Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.4 Security assessment and authorization"

From LIMSWiki
Jump to navigationJump to search
(Created as needed.)
 
(Updated for 2023.)
 
Line 1: Line 1:
===Appendix 1.4  Security assessment and authorization===
===Appendix 1.4  Assessment, authorization, and monitoring===
====CA-1 Security assessment and authorization policy and procedures====
====CA-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update security assessment and authorization policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security assessment and authorization action but also to address how those policies and procedures will be implemented, reviewed, and updated.  
This control recommends the organization develop, document, disseminate, review, and update security assessment and authorization policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security assessment and authorization action but also to address how those policies and procedures will be implemented, reviewed, and updated.  


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 60–61
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 60–61
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final NIST Special Publications 800-53A, Rev. 5]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 96–112
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 96–112
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]


====CA-2 Security assessments====
====CA-2 Control assessments====
This control recommends the organization develop, document, disseminate, review, and update a security assessment plan. This plan is focused on helping the organization ensure the assessment procedures, environment, team, roles, and responsibilities are defined and the security controls are correctly implemented, operating as intended, and meeting the established security requirements. The assessments should happen at defined frequency. Additionally, the organization is encouraged to report on the results of the implemented plan and corresponding assessments, disseminating the results to authorized personnel or roles.
This control recommends the organization develop, document, disseminate, review, and update a control assessment plan. This plan is focused on helping the organization ensure the assessment procedures, environment, team, roles, and responsibilities are defined and the security controls are correctly implemented, operating as intended, and meeting the established security requirements. The assessments should happen at defined frequency. Additionaally, the organization is encouraged to report on the results of the implemented plan and corresponding assessments, disseminating the results to authorized personnel or roles.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final NIST Special Publications 800-53A, Rev. 5]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-2 (1) Security assessments: Independent assessors====
====CA-2 (1) Control assessments: Independent assessors====
This control enhancement recommends the organization employ some type of independent assessment team with a predetermined level of required independence to conduct security control assessments. that Ensuring the team is free from perceived or actual conflict of interest is important, and NIST adds that "[o]rganizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments."
This control enhancement recommends the organization employ some type of independent assessment team with a predetermined level of required independence to conduct security control assessments. Ensuring the team is free from perceived or actual conflict of interest is important, and NIST adds that "[a]ssessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."


'''Additional resources''':
'''Additional resources''':
Line 28: Line 28:
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-3 System interconnections====
====CA-3 Information exchange====
This control recommends the organization should explicitly authorize, document, review, and update interconnection security agreements (ISA) or system-based security plans, as they relate to the interconnection of information systems in the organization. Separately, in NIST SP 800-47, at D-1, NIST defines an ISA an an established agreement between owner-operators of connected IT systems to document and agree to the technical requirements associated with any interconnections between the organizations' systems. However, NIST notes, "[i]f interconnecting systems have the same authorizing official, organizations do not need to develop interconnection security agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans."
This control recommends the organization should explicitly authorize, document, review, and update interconnection security agreements (ISA) or system-based security plans, as they relate to the interconnection of information systems in the organization. Separately, in NIST SP 800-47, Rev. 1, at 3.1.5.1, NIST defines an ISA an an established agreement between owner-operators of connected IT systems to document and agree to the technical requirements associated with establishing, operating, and maintaining any interconnections between the organizations' systems. However, NIST notes, "[i]f systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged, how the information is protected) are described in the respective security and privacy plans."


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-47/final NIST Special Publications 800-47]
* [https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final NIST Special Publications 800-47, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 46–58
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 46–58
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)
Line 40: Line 40:


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)


====CA-6 Security authorization====
====CA-6 Authorization====
This control recommends the organization assign a manager or member of senior leadership as an "authorizing official" that essentially approves the system to be put into operation based on the results of security assessments and accepts responsibility for the risks associated with operation. The authorization should also be updated at a defined frequency. It's important to note that this control is described by NIST as being an "inherently federal responsibility and therefore, authorizing officials must be federal employees." If applying this control to non-federal systems, there is still plenty of sense in designating a key individual in the organization as responsible for making the call post-security assessment of allowing the system to go live, as well as accepting the risks of putting the system into operation. The same principle can be applied to major security upgrades and reconfiguration of existing systems.
This control recommends the organization assign a manager or member of senior leadership as an "authorizing official" that essentially approves the system to be put into operation based on the results of security assessments and accepts responsibility for the risks associated with operation. The authorization should also be updated at a defined frequency. It's important to note that this control is described by NIST as being a "federal responsibility, and therefore, authorizing officials must be federal employees." If applying this control to non-federal systems, there is still plenty of sense in designating a key individual in the organization as responsible for making the call post-security assessment of allowing the system to go live, as well as accepting the risks of putting the system into operation. The same principle can be applied to major security upgrades and reconfiguration of existing systems.


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
* No LIMSpec comp (organizational policy rather than system specification)
Line 55: Line 55:


'''Additional resources''':
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final NIST Special Publications 800-37, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final NIST Special Publications 800-53A, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final NIST Special Publications 800-53A, Rev. 5]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]

Latest revision as of 15:52, 21 March 2023

Appendix 1.4 Assessment, authorization, and monitoring

CA-1 Policy and procedures

This control recommends the organization develop, document, disseminate, review, and update security assessment and authorization policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security assessment and authorization action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

CA-2 Control assessments

This control recommends the organization develop, document, disseminate, review, and update a control assessment plan. This plan is focused on helping the organization ensure the assessment procedures, environment, team, roles, and responsibilities are defined and the security controls are correctly implemented, operating as intended, and meeting the established security requirements. The assessments should happen at defined frequency. Additionaally, the organization is encouraged to report on the results of the implemented plan and corresponding assessments, disseminating the results to authorized personnel or roles.

Additional resources:

CA-2 (1) Control assessments: Independent assessors

This control enhancement recommends the organization employ some type of independent assessment team with a predetermined level of required independence to conduct security control assessments. Ensuring the team is free from perceived or actual conflict of interest is important, and NIST adds that "[a]ssessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."

Additional resources:

CA-3 Information exchange

This control recommends the organization should explicitly authorize, document, review, and update interconnection security agreements (ISA) or system-based security plans, as they relate to the interconnection of information systems in the organization. Separately, in NIST SP 800-47, Rev. 1, at 3.1.5.1, NIST defines an ISA an an established agreement between owner-operators of connected IT systems to document and agree to the technical requirements associated with establishing, operating, and maintaining any interconnections between the organizations' systems. However, NIST notes, "[i]f systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged, how the information is protected) are described in the respective security and privacy plans."

Additional resources:

CA-5 Plan of action and milestones

This control recommends the organization develop and update a security authorization-related plan of action and milestones for the documentation of planned remedial actions and vulnerability resolutions. These key security authorization documents should be reviewed and updated at a defined frequency, based off the results of security control assessments, security impact analyses, and continuous monitoring results.

Additional resources:

CA-6 Authorization

This control recommends the organization assign a manager or member of senior leadership as an "authorizing official" that essentially approves the system to be put into operation based on the results of security assessments and accepts responsibility for the risks associated with operation. The authorization should also be updated at a defined frequency. It's important to note that this control is described by NIST as being a "federal responsibility, and therefore, authorizing officials must be federal employees." If applying this control to non-federal systems, there is still plenty of sense in designating a key individual in the organization as responsible for making the call post-security assessment of allowing the system to go live, as well as accepting the risks of putting the system into operation. The same principle can be applied to major security upgrades and reconfiguration of existing systems.

Additional resources:

CA-7 Continuous monitoring

This control recommends the organization develop a continuous monitoring program and implementation strategy. The program should define the metrics required for organizational performance indicators, as well as how often those metrics are applied and assessed for functionality and sufficiency. How the information is analyzed and correlated, how the organization responds to those activities, and how they are reported (who and when) must also be addressed. Metrics should follow the SMART principle of being specific, measurable, actionable, relevant, and focused on a timely nature.

Additional resources:

CA-9 Internal system connections

This control recommends the organization essentially create a systems map, documenting how the various parts of the system should interconnect—as well as the characteristics of the connection and the nature of the information transported through it—and explicitly authorizing the interconnection to occur. This includes connections through mobile devices, printers, computers, sensors, and servers. It may be useful to classify components of the system that have common characteristics or configurations to make authorizations (as classes) easier.

Additional resources:

  • No LIMSpec comp (organizational policy rather than system specification)
Retrieved from "https://www.limswiki.org/index.php?title=Template:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan/A_simplified_description_of_NIST_Special_Publication_800-53_controls,_with_ties_to_LIMSpec/Appendix_1.4_Security_assessment_and_authorization&oldid=51649"