Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Planning
Appendix 1.12 Planning
PL-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, page 67
- NIST Special Publications 800-18, Rev. 1
- NIST Special Publications 800-100, pages 67–77
- LIMSpec 7.1, 7.2
PL-2 System security and privacy plans
This control recommends the organization develop, distribute, review, update, and protect security and privacy plans for its information system. The plans should take into consideration the organization's enterprise architecture and the organizations business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. The plans should be reviewed and approved by designated personnel, as well as protected from unauthorized access and modification.
Additional resources:
- NIST Special Publications 800-18, Rev. 1
- No LIMSpec comp (organizational policy rather than system specification)
PL-4 Rules of behavior
This control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign acknowledgement of the revised rules.
Additional resources:
- NIST Special Publications 800-18, Rev. 1
- No LIMSpec comp (organizational policy rather than system specification)
