Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/System and information integrity
Appendix 1.19 System and information integrity
SI-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update system and information integrity policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
SI-2 Flaw remediation
This control recommends the organization identify, report, and correct flaws in the information system. When attempting to correct a flaw with a software or firmware update, the organization should first test the effectiveness and potential side effects of the update before installing on the operational system. The organization should agree to update flaws within an organization-defined time period after the release of the update, and incorporate flaw remediation into the organization's existing configuration management processes and procedures.
Additional resources:
SI-2 (5) Flaw remediation: Automatic software and firmware updates
This control enhancement recommends the organization selectively employ automatic mechanisms for the installation of specified security-relevant software and firmware updates to specified system components (or across the entire system).
Additional resources:
SI-3 Malicious code protection
This control recommends the organization employ, configure, and regularly update malicious code protection mechanisms at information system entry and exit points. The configuration of these mechanisms should allow for periodic scans of the system at a defined frequency, as well as real-time scans of external files, and should also block malicious code, quarantine it, and/or send alerts to an administrator or specific organizational role. The mechanisms should also allow the organization to manage false positives and their potential impact on the system.
Additional resources:
- NIST Special Publications 800-83, Rev. 1
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
SI-4 System monitoring
This control recommends the organization employ various forms of monitoring on the system in order to detect attacks, unauthorized local, network, and remote connections; and unauthorized processes, either actual or indications of. The forms of monitoring used should deployed strategically with the system and at ad hoc locations, and those forms of monitoring should be vetted with legal opinion in regard to their adherence to laws and regulations. The organization should protect protect information gained from monitoring the system and heighten the level of monitoring when indications exist of increased risk to the system. Finally, the organization should disseminate monitoring information to designated personnel or roles as needed or at a defined frequency.
Additional resources:
- NIST Special Publications 800-61, Rev. 2
- NIST Special Publications 800-83, Rev. 1
- NIST Special Publications 800-92
- NIST Special Publications 800-94
- NIST Special Publications 800-137
- LIMSpec 16.7 and 31.8
SI-4 (5) System monitoring: System-generated alerts
This control enhancement recommends the system send alerts to designated personnel or roles when any of a list of organization-defined indications of compromise or potential compromise occur.
Additional resources:
SI-4 (7) System monitoring: Automated response to suspicious alerts
This control enhancement recommends the system send alerts to designated personnel or roles when a suspicious event is detected and then take the least-disruptive action from a list of organizational-defined actions in order to terminate the suspicious event.
Additional resources:
SI-5 Security alerts, advisories, and directives
This control recommends the organization choose a source for system security alerts, advisories, and directives and receive regular updates from the source. Additionally, the organization should generate their own internal security alerts, advisories, and directives when necessary. In all cases, this received and generated information should be disseminated to defined personnel, roles, groups, external organizations, etc. Of course, the organization should also act upon the information received, implementing a fix within an established time frame, notifying a designated individual or role of any degree of noncompliance.
Additional resources:
- NIST Special Publications 800-40, Rev. 4
- No LIMSpec comp (organizational policy rather than system specification)
SI-12 Information management and retention
This control recommends the organization manage and retain information stored and transmitted within the system according to law, regulation, standards, and operational requirements.
Additional resources:
SI-16 Memory protection
This control recommends the organization choose and employ hardware- or software-enforced security safeguards into the system that protect its memory from unauthorized code execution. Safeguards might include methods such as data execution prevention and address space layout randomization.
Additional resources:
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
SI-19 De-identification
This control recommends the system have a means of de-identifying personally identifiable information from datasets while also allowing for evaluation of the effectiveness of those means. NIST notes that "[r]e-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics."
Additional resources:
SI-19 (7) De-identification: Validated algorithms and software
This control enhancement recommends that any de-identification algorithms, software, or software modules be validated to be working as intended.
Additional resources: