{"ID":91711,"post_author":"26","post_date":"2020-07-24 16:11:41","post_date_gmt":"2020-07-24 20:11:41","post_content":"","post_title":"Comprehensive Guide to Developing and Implementing a Cybersecurity Plan","post_excerpt":"","post_status":"publish","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"comprehensive-guide-to-developing-and-implementing-a-cybersecurity-plan","to_ping":"","pinged":"","post_modified":"2020-07-24 16:31:58","post_modified_gmt":"2020-07-24 20:31:58","post_content_filtered":"","post_parent":0,"guid":"https:\/\/www.limsforum.com\/?post_type=ebook&p=91711","menu_order":0,"post_type":"ebook","post_mime_type":"","comment_count":"0","filter":"","_ebook_metadata":{"enabled":"on","private":"0","guid":"1749414C-C608-48F5-84B5-9982E455D86F","title":"Comprehensive Guide to Developing and Implementing a Cybersecurity Plan","subtitle":"First Edition","cover_theme":"nico_3","cover_image":"https:\/\/www.limsforum.com\/wp-content\/plugins\/rdp-ebook-builder\/pl\/cover.php?cover_style=nico_3&subtitle=First+Edition&editor=Shawn+Douglas&title=Comprehensive+Guide+to+Developing+and+Implementing+a+Cybersecurity+Plan&title_image=https%3A%2F%2Fupload.wikimedia.org%2Fwikipedia%2Fcommons%2F7%2F7d%2FInnovation_%2526_Research_Symposium_Cisco_and_Ecole_Polytechnique_9-10_April_2018_Artificial_Intelligence_%2526_Cybersecurity_%252840631791164%2529.jpg&publisher=LIMSwiki.org","editor":"Shawn Douglas","publisher":"LIMSwiki.org","author_id":"26","image_url":"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/7\/7d\/Innovation_%26_Research_Symposium_Cisco_and_Ecole_Polytechnique_9-10_April_2018_Artificial_Intelligence_%26_Cybersecurity_%2840631791164%29.jpg","items":{"4ca06ca4d95a2c83374488b548e563c9_type":"article","4ca06ca4d95a2c83374488b548e563c9_title":"Appendix 1.17 System and information 
integrity","4ca06ca4d95a2c83374488b548e563c9_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity","4ca06ca4d95a2c83374488b548e563c9_plaintext":"Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and information integrity\nFrom LIMSWiki\n\nContents\n\n1 Appendix 1.17 System and information integrity \n\n1.1 SI-1 System and information integrity policy and procedures \n1.2 SI-2 Flaw remediation \n1.3 SI-2 (5) Flaw remediation: Automatic software and firmware updates \n1.4 SI-3 Malicious code protection \n1.5 SI-4 Information system monitoring \n1.6 SI-4 (5) Information system monitoring: System-generated alerts \n1.7 SI-4 (7) Information system monitoring: Automated response to suspicious alerts \n1.8 SI-5 Security alerts, advisories, and directives \n1.9 SI-12 Information handling and retention \n1.10 SI-16 Memory protection \n\n\n2 References \n3 Citation information for this chapter \n\n\n\nAppendix 1.17 System and information integrity \nSI-1 System and information integrity policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update system and information integrity policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 
1, page 70\n LIMSpec 7.1, 7.2\nSI-2 Flaw remediation \nThis control recommends the organization identify, report, and correct flaws in the information system. When attempting to correct a flaw with a software or firmware update, the organization should first test the effectiveness and potential side effects of the update before installing it on the operational system. The organization should commit to correcting flaws within an organization-defined time period after the release of the update, and incorporate flaw remediation into the organization's existing configuration management processes and procedures.\nAdditional resources:\n\n NIST Special Publications 800-40, Rev. 3\n NIST Special Publications 800-128\n LIMSpec 16.7 and 34.15\nSI-2 (5) Flaw remediation: Automatic software and firmware updates \nThis control enhancement recommends the organization selectively employ automatic mechanisms for the installation of specified security-relevant software and firmware updates to specified system components (or across the entire system).\nAdditional resources:\n\n LIMSpec 34.10\nSI-3 Malicious code protection \nThis control recommends the organization employ, configure, and regularly update malicious code protection mechanisms at information system entry and exit points. The configuration of these mechanisms should allow for periodic scans of the system at a defined frequency, as well as real-time scans of external files, and should also block malicious code, quarantine it, and\/or send alerts to an administrator or specific organizational role. The mechanisms should also allow the organization to manage false positives and their potential impact on the system.\nAdditional resources:\n\n NIST Special Publications 800-83, Rev. 
1\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSI-4 Information system monitoring \nThis control recommends the organization employ various forms of monitoring on the system in order to detect attacks; unauthorized local, network, and remote connections; and unauthorized processes, whether actual or merely indicated. The forms of monitoring used should be deployed strategically within the system and at ad hoc locations, and those forms of monitoring should be vetted with legal opinion in regard to their adherence to laws and regulations. The organization should protect information gained from monitoring the system and heighten the level of monitoring when indications exist of increased risk to the system. Finally, the organization should disseminate monitoring information to designated personnel or roles as needed or at a defined frequency.\nAdditional resources:\n\n NIST Special Publications 800-61, Rev. 2\n NIST Special Publications 800-83, Rev. 
1\n NIST Special Publications 800-92\n NIST Special Publications 800-94\n NIST Special Publications 800-137\n LIMSpec 16.7 and 31.8\nSI-4 (5) Information system monitoring: System-generated alerts \nThis control enhancement recommends the system send alerts to designated personnel or roles when any of a list of organization-defined indications of compromise or potential compromise occur.\nAdditional resources:\n\n LIMSpec 30.8\nSI-4 (7) Information system monitoring: Automated response to suspicious alerts \nThis control enhancement recommends the system send alerts to designated personnel or roles when a suspicious event is detected and then take the least-disruptive action from a list of organization-defined actions in order to terminate the suspicious event.\nAdditional resources:\n\n LIMSpec 30.8\nSI-5 Security alerts, advisories, and directives \nThis control recommends the organization choose a source for information system security alerts, advisories, and directives and receive regular updates from the source. Additionally, the organization should generate its own internal security alerts, advisories, and directives when necessary. In all cases, this received and generated information should be disseminated to defined personnel, roles, groups, external organizations, etc. Of course, the organization should also act upon the information received, implementing a fix within an established time frame and notifying a designated individual or role of any degree of noncompliance.\nAdditional resources:\n\n NIST Special Publications 800-40, Rev. 
3\n No LIMSpec comp (organizational policy rather than system specification)\nSI-12 Information handling and retention \nThis control recommends the organization manage and retain information stored and transmitted within the system according to law, regulation, standards, and operational requirements.\nAdditional resources:\n\n LIMSpec 31.2, 31.3, and 31.4\nSI-16 Memory protection \nThis control recommends the organization choose and build into the system hardware- or software-enforced security safeguards that protect its memory from unauthorized code execution. Safeguards might include methods such as data execution prevention and address space layout randomization.\nAdditional resources:\n\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nReferences \n\nCitation information for this chapter \nChapter: Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\nTitle: Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\nEdition: First\nAuthor for citation: Shawn E. 
Douglas\nLicense for content: Creative Commons Attribution-ShareAlike 4.0 International\nPublication date: July 2020\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity<\/a>\n\nThis page was last modified on 24 July 2020, at 20:07.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","4ca06ca4d95a2c83374488b548e563c9_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_information_integrity skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and information integrity<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.17_System_and_information_integrity\">Appendix 1.17 System and information 
integrity<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"SI-1_System_and_information_integrity_policy_and_procedures\">SI-1 System and information integrity policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update system and information integrity policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 70<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-2_Flaw_remediation\">SI-2 Flaw remediation<\/span><\/h4>\n<p>This control recommends the organization identify, report, and correct flaws in the information system. When attempting to correct a flaw with a software or firmware update, the organization should first test the effectiveness and potential side effects of the update before installing it on the operational system. The organization should commit to correcting flaws within an organization-defined time period after the release of the update, and incorporate flaw remediation into the organization's existing configuration management processes and procedures.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-40\/rev-3\/final\" target=\"_blank\">NIST Special Publications 800-40, Rev. 3<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-128\/final\" target=\"_blank\">NIST Special Publications 800-128<\/a><\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management\" data-key=\"1ef9aa152f771b925b31c12cd68bba66\">LIMSpec 16.7<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.15<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-2_.285.29_Flaw_remediation:_Automatic_software_and_firmware_updates\">SI-2 (5) Flaw remediation: Automatic software and firmware updates<\/span><\/h4>\n<p>This control enhancement recommends the organization selectively employ automatic mechanisms for the installation of specified security-relevant software and firmware updates to specified system components (or across the entire system).\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.10<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-3_Malicious_code_protection\">SI-3 Malicious code protection<\/span><\/h4>\n<p>This control recommends the organization employ, configure, and regularly update malicious code protection mechanisms at information system entry and exit points. The configuration of these mechanisms should allow for periodic scans of the system at a defined frequency, as well as real-time scans of external files, and should also block malicious code, quarantine it, and\/or send alerts to an administrator or specific organizational role. The mechanisms should also allow the organization to manage false positives and their potential impact on the system.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-83, Rev. 1<\/a><\/li>\n<li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-4_Information_system_monitoring\">SI-4 Information system monitoring<\/span><\/h4>\n<p>This control recommends the organization employ various forms of monitoring on the system in order to detect attacks; unauthorized local, network, and remote connections; and unauthorized processes, whether actual or merely indicated. The forms of monitoring used should be deployed strategically within the system and at <i>ad hoc<\/i> locations, and those forms of monitoring should be vetted with legal opinion in regard to their adherence to laws and regulations. The organization should protect information gained from monitoring the system and heighten the level of monitoring when indications exist of increased risk to the system. 
Finally, the organization should disseminate monitoring information to designated personnel or roles as needed or at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-61\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-61, Rev. 2<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-83, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-92\/final\" target=\"_blank\">NIST Special Publications 800-92<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-94\/final\" target=\"_blank\">NIST Special Publications 800-94<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-137\/final\" target=\"_blank\">NIST Special Publications 800-137<\/a><\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management\" data-key=\"1ef9aa152f771b925b31c12cd68bba66\">LIMSpec 16.7<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity\" data-key=\"eedafbce6e4049ac527deb43a1e2311d\">31.8<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-4_.285.29_Information_system_monitoring:_System-generated_alerts\">SI-4 (5) Information system monitoring: System-generated alerts<\/span><\/h4>\n<p>This control enhancement recommends the system send alerts to designated personnel or roles when any of a list of 
organization-defined indications of compromise or potential compromise occur.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.8<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-4_.287.29_Information_system_monitoring:_Automated_response_to_suspicious_alerts\">SI-4 (7) Information system monitoring: Automated response to suspicious alerts<\/span><\/h4>\n<p>This control enhancement recommends the system send alerts to designated personnel or roles when a suspicious event is detected and then take the least-disruptive action from a list of organization-defined actions in order to terminate the suspicious event.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.8<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-5_Security_alerts.2C_advisories.2C_and_directives\">SI-5 Security alerts, advisories, and directives<\/span><\/h4>\n<p>This control recommends the organization choose a source for information system security alerts, advisories, and directives and receive regular updates from the source. Additionally, the organization should generate its own internal security alerts, advisories, and directives when necessary. In all cases, this received and generated information should be disseminated to defined personnel, roles, groups, external organizations, etc. Of course, the organization should also act upon the information received, implementing a fix within an established time frame and notifying a designated individual or role of any degree of noncompliance.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-40\/rev-3\/final\" target=\"_blank\">NIST Special Publications 800-40, Rev. 3<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-12_Information_handling_and_retention\">SI-12 Information handling and retention<\/span><\/h4>\n<p>This control recommends the organization manage and retain information stored and transmitted within the system according to law, regulation, standards, and operational requirements.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity\" data-key=\"eedafbce6e4049ac527deb43a1e2311d\">LIMSpec 31.2, 31.3, and 31.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SI-16_Memory_protection\">SI-16 Memory protection<\/span><\/h4>\n<p>This control recommends the organization choose and build into the system hardware- or software-enforced security safeguards that protect its memory from unauthorized code execution. 
Safeguards might include methods such as data execution prevention and address space layout randomization.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Citation_information_for_this_chapter\">Citation information for this chapter<\/span><\/h2>\n<p><b>Chapter<\/b>: Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\n<\/p><p><b>Title<\/b>: <i>Comprehensive Guide to Developing and Implementing a Cybersecurity Plan<\/i>\n<\/p><p><b>Edition<\/b>: First\n<\/p><p><b>Author for citation<\/b>: Shawn E. Douglas\n<\/p><p><b>License for content<\/b>: <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/\" target=\"_blank\">Creative Commons Attribution-ShareAlike 4.0 International<\/a>\n<\/p><p><b>Publication date<\/b>: July 2020\n<\/p><p><br \/>\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_information_integrity<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","4ca06ca4d95a2c83374488b548e563c9_images":[],"4ca06ca4d95a2c83374488b548e563c9_timestamp":1595622735,"0d4299503ffb7a3bc99899ce8f91b142_type":"article","0d4299503ffb7a3bc99899ce8f91b142_title":"Appendix 1.16 System and communications protection","0d4299503ffb7a3bc99899ce8f91b142_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection","0d4299503ffb7a3bc99899ce8f91b142_plaintext":"Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A 
simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and communications protection\nFrom LIMSWiki\n\nContents\n\n1 Appendix 1.16 System and communications protection \n\n1.1 SC-1 System and communications protection policy and procedures \n1.2 SC-5 Denial of service protection \n1.3 SC-7 Boundary protection \n1.4 SC-12 Cryptographic key establishment and management \n1.5 SC-13 Cryptographic protection \n1.6 SC-15 Collaborative computing devices \n1.7 SC-20 Secure name-address resolution service and use of an authoritative source \n1.8 SC-21 Secure name-address resolution service and use of a recursive or caching resolver \n1.9 SC-22 Architecture and provision for name-address resolution service \n1.10 SC-28 Protection of information at rest \n1.11 SC-28 (1) Protection of information at rest: Cryptographic protection \n1.12 SC-39 Process isolation \n\n\n2 References \n\n\n\nAppendix 1.16 System and communications protection \nSC-1 System and communications protection policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, pages 69\u201370\n LIMSpec 7.1, 7.2\nSC-5 Denial of service protection \nThis control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. 
The organization will typically identify what types of DoS attacks are most likely to be a risk and state its plans for safeguarding against them.\nAdditional resources:\n\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-7 Boundary protection \nThis control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally, subnetworks for publicly accessible system components that are logically or physically separated from internal networks should be implemented. The system should solely depend on managed interfaces (boundary detection devices) for connecting to external networks and information systems.\nAdditional resources:\n\n NIST Special Publications 800-41, Rev. 1\n NIST Special Publications 800-77\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-12 Cryptographic key establishment and management \nThis control recommends the organization establish and manage cryptographic keys for the cryptographic modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.\nAdditional resources:\n\n NIST Special Publications 800-56A, Rev. 3\n NIST Special Publications 800-56B, Rev. 2\n NIST Special Publications 800-56C, Rev. 1\n NIST Special Publications 800-57, Part 1, Rev. 4\n NIST Special Publications 800-57, Part 2, Rev. 1\n NIST Special Publications 800-57, Part 3, Rev. 
1\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-13 Cryptographic protection \nThis control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.\nAdditional resources:\n\n LIMSpec 21.12 and 35.2\nSC-15 Collaborative computing devices \nThis control recommends the system prohibit remote activation of collaborative computing devices such as attached cameras, microphones, and networked whiteboards, unless explicitly allowed by the organization. Additionally, the system should provide an explicit notification that the device is in use to users physically present at the device.\nAdditional resources:\n\n LIMSpec 35.6\nSC-20 Secure name-address resolution service and use of an authoritative source \nThis control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additionally, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)\nAdditional resources:\n\n NIST Special Publications 800-81-2\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-21 Secure name-address resolution service and use of a recursive or caching resolver \nThis control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. 
(Note that this control is networking-related and difficult to put into simplified terms.)\nAdditional resources:\n\n NIST Special Publications 800-81-2\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-22 Architecture and provision for name-address resolution service \nThis control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)\nAdditional resources:\n\n NIST Special Publications 800-81-2\n No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)\nSC-28 Protection of information at rest \nThis control recommends the system protect the confidentiality and\/or integrity of designated information at rest contained in the system. (\"Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.\")\nAdditional resources:\n\n NIST Special Publications 800-56A, Rev. 3\n NIST Special Publications 800-56B, Rev. 2\n NIST Special Publications 800-56C, Rev. 1\n NIST Special Publications 800-57, Part 1, Rev. 4\n NIST Special Publications 800-57, Part 2, Rev. 1\n NIST Special Publications 800-57, Part 3, Rev. 
1\n NIST Special Publications 800-111\n LIMSpec 21.12\nSC-28 (1) Protection of information at rest: Cryptographic protection \nThis control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).\nAdditional resources:\n\n LIMSpec 21.12 and LIMSpec 35.2\nSC-39 Process isolation \nThis control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) \"so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process.\"\nAdditional resources:\n\n LIMSpec 21.16\nReferences \n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection<\/a>
\nThis page was last modified on 24 July 2020, at 20:05.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","0d4299503ffb7a3bc99899ce8f91b142_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_communications_protection skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a 
id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and communications protection<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.16_System_and_communications_protection\">Appendix 1.16 System and communications protection<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"SC-1_System_and_communications_protection_policy_and_procedures\">SC-1 System and communications protection policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 
1<\/a>, pages 69\u201370<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-5_Denial_of_service_protection\">SC-5 Denial of service protection<\/span><\/h4>\n<p>This control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. The organization will typically identify what types of DoS attacks are most likely to be a risk and state its plans for safeguarding against them.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-7_Boundary_protection\">SC-7 Boundary protection<\/span><\/h4>\n<p>This control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally, subnetworks for publicly accessible system components that are logically or physically separated from internal networks should be implemented. The system should solely depend on managed interfaces (boundary detection devices) for connecting to external networks and information systems.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-41\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-41, Rev. 
1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-77\/final\" target=\"_blank\">NIST Special Publications 800-77<\/a><\/li>\n<li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-12_Cryptographic_key_establishment_and_management\">SC-12 Cryptographic key establishment and management<\/span><\/h4>\n<p>This control recommends the organization establish and manage cryptographic keys for the cryptography modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56a\/rev-3\/final\" target=\"_blank\">NIST Special Publications 800-56A, Rev. 3<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56b\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-56B, Rev. 2<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56c\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-56C, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-1\/rev-4\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 1, Rev. 4<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-2\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 2, Rev. 
1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-3\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 3, Rev. 1<\/a><\/li>\n<li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-13_Cryptographic_protection\">SC-13 Cryptographic protection<\/span><\/h4>\n<p>This control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.12<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">35.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-15_Collaborative_computing_devices\">SC-15 Collaborative computing devices<\/span><\/h4>\n<p>This control recommends the system prohibit remote activation of collaborative computing devices such as attached cameras, microphones, and networked whiteboards, unless explicitly allowed by the organization. 
Additionally, the system should provide an explicit notification that the device is in use to users physically present at the device.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">LIMSpec 35.6<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-20_Secure_name-address_resolutions_service_and_use_of_an_authoritative_source\">SC-20 Secure name-address resolutions service and use of an authoritative source<\/span><\/h4>\n<p>This control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additionally, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-81\/2\/final\" target=\"_blank\">NIST Special Publications 800-81-2<\/a><\/li>\n<li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-21_Secure_name-address_resolutions_service_and_use_of_a_recursive_or_caching_resolver\">SC-21 Secure name-address resolutions service and use of a recursive or caching resolver<\/span><\/h4>\n<p>This control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. 
(Note that this control is networking-related and difficult to put into simplified terms.)\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-81\/2\/final\" target=\"_blank\">NIST Special Publications 800-81-2<\/a><\/li>\n<li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-22_Architecture_and_provision_for_name-address_resolution_service\">SC-22 Architecture and provision for name-address resolution service<\/span><\/h4>\n<p>This control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-81\/2\/final\" target=\"_blank\">NIST Special Publications 800-81-2<\/a><\/li>\n<li> No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-28_Protection_of_information_at_rest\">SC-28 Protection of information at rest<\/span><\/h4>\n<p>This control recommends the system protect the confidentiality and\/or integrity of designated information at rest contained in the system. (\"Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.\")\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56a\/rev-3\/final\" target=\"_blank\">NIST Special Publications 800-56A, Rev. 
3<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56b\/rev-2\/final\" target=\"_blank\">NIST Special Publications 800-56B, Rev. 2<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-56c\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-56C, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-1\/rev-4\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 1, Rev. 4<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-2\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 2, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-3\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-57, Part 3, Rev. 
1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-111\/final\" target=\"_blank\">NIST Special Publications 800-111<\/a><\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.12<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-28_.281.29_Protection_of_information_at_rest:_Cryptographic_protection\">SC-28 (1) Protection of information at rest: Cryptographic protection<\/span><\/h4>\n<p>This control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.12<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">LIMSpec 35.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SC-39_Process_isolation\">SC-39 Process isolation<\/span><\/h4>\n<p>This control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) \"so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a 
rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management\" data-key=\"5f931466bb9436d113fc17a04bc496cf\">LIMSpec 21.16<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_communications_protection<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","0d4299503ffb7a3bc99899ce8f91b142_images":[],"0d4299503ffb7a3bc99899ce8f91b142_timestamp":1595622735,"05576c23306f3d9ae9feb07a299b6ad3_type":"article","05576c23306f3d9ae9feb07a299b6ad3_title":"Appendix 1.15 System and services acquisition","05576c23306f3d9ae9feb07a299b6ad3_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition","05576c23306f3d9ae9feb07a299b6ad3_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and services acquisition\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\tContents\n\n1 Appendix 1.15 System and services acquisition \n\n1.1 SA-1 System and services acquisition policy and procedures \n1.2 SA-2 Allocation of resources \n1.3 SA-3 System development lifecycle \n1.4 SA-4 Acquisition process \n1.5 
SA-4 (1) Acquisition process: Functional properties of security controls \n1.6 SA-4 (2) Acquisition process: Design and implementation information for security controls \n1.7 SA-4 (3) Acquisition process: Development methods, techniques, and practices \n1.8 SA-5 Information system documentation \n1.9 SA-9 External information system services \n1.10 SA-16 Developer-provided training \n\n\n2 References \n\n\n\nAppendix 1.15 System and services acquisition \nSA-1 System and services acquisition policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update system and services acquisition policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and services acquisition action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, page 69\n NIST Special Publication 800-100, pages 113\u201323\n LIMSpec 7.1, 7.2\nSA-2 Allocation of resources \nThis control recommends the organization determine, document, and allocate the resources required to protect the information system and its service as part of business process planning, capital planning, and cybersecurity planning. Those associated plans should have a discrete line item pertaining to information security.\nAdditional resources:\n\n Integrity Matters Why CPIC Matters More than Ever to Cybersecurity\n No LIMSpec comp (organizational policy rather than system specification)\nSA-3 System development lifecycle \nThis control recommends the organization use a system development life cycle in the management of its information system. 
As part of this approach, the organization should define and document security roles and responsibilities for the phases of the life cycle, identify the key individuals involved, and ensure the organization's security risk management process is integrated into development life cycle activities. As such, the development life cycle benefits from consistency \"with organizational risk management and information security strategies.\"\nAdditional resources:\n\n NIST Special Publications 800-37, Rev. 1\n No LIMSpec comp (organizational policy rather than system specification)\nSA-4 Acquisition process \nThis control recommends the organization, as part of the acquisition process, include security functional, strength, and assurance requirements; requirements for security documentation and its protection; description of the developmental and operational system environments; and acceptance criteria in the acquisition contracts for the information system, its components, and its services.\nAdditional resources:\n\n National Information Assurance Partnership\n NIST Special Publication 800-70, Rev. 4\n No LIMSpec comp (organizational policy rather than system specification)\nSA-4 (1) Acquisition process: Functional properties of security controls \nThis control enhancement recommends the organization require of an information system, system component, or software developer a description of the functional properties of the security controls (i.e., the functionality visible at the interfaces of the security controls) the system, component, or software will employ. \nAdditional resources:\n\n LIMSpec 33.4\nSA-4 (2) Acquisition process: Design and implementation information for security controls \nThis control enhancement recommends the organization require of an information system, system component, or software developer information on the design and implementation of the security controls inherent to the system, component, or software. 
This could include security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics.\nAdditional resources:\n\n LIMSpec 33.2 and 33.4\nSA-4 (3) Acquisition process: Development methods, techniques, and practices \nThis control enhancement recommends the organization require of an information system, system component, or software developer proof of using a development life cycle that includes current and relevant system and security engineering methods, software development methods, testing and validation techniques, and quality control procedures.\nAdditional resources:\n\n LIMSpec 33.1\nSA-5 Information system documentation \nThis control recommends the organization require of an information system, system component, or software developer administrator documentation that describes configuration, installation, and operation; effective use and maintenance of security mechanisms; known vulnerabilities of privileged functions; best user practices to ensure system security; and administrator and user responsibilities for maintaining the security. The organization should document any attempts (and failures) to acquire such administrator documentation, protect that documentation internally, and distribute it to the appropriate personnel or roles.\nAdditional resources:\n\n LIMSpec 33.4\nSA-9 External information system services \nThis control recommends the organization hold providers of external information system services accountable to organizational security requirements, as well as defined security controls. The organization should also document government oversight and user roles and responsibilities associated with the services. 
The organization should also monitor the external information system services provider for compliance with organizational security requirements and security controls.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nSA-16 Developer-provided training \nThis control recommends the organization require of an information system, system component, or software developer specific training on the correct operation of the security functions, controls, and mechanisms of the system, system component, or software.\nAdditional resources:\n\n LIMSpec 34.6\nReferences \n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition<\/a>
\nThis page was last modified on 24 July 2020, at 20:04.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","05576c23306f3d9ae9feb07a299b6ad3_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_System_and_services_acquisition skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A 
simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/System and services acquisition<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.15_System_and_services_acquisition\">Appendix 1.15 System and services acquisition<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"SA-1_System_and_services_acquisition_policy_and_procedures\">SA-1 System and services acquisition policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update system and services acquisition policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and services acquisition action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 
1<\/a>, page 69<\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-100\/final\" target=\"_blank\">NIST Special Publication 800-100<\/a>, pages 113\u201323<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-2_Allocation_of_resources\">SA-2 Allocation of resources<\/span><\/h4>\n<p>This control recommends the organization determine, document, and allocate the resources required to protect the information system and its service as part of business process planning, capital planning, and cybersecurity planning. Those associated plans should have a discrete line item pertaining to information security.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/web.archive.org\/web\/20170203203450\/http:\/\/www.integritymc.com\/blog\/2015\/06\/why-cpic-matters-more-than-ever-to-cybersecurity\/\" target=\"_blank\">Integrity Matters Why CPIC Matters More than Ever to Cybersecurity<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-3_System_development_lifecycle\">SA-3 System development lifecycle<\/span><\/h4>\n<p>This control recommends the organization use a system development life cycle in the management of its information system. As part of this approach, the organization should define and document security roles and responsibilities for the phases of the life cycle, identify the key individuals involved, and ensure the organization's security risk management process is integrated into development life cycle activities. 
As such, the development life cycle benefits from consistency \"with organizational risk management and information security strategies.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-37\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-37, Rev. 1<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-4_Acquisition_process\">SA-4 Acquisition process<\/span><\/h4>\n<p>This control recommends the organization, as part of the acquisition process, include security functional, strength, and assurance requirements; requirements for security documentation and its protection; description of the developmental and operational system environments; and acceptance criteria in the acquisition contracts for the information system, its components, and its services.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.niap-ccevs.org\/index.cfm\" target=\"_blank\">National Information Assurance Partnership<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-70\/rev-4\/final\" target=\"_blank\">NIST Special Publication 800-70, Rev. 
4<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-4_.281.29_Acquisition_process:_Functional_properties_of_security_controls\">SA-4 (1) Acquisition process: Functional properties of security controls<\/span><\/h4>\n<p>This control enhancement recommends the organization require of an information system, system component, or software developer a description of the functional properties of the security controls (i.e., the functionality visible at the interfaces of the security controls) the system, component, or software will employ. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-4_.282.29_Acquisition_process:_Design_and_implementation_information_for_security_controls\">SA-4 (2) Acquisition process: Design and implementation information for security controls<\/span><\/h4>\n<p>This control enhancement recommends the organization require of an information system, system component, or software developer information on the design and implementation of the security controls inherent to the system, component, or software. 
This could include security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.2 and 33.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-4_.283.29_Acquisition_process:_Development_methods.2C_techniques.2C_and_practices\">SA-4 (3) Acquisition process: Development methods, techniques, and practices<\/span><\/h4>\n<p>This control enhancement recommends the organization require of an information system, system component, or software developer proof of using a development life cycle that includes current and relevant system and security engineering methods, software development methods, testing and validation techniques, and quality control procedures.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.1<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-5_Information_system_documentation\">SA-5 Information system documentation<\/span><\/h4>\n<p>This control recommends the organization require of an information system, system component, or software developer administrator documentation that describes configuration, installation, and operation; effective use and maintenance of security mechanisms; known vulnerabilities of privileged functions; best user practices to ensure system security; and administrator and user responsibilities for maintaining the security. 
The organization should document any attempts (and failures) to acquire such administrator documentation, protect that documentation internally, and distribute it to the appropriate personnel or roles.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#33._System_validation_and_commission\" data-key=\"962b522f454655e6db263e82dc72efff\">LIMSpec 33.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-9_External_information_system_services\">SA-9 External information system services<\/span><\/h4>\n<p>This control recommends the organization hold providers of external information system services accountable to organizational security requirements, as well as defined security controls. The organization should also document government oversight and user roles and responsibilities associated with the services. The organization should also monitor the external information system services provider for compliance with organizational security requirements and security controls.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"SA-16_Developer-provided_training\">SA-16 Developer-provided training<\/span><\/h4>\n<p>This control recommends the organization require of an information system, system component, or software developer specific training on the correct operation of the security functions, controls, and mechanisms of the system, system component, or software.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 
34.6<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/System_and_services_acquisition<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end 
of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","05576c23306f3d9ae9feb07a299b6ad3_images":[],"05576c23306f3d9ae9feb07a299b6ad3_timestamp":1595622735,"c52661a1e1652b9775da10e9b68e417b_type":"article","c52661a1e1652b9775da10e9b68e417b_title":"Appendix 1.14 Risk assessment","c52661a1e1652b9775da10e9b68e417b_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment","c52661a1e1652b9775da10e9b68e417b_plaintext":"\n\n\t\t\t\tBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Risk assessment\n\t\t\t\t\tFrom LIMSWiki\n\n\t\t\t\t\tContents\n\n1 Appendix 1.14 Risk assessment \n\n1.1 RA-1 Risk assessment policy and procedures \n1.2 RA-2 Security categorization \n1.3 RA-3 Risk assessment \n1.4 RA-5 Vulnerability scanning \n\n\n2 References \n\n\n\nAppendix 1.14 Risk assessment \nRA-1 Risk assessment policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk assessment action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, pages 68\u201369\n NIST Special Publication 800-30, Rev. 
1\n NIST Special Publication 800-100, pages 84\u201395\n LIMSpec 7.1, 7.2\nRA-2 Security categorization \nThis control recommends the organization categorize the information system and its data based on security. More specifically, NIST notes the security categorization should be based upon \"the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability.\" Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.\nAdditional resources:\n\n NIST Special Publication 800-30, Rev. 1\n NIST Special Publication 800-39\n NIST Special Publications 800-60, Vol. 1, Rev. 1\n NIST Special Publications 800-60, Vol. 2, Rev. 1\n No LIMSpec comp (organizational policy rather than system specification)\nRA-3 Risk assessment \nThis control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized \"access, use, disclosure, disruption, modification, or destruction\" of the system and its data. The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency and updated when significant changes to the system or cybersecurity threats occur.\nAdditional resources:\n\n NIST Special Publication 800-30, Rev. 
1\n NIST Special Publication 800-39\n No LIMSpec comp (organizational policy rather than system specification)\nRA-5 Vulnerability scanning \nThis control recommends the organization conduct vulnerability scanning of its system. \"Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms.\" These scans should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using standard formats for checklists and test procedures, while also measuring vulnerability impact. The organization should analyze the results of these scans, remediate legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system.\nAdditional resources:\n\n NIST National Vulnerability Database\n NIST Special Publication 800-40, Rev. 3\n NIST Special Publication 800-70, Rev. 
4\n NIST Special Publication 800-115\n No LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment<\/a>\n
\n\t\t\t\t\t\t\t\t\t This page was last modified on 24 July 2020, at 20:04.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\n","c52661a1e1652b9775da10e9b68e417b_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Risk_assessment skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Risk assessment<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.14_Risk_assessment\">Appendix 1.14 Risk assessment<\/span><\/h3>\n<h4><span class=\"mw-headline\" 
id=\"RA-1_Risk_assessment_policy_and_procedures\">RA-1 Risk assessment policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk asssessment action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, pages 68\u201369<\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final\" target=\"_blank\">NIST Special Publication 800-30, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-100\/final\" target=\"_blank\">NIST Special Publication 800-100<\/a>, pages 84\u201395<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"RA-2_Security_categorization\">RA-2 Security categorization<\/span><\/h4>\n<p>This control recommends the organization categorize the information system and its data based on security. 
More specifically, NIST notes the security categorization should be based upon \"the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability.\" Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final\" target=\"_blank\">NIST Special Publication 800-30, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-39\/final\" target=\"_blank\">NIST Special Publication 800-39<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-1-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 1, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-2-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 2, Rev. 1<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"RA-3_Risk_assessment\">RA-3 Risk assessment<\/span><\/h4>\n<p>This control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized \"access, use, disclosure, disruption, modification, or destruction\" of the system and its data. 
The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency and updated when significant changes to the system or cybersecurity threats occur.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-30\/rev-1\/final\" target=\"_blank\">NIST Special Publication 800-30, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-39\/final\" target=\"_blank\">NIST Special Publication 800-39<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"RA-5_Vulnerability_scanning\">RA-5 Vulnerability scanning<\/span><\/h4>\n<p>This control recommends the organization conduct vulnerability scanning of its system. \"Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms.\" These scans should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using standard formats for checklists and test procedures, while also measuring vulnerability impact. 
The organization should analyze the results of these scans, remediate legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/nvd.nist.gov\/\" target=\"_blank\">NIST National Vulnerability Database<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-40\/rev-3\/final\" target=\"_blank\">NIST Special Publication 800-40, Rev. 3<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-70\/rev-4\/final\" target=\"_blank\">NIST Special Publication 800-70, Rev. 4<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-115\/final\" target=\"_blank\">NIST Special Publication 800-115<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Risk_assessment<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","c52661a1e1652b9775da10e9b68e417b_images":[],"c52661a1e1652b9775da10e9b68e417b_timestamp":1595622735,"7e23c5cb79442a7218e0ee49e2465122_type":"article","7e23c5cb79442a7218e0ee49e2465122_title":"Appendix 1.13 Personnel security","7e23c5cb79442a7218e0ee49e2465122_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security","7e23c5cb79442a7218e0ee49e2465122_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to 
LIMSpec\/Personnel security\n\t\t\t\t\tFrom LIMSWiki\n\n\t\t\t\t\tContents\n\n1 Appendix 1.13 Personnel security \n\n1.1 PS-1 Personnel security policy and procedures \n1.2 PS-2 Position risk designation \n1.3 PS-3 Personnel screening \n1.4 PS-4 Personnel termination \n1.5 PS-5 Personnel transfer \n1.6 PS-6 Access agreements \n1.7 PS-7 Third-party personnel security \n1.8 PS-8 Personnel sanctions \n\n\n2 References \n\n\n\nAppendix 1.13 Personnel security \nPS-1 Personnel security policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update personnel security policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personnel security action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, page 68\n LIMSpec 7.1, 7.2\nPS-2 Position risk designation \nThis control recommends the organization assign risk designations to all organizational positions. NIST states that risk designations \"can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems.\" Deciding on the appropriate risk level designation (e.g., high, moderate, or low) for a position may be \"determined by the position's potential for adverse impact to the efficiency or integrity of the service.\"[1] Those authorizations should be created only after screening criteria for the position have been met. 
Additionally, the organization should review and update its risk designations at a defined frequency.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPS-3 Personnel screening \nThis control recommends the organization perform a security screening of individuals before authorizing them to access the information system, as well as rescreen those individuals based on organization-defined conditions and frequencies.\nAdditional resources:\n\n 5 CFR 731.106\n NIST Special Publications 800-60, Vol. 1, Rev. 1\n NIST Special Publications 800-60, Vol. 2, Rev. 1\n NIST Special Publications 800-73-4\n NIST Special Publications 800-76-2\n NIST Special Publications 800-78-4\n No LIMSpec comp (organizational policy rather than system specification)\nPS-4 Personnel termination \nThis control recommends the organization conduct a series of security steps upon termination of personnel. Those steps include disabling system access within an organization-defined period of time, revoking the individual's authenticators or credentials, having an exit interview with the individual about system security topics, retrieving any organizational information and property related to the information system controlled by the individual, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\nAdditional resources:\n\n LIMSpec 32.28 and 34.4\nPS-5 Personnel transfer \nThis control recommends the organization conduct a series of security steps upon the reassignment or transfer of personnel. 
Those steps include reviewing and confirming the ongoing need for the individual's current access authorizations, initiating any necessary access modification or other types of action within an organization-defined period of time, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\nAdditional resources:\n\n LIMSpec 34.4\nPS-6 Access agreements \nThis control recommends the organization develop, document, review, and update access agreements for organizational information systems, ensuring that individuals requiring access to the system sign the agreement before accessing the system and re-sign the agreement when the organization updates it, or at a designated frequency.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPS-7 Third-party personnel security \nThis control recommends the organization establish a set of security requirements for third-party personnel. Those requirements should elaborate on third-party personnel security roles, responsibilities, and requirements; require said personnel to comply with organizational personnel security policy and procedures; require prompt notification from third-party providers when associated personnel who possess authenticators or credentials and have access to the system transfer or leave; and compel the organization to monitor provider compliance.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPS-8 Personnel sanctions \nThis control recommends the organization put into place a formal sanctions process for individuals who fail to comply with organizational information security policies and procedures. 
When a formal sanction process is initiated, the organization will notify designated personnel or roles within an organization-defined period of time of the sanctions, including who is affected and the reasoning behind the sanctions.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\n\u2191 \"5 CFR \u00a7 731.106 - Designation of public trust positions and investigative requirements\". Legal Information Institute. Cornell. https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106. Retrieved 23 July 2020.\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security<\/a>\n
\nThis page was last modified on 24 July 2020, at 20:04.\nThis page has been accessed 3 times.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\n","7e23c5cb79442a7218e0ee49e2465122_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Personnel_security skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Personnel security<\/h1>\n\t\t\t\t\n\t\t\t\t<div 
id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.13_Personnel_security\">Appendix 1.13 Personnel security<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"PS-1_Personnel_security_policy_and_procedures\">PS-1 Personnel security policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update personnel security policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personnel security action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12<\/a>, page 68<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-2_Position_risk_designation\">PS-2 Position risk designation<\/span><\/h4>\n<p>This control recommends the organization assign risk designations to all organizational positions. 
NIST states that risk designations \"can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems.\" Deciding on the appropriate risk level designation (e.g., high, moderate, or low) for a position may be \"determined by the position's potential for adverse impact to the efficiency or integrity of the service.\"<sup id=\"rdp-ebb-cite_ref-LII5CFR_1-0\" class=\"reference\"><a href=\"#cite_note-LII5CFR-1\">[1]<\/a><\/sup> Those authorizations should be created only after screening criteria for the position have been met. Additionally, the organization should review and update its risk designations at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-3_Personnel_screening\">PS-3 Personnel screening<\/span><\/h4>\n<p>This control recommends the organization perform a security screening of individuals before authorizing them to access the information system, as well as rescreen those individuals based on organization-defined conditions and frequencies.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106\" target=\"_blank\">5 CFR 731.106<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-1-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 1, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-2-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 2, Rev. 
1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-73\/4\/final\" target=\"_blank\">NIST Special Publications 800-73-4<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-76\/2\/final\" target=\"_blank\">NIST Special Publications 800-76-2<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-78\/4\/final\" target=\"_blank\">NIST Special Publications 800-78-4<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-4_Personnel_termination\">PS-4 Personnel termination<\/span><\/h4>\n<p>This control recommends the organization conduct a series of security steps upon termination of personnel. Those steps include disabling system access within an organization-defined period of time, revoking the individual's authenticators or credentials, having an exit interview with the individual about system security topics, retrieving any organizational information and property related to the information system controlled by the individual, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management\" data-key=\"e972c3ebbff256d2241b0ba5e3831389\">LIMSpec 32.28<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" 
id=\"PS-5_Personnel_transfer\">PS-5 Personnel transfer<\/span><\/h4>\n<p>This control recommends the organization conduct a series of security steps upon the reassignment or transfer of personnel. Those steps include reviewing and confirming the ongoing need for the individual's current access authorizations, initiating any necessary access modification or other types of action within an organization-defined period of time, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.4<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-6_Access_agreements\">PS-6 Access agreements<\/span><\/h4>\n<p>This control recommends the organization develop, document, review, and update access agreements for organizational information systems, ensuring that individuals requiring access to the system sign the agreement before accessing the system and re-sign the agreement when the organization updates it, or at a designated frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-7_Third-part_personnel_security\">PS-7 Third-party personnel security<\/span><\/h4>\n<p>This control recommends the organization establish a set of security requirements for third-party personnel. 
Those requirements should elaborate on third-party personnel security roles, responsibilities, and requirements; require said personnel to comply with organizational personnel security policy and procedures; require prompt notification from third-party providers when associated personnel possessing authenticators or credentials and who have access to the system transfer or leave; and compel the organization to monitor provider compliance.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PS-8_Personnel_sanctions\">PS-8 Personnel sanctions<\/span><\/h4>\n<p>This control recommends the organization put into place a formal sanctions process for individuals who fail to comply with organizational information security policies and procedures. When a formal sanction process is initiated, the organization will notify designated personnel or roles within an organization-defined period of time of the sanctions, including who is affected and the reasoning behind the sanctions.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<ol class=\"references\">\n<li id=\"cite_note-LII5CFR-1\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-LII5CFR_1-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106\" target=\"_blank\">\"5 CFR \u00a7 731.106 - Designation of public trust positions and investigative requirements\"<\/a>. <i>Legal Information Institute<\/i>. Cornell<span class=\"printonly\">. 
<a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106\" target=\"_blank\">https:\/\/www.law.cornell.edu\/cfr\/text\/5\/731.106<\/a><\/span><span class=\"reference-accessdate\">. Retrieved 23 July 2020<\/span>.<\/span><\/span>\n<\/li>\n<\/ol><\/div>\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:12100-0!*!*!!en!*!* and timestamp 
20200724203215 and revision id 39902\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Personnel_security<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","7e23c5cb79442a7218e0ee49e2465122_images":[],"7e23c5cb79442a7218e0ee49e2465122_timestamp":1595622735,"de60c9a247b0afb6ba8006efee060baa_type":"article","de60c9a247b0afb6ba8006efee060baa_title":"Appendix 1.12 Planning","de60c9a247b0afb6ba8006efee060baa_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning","de60c9a247b0afb6ba8006efee060baa_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Planning\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\tContents\n\n1 Appendix 1.12 Planning \n\n1.1 PL-1 Security planning policy and procedures \n1.2 PL-2 System security plan \n1.3 PL-4 Rules of behavior \n\n\n2 References \n\n\n\nAppendix 1.12 Planning \nPL-1 Security 
planning policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, page 67\n NIST Special Publications 800-18, Rev. 1\n NIST Special Publications 800-100, pages 67\u201377\n LIMSpec 7.1, 7.2\nPL-2 System security plan \nThis control recommends the organization develop, distribute, review, update, and protect a security plan for its information system. The plan should take into consideration the organization's enterprise architecture and the organization's business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. The plan should be reviewed and approved by designated personnel.\nAdditional resources:\n\n NIST Special Publications 800-18, Rev. 1\n No LIMSpec comp (organizational policy rather than system specification)\nPL-4 Rules of behavior \nThis control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign an acknowledgment of the revised rules.\nAdditional resources:\n\n NIST Special Publications 800-18, Rev. 
1\n No LIMSpec comp (organizational policy rather than system specification)\nReferences \n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning<\/a>\n
\nThis page was last modified on 24 July 2020, at 20:03.\nThis page has been accessed 3 times.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\n","de60c9a247b0afb6ba8006efee060baa_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Planning skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Planning<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.12_Planning\">Appendix 1.12 Planning<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"PL-1_Security_planning_policy_and_procedures\">PL-1 Security planning policy and procedures<\/span><\/h4>\n<p>This control recommends 
the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 67<\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-18\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-18, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-100\/final\" target=\"_blank\">NIST Special Publications 800-100<\/a>, pages 67\u201377<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PL-2_System_security_plan\">PL-2 System security plan<\/span><\/h4>\n<p>This control recommends the organization develop, distribute, review, update, and protect a security plan for its information system. The plan should take into consideration the organization's enterprise architecture and the organization's business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. 
The plan should be reviewed and approved by designated personnel.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-18\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-18, Rev. 1<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PL-4_Rules_of_behavior\">PL-4 Rules of behavior<\/span><\/h4>\n<p>This control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign acknowledgement of the revised rules.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-18\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-18, Rev. 
1<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Planning<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div 
class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","de60c9a247b0afb6ba8006efee060baa_images":[],"de60c9a247b0afb6ba8006efee060baa_timestamp":1595622735,"de7c201aa1750a9acb655e663c6a96f6_type":"article","de7c201aa1750a9acb655e663c6a96f6_title":"Appendix 1.11 Physical and environmental protection","de7c201aa1750a9acb655e663c6a96f6_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection","de7c201aa1750a9acb655e663c6a96f6_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Physical and environmental protection\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\n\t\t\t\t\tContents\n\n1 Appendix 1.11 Physical and environmental protection \n\n1.1 PE-1 Physical and environmental protection policy and procedures \n1.2 PE-2 Physical access authorizations \n1.3 PE-3 Physical access control \n1.4 PE-3 (1) Physical access control: Information system access \n1.5 PE-6 Monitoring physical access \n1.6 PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment \n1.7 PE-6 (4) Monitoring physical access: Monitoring physical access to information systems \n1.8 PE-8 Visitor access records \n1.9 PE-12 Emergency lighting \n1.10 PE-13 Fire protection \n1.11 PE-14 Temperature and humidity controls \n1.12 PE-15 Water damage protection \n1.13 PE-16 Delivery and removal \n\n\n2 References \n\n\n\nAppendix 1.11 Physical and environmental protection \nPE-1 
Physical and environmental protection policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update physical and environmental protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of physical and environmental protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, page 66\n LIMSpec 7.1, 7.2\nPE-2 Physical access authorizations \nThis control recommends the organization develop, approve, and maintain a list of individuals who are vetted and authorized to access the facilities where the system physically resides. Those individuals should be issued credentials to access the facility, and those credentials should be reviewed at a defined frequency. Those individuals who no longer require access to the facility should be removed from the physical access list promptly.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPE-3 Physical access control \nThis control recommends the organization enforce physical access controls throughout the facility where the system physically resides. 
Those controls include verifying individual access authorization before allowing admittance, using access control devices or personnel, maintaining physical access audit logs, providing security safeguards for accessing controlled areas from public areas, escorting visitors, monitoring visitor activity, securing keys and password controls, inventorying physical access devices regularly, and changing keys and password controls when circumstances require.\nAdditional resources:\n\n GSA FIPS 201 Evaluation Program\n GSA Physical Access Control System Guide\n NIST Special Publications 800-73-4\n NIST Special Publications 800-76-2\n NIST Special Publications 800-78-4\n NIST Special Publications 800-116, Rev. 1\n LIMSpec 34.7\nPE-3 (1) Physical access control: Information system access \nThis control enhancement recommends the organization provide, in addition to overall facility access control, a mechanism for physically securing areas within the facility that house critical information system components.\nAdditional resources:\n\n LIMSpec 34.7\nPE-6 Monitoring physical access \nThis control recommends the organization monitor the areas within the facility that house critical information system components for detecting and responding to physical security incidents. The organization should also review physical access logs at a determined frequency or when a security event (or possibility of a security event) is identified. 
Individuals with responsibility for monitoring the system's physical locations should also coordinate with the incident response team in reviews and investigations.\nAdditional resources:\n\n LIMSpec 34.7\nPE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment \nThis control enhancement recommends the organization monitor physical intrusion alarms and surveillance equipment.\nAdditional resources:\n\n LIMSpec 30.9 and 34.7\nPE-6 (4) Monitoring physical access: Monitoring physical access to information systems \nThis control enhancement recommends the organization provide, in addition to overall facility monitoring, a means of monitoring areas within the facility that house critical information system components.\nAdditional resources:\n\n LIMSpec 34.7\nPE-8 Visitor access recorded \nThis control recommends the organization retain visitor access records for the facility housing the physical information system for a designated period of time, reviewing those records at a defined frequency.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPE-12 Emergency lighting \nThis control recommends the organization ensure the facility housing the physical information system employs and maintains automatic emergency lighting that runs from its own independent power supply during a power outage or other type of disruption.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPE-13 Fire protection \nThis control recommends the organization ensure the facility housing the physical information system employs and maintains fire suppression and detection systems that run from their own independent power supply during a fire incident.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPE-14 Temperature and humidity controls \nThis control recommends the organization maintain temperature 
and humidity in the facility housing the physical information system at a defined set of acceptable levels, monitoring those levels at a defined frequency.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPE-15 Water damage protection \nThis control recommends the organization ensure the facility housing the physical information system has emergency water shutoff or isolation valves that are accessible, functional, and clearly marked and known to personnel, with the goal of protecting the system components from water leakage.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nPE-16 Delivery and removal \nThis control recommends the organization ensure any pick-up or drop-off activities of information system components at the facility housing the physical information system are authorized, monitored, and controlled, preferably isolating such activities outside of areas where critical system components or media are located.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nReferences \n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection<\/a>\n\nThis page was last modified on 24 July 2020, at 20:03.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","de7c201aa1750a9acb655e663c6a96f6_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject 
page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Physical_and_environmental_protection skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Physical and environmental protection<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.11_Physical_and_environmental_protection\">Appendix 1.11 Physical and environmental protection<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"PE-1_Physical_and_environmental_protection_policy_and_procedures\">PE-1 Physical and environmental protection policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update physical and environmental protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of physical and environmental protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 
1<\/a>, page 66<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-2_Physical_access_authorizations\">PE-2 Physical access authorizations<\/span><\/h4>\n<p>This control recommends the organization develop, approve, and maintain a list of individuals who are vetted and authorized to access the facilities where the system physically resides. Those individuals should be issued credentials to access the facility, and those credentials should be reviewed at a defined frequency. Those individuals who no longer require access to the facility should be removed from the physical access list promptly.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-3_Physical_access_control\">PE-3 Physical access control<\/span><\/h4>\n<p>This control recommends the organization enact physical access controls through the facility where the system physically resides. 
Those controls include verifying individual access authorization before allowing admittance, using access control devices or personnel, maintaining physical access audit logs, providing security safeguards for accessing controlled areas from public areas, escorting visitors, monitoring visitor activity, securing keys and password controls, inventorying physical access devices regularly, and changing keys and password controls when circumstances require.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.idmanagement.gov\/sell\/fips201\/\" target=\"_blank\">GSA FIPS 201 Evaluation Program<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/pacs.idmanagement.gov\/\" target=\"_blank\">GSA Physical Access Control System Guide<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-73\/4\/final\" target=\"_blank\">NIST Special Publications 800-73-4<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-76\/2\/final\" target=\"_blank\">NIST Special Publications 800-76-2<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-78\/4\/final\" target=\"_blank\">NIST Special Publications 800-78-4<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-116\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-116, Rev. 
1<\/a><\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-3_.281.29_Physical_access_control:_Information_system_access\">PE-3 (1) Physical access control: Information system access<\/span><\/h4>\n<p>This control enhancement recommends the organization provide, in addition to overall facility access control, a mechanism for physically securing areas within the facility that house critical information system components.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-6_Monitoring_physical_access\">PE-6 Monitoring physical access<\/span><\/h4>\n<p>This control recommends the organization monitor the areas within the facility that house critical information system components for detecting and responding to physical security incidents. The organization should also review physical access logs at a determined frequency or when a security event (or possibility of a security event) is identified. 
Individuals with responsibility for monitoring the system's physical locations should also coordinate with the incident response team in reviews and investigations.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-6_.281.29_Monitoring_physical_access:_Intrusion_alarms_and_surveillance_equipment\">PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment<\/span><\/h4>\n<p>This control enhancement recommends the organization monitor physical intrusion alarms and surveillance equipment.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.9<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-6_.284.29_Monitoring_physical_access:_Monitoring_physical_access_to_information_systems\">PE-6 (4) Monitoring physical access: Monitoring physical access to information systems<\/span><\/h4>\n<p>This control enhancement recommends the organization provide, in addition to overall facility monitoring, a means of monitoring areas within the facility that house critical information system components.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-8_Visitor_access_recorded\">PE-8 Visitor access recorded<\/span><\/h4>\n<p>This control recommends the organization retain visitor access records for the facility housing the physical information system for a designated period of time, reviewing those records at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-12_Emergency_lighting\">PE-12 Emergency lighting<\/span><\/h4>\n<p>This control recommends the organization ensure the facility housing the physical information system employs and maintains automatic emergency lighting that runs from its own independent power supply during a power outage or other type of disruption.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-13_Fire_protection\">PE-13 Fire protection<\/span><\/h4>\n<p>This control recommends the organization ensure the facility housing the physical information system employs and maintains fire suppression and detection systems that run from their own independent power supply during a fire incident.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-14_Temperature_and_humidity_controls\">PE-14 Temperature and humidity controls<\/span><\/h4>\n<p>This control recommends the organization maintain temperature and humidity in the facility housing the physical information system at a defined set of acceptable levels, 
monitoring those levels at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-15_Water_damage_protection\">PE-15 Water damage protection<\/span><\/h4>\n<p>This control recommends the organization ensure the facility housing the physical information system has emergency water shutoff or isolation valves that are accessible, functional, and clearly marked and known to personnel, with the goal of protecting the system components from water leakage.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"PE-16_Delivery_and_removal\">PE-16 Delivery and removal<\/span><\/h4>\n<p>This control recommends the organization ensure any pick-up or drop-off activities of information system components at the facility housing the physical information system are authorized, monitored, and controlled, preferably isolating such activities outside of areas where critical system components or media are located.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Physical_and_environmental_protection<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t<\/div>\n<\/body>","de7c201aa1750a9acb655e663c6a96f6_images":[],"de7c201aa1750a9acb655e663c6a96f6_timestamp":1595622734,"84651314d463b0d69afac52a43fca149_type":"article","84651314d463b0d69afac52a43fca149_title":"Appendix 1.10 Media 
protection","84651314d463b0d69afac52a43fca149_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection","84651314d463b0d69afac52a43fca149_plaintext":"Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Media protection\nFrom LIMSWiki\n\nContents\n\n1 Appendix 1.10 Media protection \n\n1.1 MP-1 Media protection policy and procedures \n1.2 MP-2 Media access \n1.3 MP-6 Media sanitization \n1.4 MP-7 Media use \n\n\n2 References \n\n\n\nAppendix 1.10 Media protection \nMP-1 Media protection policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, page 65\n NIST Special Publications 800-88, Rev. 1\n LIMSpec 7.1, 7.2\nMP-2 Media access \nThis control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. 
This will most likely apply to media that contains sensitive, protected, or confidential data.\nAdditional resources:\n\n LIMSpec 30.9 and 34.7\nMP-6 Media sanitization \nThis control recommends the organization sanitize specified system media using authorized techniques prior to the media being disposed of, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.\nAdditional resources:\n\n NIST Special Publications 800-60, Vol. 1, Rev. 1\n NIST Special Publications 800-60, Vol. 2, Rev. 1\n NIST Special Publications 800-88, Rev. 1\n NSA\/CSS Media Destruction Guidance\n No LIMSpec comp (organizational policy rather than system specification)\nMP-7 Media use \nThis control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that \"[i]n contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives\" on the system or its subsystems.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nReferences \n\nSource: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection<\/a>\n\nThis page was last modified on 24 July 2020, at 20:02.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","84651314d463b0d69afac52a43fca149_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Media_protection skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Media protection<\/h1>\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.10_Media_protection\">Appendix 1.10 Media protection<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"MP-1_Media_protection_policy_and_procedures\">MP-1 Media protection policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, 
review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 65<\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-88\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-88, Rev. 1<\/a><\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MP-2_Media_access\">MP-2 Media access<\/span><\/h4>\n<p>This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. 
This will most likely apply to media that contains sensitive, protected, or confidential data.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.9<\/a> and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MP-6_Media_sanitization\">MP-6 Media sanitization<\/span><\/h4>\n<p>This control recommends the organization sanitize specified system media using authorized techniques prior to the media being disposed of, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-1-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 1, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-60\/vol-2-rev-1\/final\" target=\"_blank\">NIST Special Publications 800-60, Vol. 2, Rev. 1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-88\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-88, Rev. 
1<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction\/\" target=\"_blank\">NSA\/CSS Media Destruction Guidance<\/a><\/li>\n<li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MP-7_Media_use\">MP-7 Media use<\/span><\/h4>\n<p>This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that \"[i]n contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives\" on the system or its subsystems.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Media_protection<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t<\/div>\n<\/body>","84651314d463b0d69afac52a43fca149_images":[],"84651314d463b0d69afac52a43fca149_timestamp":1595622734,"5f8a3d8c562fa4abe9299c262e8679f0_type":"article","5f8a3d8c562fa4abe9299c262e8679f0_title":"Appendix 1.9 Maintenance","5f8a3d8c562fa4abe9299c262e8679f0_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Maintenance","5f8a3d8c562fa4abe9299c262e8679f0_plaintext":"Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to 
LIMSpec\/Maintenance\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\n\t\t\t\t\t\n\t\t\t\t\tContents\n\n1 Appendix 1.9 Maintenance \n\n1.1 MA-1 System maintenance policy and procedures \n1.2 MA-2 Controlled maintenance \n1.3 MA-2 (2) Controlled maintenance: Automated maintenance activities \n1.4 MA-4 Non-local maintenance \n1.5 MA-5 Maintenance personnel \n1.6 MA-6 Timely maintenance \n1.7 MA-6 (1) Timely maintenance: Preventative maintenance \n1.8 MA-6 (2) Timely maintenance: Predictive maintenance \n\n\n2 References \n\n\n\nAppendix 1.9 Maintenance \nMA-1 System maintenance policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, page 50\n LIMSpec 7.1, 7.2\nMA-2 Controlled maintenance \nThis control recommends the organization apply a \"controlled maintenance\" approach to its system. Not only should maintenance be regularly scheduled, performed, and thoroughly documented, but it should also be in line with manufacturer, vendor, or organizational requirements. The maintenance should go through an approval and monitoring process whether conducted on- or off-site. Any off-site work will require proper data sanitization. After maintenance, the components and the system should be checked to ensure that all implemented controls still function as expected.\nAdditional resources:\n\n NIST Special Publications 800-88, Rev. 
1\n LIMSpec 10.7, 10.10, and 10.15\nMA-2 (2) Controlled maintenance: Automated maintenance activities \nThis control enhancement recommends the organization employ (or, ensure the system employs) some type of automation in scheduling, conducting, and\/or documenting maintenance and repairs. That automated process should also ensure that all related documentation is complete and accurate in regards to requested, scheduled, processed, and completed maintenance and repair actions.\nAdditional resources:\n\n LIMSpec 10.7, 10.10, and 10.15\nMA-4 Non-local maintenance \nThis control recommends the organization place strong controls on non-local maintenance and diagnostics of the system or its components. \"Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through either an external network (e.g., the Internet) or an internal network.\" Those controls include approving, monitoring, and thoroughly documenting non-local maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.\nAdditional resources:\n\n NIST Special Publications 800-63-3\n NIST Special Publications 800-88, Rev. 1\n LIMSpec 10.15, 32.25, 34.4, and 35.3\nMA-5 Maintenance personnel \nThis control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. 
It additionally recommends a policy ensuring that those authorized personnel or organizations hold the appropriate security authorizations and that designated supervisory personnel are assigned to them when on-site.\nAdditional resources:\n\n LIMSpec 34.7\nMA-6 Timely maintenance \nThis control recommends the organization designate a time frame within which maintenance support or replacement component acquisition must take place after a system component failure. This will likely involve identifying the system components that are critical to maintaining system operations and organizational goals. \nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nMA-6 (1) Timely maintenance: Preventative maintenance \nThis control enhancement recommends the organization take a preventative maintenance approach to its system and components, scheduling specific preventative maintenance actions on specified system components at a defined frequency.\nAdditional resources:\n\n LIMSpec 10.10\nMA-6 (2) Timely maintenance: Predictive maintenance \nThis control enhancement recommends the organization take a predictive maintenance approach to its system and components. 
This essentially means using \"principles of statistical process control to determine at what point in the future maintenance activities will be appropriate,\" particularly \"when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold.\"\nAdditional resources:\n\n LIMSpec 30.5\nReferences \n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Maintenance\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Maintenance<\/a>\n\nThis page was last modified on 24 July 2020, at 20:01.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","5f8a3d8c562fa4abe9299c262e8679f0_html":"<body class=\"mediawiki ltr sitedir-ltr ns-208 ns-subject page-Book_Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan_A_simplified_description_of_NIST_Special_Publication_800-53_controls_with_ties_to_LIMSpec_Maintenance skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Maintenance<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div 
id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n\n<h3><span class=\"mw-headline\" id=\"Appendix_1.9_Maintenance\">Appendix 1.9 Maintenance<\/span><\/h3>\n<h4><span class=\"mw-headline\" id=\"MA-1_System_maintenance_policy_and_procedures\">MA-1 System maintenance policy and procedures<\/span><\/h4>\n<p>This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance action but also to address how those policies and procedures will be implemented, reviewed, and updated. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-12\/rev-1\/final\" target=\"_blank\">NIST Special Publications 800-12, Rev. 1<\/a>, page 50<\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management\" data-key=\"bcf5a1a7889d790ddf235128d9a8e317\">LIMSpec 7.1, 7.2<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MA-2_Controlled_maintenance\">MA-2 Controlled maintenance<\/span><\/h4>\n<p>This control recommends the organization apply a \"controlled maintenance\" approach to its system. Not only should maintenance be regularly scheduled, performed, and thoroughly documented, but it should also be in line with manufacturer, vendor, or organizational requirements. The maintenance should go through an approval and monitoring process whether conducted on- or off-site. Any off-site work will require proper data sanitization. 
After maintenance, the components and the system should be checked to ensure that all implemented controls still function as expected.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-63\/3\/final\" target=\"_blank\">NIST Special Publications 800-88, Rev. 1<\/a><\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management\" data-key=\"bff44fcebcd26459117e31bbd8c99ea1\">LIMSpec 10.7, 10.10, and 10.15<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MA-2_.282.29_Controlled_maintenance:_Automated_maintenance_activities\">MA-2 (2) Controlled maintenance: Automated maintenance activities<\/span><\/h4>\n<p>This control enhancement recommends the organization employ (or, ensure the system employs) some type of automation in scheduling, conducting, and\/or documenting maintenance and repairs. That automated process should also ensure that all related documentation is complete and accurate in regards to requested, scheduled, processed, and completed maintenance and repair actions.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management\" data-key=\"bff44fcebcd26459117e31bbd8c99ea1\">LIMSpec 10.7, 10.10, and 10.15<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MA-4_Non-local_maintenance\">MA-4 Non-local maintenance<\/span><\/h4>\n<p>This control recommends the organization place strong controls on non-local maintenance and diagnostics of the system or its components. 
\"Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through either an external network (e.g., the Internet) or an internal network.\" Those controls include approving, monitoring, and thoroughly documenting non-local maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-63\/3\/final\" target=\"_blank\">NIST Special Publications 800-63-3<\/a><\/li>\n<li> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-63\/3\/final\" target=\"_blank\">NIST Special Publications 800-88, Rev. 
1<\/a><\/li>\n<li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management\" data-key=\"bff44fcebcd26459117e31bbd8c99ea1\">LIMSpec 10.15<\/a>, <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management\" data-key=\"e972c3ebbff256d2241b0ba5e3831389\">32.25<\/a>, <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">34.4<\/a>, and <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity\" data-key=\"46f38a22c13a626b571bac684fbf12ae\">35.3<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MA-5_Maintenance_personnel\">MA-5 Maintenance personnel<\/span><\/h4>\n<p>This control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. 
It additionally recommends a policy ensuring that those authorized personnel or organizations hold the appropriate security authorizations and that designated supervisory personnel are assigned to them when on-site.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Security_and_Integrity_of_Systems_and_Operations#34._System_administration\" data-key=\"4e61932b867065094a0b64f809b55574\">LIMSpec 34.7<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MA-6_Timely_maintenance\">MA-6 Timely maintenance<\/span><\/h4>\n<p>This control recommends the organization designate a time frame within which maintenance support or replacement component acquisition must take place after a system component failure. This will likely involve identifying the system components that are critical to maintaining system operations and organizational goals. \n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> No LIMSpec comp (organizational policy rather than system specification)<\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MA-6_.281.29_Timely_maintenance:_Preventative_maintenance\">MA-6 (1) Timely maintenance: Preventative maintenance<\/span><\/h4>\n<p>This control enhancement recommends the organization take a preventative maintenance approach to its system and components, scheduling specific preventative maintenance actions on specified system components at a defined frequency.\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management\" data-key=\"bff44fcebcd26459117e31bbd8c99ea1\">LIMSpec 10.10<\/a><\/li><\/ul>\n<h4><span class=\"mw-headline\" id=\"MA-6_.282.29_Timely_maintenance:_Predictive_maintenance\">MA-6 (2) Timely maintenance: Predictive maintenance<\/span><\/h4>\n<p>This control enhancement recommends the 
organization take a predictive maintenance approach to its system and components. This essentially means using \"principles of statistical process control to determine at what point in the future maintenance activities will be appropriate,\" particularly \"when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold.\"\n<\/p><p><b>Additional resources<\/b>:\n<\/p>\n<ul><li> <a rel=\"nofollow\" class=\"external text wiki-link\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:LIMSpec\/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems\" data-key=\"8ebbeb8bfec6319a409d1d0afffa6cbf\">LIMSpec 30.5<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<\/div>\n\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Maintenance\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Maintenance<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","5f8a3d8c562fa4abe9299c262e8679f0_images":[],"5f8a3d8c562fa4abe9299c262e8679f0_timestamp":1595622734,"7fa975e8927c31389b4124da08625ca9_type":"article","7fa975e8927c31389b4124da08625ca9_title":"Appendix 1.8 Incident response","7fa975e8927c31389b4124da08625ca9_url":"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Incident_response","7fa975e8927c31389b4124da08625ca9_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tBook:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan\/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec\/Incident response\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\n\t\t\t\t\t\n\t\t\t\t\tContents\n\n1 Appendix 1.8 Incident response \n\n1.1 IR-1 Incident response policy and procedures \n1.2 IR-2 Incident response training \n1.3 IR-4 Incident handling \n1.4 IR-4 (1) Incident handling: Automated incident handling processes \n1.5 IR-5 Incident monitoring \n1.6 IR-6 Incident reporting \n1.7 IR-6 (1) 
Incident reporting: Automated reporting \n1.8 IR-7 Incident response assistance \n1.9 IR-8 Incident response plan \n\n\n2 References \n\n\n\nAppendix 1.8 Incident response \nIR-1 Incident response policy and procedures \nThis control recommends the organization develop, document, disseminate, review, and update incident response policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of incident response action but also to address how those policies and procedures will be implemented, reviewed, and updated. \nAdditional resources:\n\n NIST Special Publications 800-12, Rev. 1, page 64\n NIST Special Publications 800-61, Rev. 2\n NIST Special Publications 800-83, Rev. 1\n NIST Special Publications 800-100, pages 124\u201330\n LIMSpec 7.1, 7.2\nIR-2 Incident response training \nThis control recommends the organization provide incident response training to those system users with roles and responsibilities tied to incident response and, more broadly, business continuity planning. That training should occur initially, within an organization-defined period of time upon taking on a related role or responsibility, and when required by major changes to the system. Follow-up training should be conducted at a defined frequency afterwards.\nAdditional resources:\n\n NIST Special Publications 800-16\n NIST Special Publications 800-50\n LIMSpec 8.3, 8.5, and 8.7\nIR-4 Incident handling \nThis control recommends the organization, as part of its incident response planning (see IR-8), address how it will engage in preparation, detection and analysis, containment, eradication, and recovery from a security incident. 
The organization should also link its incident handling with its contingency planning activities and update its incident and business continuity plans, as well as affected training regimens, with \"lessons learned\" from internal and external events.\nAdditional resources:\n\n NIST Special Publications 800-61, Rev. 2\n No LIMSpec comp (organizational policy rather than system specification)\nIR-4 (1) Incident handling: Automated incident handling processes \nThis control enhancement recommends the organization employ automated mechanisms to better handle incident response initiatives. NIST gives the example of online incident management systems as a possible automated tool to use.\nAdditional resources:\n\n LIMSpec 16.7\nIR-5 Incident monitoring \nThis control recommends the organization track and document security incidents affecting the system. For these purposes, the organization may consider pulling information from \"incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user\/administrator reports.\"\nAdditional resources:\n\n NIST Special Publications 800-61, Rev. 2\n LIMSpec 16.6 and 16.7\nIR-6 Incident reporting \nThis control recommends the organization require security incidents, suspected and real, and any relevant information to be reported to the appropriate organizational personnel within a certain period of time.\nAdditional resources:\n\n NIST Special Publications 800-61, Rev. 2\n LIMSpec 6.8\nIR-6 (1) Incident reporting: Automated reporting \nThis control enhancement recommends the organization employ automated mechanisms to better handle reporting of security incidents. 
These automated mechanisms would likely be tied to existing monitoring controls.\nAdditional resources:\n\n LIMSpec 6.8\nIR-7 Incident response assistance \nThis control recommends the organization provide support resources that offer advice and assistance to system users confronted with handling and reporting security incidents. Those support resources could come in the form of a help desk, a responsible individual designated in the incident response plan, or in-house or third-party forensic services.\nAdditional resources:\n\n No LIMSpec comp (organizational policy rather than system specification)\nIR-8 Incident response plan \nThis control recommends the organization develop, document, disseminate, review, update, and protect an organizational incident response plan. That plan should be sophisticated enough to contain a roadmap for implementing it, including how the overall plan meshes with business and cybersecurity goals, the resources and responsible individuals that are part of the plan, what should be reportable, and what the associated metrics will be for measuring incident response and its aftermath. The plan should be reviewed and approved by one or more designated personnel, usually leadership or management. Any changes to the plan should be communicated to appropriate personnel, and any affected training should be updated.\nAdditional resources:\n\n NIST Special Publications 800-61, Rev. 
2\n No LIMSpec comp (organizational policy rather than system specification)\nReferences \n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Incident_response\">https:\/\/www.limswiki.org\/index.php\/Book:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan\/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec\/Incident_response<\/a>\n\nThis page was last modified on 24 July 2020, at 20:01.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","7fa975e8927c31389b4124da08625ca9_html":"<body class=\"mediawiki ltr sitedir-ltr ns