Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Planning

From LIMSWiki
Jump to navigationJump to search

Appendix 1.12 Planning

PL-1 Policy and procedures

This control recommends the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

PL-2 System security and privacy plans

This control recommends the organization develop, distribute, review, update, and protect security and privacy plans for its information system. The plans should take into consideration the organization's enterprise architecture and the organizations business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. The plans should be reviewed and approved by designated personnel, as well as protected from unauthorized access and modification.

Additional resources:

PL-4 Rules of behavior

This control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign acknowledgement of the revised rules.

Additional resources: