Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.10 Media protection"
Shawndouglas (talk | contribs) (Created as needed.) |
Shawndouglas (talk | contribs) (Updated for 2023.) |
||
| Line 1: | Line 1: | ||
===Appendix 1.10 Media protection=== | ===Appendix 1.10 Media protection=== | ||
====MP-1 | ====MP-1 Policy and procedures==== | ||
This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. | This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated. | ||
| Line 6: | Line 6: | ||
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 65 | * [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 65 | ||
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1] | * [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1] | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7. | * [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2] | ||
====MP-2 Media access==== | ====MP-2 Media access==== | ||
| Line 12: | Line 12: | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems | * [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.9] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.7] | ||
====MP-6 Media sanitization==== | ====MP-6 Media sanitization==== | ||
| Line 21: | Line 21: | ||
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1] | * [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1] | ||
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1] | * [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1] | ||
* [https://www.nsa.gov/ | * [https://www.nsa.gov/Resources/Media-Destruction-Guidance/ NSA/CSS Media Destruction Guidance] | ||
* No LIMSpec comp (organizational policy rather than system specification) | * No LIMSpec comp (organizational policy rather than system specification) | ||
====MP-7 Media use==== | ====MP-7 Media use==== | ||
This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, | This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on information systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives" on the system or its subsystems. | ||
'''Additional resources''': | '''Additional resources''': | ||
* No LIMSpec comp (organizational policy rather than system specification) | * No LIMSpec comp (organizational policy rather than system specification) | ||
Latest revision as of 15:57, 21 March 2023
Appendix 1.10 Media protection
MP-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, page 65
- NIST Special Publications 800-88, Rev. 1
- LIMSpec 7.1, 7.2
MP-2 Media access
This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data contained on the media.
Additional resources:
- LIMSpec 30.9 and 34.7
MP-6 Media sanitization
This control recommends the organization sanitize specified system media using authorized techniques prior to being disposed, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.
Additional resources:
- NIST Special Publications 800-60, Vol. 1, Rev. 1
- NIST Special Publications 800-60, Vol. 2, Rev. 1
- NIST Special Publications 800-88, Rev. 1
- NSA/CSS Media Destruction Guidance
- No LIMSpec comp (organizational policy rather than system specification)
MP-7 Media use
This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on information systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives" on the system or its subsystems.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
