Difference between revisions of "Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan"

From LIMSWiki
(Created as needed.)
 
(Updated for 2023.)
 
Line 1: Line 1:
{{Saved book
{{Saved book
  |title=Comprehensive Guide to Developing and Implementing a Cybersecurity Plan, Edition 1.0
  |title=Comprehensive Guide to Developing and Implementing a Cybersecurity Plan, Second Edition
  |subtitle=By Shawn E. Douglas
  |subtitle=By Shawn E. Douglas
  |cover-image=Innovation & Research Symposium Cisco and Ecole Polytechnique 9-10 April 2018 Artificial Intelligence & Cybersecurity (40631791164).jpg
  |cover-image=Innovation & Research Symposium Cisco and Ecole Polytechnique 9-10 April 2018 Artificial Intelligence & Cybersecurity (40631791164).jpg
Line 11: Line 11:
'''Title''': ''Comprehensive Guide to Developing and Implementing a Cybersecurity Plan''
'''Title''': ''Comprehensive Guide to Developing and Implementing a Cybersecurity Plan''


'''Edition''': First
'''Edition''': Second


'''Author for citation''': Shawn E. Douglas
'''Author for citation''': Shawn E. Douglas
Line 17: Line 17:
'''License for content''': [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International]
'''License for content''': [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International]


'''Publication date''': July 2020
'''Publication date''': March 2023




Look across the internet and you will find a wealth of [[information]] about [[cybersecurity]] and the cybersecurity plan. However, much of that information is either disparate or, if comprehensive, difficult to access or expensive to acquire. In particular, a walk-through of the various steps involved with how an organization or individual develops, enforces, and maintains a cybersecurity plan is difficult to come by. This guide attempts to fill that gap, including not only a 10-step walk-through but also insight into regulations, standards, and cybersecurity standards frameworks, as well as how they all fit together with cybersecurity planning. Additionally, this document provides access to ''[[:File:An Example Cybersecurity Plan - Shawn Douglas - v1.0.pdf|An Example Cybersecurity Plan]]'', a companion document that provides a representative example of the 10-step walk-through put to use. This guide also includes a slightly simplified version of many of the security controls found in the National Institute of Standards and Technology's (NIST) Special Publication 800-53, Rev. 4, with additional resources to provide context, and mappings to [[Book:LIMSpec 2019 R1|LIMSpec]], an evolving set of specifications for laboratory informatics solutions and their development. The guide attempts to be helpful to most any organization attempting to navigate the challenges of cybersecurity planning, with a slight bias towards [[Laboratory|laboratories]] implementing and updating information systems.
Look across the internet and you will find a wealth of [[information]] about [[cybersecurity]] and the cybersecurity plan. However, much of that information is either disparate or, if comprehensive, difficult to access or expensive to acquire. In particular, a walk-through of the various steps involved with how an organization or individual develops, enforces, and maintains a cybersecurity plan is difficult to come by. This guide attempts to fill that gap, including not only a 10-step walk-through but also insight into regulations, standards, and cybersecurity standards frameworks, as well as how they all fit together with cybersecurity planning. Additionally, this document provides access to ''[[:File:An Example Cybersecurity Plan - Shawn Douglas - v1.1.pdf|An Example Cybersecurity Plan]]'', a companion document that provides a representative example of the 10-step walk-through put to use. This guide also includes a slightly simplified version of many of the security controls found in the National Institute of Standards and Technology's (NIST) Special Publication 800-53, Rev. 5, with additional resources to provide context, and mappings to [[Book:LIMSpec 2019 R1|LIMSpec]], an evolving set of specifications for laboratory informatics solutions and their development. The guide attempts to be helpful to most any organization attempting to navigate the challenges of cybersecurity planning, with a slight bias towards [[Laboratory|laboratories]] implementing and updating information systems.
 
The second edition updates citations and statistics, as well as grammar. The first edition was released months prior to the NIST 800-53 update from Rev. 4 to 5; this edition is updated throughout to address the changes in that framework to Rev. 5, including Appendix 1.


(NOTE: The PDF output of this guide fails to properly list the references. To see the original document, with references, see [[LII:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan|here]].)
(NOTE: The PDF output of this guide fails to properly list the references. To see the original document, with references, see [[LII:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan|here]].)
Line 32: Line 34:
;3. Fitting a cybersecurity standards framework into a cybersecurity plan
;3. Fitting a cybersecurity standards framework into a cybersecurity plan
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Fitting a cybersecurity standards framework into a cybersecurity plan/How do cybersecurity controls and frameworks guide plan development?|3.1 How do cybersecurity controls and frameworks guide plan development?]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Fitting a cybersecurity standards framework into a cybersecurity plan/How do cybersecurity controls and frameworks guide plan development?|3.1 How do cybersecurity controls and frameworks guide plan development?]]
;4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework
;4. NIST Special Publication 800-53, Revision 5 and the NIST Cybersecurity Framework
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework/NIST Cybersecurity Framework|4.1 NIST Cybersecurity Framework]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/NIST Special Publication 800-53, Revision 5 and the NIST Cybersecurity Framework/NIST Cybersecurity Framework|4.1 NIST Cybersecurity Framework]]
;5. Develop and create the cybersecurity plan
;5. Develop and create the cybersecurity plan
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Develop and create the cybersecurity plan/Develop strategic cybersecurity goals and define success|5.1 Develop strategic cybersecurity goals and define success]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Develop and create the cybersecurity plan/Develop strategic cybersecurity goals and define success|5.1 Develop strategic cybersecurity goals and define success]]
Line 51: Line 53:
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Awareness and training|Appendix 1.2 Awareness and training]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Awareness and training|Appendix 1.2 Awareness and training]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Audit and accountability|Appendix 1.3 Audit and accountability]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Audit and accountability|Appendix 1.3 Audit and accountability]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Security assessment and authorization|Appendix 1.4 Security assessment and authorization]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Assessment, authorization, and monitoring|Appendix 1.4 Assessment, authorization, and monitoring]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Configuration management|Appendix 1.5 Configuration management]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Configuration management|Appendix 1.5 Configuration management]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Contingency planning|Appendix 1.6 Contingency planning]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Contingency planning|Appendix 1.6 Contingency planning]]
Line 60: Line 62:
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Physical and environmental protection|Appendix 1.11 Physical and environmental protection]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Physical and environmental protection|Appendix 1.11 Physical and environmental protection]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Planning|Appendix 1.12 Planning]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Planning|Appendix 1.12 Planning]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Personnel security|Appendix 1.13 Personnel security]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Program management|Appendix 1.13 Program management]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Risk assessment|Appendix 1.14 Risk assessment]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Personnel security|Appendix 1.14 Personnel security]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/System and services acquisition|Appendix 1.15 System and services acquisition]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Personally identifiable information processing and transparency|Appendix 1.15 Personally identifiable information processing and transparency]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/System and communications protection|Appendix 1.16 System and communications protection]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Risk assessment|Appendix 1.16 Risk assessment]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/System and information integrity|Appendix 1.17 System and information integrity]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/System and services acquisition|Appendix 1.17 System and services acquisition]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/System and communications protection|Appendix 1.18 System and communications protection]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/System and information integrity|Appendix 1.19 System and information integrity]]
:[[Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Supply chain risk management|Appendix 1.20 Supply chain risk management]]

Latest revision as of 19:02, 21 March 2023

Comprehensive Guide to Developing and Implementing a Cybersecurity Plan, Second Edition
By Shawn E. Douglas
Cover image: Innovation & Research Symposium Cisco and Ecole Polytechnique 9-10 April 2018 Artificial Intelligence & Cybersecurity (40631791164).jpg
This is a LIMSwiki book, a collection of LIMSwiki articles that can be easily saved, rendered electronically, and ordered as a printed book.



Title: Comprehensive Guide to Developing and Implementing a Cybersecurity Plan

Edition: Second

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: March 2023


Look across the internet and you will find a wealth of information about cybersecurity and the cybersecurity plan. However, much of that information is either disparate or, if comprehensive, difficult to access or expensive to acquire. In particular, a walk-through of the various steps involved in how an organization or individual develops, enforces, and maintains a cybersecurity plan is difficult to come by. This guide attempts to fill that gap, including not only a 10-step walk-through but also insight into regulations, standards, and cybersecurity standards frameworks, as well as how they all fit together with cybersecurity planning. Additionally, this document provides access to An Example Cybersecurity Plan, a companion document that provides a representative example of the 10-step walk-through put to use. This guide also includes a slightly simplified version of many of the security controls found in the National Institute of Standards and Technology's (NIST) Special Publication 800-53, Rev. 5, with additional resources to provide context, and mappings to LIMSpec, an evolving set of specifications for laboratory informatics solutions and their development. The guide attempts to be helpful to almost any organization attempting to navigate the challenges of cybersecurity planning, with a slight bias towards laboratories implementing and updating information systems.

The second edition updates citations and statistics, as well as grammar. The first edition was released months prior to the NIST 800-53 update from Rev. 4 to 5; this edition is updated throughout to address the changes in that framework to Rev. 5, including Appendix 1.

(NOTE: The PDF output of this guide fails to properly list the references. To see the original document, with references, see here.)

About this book
Introduction
1. What is a cybersecurity plan and why do you need it?
1.1 Cybersecurity planning and its value
2. What are the major regulations and standards dictating cybersecurity action?
2.1 Cybersecurity standards frameworks
3. Fitting a cybersecurity standards framework into a cybersecurity plan
3.1 How do cybersecurity controls and frameworks guide plan development?
4. NIST Special Publication 800-53, Revision 5 and the NIST Cybersecurity Framework
4.1 NIST Cybersecurity Framework
5. Develop and create the cybersecurity plan
5.1 Develop strategic cybersecurity goals and define success
5.2 Define scope and responsibilities
5.3 Identify cybersecurity requirements and objectives
5.4 Establish performance indicators and associated time frames
5.5 Identify key stakeholders
5.6 Determine resource needs
5.7 Develop a communications plan
5.8 Develop a response and continuity plan
5.9 Establish how the overall cybersecurity plan will be implemented
5.10 Review progress
6. Closing remarks
6.1 Recap and closing
Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec
Appendix 1.1 Access control
Appendix 1.2 Awareness and training
Appendix 1.3 Audit and accountability
Appendix 1.4 Assessment, authorization, and monitoring
Appendix 1.5 Configuration management
Appendix 1.6 Contingency planning
Appendix 1.7 Identification and authentication
Appendix 1.8 Incident response
Appendix 1.9 Maintenance
Appendix 1.10 Media protection
Appendix 1.11 Physical and environmental protection
Appendix 1.12 Planning
Appendix 1.13 Program management
Appendix 1.14 Personnel security
Appendix 1.15 Personally identifiable information processing and transparency
Appendix 1.16 Risk assessment
Appendix 1.17 System and services acquisition
Appendix 1.18 System and communications protection
Appendix 1.19 System and information integrity
Appendix 1.20 Supply chain risk management