.com\/wp-content\/plugins\/rdp-ebook-builder\/pl\/cover.php?cover_style=nico_3&subtitle=Second+Edition&editor=Shawn+Douglas&title=Comprehensive+Guide+to+Developing+and+Implementing+a+Cybersecurity+Plan&title_image=https%3A%2F%2Fs3.limsforum.com%2Fwww.limsforum.com%2Fwp-content%2Fuploads%2FInnovation__Research_Symposium_Cisco_and_Ecole_Polytechnique_9-10_April_2018_Artificial_Intelligence__Cybersecurity_40631791164-scaled.jpg&publisher=LabLynx+Press","editor":"Shawn Douglas","publisher":"LabLynx Press","author_id":"26","image_url":"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/7\/7d\/Innovation_%26_Research_Symposium_Cisco_and_Ecole_Polytechnique_9-10_April_2018_Artificial_Intelligence_%26_Cybersecurity_%2840631791164%29.jpg","items":{"a709d503ce594c5b97961e2a58bfa8ea_type":"article","a709d503ce594c5b97961e2a58bfa8ea_title":"Appendix 1.20 Supply chain risk management","a709d503ce594c5b97961e2a58bfa8ea_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Supply_chain_risk_management","a709d503ce594c5b97961e2a58bfa8ea_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Supply chain risk managementFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.20 Supply chain risk management \n\n1.1 SR-1 Policy and procedures \n\n\n2 References \n3 Citation information for this chapter \n\n\n\nAppendix 1.20 Supply chain risk management \nThe set of SR controls are largely aimed at the organization level and not directed at the information system. As such, they have no LIMSpec parallels and are not discussed in detail here. That said, NIST notes that supply chain risk management (SCRM) activities \"include identifying and assessing risks\" based on the organization's \"dependence on products, systems, and services from external providers, as well\nas the nature of the relationships with those providers.\" SCRM activities also include \"determining appropriate risk response actions [to supply chain risk], developing SCRM plans to document response actions, and monitoring performance against plans.\" The first control, SR-1, is included here. For more on these controls, consult pages 363\u201373 of NIST SP 800-53, Rev. 5.\n\nSR-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update SCRM policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-30, Rev. 1\nNIST Special Publications 800-161, Rev. 1\nLIMSpec 7.1, 7.2\nReferences \n\n\nCitation information for this chapter \nChapter: Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\nTitle: Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\nEdition: Second\nAuthor for citation: Shawn E. Douglas\nLicense for content: Creative Commons Attribution-ShareAlike 4.0 International\nPublication date: March 2023\n\r\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Supply_chain_risk_management\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Supply_chain_risk_management<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 21 March 2023, at 19:01.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 4 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","a709d503ce594c5b97961e2a58bfa8ea_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Supply_chain_risk_management rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Supply_chain_risk_management skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Supply chain risk management<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.20_Supply_chain_risk_management\">Appendix 1.20 Supply chain risk management<\/span><\/h3>\n<p>The set of SR controls are largely aimed at the organization level and not directed at the information system. As such, they have no LIMSpec parallels and are not discussed in detail here. That said, NIST notes that supply chain risk management (SCRM) activities \"include identifying and assessing risks\" based on the organization's \"dependence on products, systems, and services from external providers, as well\nas the nature of the relationships with those providers.\" SCRM activities also include \"determining appropriate risk response actions [to supply chain risk], developing SCRM plans to document response actions, and monitoring performance against plans.\" The first control, SR-1, is included here. For more on these controls, consult pages 363\u201373 of NIST SP 800-53, Rev. 5.\n<\/p>\n<h4><span class=\"mw-headline\" id=\"SR-1_Policy_and_procedures\">SR-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update SCRM policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-30, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-161\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-161, Rev. 1<\/a><\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<h2><span class=\"mw-headline\" id=\"Citation_information_for_this_chapter\">Citation information for this chapter<\/span><\/h2>\n<p><b>Chapter<\/b>: Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\n<\/p><p><b>Title<\/b>: <i>Comprehensive Guide to Developing and Implementing a Cybersecurity Plan<\/i>\n<\/p><p><b>Edition<\/b>: Second\n<\/p><p><b>Author for citation<\/b>: Shawn E. Douglas\n<\/p><p><b>License for content<\/b>: <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/\" target=\"_blank\">Creative Commons Attribution-ShareAlike 4.0 International<\/a>\n<\/p><p><b>Publication date<\/b>: March 2023\n<\/p><p><br \/>\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20230321190155\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.025 seconds\nReal time usage: 0.033 seconds\nPreprocessor visited node count: 54\/1000000\nPost\u2010expand include size: 2188\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 22.449 1 -total\n 53.52% 12.014 1 Template:Reflist\n 45.59% 10.234 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.20_Supply_chain_risk_management\n 23.76% 5.333 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:14097-0!canonical and timestamp 20230321190157 and revision id 51697. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Supply_chain_risk_management\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Supply_chain_risk_management<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","a709d503ce594c5b97961e2a58bfa8ea_images":[],"a709d503ce594c5b97961e2a58bfa8ea_timestamp":1679426354,"4ca06ca4d95a2c83374488b548e563c9_type":"article","4ca06ca4d95a2c83374488b548e563c9_title":"Appendix 1.19 System and information integrity","4ca06ca4d95a2c83374488b548e563c9_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity","4ca06ca4d95a2c83374488b548e563c9_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and information integrityFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.19 System and information integrity \n\n1.1 SI-1 Policy and procedures \n1.2 SI-2 Flaw remediation \n1.3 SI-2 (5) Flaw remediation: Automatic software and firmware updates \n1.4 SI-3 Malicious code protection \n1.5 SI-4 System monitoring \n1.6 SI-4 (5) System monitoring: System-generated alerts \n1.7 SI-4 (7) System monitoring: Automated response to suspicious alerts \n1.8 SI-5 Security alerts, advisories, and directives \n1.9 SI-12 Information management and retention \n1.10 SI-16 Memory protection \n1.11 SI-19 De-identification \n1.12 SI-19 (7) De-identification: Validated algorithms and software \n\n\n2 References \n\n\n\nAppendix 1.19 System and information integrity \nSI-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update system and information integrity policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, Rev. 1, page 70\nLIMSpec 7.1, 7.2\nSI-2 Flaw remediation \nThis control recommends the organization identify, report, and correct flaws in the information system. When attempting to correct a flaw with a software or firmware update, the organization should first test the effectiveness and potential side effects of the update before installing on the operational system. The organization should agree to update flaws within an organization-defined time period after the release of the update, and incorporate flaw remediation into the organization's existing configuration management processes and procedures.\nAdditional resources:\n\nNIST Special Publications 800-40, Rev. 4\nNIST Special Publications 800-128\nLIMSpec 16.7 and 34.15\n SI-2 (5) Flaw remediation: Automatic software and firmware updates \nThis control enhancement recommends the organization selectively employ automatic mechanisms for the installation of specified security-relevant software and firmware updates to specified system components (or across the entire system).\nAdditional resources:\n\nLIMSpec 34.10\nSI-3 Malicious code protection \nThis control recommends the organization employ, configure, and regularly update malicious code protection mechanisms at information system entry and exit points. The configuration of these mechanisms should allow for periodic scans of the system at a defined frequency, as well as real-time scans of external files, and should also block malicious code, quarantine it, and\/or send alerts to an administrator or specific organizational role. The mechanisms should also allow the organization to manage false positives and their potential impact on the system.\nAdditional resources:\n\nNIST Special Publications 800-83, Rev. 1\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSI-4 System monitoring \nThis control recommends the organization employ various forms of monitoring on the system in order to detect attacks, unauthorized local, network, and remote connections; and unauthorized processes, either actual or indications of. The forms of monitoring used should deployed strategically with the system and at ad hoc locations, and those forms of monitoring should be vetted with legal opinion in regard to their adherence to laws and regulations. The organization should protect protect information gained from monitoring the system and heighten the level of monitoring when indications exist of increased risk to the system. Finally, the organization should disseminate monitoring information to designated personnel or roles as needed or at a defined frequency.\nAdditional resources:\n\nNIST Special Publications 800-61, Rev. 2\nNIST Special Publications 800-83, Rev. 1\nNIST Special Publications 800-92\nNIST Special Publications 800-94\nNIST Special Publications 800-137\nLIMSpec 16.7 and 31.8\n SI-4 (5) System monitoring: System-generated alerts \nThis control enhancement recommends the system send alerts to designated personnel or roles when any of a list of organization-defined indications of compromise or potential compromise occur.\nAdditional resources:\n\nLIMSpec 30.8\n SI-4 (7) System monitoring: Automated response to suspicious alerts \nThis control enhancement recommends the system send alerts to designated personnel or roles when a suspicious event is detected and then take the least-disruptive action from a list of organizational-defined actions in order to terminate the suspicious event.\nAdditional resources:\n\nLIMSpec 30.8\n SI-5 Security alerts, advisories, and directives \nThis control recommends the organization choose a source for system security alerts, advisories, and directives and receive regular updates from the source. Additionally, the organization should generate their own internal security alerts, advisories, and directives when necessary. In all cases, this received and generated information should be disseminated to defined personnel, roles, groups, external organizations, etc. Of course, the organization should also act upon the information received, implementing a fix within an established time frame, notifying a designated individual or role of any degree of noncompliance.\nAdditional resources:\n\nNIST Special Publications 800-40, Rev. 4\nNo LIMSpec comp (organizational policy rather than system specification)\nSI-12 Information management and retention \nThis control recommends the organization manage and retain information stored and transmitted within the system according to law, regulation, standards, and operational requirements.\nAdditional resources:\n\nLIMSpec 31.2, 31.3, and 31.4\nSI-16 Memory protection \nThis control recommends the organization choose and employ hardware- or software-enforced security safeguards into the system that protect its memory from unauthorized code execution. Safeguards might include methods such as data execution prevention and address space layout randomization.\nAdditional resources:\n\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSI-19 De-identification \nThis control recommends the system have a means of de-identifying personally identifiable information from datasets while also allowing for evaluation of the effectiveness of those means. NIST notes that \"[r]e-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics.\"\nAdditional resources:\n\nLIMSpec 36.3, 36.4\n SI-19 (7) De-identification: Validated algorithms and software \nThis control enhancement recommends that any de-identification algorithms, software, or software modules be validated to be working as intended.\nAdditional resources:\n\nLIMSpec 36.5\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 21 March 2023, at 19:00.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 529 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","4ca06ca4d95a2c83374488b548e563c9_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_information_integrity rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_information_integrity skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and information integrity<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.19_System_and_information_integrity\">Appendix 1.19 System and information integrity<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"SI-1_Policy_and_procedures\">SI-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update system and information integrity policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 70<\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-2_Flaw_remediation\">SI-2 Flaw remediation<\/span><\/h4>\n<p>This control recommends the organization identify, report, and correct flaws in the information system. When attempting to correct a flaw with a software or firmware update, the organization should first test the effectiveness and potential side effects of the update before installing on the operational system. The organization should agree to update flaws within an organization-defined time period after the release of the update, and incorporate flaw remediation into the organization's existing configuration management processes and procedures.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-40\/rev-4\/final\" target=\"_blank\">NIST Special Publications 800-40, Rev. 4<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-128\/final\" target=\"_blank\">NIST Special Publications 800-128<\/a><\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management\" data-key=\"1ef9aa152f771b925b31c12cd68bba66\">LIMSpec 16.7<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.15<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SI-2_(5)_Flaw_remediation:_Automatic_software_and_firmware_updates\"><\/span><span class=\"mw-headline\" id=\"SI-2_.285.29_Flaw_remediation:_Automatic_software_and_firmware_updates\">SI-2 (5) Flaw remediation: Automatic software and firmware updates<\/span><\/h4>\n<p>This control enhancement recommends the organization selectively employ automatic mechanisms for the installation of specified security-relevant software and firmware updates to specified system components (or across the entire system).\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.10<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-3_Malicious_code_protection\">SI-3 Malicious code protection<\/span><\/h4>\n<p>This control recommends the organization employ, configure, and regularly update malicious code protection mechanisms at information system entry and exit points. The configuration of these mechanisms should allow for periodic scans of the system at a defined frequency, as well as real-time scans of external files, and should also block malicious code, quarantine it, and\/or send alerts to an administrator or specific organizational role. The mechanisms should also allow the organization to manage false positives and their potential impact on the system.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-83, Rev. 1<\/a><\/li>\n<li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-4_System_monitoring\">SI-4 System monitoring<\/span><\/h4>\n<p>This control recommends the organization employ various forms of monitoring on the system in order to detect attacks, unauthorized local, network, and remote connections; and unauthorized processes, either actual or indications of. The forms of monitoring used should deployed strategically with the system and at ad hoc locations, and those forms of monitoring should be vetted with legal opinion in regard to their adherence to laws and regulations. The organization should protect protect information gained from monitoring the system and heighten the level of monitoring when indications exist of increased risk to the system. Finally, the organization should disseminate monitoring information to designated personnel or roles as needed or at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-61\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-61, Rev. 2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-83, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-92\/final\" target=\"_blank\">NIST Special Publications 800-92<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-94\/final\" target=\"_blank\">NIST Special Publications 800-94<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-137\/final\" target=\"_blank\">NIST Special Publications 800-137<\/a><\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management\" data-key=\"1ef9aa152f771b925b31c12cd68bba66\">LIMSpec 16.7<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity\" data-key=\"eedafbce6e4049ac527deb43a1e2311d\">31.8<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SI-4_(5)_System_monitoring:_System-generated_alerts\"><\/span><span class=\"mw-headline\" id=\"SI-4_.285.29_System_monitoring:_System-generated_alerts\">SI-4 (5) System monitoring: System-generated alerts<\/span><\/h4>\n<p>This control enhancement recommends the system send alerts to designated personnel or roles when any of a list of organization-defined indications of compromise or potential compromise occur.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.8<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SI-4_(7)_System_monitoring:_Automated_response_to_suspicious_alerts\"><\/span><span class=\"mw-headline\" id=\"SI-4_.287.29_System_monitoring:_Automated_response_to_suspicious_alerts\">SI-4 (7) System monitoring: Automated response to suspicious alerts<\/span><\/h4>\n<p>This control enhancement recommends the system send alerts to designated personnel or roles when a suspicious event is detected and then take the least-disruptive action from a list of organizational-defined actions in order to terminate the suspicious event.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.8<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SI-5_Security_alerts,_advisories,_and_directives\"><\/span><span class=\"mw-headline\" id=\"SI-5_Security_alerts.2C_advisories.2C_and_directives\">SI-5 Security alerts, advisories, and directives<\/span><\/h4>\n<p>This control recommends the organization choose a source for system security alerts, advisories, and directives and receive regular updates from the source. Additionally, the organization should generate their own internal security alerts, advisories, and directives when necessary. In all cases, this received and generated information should be disseminated to defined personnel, roles, groups, external organizations, etc. Of course, the organization should also act upon the information received, implementing a fix within an established time frame, notifying a designated individual or role of any degree of noncompliance.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-40\/rev-4\/final\" target=\"_blank\">NIST Special Publications 800-40, Rev. 4<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-12_Information_management_and_retention\">SI-12 Information management and retention<\/span><\/h4>\n<p>This control recommends the organization manage and retain information stored and transmitted within the system according to law, regulation, standards, and operational requirements.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity\" data-key=\"eedafbce6e4049ac527deb43a1e2311d\">LIMSpec 31.2, 31.3, and 31.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-16_Memory_protection\">SI-16 Memory protection<\/span><\/h4>\n<p>This control recommends the organization choose and employ hardware- or software-enforced security safeguards into the system that protect its memory from unauthorized code execution. Safeguards might include methods such as data execution prevention and address space layout randomization.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-19_De-identification\">SI-19 De-identification<\/span><\/h4>\n<p>This control recommends the system have a means of de-identifying personally identifiable information from datasets while also allowing for evaluation of the effectiveness of those means. NIST notes that \"[r]e-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy\" data-key=\"111b080aebf48e07f19c5b0f8f2b6a2e\">LIMSpec 36.3, 36.4<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SI-19_(7)_De-identification:_Validated_algorithms_and_software\"><\/span><span class=\"mw-headline\" id=\"SI-19_.287.29_De-identification:_Validated_algorithms_and_software\">SI-19 (7) De-identification: Validated algorithms and software<\/span><\/h4>\n<p>This control enhancement recommends that any de-identification algorithms, software, or software modules be validated to be working as intended.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy\" data-key=\"111b080aebf48e07f19c5b0f8f2b6a2e\">LIMSpec 36.5<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321190043\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.026 seconds\nReal time usage: 0.032 seconds\nPreprocessor visited node count: 60\/1000000\nPost\u2010expand include size: 9317\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 14.154 1 -total\n 55.14% 7.804 1 Template:Reflist\n 43.39% 6.141 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.17_System_and_information_integrity\n 24.54% 3.473 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12104-0!canonical and timestamp 20230321190049 and revision id 51696. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","4ca06ca4d95a2c83374488b548e563c9_images":[],"4ca06ca4d95a2c83374488b548e563c9_timestamp":1679426354,"0d4299503ffb7a3bc99899ce8f91b142_type":"article","0d4299503ffb7a3bc99899ce8f91b142_title":"Appendix 1.18 System and communications protection","0d4299503ffb7a3bc99899ce8f91b142_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection","0d4299503ffb7a3bc99899ce8f91b142_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and communications protectionFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.18 System and communications protection \n\n1.1 SC-1 Policy and procedures \n1.2 SC-5 Denial of service protection \n1.3 SC-7 Boundary protection \n1.4 SC-8 Transmission confidentiality and integrity \n1.5 SC-8 (1) Transmission confidentiality and integrity: Cryptographic protection \n1.6 SC-12 Cryptographic key establishment and management \n1.7 SC-13 Cryptographic protection \n1.8 SC-15 Collaborative computing devices and applications \n1.9 SC-20 Secure name-address resolution service (authoritative source) \n1.10 SC-21 Secure name-address resolution service (recursive or caching resolver) \n1.11 SC-22 Architecture and provisioning for name-address resolution service \n1.12 SC-28 Protection of information at rest \n1.13 SC-28 (1) Protection of information at rest: Cryptographic protection \n1.14 SC-39 Process isolation \n\n\n2 References \n\n\n\nAppendix 1.18 System and communications protection \nSC-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, Rev. 1, pages 69\u201370\nLIMSpec 7.1, 7.2\nSC-5 Denial of service protection \nThis control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. The organization will typically identify what types of DoS attacks are most likely to be a risk and state its plans for safeguarding against them.\nAdditional resources:\n\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-7 Boundary protection \nThis control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally subnetworks for publicly accessible system components that are logically or physically separated from internal networks should be implemented. The system should solely depend on managed interfaces (boundary detection devices) for connecting to external networks and information systems.\nAdditional resources:\n\nNIST Special Publications 800-41, Rev. 1\nNIST Special Publications 800-77, Rev. 1\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-8 Transmission confidentiality and integrity \nThis control recommends the system have tools or methods of protecting the confidentiality and integrity of transmitted information. \"Logical protection can be achieved by employing encryption techniques,\" the NIST adds (see the next control enhancement).\nAdditional resources:\n\nLIMSpec 35.1\n SC-8 (1) Transmission confidentiality and integrity: Cryptographic protection \nThis control enhancement recommends that encryption methods be used to fulfill the requirements of SC-8. This includes the use of TLS and IPSec for information in motion, and cryptographic hash functions for maintaining integrity.\nAdditional resources:\n\nLIMSpec 35.1\nSC-12 Cryptographic key establishment and management \nThis control recommends the organization establish and manage cryptographic keys for the cryptography modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.\nAdditional resources:\n\nNIST Special Publications 800-56A, Rev. 3\nNIST Special Publications 800-56B, Rev. 2\nNIST Special Publications 800-56C, Rev. 2\nNIST Special Publications 800-57, Part 1, Rev. 5\nNIST Special Publications 800-57, Part 2, Rev. 1\nNIST Special Publications 800-57, Part 3, Rev. 1\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-13 Cryptographic protection \nThis control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.\nAdditional resources:\n\nLIMSpec 21.12 and 35.2\nSC-15 Collaborative computing devices and applications \nThis control recommends the system prohibit remote activation of collaborative computing devices and applications such as attached cameras, microphones, and networked whiteboards, as well as remote meeting applications, unless explicitly allowed by the organization. Additional, the system should provide an explicit notification that the device or application is in-use to users physically present at the device.\nAdditional resources:\n\nLIMSpec 35.6\n SC-20 Secure name-address resolution service (authoritative source) \nThis control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additional, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)\nAdditional resources:\n\nNIST Special Publications 800-81-2\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\n SC-21 Secure name-address resolution service (recursive or caching resolver) \nThis control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. (Note that this control is networking-related and difficult to put into simplified terms.)\nAdditional resources:\n\nNIST Special Publications 800-81-2\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-22 Architecture and provisioning for name-address resolution service \nThis control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)\nAdditional resources:\n\nNIST Special Publications 800-81-2\nNo LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-28 Protection of information at rest \nThis control recommends the system protect the confidentiality and\/or integrity of designated information at rest contained in the system. (\"Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.\")\nAdditional resources:\n\nNIST Special Publications 800-56A, Rev. 3\nNIST Special Publications 800-56B, Rev. 2\nNIST Special Publications 800-56C, Rev. 2\nNIST Special Publications 800-57, Part 1, Rev. 5\nNIST Special Publications 800-57, Part 2, Rev. 1\nNIST Special Publications 800-57, Part 3, Rev. 1\nNIST Special Publications 800-111\nLIMSpec 21.12\n SC-28 (1) Protection of information at rest: Cryptographic protection \nThis control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).\nAdditional resources:\n\nLIMSpec 21.12 and LIMSpec 35.2\nSC-39 Process isolation \nThis control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) \"so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process.\"\nAdditional resources:\n\nLIMSpec 21.16\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 24 July 2020, at 20:05.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 502 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","0d4299503ffb7a3bc99899ce8f91b142_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_communications_protection rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_communications_protection skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and communications protection<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.18_System_and_communications_protection\">Appendix 1.18 System and communications protection<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"SC-1_Policy_and_procedures\">SC-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, pages 69\u201370<\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-5_Denial_of_service_protection\">SC-5 Denial of service protection<\/span><\/h4>\n<p>This control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. The organization will typically identify what types of DoS attacks are most likely to be a risk and state its plans for safeguarding against them.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-7_Boundary_protection\">SC-7 Boundary protection<\/span><\/h4>\n<p>This control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally subnetworks for publicly accessible system components that are logically or physically separated from internal networks should be implemented. The system should solely depend on managed interfaces (boundary detection devices) for connecting to external networks and information systems.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-41\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-41, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-77\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-77, Rev. 1<\/a><\/li>\n<li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-8_Transmission_confidentiality_and_integrity\">SC-8 Transmission confidentiality and integrity<\/span><\/h4>\n<p>This control recommends the system have tools or methods of protecting the confidentiality and integrity of transmitted information. \"Logical protection can be achieved by employing encryption techniques,\" the NIST adds (see the next control enhancement).\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">LIMSpec 35.1<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SC-8_(1)_Transmission_confidentiality_and_integrity:_Cryptographic_protection\"><\/span><span class=\"mw-headline\" id=\"SC-8_.281.29_Transmission_confidentiality_and_integrity:_Cryptographic_protection\">SC-8 (1) Transmission confidentiality and integrity: Cryptographic protection<\/span><\/h4>\n<p>This control enhancement recommends that encryption methods be used to fulfill the requirements of SC-8. This includes the use of TLS and IPSec for information in motion, and cryptographic hash functions for maintaining integrity.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">LIMSpec 35.1<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-12_Cryptographic_key_establishment_and_management\">SC-12 Cryptographic key establishment and management<\/span><\/h4>\n<p>This control recommends the organization establish and manage cryptographic keys for the cryptography modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56a\/rev-3\/final\" target=\"_blank\">NIST Special Publications 800-56A, Rev. 3<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56b\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-56B, Rev. 2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56c\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-56C, Rev. 2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-1\/rev-5\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 1, Rev. 5<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-2\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 2, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-3\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 3, Rev. 1<\/a><\/li>\n<li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-13_Cryptographic_protection\">SC-13 Cryptographic protection<\/span><\/h4>\n<p>This control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.12<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">35.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-15_Collaborative_computing_devices_and_applications\">SC-15 Collaborative computing devices and applications<\/span><\/h4>\n<p>This control recommends the system prohibit remote activation of collaborative computing devices and applications such as attached cameras, microphones, and networked whiteboards, as well as remote meeting applications, unless explicitly allowed by the organization. Additional, the system should provide an explicit notification that the device or application is in-use to users physically present at the device.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">LIMSpec 35.6<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SC-20_Secure_name-address_resolution_service_(authoritative_source)\"><\/span><span class=\"mw-headline\" id=\"SC-20_Secure_name-address_resolution_service_.28authoritative_source.29\">SC-20 Secure name-address resolution service (authoritative source)<\/span><\/h4>\n<p>This control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additional, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-81\/2\/final\" target=\"_blank\">NIST Special Publications 800-81-2<\/a><\/li>\n<li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span id=\"rdp-ebb-SC-21_Secure_name-address_resolution_service_(recursive_or_caching_resolver)\"><\/span><span class=\"mw-headline\" id=\"SC-21_Secure_name-address_resolution_service_.28recursive_or_caching_resolver.29\">SC-21 Secure name-address resolution service (recursive or caching resolver)<\/span><\/h4>\n<p>This control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. (Note that this control is networking-related and difficult to put into simplified terms.)\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-81\/2\/final\" target=\"_blank\">NIST Special Publications 800-81-2<\/a><\/li>\n<li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-22_Architecture_and_provisioning_for_name-address_resolution_service\">SC-22 Architecture and provisioning for name-address resolution service<\/span><\/h4>\n<p>This control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-81\/2\/final\" target=\"_blank\">NIST Special Publications 800-81-2<\/a><\/li>\n<li>No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-28_Protection_of_information_at_rest\">SC-28 Protection of information at rest<\/span><\/h4>\n<p>This control recommends the system protect the confidentiality and\/or integrity of designated information at rest contained in the system. (\"Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.\")\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56a\/rev-3\/final\" target=\"_blank\">NIST Special Publications 800-56A, Rev. 3<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56b\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-56B, Rev. 2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56c\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-56C, Rev. 2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-1\/rev-5\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 1, Rev. 5<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-2\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 2, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-3\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 3, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-111\/final\" target=\"_blank\">NIST Special Publications 800-111<\/a><\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.12<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SC-28_(1)_Protection_of_information_at_rest:_Cryptographic_protection\"><\/span><span class=\"mw-headline\" id=\"SC-28_.281.29_Protection_of_information_at_rest:_Cryptographic_protection\">SC-28 (1) Protection of information at rest: Cryptographic protection<\/span><\/h4>\n<p>This control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.12<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">LIMSpec 35.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-39_Process_isolation\">SC-39 Process isolation<\/span><\/h4>\n<p>This control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) \"so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.16<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321191913\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.020 seconds\nReal time usage: 0.025 seconds\nPreprocessor visited node count: 62\/1000000\nPost\u2010expand include size: 10758\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 12.140 1 -total\n 49.82% 6.048 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.16_System_and_communications_protection\n 48.83% 5.928 1 Template:Reflist\n 20.76% 2.520 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12103-0!canonical and timestamp 20230321191913 and revision id 39905. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","0d4299503ffb7a3bc99899ce8f91b142_images":[],"0d4299503ffb7a3bc99899ce8f91b142_timestamp":1679426353,"05576c23306f3d9ae9feb07a299b6ad3_type":"article","05576c23306f3d9ae9feb07a299b6ad3_title":"Appendix 1.17 System and services acquisition","05576c23306f3d9ae9feb07a299b6ad3_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition","05576c23306f3d9ae9feb07a299b6ad3_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and services acquisitionFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.17 System and services acquisition \n\n1.1 SA-1 Policy and procedures \n1.2 SA-2 Allocation of resources \n1.3 SA-3 System development life cycle \n1.4 SA-4 Acquisition process \n1.5 SA-4 (1) Acquisition process: Functional properties of controls \n1.6 SA-4 (2) Acquisition process: Design and implementation information for controls \n1.7 SA-4 (3) Acquisition process: Development methods, techniques, and practices \n1.8 SA-5 System documentation \n1.9 SA-9 External system services \n1.10 SA-16 Developer-provided training \n\n\n2 References \n\n\n\nAppendix 1.17 System and services acquisition \nSA-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update system and services acquisition policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and services acquisition action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, Rev. 1, page 69\nNIST Special Publication 800-100, pages 113\u201323\nLIMSpec 7.1, 7.2\nSA-2 Allocation of resources \nThis control recommends the organization determine, document, and allocate the resources required to protect the information system and its service as part of business process planning, capital planning, and cybersecurity planning. Those associated plans should have a discrete line item pertaining to information security.\nAdditional resources:\n\nIntegrity Matters Why CPIC Matters More than Ever to Cybersecurity\nNo LIMSpec comp (organizational policy rather than system specification)\nSA-3 System development life cycle \nThis control recommends the organization use a system development life cycle in the management of its information system. As part of this approach, the organization should define and document security roles and responsibilities for the phases of the life cycle, identify the key individuals involved, and ensure the organization's security risk management process is integrated into development life cycle activities. As such, the development life cycle benefits from consistency \"with organizational risk management and information security strategies.\"\nAdditional resources:\n\nNIST Special Publications 800-37, Rev. 2\nNo LIMSpec comp (organizational policy rather than system specification)\nSA-4 Acquisition process \nThis control recommends the organization, as part of the acquisition process, include security functional, strength, and assurance requirements; requirements for security documentation and its protection; a description of the developmental and operational system environments; and acceptance criteria in the acquisition contracts for the information system, its components, and its services.\nAdditional resources:\n\nNational Information Assurance Partnership\nNIST Special Publication 800-70, Rev. 4\nNo LIMSpec comp (organizational policy rather than system specification)\n SA-4 (1) Acquisition process: Functional properties of controls \nThis control enhancement recommends the organization require of an information system, system component, or software developer a description of the functional properties of the controls (i.e., the functionality visible at the interfaces of the security controls) the system, component, or software will employ. \nAdditional resources:\n\nLIMSpec 33.4\n SA-4 (2) Acquisition process: Design and implementation information for controls \nThis control enhancement recommends the organization require of an information system, system component, or software developer information on the design and implementation of the controls inherent to the system, component, or software. This could include security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics.\nAdditional resources:\n\nLIMSpec 33.2, 33.4\n SA-4 (3) Acquisition process: Development methods, techniques, and practices \nThis control enhancement recommends the organization require of an information system, system component, or software developer proof of using a development life cycle that includes current and relevant system and security engineering methods, software development methods, testing and validation techniques, and quality control procedures.\nAdditional resources:\n\nLIMSpec 33.1\nSA-5 System documentation \nThis control recommends the organization require of a system, system component, or software developer administrator documentation that describes configuration, installation, and operation; effective use and maintenance of security mechanisms; known vulnerabilities of privileged functions; best user practices to ensure system security; and administrator and user responsibilities for maintaining the security. The organization should document any attempts (and failures) to acquire such administrator documentation, protect that documentation internally, and distribute it to the appropriate personnel or roles.\nAdditional resources:\n\nLIMSpec 33.4\nSA-9 External system services \nThis control recommends the organization hold providers of external information system services accountable to organizational security requirements, as well as defined security controls. The organization should also document government oversight and user roles and responsibilities associated with the services. The organization should also monitor the external information system services provider for compliance with organizational security requirements and security controls.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nSA-16 Developer-provided training \nThis control recommends the organization require of an information system, system component, or software developer specific training on the correct operation of the security functions, controls, and mechanisms of the system, system component, or software.\nAdditional resources:\n\nLIMSpec 34.6\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 24 July 2020, at 20:04.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 469 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","05576c23306f3d9ae9feb07a299b6ad3_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_services_acquisition rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_services_acquisition skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and services acquisition<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.17_System_and_services_acquisition\">Appendix 1.17 System and services acquisition<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"SA-1_Policy_and_procedures\">SA-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update system and services acquisition policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and services acquisition action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 69<\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-100\/final\" target=\"_blank\">NIST Special Publication 800-100<\/a>, pages 113\u201323<\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-2_Allocation_of_resources\">SA-2 Allocation of resources<\/span><\/h4>\n<p>This control recommends the organization determine, document, and allocate the resources required to protect the information system and its service as part of business process planning, capital planning, and cybersecurity planning. Those associated plans should have a discrete line item pertaining to information security.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/web.archive.org\/web\/20170203203450\/http:\/\/www.integritymc.com\/blog\/2015\/06\/why-cpic-matters-more-than-ever-to-cybersecurity\/\" target=\"_blank\">Integrity Matters Why CPIC Matters More than Ever to Cybersecurity<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-3_System_development_life_cycle\">SA-3 System development life cycle<\/span><\/h4>\n<p>This control recommends the organization use a system development life cycle in the management of its information system. As part of this approach, the organization should define and document security roles and responsibilities for the phases of the life cycle, identify the key individuals involved, and ensure the organization's security risk management process is integrated into development life cycle activities. As such, the development life cycle benefits from consistency \"with organizational risk management and information security strategies.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-37\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-37, Rev. 2<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-4_Acquisition_process\">SA-4 Acquisition process<\/span><\/h4>\n<p>This control recommends the organization, as part of the acquisition process, include security functional, strength, and assurance requirements; requirements for security documentation and its protection; a description of the developmental and operational system environments; and acceptance criteria in the acquisition contracts for the information system, its components, and its services.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.niap-ccevs.org\/index.cfm\" target=\"_blank\">National Information Assurance Partnership<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-70\/rev-4\/final\" target=\"_blank\">NIST Special Publication 800-70, Rev. 4<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span id=\"rdp-ebb-SA-4_(1)_Acquisition_process:_Functional_properties_of_controls\"><\/span><span class=\"mw-headline\" id=\"SA-4_.281.29_Acquisition_process:_Functional_properties_of_controls\">SA-4 (1) Acquisition process: Functional properties of controls<\/span><\/h4>\n<p>This control enhancement recommends the organization require of an information system, system component, or software developer a description of the functional properties of the controls (i.e., the functionality visible at the interfaces of the security controls) the system, component, or software will employ. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.4<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SA-4_(2)_Acquisition_process:_Design_and_implementation_information_for_controls\"><\/span><span class=\"mw-headline\" id=\"SA-4_.282.29_Acquisition_process:_Design_and_implementation_information_for_controls\">SA-4 (2) Acquisition process: Design and implementation information for controls<\/span><\/h4>\n<p>This control enhancement recommends the organization require of an information system, system component, or software developer information on the design and implementation of the controls inherent to the system, component, or software. This could include security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.2, 33.4<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-SA-4_(3)_Acquisition_process:_Development_methods,_techniques,_and_practices\"><\/span><span class=\"mw-headline\" id=\"SA-4_.283.29_Acquisition_process:_Development_methods.2C_techniques.2C_and_practices\">SA-4 (3) Acquisition process: Development methods, techniques, and practices<\/span><\/h4>\n<p>This control enhancement recommends the organization require of an information system, system component, or software developer proof of using a development life cycle that includes current and relevant system and security engineering methods, software development methods, testing and validation techniques, and quality control procedures.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.1<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-5_System_documentation\">SA-5 System documentation<\/span><\/h4>\n<p>This control recommends the organization require of a system, system component, or software developer administrator documentation that describes configuration, installation, and operation; effective use and maintenance of security mechanisms; known vulnerabilities of privileged functions; best user practices to ensure system security; and administrator and user responsibilities for maintaining the security. The organization should document any attempts (and failures) to acquire such administrator documentation, protect that documentation internally, and distribute it to the appropriate personnel or roles.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-9_External_system_services\">SA-9 External system services<\/span><\/h4>\n<p>This control recommends the organization hold providers of external information system services accountable to organizational security requirements, as well as defined security controls. The organization should also document government oversight and user roles and responsibilities associated with the services. The organization should also monitor the external information system services provider for compliance with organizational security requirements and security controls.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-16_Developer-provided_training\">SA-16 Developer-provided training<\/span><\/h4>\n<p>This control recommends the organization require of an information system, system component, or software developer specific training on the correct operation of the security functions, controls, and mechanisms of the system, system component, or software.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.6<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321191913\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.017 seconds\nReal time usage: 0.022 seconds\nPreprocessor visited node count: 58\/1000000\nPost\u2010expand include size: 7587\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 9.990 1 -total\n 50.16% 5.011 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.15_System_and_services_acquisition\n 48.70% 4.865 1 Template:Reflist\n 19.99% 1.997 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12102-0!canonical and timestamp 20230321191913 and revision id 39904. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","05576c23306f3d9ae9feb07a299b6ad3_images":[],"05576c23306f3d9ae9feb07a299b6ad3_timestamp":1679426353,"c52661a1e1652b9775da10e9b68e417b_type":"article","c52661a1e1652b9775da10e9b68e417b_title":"Appendix 1.16 Risk assessment","c52661a1e1652b9775da10e9b68e417b_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment","c52661a1e1652b9775da10e9b68e417b_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Risk assessmentFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.16 Risk assessment \n\n1.1 RA-1 Policy and procedures \n1.2 RA-2 Security categorization \n1.3 RA-3 Risk assessment \n1.4 RA-5 Vulnerability monitoring and scanning \n\n\n2 References \n\n\n\nAppendix 1.16 Risk assessment \nRA-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk assessment action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, Rev. 1, pages 68\u201369\nNIST Special Publication 800-30, Rev. 1\nNIST Special Publication 800-100, pages 84\u201395\nLIMSpec 7.1, 7.2\nRA-2 Security categorization \nThis control recommends the organization categorize the information system and its data based on security. More specifically, NIST notes the security categorization should be based upon \"the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability.\" Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.\nAdditional resources:\n\nNIST Special Publication 800-30, Rev. 1\nNIST Special Publication 800-39\nNIST Special Publications 800-60, Vol. 1, Rev. 1\nNIST Special Publications 800-60, Vol. 2, Rev. 1\nNo LIMSpec comp (organizational policy rather than system specification)\nRA-3 Risk assessment \nThis control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized \"access, use, disclosure, disruption, modification, or destruction\" of the system and its data. The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency updated when significant changes to the system or cybersecurity threats occur.\nAdditional resources:\n\nNIST Special Publication 800-30, Rev. 1\nNIST Special Publication 800-39\nNo LIMSpec comp (organizational policy rather than system specification)\nRA-5 Vulnerability monitoring and scanning \nThis control recommends the organization conduct vulnerability monitoring and scanning of its system. \"Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.\" This scanning should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using formatting checklists test procedures, while also measuring vulnerability impact. The organizations should analyze the results of these scans, remediated legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system. The organization may also wish to tap into security vulnerability reports from public entities as part of its monitoring.\nAdditional resources:\n\nNIST National Vulnerability Database\nNIST Special Publication 800-40, Rev. 4\nNIST Special Publication 800-70, Rev. 4\nNIST Special Publication 800-115\nNo LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 24 July 2020, at 20:04.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 461 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","c52661a1e1652b9775da10e9b68e417b_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Risk_assessment rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Risk_assessment skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Risk assessment<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.16_Risk_assessment\">Appendix 1.16 Risk assessment<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"RA-1_Policy_and_procedures\">RA-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk assessment action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, pages 68\u201369<\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final\" target=\"_blank\">NIST Special Publication 800-30, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-100\/final\" target=\"_blank\">NIST Special Publication 800-100<\/a>, pages 84\u201395<\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"RA-2_Security_categorization\">RA-2 Security categorization<\/span><\/h4>\n<p>This control recommends the organization categorize the information system and its data based on security. More specifically, NIST notes the security categorization should be based upon \"the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability.\" Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final\" target=\"_blank\">NIST Special Publication 800-30, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-39\/final\" target=\"_blank\">NIST Special Publication 800-39<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-1-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 1, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-2-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 2, Rev. 1<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"RA-3_Risk_assessment\">RA-3 Risk assessment<\/span><\/h4>\n<p>This control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized \"access, use, disclosure, disruption, modification, or destruction\" of the system and its data. The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency updated when significant changes to the system or cybersecurity threats occur.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final\" target=\"_blank\">NIST Special Publication 800-30, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-39\/final\" target=\"_blank\">NIST Special Publication 800-39<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"RA-5_Vulnerability_monitoring_and_scanning\">RA-5 Vulnerability monitoring and scanning<\/span><\/h4>\n<p>This control recommends the organization conduct vulnerability monitoring and scanning of its system. \"Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.\" This scanning should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using formatting checklists test procedures, while also measuring vulnerability impact. The organizations should analyze the results of these scans, remediated legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system. The organization may also wish to tap into security vulnerability reports from public entities as part of its monitoring.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/nvd.nist.gov\/\" target=\"_blank\">NIST National Vulnerability Database<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-40\/rev-4\/final\" target=\"_blank\">NIST Special Publication 800-40, Rev. 4<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-70\/rev-4\/final\" target=\"_blank\">NIST Special Publication 800-70, Rev. 4<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-115\/final\" target=\"_blank\">NIST Special Publication 800-115<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321190139\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.016 seconds\nReal time usage: 0.020 seconds\nPreprocessor visited node count: 52\/1000000\nPost\u2010expand include size: 5411\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 13.168 1 -total\n 51.66% 6.803 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.14_Risk_assessment\n 47.02% 6.192 1 Template:Reflist\n 20.87% 2.748 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12101-0!canonical and timestamp 20230321190139 and revision id 39903. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","c52661a1e1652b9775da10e9b68e417b_images":[],"c52661a1e1652b9775da10e9b68e417b_timestamp":1679426353,"2ba388984a0be489cca79d079346678f_type":"article","2ba388984a0be489cca79d079346678f_title":"Appendix 1.15 Personally identifiable information processing and transparency","2ba388984a0be489cca79d079346678f_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personally_identifiable_information_processing_and_transparency","2ba388984a0be489cca79d079346678f_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Personally identifiable information processing and transparencyFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.15 Personally identifiable information processing and transparency \n\n1.1 PT-1 Policy and procedures \n1.2 PT-2 Authority to process personally identifiable information \n1.3 PT-2 (2) Authority to process personally identifiable information: Automation \n1.4 PT-4 Consent \n1.5 PT-4 (3) Consent: Revocation \n\n\n2 References \n\n\n\nAppendix 1.15 Personally identifiable information processing and transparency \nPT-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update personally identifiable information processing and transparency policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personally identifiable information processing and transparency action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nCircular No. A-130 - Managing Information as a Strategic Resource\nLIMSpec 7.1, 7.2\nPT-2 Authority to process personally identifiable information \nThis control recommends the organization develop, document, and enact policy on who has access to what personally identifiable information, while ensuring restrictions in the system limit that access to only those authorized to do so. The NIST adds that \"[o]rganizations consider applicable requirements and organizational policies to determine how to document this authority.\"\nAdditional resources:\n\nLIMSpec 36.1, 36.2\n PT-2 (2) Authority to process personally identifiable information: Automation \nThis control enhancement recommends the system have automated mechanisms to enforce verification mechanisms that prevent personally identifiable information in the system from being compromised.\nAdditional resources:\n\nLIMSpec 36.1, 36.2\nPT-4 Consent \nThis control recommends the organization\u2014or the system\u2014have tools or mechanisms able to record the consent of individuals who wish to allow their personally identifiable information to be processed, stored, and otherwise managed. PT-4 adds that \"organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means.\"\nAdditional resources:\n\nLIMSpec 36.6\n PT-4 (3) Consent: Revocation \nThis control enhancement recommends that the organization or system also have tools or mechanisms able to revoke the consent of individuals who no longer wish to allow their personally identifiable information to be processed, stored, and otherwise managed.\nAdditional resources:\n\nLIMSpec 36.6\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personally_identifiable_information_processing_and_transparency\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personally_identifiable_information_processing_and_transparency<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 21 March 2023, at 19:00.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 3 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","2ba388984a0be489cca79d079346678f_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Personally_identifiable_information_processing_and_transparency rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Personally_identifiable_information_processing_and_transparency skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Personally identifiable information processing and transparency<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.15_Personally_identifiable_information_processing_and_transparency\">Appendix 1.15 Personally identifiable information processing and transparency<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"PT-1_Policy_and_procedures\">PT-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update personally identifiable information processing and transparency policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personally identifiable information processing and transparency action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.cio.gov\/policies-and-priorities\/circular-a-130\/\" target=\"_blank\">Circular No. A-130 - Managing Information as a Strategic Resource<\/a><\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PT-2_Authority_to_process_personally_identifiable_information\">PT-2 Authority to process personally identifiable information<\/span><\/h4>\n<p>This control recommends the organization develop, document, and enact policy on who has access to what personally identifiable information, while ensuring restrictions in the system limit that access to only those authorized to do so. The NIST adds that \"[o]rganizations consider applicable requirements and organizational policies to determine how to document this authority.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy\" data-key=\"111b080aebf48e07f19c5b0f8f2b6a2e\">LIMSpec 36.1, 36.2<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-PT-2_(2)_Authority_to_process_personally_identifiable_information:_Automation\"><\/span><span class=\"mw-headline\" id=\"PT-2_.282.29_Authority_to_process_personally_identifiable_information:_Automation\">PT-2 (2) Authority to process personally identifiable information: Automation<\/span><\/h4>\n<p>This control enhancement recommends the system have automated mechanisms to enforce verification mechanisms that prevent personally identifiable information in the system from being compromised.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy\" data-key=\"111b080aebf48e07f19c5b0f8f2b6a2e\">LIMSpec 36.1, 36.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PT-4_Consent\">PT-4 Consent<\/span><\/h4>\n<p>This control recommends the organization\u2014or the system\u2014have tools or mechanisms able to record the consent of individuals who wish to allow their personally identifiable information to be processed, stored, and otherwise managed. PT-4 adds that \"organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy\" data-key=\"111b080aebf48e07f19c5b0f8f2b6a2e\">LIMSpec 36.6<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-PT-4_(3)_Consent:_Revocation\"><\/span><span class=\"mw-headline\" id=\"PT-4_.283.29_Consent:_Revocation\">PT-4 (3) Consent: Revocation<\/span><\/h4>\n<p>This control enhancement recommends that the organization or system also have tools or mechanisms able to revoke the consent of individuals who no longer wish to allow their personally identifiable information to be processed, stored, and otherwise managed.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy\" data-key=\"111b080aebf48e07f19c5b0f8f2b6a2e\">LIMSpec 36.6<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321190006\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.018 seconds\nReal time usage: 0.023 seconds\nPreprocessor visited node count: 53\/1000000\nPost\u2010expand include size: 3742\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 14.072 1 -total\n 52.56% 7.396 1 Template:Reflist\n 46.50% 6.543 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.15_Personally_identifiable_information_processing_and_transparency\n 24.05% 3.384 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:14096-0!canonical and timestamp 20230321190012 and revision id 51695. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personally_identifiable_information_processing_and_transparency\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personally_identifiable_information_processing_and_transparency<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","2ba388984a0be489cca79d079346678f_images":[],"2ba388984a0be489cca79d079346678f_timestamp":1679426353,"7e23c5cb79442a7218e0ee49e2465122_type":"article","7e23c5cb79442a7218e0ee49e2465122_title":"Appendix 1.14 Personnel security","7e23c5cb79442a7218e0ee49e2465122_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security","7e23c5cb79442a7218e0ee49e2465122_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Personnel securityFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.14 Personnel security \n\n1.1 PS-1 Policy and procedures \n1.2 PS-2 Position risk designation \n1.3 PS-3 Personnel screening \n1.4 PS-4 Personnel termination \n1.5 PS-5 Personnel transfer \n1.6 PS-6 Access agreements \n1.7 PS-7 External personnel security \n1.8 PS-8 Personnel sanctions \n\n\n2 References \n\n\n\nAppendix 1.14 Personnel security \nPS-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update personnel security policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personnel security action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, page 68\nLIMSpec 7.1, 7.2\nPS-2 Position risk designation \nThis control recommends the organization assign risk designations to all organizational positions. NIST states that risk designations \"can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems.\" Deciding on the appropriate risk level designation (e.g., high, moderate, or low) for a position may be \"determined by the position's potential for adverse impact to the efficiency or integrity of the service.\"[1] Those authorizations should be created only after screening criteria for the position have been met. Additionally, the organization should review and updated their risk designations at a defined frequency.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPS-3 Personnel screening \nThis control recommends the organization perform a security screening of individuals before authorizing them to access the information system, as well as rescreen those individuals based on organization-defined conditions and frequencies.\nAdditional resources:\n\n5 CFR 731.106\nNIST Special Publications 800-60, Vol. 1, Rev. 1\nNIST Special Publications 800-60, Vol. 2, Rev. 1\nNIST Special Publications 800-73-4\nNIST Special Publications 800-76-2\nNIST Special Publications 800-78-4\nNo LIMSpec comp (organizational policy rather than system specification)\nPS-4 Personnel termination \nThis control recommends the organization conduct a series of security steps upon termination of personnel. Those steps include disabling system access within an organization-defined period of time, revoking the individual's authenticators or credentials, having an exit interview with the individual about system security topics, retrieving any organizational information and property related to the information system controlled by the individual, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\nAdditional resources:\n\nLIMSpec 32.28 and 34.4\nPS-5 Personnel transfer \nThis control recommends the organization conduct a series of security steps upon the reassignment or transfer of personnel. Those steps include reviewing and confirming the ongoing need for the individual's current access authorizations, initiating any necessary access modification or other types of action within an organization-defined period of time, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\nAdditional resources:\n\nLIMSpec 34.4\nPS-6 Access agreements \nThis control recommends the organization develop, document, review, and update access agreements for organizational information systems, ensuring that individuals requiring access to the system sign the agreement before accessing the system and resign the agreement upon the agreement being updated by the organization, or at a designated frequency.\nAdditional resources:\n\nLIMSpec 7.1\nPS-7 External personnel security \nThis control recommends the organization establish a set of security requirements for external personnel. Those requirements should elaborate on third-party personnel security roles, responsibilities, and requirements; require said personnel to comply with organizational personnel security policy and procedures; require prompt notification from third-party providers when associated personnel possessing authenticators or credentials and who have access to the system transfer or leave; and compel the organization to monitor provider compliance.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPS-8 Personnel sanctions \nThis control recommends the organization put into place a formal sanctions process for individuals who fail to comply with organizational information security policies and procedures. When a formal sanction process is initiated, the organization will notify designated personnel or roles within an organization-defined period of time of the sanctions, including who is affected and the reasoning behind the sanctions.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\n\u2191 \"5 CFR \u00a7 731.106 - Designation of public trust positions and investigative requirements\". Legal Information Institute. Cornell. https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106 . Retrieved 21 March 2023 .   \n \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 24 July 2020, at 20:04.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 454 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","7e23c5cb79442a7218e0ee49e2465122_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Personnel_security rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Personnel_security skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Personnel security<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.14_Personnel_security\">Appendix 1.14 Personnel security<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"PS-1_Policy_and_procedures\">PS-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update personnel security policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personnel security action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12<\/a>, page 68<\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-2_Position_risk_designation\">PS-2 Position risk designation<\/span><\/h4>\n<p>This control recommends the organization assign risk designations to all organizational positions. NIST states that risk designations \"can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems.\" Deciding on the appropriate risk level designation (e.g., high, moderate, or low) for a position may be \"determined by the position's potential for adverse impact to the efficiency or integrity of the service.\"<sup id=\"rdp-ebb-cite_ref-LII5CFR_1-0\" class=\"reference\"><a href=\"#cite_note-LII5CFR-1\">[1]<\/a><\/sup> Those authorizations should be created only after screening criteria for the position have been met. Additionally, the organization should review and updated their risk designations at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-3_Personnel_screening\">PS-3 Personnel screening<\/span><\/h4>\n<p>This control recommends the organization perform a security screening of individuals before authorizing them to access the information system, as well as rescreen those individuals based on organization-defined conditions and frequencies.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106\" target=\"_blank\">5 CFR 731.106<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-1-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 1, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-2-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 2, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-73\/4\/final\" target=\"_blank\">NIST Special Publications 800-73-4<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-76\/2\/final\" target=\"_blank\">NIST Special Publications 800-76-2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-78\/4\/final\" target=\"_blank\">NIST Special Publications 800-78-4<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-4_Personnel_termination\">PS-4 Personnel termination<\/span><\/h4>\n<p>This control recommends the organization conduct a series of security steps upon termination of personnel. Those steps include disabling system access within an organization-defined period of time, revoking the individual's authenticators or credentials, having an exit interview with the individual about system security topics, retrieving any organizational information and property related to the information system controlled by the individual, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management\" data-key=\"e972c3ebbff256d2241b0ba5e3831389\">LIMSpec 32.28<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-5_Personnel_transfer\">PS-5 Personnel transfer<\/span><\/h4>\n<p>This control recommends the organization conduct a series of security steps upon the reassignment or transfer of personnel. Those steps include reviewing and confirming the ongoing need for the individual's current access authorizations, initiating any necessary access modification or other types of action within an organization-defined period of time, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-6_Access_agreements\">PS-6 Access agreements<\/span><\/h4>\n<p>This control recommends the organization develop, document, review, and update access agreements for organizational information systems, ensuring that individuals requiring access to the system sign the agreement before accessing the system and resign the agreement upon the agreement being updated by the organization, or at a designated frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-7_External_personnel_security\">PS-7 External personnel security<\/span><\/h4>\n<p>This control recommends the organization establish a set of security requirements for external personnel. Those requirements should elaborate on third-party personnel security roles, responsibilities, and requirements; require said personnel to comply with organizational personnel security policy and procedures; require prompt notification from third-party providers when associated personnel possessing authenticators or credentials and who have access to the system transfer or leave; and compel the organization to monitor provider compliance.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-8_Personnel_sanctions\">PS-8 Personnel sanctions<\/span><\/h4>\n<p>This control recommends the organization put into place a formal sanctions process for individuals who fail to comply with organizational information security policies and procedures. When a formal sanction process is initiated, the organization will notify designated personnel or roles within an organization-defined period of time of the sanctions, including who is affected and the reasoning behind the sanctions.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<div class=\"mw-references-wrap\"><ol class=\"references\">\n<li id=\"cite_note-LII5CFR-1\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-LII5CFR_1-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106\" target=\"_blank\">\"5 CFR \u00a7 731.106 - Designation of public trust positions and investigative requirements\"<\/a>. <i>Legal Information Institute<\/i>. Cornell<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106\" target=\"_blank\">https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106<\/a><\/span><span class=\"reference-accessdate\">. Retrieved 21 March 2023<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=5+CFR+%C2%A7+731.106+-+Designation+of+public+trust+positions+and+investigative+requirements&rft.atitle=Legal+Information+Institute&rft.pub=Cornell&rft_id=https%3A%2F%2Fwww.law.cornell.edu%2Fcfr%2Ftext%2F5%2F731.106&rfr_id=info:sid\/en.wikipedia.org:Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<\/ol><\/div><\/div>\n<!-- \nNewPP limit report\nCached time: 20230321185935\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.075 seconds\nReal time usage: 0.095 seconds\nPreprocessor visited node count: 655\/1000000\nPost\u2010expand include size: 11137\/2097152 bytes\nTemplate argument size: 1731\/2097152 bytes\nHighest expansion depth: 14\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 1552\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 79.490 1 -total\n 84.83% 67.435 1 Template:Reflist\n 68.61% 54.539 1 Template:Cite_web\n 59.50% 47.293 1 Template:Citation\/core\n 18.94% 15.058 2 Template:Citation\/make_link\n 14.99% 11.913 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.13_Personnel_security\n 5.39% 4.285 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12100-0!canonical and timestamp 20230321185935 and revision id 39902. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","7e23c5cb79442a7218e0ee49e2465122_images":[],"7e23c5cb79442a7218e0ee49e2465122_timestamp":1679426353,"3aa036155fc93e807eaee7fd9095c55b_type":"article","3aa036155fc93e807eaee7fd9095c55b_title":"Appendix 1.13 Program management","3aa036155fc93e807eaee7fd9095c55b_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Program_management","3aa036155fc93e807eaee7fd9095c55b_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Program managementFrom LIMSWikiJump to navigationJump to searchAppendix 1.13 Program management \nThe set of PM controls \"are implemented at the organization level and not directed at individual information systems.\" As such, they have no LIMSpec parallels and are not discussed in detail here. That said, NIST describes the controls of PM as having \"been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards.\" The first control, PM-1, is included here. For more on these controls, consult pages 203\u201321 of NIST SP 800-53, Rev. 5.\n\nPM-1 Information security program plan \nThis control recommends the organization develop, document, disseminate, review, and update an organization-wide information security program plan. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of information security program planning but also to address how that plan will be implemented, reviewed, and updated. NIST adds that an information security program plan: \n\n\"provides an overview of the security requirements for an organization-wide information security program\";\n\"documents implementation details about program management and common controls\"; and\n\"provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended.\"\nAdditional resources:\n\nNIST Special Publications 800-37, Rev. 2\nNIST Special Publications 800-39\nNo LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Program_management\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Program_management<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 21 March 2023, at 18:59.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 3 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","3aa036155fc93e807eaee7fd9095c55b_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Program_management rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Program_management skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Program management<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\"><h3><span class=\"mw-headline\" id=\"Appendix_1.13_Program_management\">Appendix 1.13 Program management<\/span><\/h3>\n<p>The set of PM controls \"are implemented at the organization level and not directed at individual information systems.\" As such, they have no LIMSpec parallels and are not discussed in detail here. That said, NIST describes the controls of PM as having \"been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards.\" The first control, PM-1, is included here. For more on these controls, consult pages 203\u201321 of NIST SP 800-53, Rev. 5.\n<\/p>\n<h4><span class=\"mw-headline\" id=\"PM-1_Information_security_program_plan\">PM-1 Information security program plan<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update an organization-wide information security program plan. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of information security program planning but also to address how that plan will be implemented, reviewed, and updated. NIST adds that an information security program plan: \n<\/p>\n<ul><li>\"provides an overview of the security requirements for an organization-wide information security program\";<\/li>\n<li>\"documents implementation details about program management and common controls\"; and<\/li>\n<li>\"provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended.\"<\/li><\/ul>\n<p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2\" target=\"_blank\">NIST Special Publications 800-37, Rev. 2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-39\" target=\"_blank\">NIST Special Publications 800-39<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321185901\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.011 seconds\nReal time usage: 0.015 seconds\nPreprocessor visited node count: 49\/1000000\nPost\u2010expand include size: 2388\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 11.041 1 -total\n 57.67% 6.367 1 Template:Reflist\n 41.23% 4.552 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.13_Program_management\n 24.54% 2.709 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:14095-0!canonical and timestamp 20230321185907 and revision id 51694. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Program_management\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Program_management<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","3aa036155fc93e807eaee7fd9095c55b_images":[],"3aa036155fc93e807eaee7fd9095c55b_timestamp":1679426353,"de60c9a247b0afb6ba8006efee060baa_type":"article","de60c9a247b0afb6ba8006efee060baa_title":"Appendix 1.12 Planning","de60c9a247b0afb6ba8006efee060baa_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning","de60c9a247b0afb6ba8006efee060baa_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/PlanningFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.12 Planning \n\n1.1 PL-1 Policy and procedures \n1.2 PL-2 System security and privacy plans \n1.3 PL-4 Rules of behavior \n\n\n2 References \n\n\n\nAppendix 1.12 Planning \nPL-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, Rev. 1, page 67\nNIST Special Publications 800-18, Rev. 1\nNIST Special Publications 800-100, pages 67\u201377\nLIMSpec 7.1, 7.2\nPL-2 System security and privacy plans \nThis control recommends the organization develop, distribute, review, update, and protect security and privacy plans for its information system. The plans should take into consideration the organization's enterprise architecture and the organizations business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. The plans should be reviewed and approved by designated personnel, as well as protected from unauthorized access and modification.\nAdditional resources:\n\nNIST Special Publications 800-18, Rev. 1\nNo LIMSpec comp (organizational policy rather than system specification)\nPL-4 Rules of behavior \nThis control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign acknowledgement of the revised rules.\nAdditional resources:\n\nNIST Special Publications 800-18, Rev. 1\nNo LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 24 July 2020, at 20:03.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 468 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","de60c9a247b0afb6ba8006efee060baa_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Planning rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Planning skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Planning<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.12_Planning\">Appendix 1.12 Planning<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"PL-1_Policy_and_procedures\">PL-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 67<\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-18\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-18, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-100\/final\" target=\"_blank\">NIST Special Publications 800-100<\/a>, pages 67\u201377<\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PL-2_System_security_and_privacy_plans\">PL-2 System security and privacy plans<\/span><\/h4>\n<p>This control recommends the organization develop, distribute, review, update, and protect security and privacy plans for its information system. The plans should take into consideration the organization's enterprise architecture and the organizations business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. The plans should be reviewed and approved by designated personnel, as well as protected from unauthorized access and modification.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-18\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-18, Rev. 1<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PL-4_Rules_of_behavior\">PL-4 Rules of behavior<\/span><\/h4>\n<p>This control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign acknowledgement of the revised rules.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-18\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-18, Rev. 1<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321185823\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.012 seconds\nReal time usage: 0.015 seconds\nPreprocessor visited node count: 51\/1000000\nPost\u2010expand include size: 3252\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 9.305 1 -total\n 62.89% 5.852 1 Template:Reflist\n 35.47% 3.301 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.12_Planning\n 28.25% 2.629 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12099-0!canonical and timestamp 20230321185823 and revision id 39901. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","de60c9a247b0afb6ba8006efee060baa_images":[],"de60c9a247b0afb6ba8006efee060baa_timestamp":1679426352,"de7c201aa1750a9acb655e663c6a96f6_type":"article","de7c201aa1750a9acb655e663c6a96f6_title":"Appendix 1.11 Physical and environmental protection","de7c201aa1750a9acb655e663c6a96f6_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection","de7c201aa1750a9acb655e663c6a96f6_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Physical and environmental protectionFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.11 Physical and environmental protection \n\n1.1 PE-1 Policy and procedures \n1.2 PE-2 Physical access authorizations \n1.3 PE-3 Physical access control \n1.4 PE-3 (1) Physical access control: System access \n1.5 PE-6 Monitoring physical access \n1.6 PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment \n1.7 PE-6 (4) Monitoring physical access: Monitoring physical access to systems \n1.8 PE-8 Visitor access records \n1.9 PE-12 Emergency lighting \n1.10 PE-13 Fire protection \n1.11 PE-14 Environmental controls \n1.12 PE-15 Water damage protection \n1.13 PE-16 Delivery and removal \n\n\n2 References \n\n\n\nAppendix 1.11 Physical and environmental protection \nPE-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update physical and environmental protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of physical and environmental protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, Rev. 1, page 66\nLIMSpec 7.1, 7.2\nPE-2 Physical access authorizations \nThis control recommends the organization develop, approve, and maintain a list of individuals who are vetted and authorized to access the facilities where the system physically resides. Those individuals should be issued credentials to access the facility, and those credentials should be reviewed at a defined frequency. Those individuals who no longer require access to the facility should be removed from the physical access list promptly.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPE-3 Physical access control \nThis control recommends the organization enact physical access controls through the facility where the system physically resides. Those controls include verifying individual access authorization before allowing admittance, using access control devices or personnel, maintaining physical access audit logs, providing security safeguards for accessing controlled areas from public areas, escorting visitors, monitoring visitor activity, securing keys and passwords controls, inventorying physical access devices regularly, and changing keys and password controls when circumstances require.\nAdditional resources:\n\nGSA FIPS 201 Evaluation Program\nGSA Physical Access Control System Guide\nNIST Special Publications 800-73-4\nNIST Special Publications 800-76-2\nNIST Special Publications 800-78-4\nNIST Special Publications 800-116, Rev. 1\nLIMSpec 34.7\n PE-3 (1) Physical access control: System access \nThis control enhancement recommends the organization provide, in addition to overall facility access control, a mechanism for physically securing areas within the facility that house critical information system components.\nAdditional resources:\n\nLIMSpec 34.7\nPE-6 Monitoring physical access \nThis control recommends the organization monitor the areas within the facility that house critical information system components for detecting and responding to physical security incidents. The organization should also review physical access logs at a determined frequency or when a security event (or possibility of a security event) is identified. Individuals with responsibility for monitoring the system's physical locations should also coordinate with the incident response team in reviews and investigations.\nAdditional resources:\n\nLIMSpec 34.7\n PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment \nThis control enhancement recommends the organization monitor physical intrusion alarms and surveillance equipment.\nAdditional resources:\n\nLIMSpec 30.9 and 34.7\n PE-6 (4) Monitoring physical access: Monitoring physical access to systems \nThis control enhancement recommends the organization provide, in addition to overall facility monitoring, a means of monitoring areas within the facility that house critical system components.\nAdditional resources:\n\nLIMSpec 34.7\nPE-8 Visitor access records \nThis control recommends the organization retain visitor access records to the facility housing the physical information system for a designated period of time, reviewing those records at a defined frequency.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPE-12 Emergency lighting \nThis control recommends the organization ensure the facility housing the physical information system employs and maintains automatic emergency lighting capable of activating off of its own independent power supply during a power outage or other type of disruption.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPE-13 Fire protection \nThis control recommends the organization ensure the facility housing the physical information system employs and maintains fire suppression and detection systems capable of activating off of its own independent power supply during a fire incident.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPE-14 Environmental controls \nThis control recommends the organization maintain temperature, humidity, and other environmental conditions in the facility housing the physical information system at a defined set of acceptable levels, monitoring those levels at a defined frequency.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPE-15 Water damage protection \nThis control recommends the organization ensure the facility housing the physical information system has emergency water shutoff or isolation valves that are accessible, functional, and clearly marked and known to personnel, with the goal of protecting the system components from water leakage.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nPE-16 Delivery and removal \nThis control recommends the organization ensure any pick-up or drop-off activities of information system components at the facility housing the physical information system are authorized, monitored, and controlled, preferably isolating such activities outside of areas where critical system components or media are located.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 24 July 2020, at 20:03.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 482 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","de7c201aa1750a9acb655e663c6a96f6_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Physical_and_environmental_protection rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Physical_and_environmental_protection skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Physical and environmental protection<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.11_Physical_and_environmental_protection\">Appendix 1.11 Physical and environmental protection<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"PE-1_Policy_and_procedures\">PE-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update physical and environmental protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of physical and environmental protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 66<\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-2_Physical_access_authorizations\">PE-2 Physical access authorizations<\/span><\/h4>\n<p>This control recommends the organization develop, approve, and maintain a list of individuals who are vetted and authorized to access the facilities where the system physically resides. Those individuals should be issued credentials to access the facility, and those credentials should be reviewed at a defined frequency. Those individuals who no longer require access to the facility should be removed from the physical access list promptly.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-3_Physical_access_control\">PE-3 Physical access control<\/span><\/h4>\n<p>This control recommends the organization enact physical access controls through the facility where the system physically resides. Those controls include verifying individual access authorization before allowing admittance, using access control devices or personnel, maintaining physical access audit logs, providing security safeguards for accessing controlled areas from public areas, escorting visitors, monitoring visitor activity, securing keys and passwords controls, inventorying physical access devices regularly, and changing keys and password controls when circumstances require.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.idmanagement.gov\/fips201\/\" target=\"_blank\">GSA FIPS 201 Evaluation Program<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/playbooks.idmanagement.gov\/pacs\/\" target=\"_blank\">GSA Physical Access Control System Guide<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-73\/4\/final\" target=\"_blank\">NIST Special Publications 800-73-4<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-76\/2\/final\" target=\"_blank\">NIST Special Publications 800-76-2<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-78\/4\/final\" target=\"_blank\">NIST Special Publications 800-78-4<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-116\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-116, Rev. 1<\/a><\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-PE-3_(1)_Physical_access_control:_System_access\"><\/span><span class=\"mw-headline\" id=\"PE-3_.281.29_Physical_access_control:_System_access\">PE-3 (1) Physical access control: System access<\/span><\/h4>\n<p>This control enhancement recommends the organization provide, in addition to overall facility access control, a mechanism for physically securing areas within the facility that house critical information system components.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-6_Monitoring_physical_access\">PE-6 Monitoring physical access<\/span><\/h4>\n<p>This control recommends the organization monitor the areas within the facility that house critical information system components for detecting and responding to physical security incidents. The organization should also review physical access logs at a determined frequency or when a security event (or possibility of a security event) is identified. Individuals with responsibility for monitoring the system's physical locations should also coordinate with the incident response team in reviews and investigations.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-PE-6_(1)_Monitoring_physical_access:_Intrusion_alarms_and_surveillance_equipment\"><\/span><span class=\"mw-headline\" id=\"PE-6_.281.29_Monitoring_physical_access:_Intrusion_alarms_and_surveillance_equipment\">PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment<\/span><\/h4>\n<p>This control enhancement recommends the organization monitor physical intrusion alarms and surveillance equipment.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.9<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.7<\/a><\/li><\/ul>\n<h4><span id=\"rdp-ebb-PE-6_(4)_Monitoring_physical_access:_Monitoring_physical_access_to_systems\"><\/span><span class=\"mw-headline\" id=\"PE-6_.284.29_Monitoring_physical_access:_Monitoring_physical_access_to_systems\">PE-6 (4) Monitoring physical access: Monitoring physical access to systems<\/span><\/h4>\n<p>This control enhancement recommends the organization provide, in addition to overall facility monitoring, a means of monitoring areas within the facility that house critical system components.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-8_Visitor_access_records\">PE-8 Visitor access records<\/span><\/h4>\n<p>This control recommends the organization retain visitor access records to the facility housing the physical information system for a designated period of time, reviewing those records at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-12_Emergency_lighting\">PE-12 Emergency lighting<\/span><\/h4>\n<p>This control recommends the organization ensure the facility housing the physical information system employs and maintains automatic emergency lighting capable of activating off of its own independent power supply during a power outage or other type of disruption.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-13_Fire_protection\">PE-13 Fire protection<\/span><\/h4>\n<p>This control recommends the organization ensure the facility housing the physical information system employs and maintains fire suppression and detection systems capable of activating off of its own independent power supply during a fire incident.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-14_Environmental_controls\">PE-14 Environmental controls<\/span><\/h4>\n<p>This control recommends the organization maintain temperature, humidity, and other environmental conditions in the facility housing the physical information system at a defined set of acceptable levels, monitoring those levels at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-15_Water_damage_protection\">PE-15 Water damage protection<\/span><\/h4>\n<p>This control recommends the organization ensure the facility housing the physical information system has emergency water shutoff or isolation valves that are accessible, functional, and clearly marked and known to personnel, with the goal of protecting the system components from water leakage.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-16_Delivery_and_removal\">PE-16 Delivery and removal<\/span><\/h4>\n<p>This control recommends the organization ensure any pick-up or drop-off activities of information system components at the facility housing the physical information system are authorized, monitored, and controlled, preferably isolating such activities outside of areas where critical system components or media are located.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321191912\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.016 seconds\nReal time usage: 0.019 seconds\nPreprocessor visited node count: 61\/1000000\nPost\u2010expand include size: 8144\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 8.378 1 -total\n 62.59% 5.244 1 Template:Reflist\n 35.99% 3.015 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.11_Physical_and_environmental_protection\n 25.42% 2.130 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12098-0!canonical and timestamp 20230321191912 and revision id 39900. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","de7c201aa1750a9acb655e663c6a96f6_images":[],"de7c201aa1750a9acb655e663c6a96f6_timestamp":1679426352,"84651314d463b0d69afac52a43fca149_type":"article","84651314d463b0d69afac52a43fca149_title":"Appendix 1.10 Media protection","84651314d463b0d69afac52a43fca149_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection","84651314d463b0d69afac52a43fca149_plaintext":"\n\nBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Media protectionFrom LIMSWikiJump to navigationJump to searchContents \n\n1 Appendix 1.10 Media protection \n\n1.1 MP-1 Policy and procedures \n1.2 MP-2 Media access \n1.3 MP-6 Media sanitization \n1.4 MP-7 Media use \n\n\n2 References \n\n\n\nAppendix 1.10 Media protection \nMP-1 Policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\nNIST Special Publications 800-12, Rev. 1, page 65\nNIST Special Publications 800-88, Rev. 1\nLIMSpec 7.1, 7.2\nMP-2 Media access \nThis control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data contained on the media.\nAdditional resources:\n\nLIMSpec 30.9 and 34.7\nMP-6 Media sanitization \nThis control recommends the organization sanitize specified system media using authorized techniques prior to being disposed, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.\nAdditional resources:\n\nNIST Special Publications 800-60, Vol. 1, Rev. 1\nNIST Special Publications 800-60, Vol. 2, Rev. 1\nNIST Special Publications 800-88, Rev. 1\nNSA\/CSS Media Destruction Guidance\nNo LIMSpec comp (organizational policy rather than system specification)\nMP-7 Media use \nThis control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that \"[i]n contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on information systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives\" on the system or its subsystems.\nAdditional resources:\n\nNo LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection<\/a>\nNavigation menuPage actionsBookDiscussionView sourceHistoryPage actionsBookDiscussionMoreToolsIn other languagesPersonal toolsLog inRequest accountNavigationMain pageEncyclopedic articlesRecent changesRandom pageHelp about MediaWikiSearch\u00a0 ToolsWhat links hereRelated changesSpecial pagesPermanent linkPage informationPopular publications\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\nPrint\/exportCreate a bookDownload as PDFDownload as PDFDownload as Plain textPrintable version This page was last edited on 24 July 2020, at 20:02.Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.This page has been accessed 481 times.Privacy policyAbout LIMSWikiDisclaimers\n\n\n\n","84651314d463b0d69afac52a43fca149_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Media_protection rootpage-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Media_protection skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Media protection<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.10_Media_protection\">Appendix 1.10 Media protection<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"MP-1_Policy_and_procedures\">MP-1 Policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 65<\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-63\/3\/final\" target=\"_blank\">NIST Special Publications 800-88, Rev. 1<\/a><\/li>\n<li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management\" data-key=\"a764b39a539286107f8212ee654db87b\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MP-2_Media_access\">MP-2 Media access<\/span><\/h4>\n<p>This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data contained on the media.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.9<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MP-6_Media_sanitization\">MP-6 Media sanitization<\/span><\/h4>\n<p>This control recommends the organization sanitize specified system media using authorized techniques prior to being disposed, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-1-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 1, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-2-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 2, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-63\/3\/final\" target=\"_blank\">NIST Special Publications 800-88, Rev. 1<\/a><\/li>\n<li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.nsa.gov\/Resources\/Media-Destruction-Guidance\/\" target=\"_blank\">NSA\/CSS Media Destruction Guidance<\/a><\/li>\n<li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MP-7_Media_use\">MP-7 Media use<\/span><\/h4>\n<p>This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that \"[i]n contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on information systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives\" on the system or its subsystems.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li>No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<!-- \nNewPP limit report\nCached time: 20230321191912\nCache expiry: 86400\nDynamic content: false\nComplications: []\nCPU time usage: 0.011 seconds\nReal time usage: 0.014 seconds\nPreprocessor visited node count: 52\/1000000\nPost\u2010expand include size: 3585\/2097152 bytes\nTemplate argument size: 24\/2097152 bytes\nHighest expansion depth: 7\/40\nExpensive parser function count: 0\/100\nUnstrip recursion depth: 0\/20\nUnstrip post\u2010expand size: 0\/5000000 bytes\n-->\n<!--\nTransclusion expansion time report (%,ms,calls,template)\n100.00% 8.519 1 -total\n 64.37% 5.484 1 Template:Reflist\n 34.21% 2.914 1 Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Appendix_1.10_Media_protection\n 28.61% 2.437 1 Template:Column-width\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12097-0!canonical and timestamp 20230321191912 and revision id 39899. Serialized with JSON.\n -->\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_s
