Difference between revisions of "User:Shawndouglas/sandbox/sublevel11"

From LIMSWiki

==Sandbox begins below==
<div class="nonumtoc">__TOC__</div>
In their 1974 multi-volume series ''Systematic Materials Analysis'', Richardson and Peterson say the following about the then state of materials testing<ref>{{Cite book |last=Richardson |first=James H. |last2=Peterson |first2=Ronald V. |date= |year=1974 |title=Systematic Materials Analysis, Part 1 |url=https://books.google.com/books?id=BNocpYI8gJkC&printsec=frontcover&dq=Systematic+Materials+analysis&hl=en&newbks=1&newbks_redir=0&sa=X&ved=2ahUKEwjB1OeQx-aAAxWnmmoFHSV2BSsQ6AF6BAgMEAI#v=onepage&q=Systematic%20Materials%20analysis&f=false |chapter=Preface |series=Materials science series |publisher=Academic Press |place=New York |page=xiii |isbn=978-0-12-587801-2 |doi=10.1016/B978-0-12-587801-2.X5001-0}}</ref>:
<blockquote>It is both exciting and dismaying to observe the parade of new and refined instrumental methods available for the analysis of materials—exciting because these instruments provide opportunities for faster and more reliable answers to material analysis problems, dismaying because one is hard pressed to evaluate these various instruments for a given task. Materials analysis often involves the complete characterization of a material, including structural and textural analyses in addition to chemical analysis ... These volumes not only comprise a brief, comprehensive reference for the materials analyst but also provides a source of information for the engineer or researcher who must select the appropriate instrument for his immediate needs.</blockquote>

==4. NIST Special Publication 800-53, Revision 5 and the NIST Cybersecurity Framework==
[[File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg|right|450px]]NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final Special Publication 800-53]: ''Security and Privacy Controls for Information Systems and Organizations'' was originally released in 2005 and has since gone through five revisions; the current Revision 5 was published in 2020. The SP 800-53 [[cybersecurity]] standards framework is largely a control framework that "provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks."<ref name="NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final |title=NIST SP 800-53, Rev. 5 Security and Privacy Controls for Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=10 December 2020 |accessdate=03 March 2023}}</ref>  

The security controls, which act as recommended safeguards or countermeasures protecting the confidentiality, integrity, and availability of the information system, as well as the privacy and retention of the system's [[information]], are selected by baseline rather than one control at a time. The baseline a system starts from is set by the impact level assigned to the system under FIPS 199 ("low," "moderate," or "high," according to the harm a compromise would cause); for Revision 5 those baselines are published separately as SP 800-53B. An organization may implement a single baseline, but it is free to add controls from a higher baseline and to tailor controls (for example, by filling in the organization-defined parameters) to its needs and goals.
 
The controls are organized into 20 families, and each family contains base controls and control enhancements. The base controls are what they sound like: the core controls implemented toward the family's goal. For example, the first family, ''Access Control'', has a base control "AC-2 Account Management," which requires the organization to define and carry out a series of account management steps (account types, approvals, provisioning, periodic review, and removal) for its information systems. "AC-2 Account Management" also has control enhancements, which can be selectively chosen to bolt additional requirements onto the base control. "AC-2(3) Account Management | Disable Accounts" is a control enhancement stipulating that accounts be disabled within an organization-defined period once they have expired, are no longer associated with a user, are in violation of organizational policy, or have been inactive for an organization-defined period. A practical caveat on the last criterion: an account that was provisioned but never used has no last-login timestamp, so an inactivity check keyed only on last login silently exempts it unless the creation date is used as the fallback.
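As an added illustration of what AC-2(3) asks for in practice (example code written for this guide, not NIST's and not from any product), the following Python reviews a constructed set of account records against the four sub-criteria and handles the never-used-account case described above. The record fields, the 90-day inactivity period, the fixed review date, and the sample accounts are all assumptions; a real implementation would read the records from a directory such as LDAP or Active Directory and hand the findings to a disable action that writes an audit entry.

```python
# Added example for this guide (not NIST's or any product's code): evaluate
# account records against the AC-2(3) "Disable Accounts" criteria.
# All record fields, periods, and sample accounts below are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Organization-defined parameters (assumed values for the example)
INACTIVITY_DAYS = 90          # AC-2(3)(d): inactive for this many days
TODAY = date(2023, 9, 20)     # fixed "now" so the example is reproducible


@dataclass
class Account:
    username: str
    created: date
    owner: Optional[str] = None        # None: no longer associated with a person
    expires: Optional[date] = None     # None: account does not expire
    last_login: Optional[date] = None  # None: the account has never been used
    policy_violation: bool = False     # flagged by a separate review process
    enabled: bool = True


def disable_reasons(acct: Account, today: date,
                    inactivity_days: int = INACTIVITY_DAYS) -> List[str]:
    """Return the AC-2(3) sub-criteria the account meets (empty list if none)."""
    reasons = []
    if acct.expires is not None and acct.expires <= today:
        reasons.append("expired")                       # AC-2(3)(a)
    if acct.owner is None:
        reasons.append("no associated user")            # AC-2(3)(b)
    if acct.policy_violation:
        reasons.append("policy violation")              # AC-2(3)(c)
    # Never-used accounts have no last_login; fall back to the creation date so
    # a provisioned-but-abandoned account is not silently exempt from the check.
    last_activity = acct.last_login or acct.created
    if today - last_activity > timedelta(days=inactivity_days):
        reasons.append(f"inactive > {inactivity_days} days")  # AC-2(3)(d)
    return reasons


def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each still-enabled account that must be disabled to its reasons."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing further to do
        reasons = disable_reasons(acct, today)
        if reasons:
            findings[acct.username] = reasons
    return findings


# Constructed sample records (not real data)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2021, 3, 1), owner="Alice", last_login=date(2023, 9, 15)),
    Account("bob", date(2021, 3, 1), owner="Bob", last_login=date(2023, 4, 1)),
    Account("svc-backup", date(2022, 6, 1), owner=None, last_login=date(2023, 9, 19)),
    Account("carol", date(2022, 1, 1), owner="Carol", expires=date(2023, 9, 1),
            last_login=date(2023, 9, 10)),
    Account("dave", date(2023, 1, 10), owner="Dave"),  # provisioned, never used
    Account("erin", date(2020, 5, 5), owner="Erin", last_login=date(2023, 9, 18),
            policy_violation=True),
    Account("frank", date(2019, 1, 1), owner=None, enabled=False),  # already off
]


if __name__ == "__main__":
    for user, why in sorted(review_accounts(SAMPLE_ACCOUNTS, TODAY).items()):
        print(f"disable {user}: {', '.join(why)}")
```

Run as a script it lists five accounts to disable (bob, carol, dave, erin, svc-backup); alice is current and frank is already disabled. The review function returns the reason rather than acting, so the disabling step can record which AC-2(3) sub-criterion was met, which is the evidence an assessor will ask for.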
 
This guide leans heavily on SP 800-53, despite its complexity, because of its thoroughness, while keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization's perspective. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls, particularly those that directly address networking issues, couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.
 
===4.1 NIST Cybersecurity Framework===
The NIST Cybersecurity Framework is the cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web |url=https://www.cisa.gov/resources-tools/resources/fact-sheet-eo-13636-improving-critical-infrastructure-cybersecurity-and |title=Fact Sheet: EO 13636 Improving Critical Infrastructure Cybersecurity and PPD 21 Critical Infrastructure Security and Resilience |publisher=Cybersecurity & Infrastructure Security Agency |date=17 December 2020 |accessdate=04 March 2023}}</ref> Building off NIST Special Publication 800-53 (then at Revision 4), COBIT 5, and the ISO/IEC 27000 series of standards, the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework that lets those without a rich technical background better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web |url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53/ |title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 |author=Chang-Gu, A. |work=Praetorian Security Blog |publisher=Praetorian Security, Inc |date=02 March 2015 |accessdate=04 March 2023}}</ref><ref name="MorganHowToUse18">{{cite web |url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework |title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett |author=Morgan, J. |work=Security |publisher=BNP Media |date=04 April 2018 |accessdate=04 March 2023}}</ref>
 
Version 1.0 of the framework was introduced in 2014, and by 2016<ref name="DarkNIST16">{{cite web |url=https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds |title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds |author=Dark Reading Staff |work=Dark Reading - Attacks/Breaches |publisher=Informa PLC Informa UK Limited |date=30 March 2016 |accessdate=04 March 2023}}</ref>:
 
* Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
* Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
* Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.
 
However, organizations are slowly shifting from moment-in-time approaches to cybersecurity toward long-term, continual conformance and improvement approaches.<ref name="DarkNIST16" /><ref name="BizTechWhyARisk17">{{cite web |url=https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity |title=Why a Risk-Based Approach Leads to Effective Cybersecurity |author=BizTech Staff |work=BizTech |publisher=CDW LLC |date=20 December 2017 |accessdate=04 March 2023}}</ref><ref name="DanielSmarter18">{{cite web |url=https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/ |title=Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds |author=Daniel, M. |work=Cyber Threat Alliance Blog |date=25 January 2018 |accessdate=04 March 2023}}</ref> Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, supply chain risk management, and vulnerability disclosure.<ref name="NISTReleases18">{{cite web |url=https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework |title=NIST Releases Version 1.1 of its Popular Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=16 April 2018 |accessdate=04 March 2023}}</ref> As of March 2023, NIST continues to update the Cybersecurity Framework, having published a version 2.0 concept paper in January "to seek additional input on the structure and direction of the Cybersecurity Framework (CSF or Framework) before crafting a draft of CSF 2.0." The authors note the potential for significant changes from version 1.1, including scoping the document to organizations of all sizes, types, and sectors, while also increasing international collaboration and engagement and better reflecting changes in cybersecurity practices.<ref name="NISTCyber2.0_23">{{cite web |url=https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf |format=PDF |title=NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=19 January 2023 |accessdate=04 March 2023}}</ref> Since the framework is:
 
* already based upon NIST SP 800-53 and other solid frameworks, with plans to further relate the framework to other NIST frameworks for version 2.0<ref name="NISTCyber2.0_23" />;
* developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders"<ref name="NISTNewTo19">{{cite web |url=https://www.nist.gov/cyberframework/getting-started |title=Getting Started |work=Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=14 April 2022 |accessdate=04 March 2023}}</ref>; and
* potentially going to see greater international collaboration and engagement among foreign governments and industry for upcoming revisions<ref name="NISTCyber2.0_23" />;
 
... the framework is likely to be further embraced in some form worldwide.
 
It should be noted, however, that the framework isn't intended to be used strictly as a standalone framework; rather, it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework is organized around five functions: Identify, Protect, Detect, Respond, and Recover. Mapped to those functions are nearly 300 controls drawn from the referenced frameworks, reinforcing that the related concepts of security control development, program management, and risk management are built into the framework.<ref name="MorganHowToUse18" />


==References==
{{Reflist|colwidth=30em}}

Latest revision as of 17:40, 20 September 2023
