Difference between revisions of "User:Shawndouglas/sandbox/sublevel14"

From LIMSWiki
Jump to navigationJump to search
(Blanked the page)
Tag: Blanking
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
<div class="nonumtoc">__TOC__</div>
{{ombox
| type      = notice
| style    = width: 960px;
| text      = This is sublevel14 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas|my discussion page]] instead.<p></p>
}}


==Sandbox begins below==
==Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec==
What follows is essentially a simplification of the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53, Revision 5]: ''Security and Privacy Controls for Information Systems and Organizations''. As mentioned earlier, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are worthy of consideration for most any systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework is too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final NIST Special Publication 800-171, Revision 2]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 (Revision 4, with plans to update it to Revision 5) and ISO/IEC 27001. As such, you're able to not only see how it connects to the more advanced document but also to the [[International Organization for Standardization]]'s international standard "for establishing, implementing, maintaining and continually improving an [[information security]] management system within the context of the organization."<ref name="ISO27001_19">{{cite web |url=https://www.iso.org/standard/54534.html |title=SO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements |publisher=International Organization for Standardization |date=03 June 2019 |accessdate=23 July 2020}}</ref> For an even broader, more simplified NIST approach to 800-53, you may rather want to turn to the [https://www.nist.gov/cyberframework/framework NIST Cybersecurity Framework], which is suitable for those without a technical background.
The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Occasionally, you will also see selected NIST control enhancements in the form of NIST family, the control enhancement number in parentheses, the control name, and then the control enhancement name. Then, a simplified description—with occasional outside references—is added, based on the original text. Additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.
Finally, if you are implementing or have implemented [[information management]] software in your [[laboratory]], you may also find links to [[LII:LIMSpec 2022 R2|LIMSpec]] in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of [[laboratory informatics]] systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those non-linked items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)." (Note that the selected control enhancements largely appear in this appendix because they both have a comp to LIMSpec and don't have a tight relation to another NIST control.)
In some cases the LIMSpec comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in hand ''aids the organization'' in conforming to the NIST controls specifying policies be created and managed.
'''NOTE''': Under "Additional resources," occasionally a guide, brochure, or blog post from a particular company will appear. That guide or brochure is added solely because it provides contextual information about the specific NIST control. The inclusion as a resource of such a guide, brochure, or blog post ''should not'' be considered an endorsement for the company that published it.
===Appendix 1.1 Access control===
====AC-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update an access control policy. Taking into account regulations, standards, policy, guidance, and law, this policy essentially details the security controls and enhancements "that specify how access is managed and who may access information under what circumstances."<ref name="NISTAccess18">{{cite web |url=https://csrc.nist.gov/Projects/Access-Control-Policy-and-Implementation-Guides |title=Access Control Policy and Implementation Guides |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=27 January 2023 |accessdate=13 March 2023}}</ref>
'''Additional resources''':
* [https://csrc.nist.gov/Projects/Access-Control-Policy-and-Implementation-Guides NIST Access Control Policy and Implementation Guides]
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 59
* [https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html OWASP Authorization Cheat Sheet]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====AC-2 Account management====
This control recommends the organization develop a series of account management steps for its information systems. Among its many recommendations, it asks the organization to clearly define account types (e.g., individual, group, vendor, temporary, etc.), their associated membership requirements, and policy dictating how accounts should be managed; appoint one or more individuals to be in charge of account creation, approval, modification, compliance review, and removal; and provide proper communication to those account managers when an account needs to be modified, disabled, or removed.
'''Additional resources''':
* [https://www.scribd.com/document/14275780/Sample-Account-Management-Policy AAA Technical Writing LLC Sample Account Management Policy]
* [https://csrc.nist.gov/publications/detail/sp/1800-18/archive/2018-09-28 NIST Special Publication 1800-18 (Draft)]
* No LIMSpec comp (organizational policy rather than system specification)
====AC-2 (3) Account management: Disable accounts====
This control enhancement recommends the system have the ability to automatically disable specific accounts (i.e., expired, unassociated, in-violation, and inactive) after a designated period of time.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.28]
====AC-2 (4) Account management: Automated audit actions====
This control enhancement recommends the system have the ability to automatically audit creation, modification, enabling, disabling, and removal actions performed on accounts, as well as notify designated individuals or roles of those actions.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2]
====AC-2 (7) Account management: Privileged user accounts====
This control enhancement recommends the organization take additional action in regards to accounts with privileged roles. AC-2 (7) defines privileged roles as "organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform." The organization should not only use a role-based mechanism for assigning privileges to an account, but also the organization should monitor the activities of privileged accounts and manage those accounts when the role is no longer appropriate.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.35] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4]
====AC-2 (11) Account management: Usage conditions====
This control enhancement recommends the system allow for the configuration of specific usage conditions or circumstances under which an account type can be used. Conditions or circumstances for account activity may include physical location, logical location, network address, or chronometric criterion (time of day, day of week/month).
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.23]
====AC-3 Access enforcement====
This control recommends the system be capable of enforcing system access based upon the configured access controls (policies and mechanisms) put into place by the organization. This enforcement could occur at the overall information system level, or be more granular at the application and service levels.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.25, 32.35], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
====AC-3 (7) Access enforcement: Role-based access control====
This control enhancement recommends the system be able to effectively monitor and enforce a role-based access control policy to objects and system functions, as well users of a defined role. However, this requires system administrators and organizational managers work together to ensure only those permissions critical to supporting "organizational missions or business functions" are enacted upon the assignable roles, and that those assigned roles are appropriate for the user account.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.23]
====AC-6 Least privilege====
This control recommends the organization use the principle of "least privilege" when implementing and managing accounts in the system. The concept of least privilege essentially "requires giving each user, service, and application only the permissions needed to perform their work and no more."<ref name="NetwrixBestPrac19">{{cite web |url=https://www.netwrix.com/guide_to_implementing_the_least_privilege_principle |title=Best Practice Guide to Implementing the Least Privilege Principle |publisher=Netwrix Corporation |date=05 April 2019 |accessdate=13 March 2023}}</ref>
'''Additional resources''':
* [https://web.archive.org/web/20220925085909/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege CISA Least Privilege (archived)]
* [https://www.netwrix.com/guide_to_implementing_the_least_privilege_principle Netwrix ''Best Practice Guide to Implementing the Least Privilege Principle'']
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy LIMSpec 36.4]
====AC-6 (1) Least privilege: Authorize access to security functions====
This control enhancement recommends the organization provide access to specific security-related functions and information in the system to explicitly authorized personnel. In other words, one or more specific system administrators, network administrators, security officers, etc. should be given access to configure security permissions, monitoring, cryptographic keys, services, etc. required to ensure the system is correctly protected.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.18]
====AC-6 (4) Least privilege: Separate processing domains====
This control enhancement recommends the system provide separate processing domains in order to make user privilege allocation more granular. This essentially means that through using virtualization, domain separation mechanisms, or separate physical domains, the overall information system can create additional fine layers of access control for a particular domain.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.16]
====AC-6 (9) Least privilege: Log use of privileged functions====
This control enhancement recommends the system perform auditing functions on any privileged functions that get executed in the system. This allows organizations to review audit records to ensure the effects of intentional or unintentional misuse of privileged functions is caught early and mitigated effectively.
'''Additional resources''':
* [https://web.archive.org/web/20191210160713/https://www.centrify.com/resources/privileged-user-activity-auditing-the-missing-link-for-enterprise-compliance-and-security/ Centrify ''Privileged User Activity Auditing'' (archived)]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2]
====AC-7 Unsuccessful logon attempts====
This control recommends the system be capable of not only enforcing a specific number of failed logon attempts in a given period of time, but also automatically locking or disabling an account until released by the system after a designated period of time, or manually by an administrator.
'''Additional resources''':
* [https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold Microsoft "Account lockout threshold"] (Specific to Windows 10 and 11, but information still broadly useful)
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.32]
====AC-8 System use notification====
This control recommends the system be configurable to allow the creation of a system-wide notification message or banner before logon that provides vital privacy, security, and authorized use information related to the system. The message or banner should remain on the screen until acknowledged by the user and the user logs on. Note that the wording of such message or banner may require legal review and approval before implementation.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.30]
====AC-10 Concurrent session control====
This control recommends the system be able to limit the number of concurrent (running at the same time) sessions (log ins) globally, for a given account type, for a given a user, or by using a combination of such limiters. NIST gives the example of wanting to tighten security by limiting the number of concurrent sessions for system administrators or users working in domains containing sensitive data.
'''Additional resources''':
* [https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html OWASP Session Management Cheat Sheet]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.29]
====AC-11 Device lock====
This control recommends the system be able to prevent further access to a system using a device lock, which activates after a defined period of inactivity or upon a user request. AC-11 defines a device lock as "temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences." The device lock must be able to remain in place until the user associated with the session again goes through the system's identification and authentication process.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.1]
====AC-12 Session termination====
This control recommends the system be able to automatically terminate a user session after a defined period of time or pre-defined events (e.g., time-of-day restriction) occur.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.1]
====AC-14 Permitted actions without identification or authentication====
This control recommends the organization develop a list of user actions, if any, that can be performed on the system without going through the system's identification and authentication process. Any such list should be documented and provide supporting rationale as to why the authentication can be bypassed. This may largely pertain to public websites or other publicly accessible systems.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====AC-17 Remote access====
This control recommends the organization develop and document a remote access policy that addresses each type of remote access allowed into the system. Remote access involves communicating with the system through an external network, usually the internet. The policy should address the usage restrictions, configuration requirements, connection requirements, and implementation rules for the approved methods (e.g., wireless, broadband, Bluetooth, etc.). Some sort of access enforcement process should take place prior to allowing remote access (see AC-3 for said access enforcement).
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final NIST Special Publications 800-46, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-113/final NIST Special Publications 800-113]
* [https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final NIST Special Publications 800-114, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-121/rev-2/final NIST Special Publications 800-121, Rev. 2]
* No LIMSpec comp (organizational policy rather than system specification)
====AC-17 (1) Remote access: Monitoring and control====
This control enhancement recommends the system have the ability to automatically monitor and control remote access methods. By enabling the automatic auditing of the connection activity of remote users, compliance with remote access policies (see AC-17) can be ensured and cyber attacks caught early.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.9]
====AC-17 (2) Remote access: Protection of confidentiality and integrity using encryption====
This control enhancement recommends the system have the ability to implement encryption mechanisms for remote access. This involves using "encryption to protect communications between the access device and the institution," using encryption "to protect sensitive data residing on the access device," or both.<ref name="RBIGuidelines">{{cite web |url=https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf |format=PDF |title=Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds |publisher=Reserve Bank of India |page=46 |accessdate=13 March 2023}}</ref>
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.12] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.1]
====AC-18 Wireless access====
This control recommends the organization develop and document a wireless access policy, probably best done in conjunction with AC-17. NIST gives examples of wireless technologies such as microwave, packet radio, 802.11x, and Bluetooth. The policy should address the usage restrictions, configuration requirements, connection requirements, and implementation rules for the approved wireless technologies. Some sort of access enforcement process should take place prior to allowing a wireless connection to the system (see AC-3 for said access enforcement). In most cases this will be a built-in authentication protocol for the wireless network.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-97/final NIST Special Publications 800-97]
* [https://csrc.nist.gov/publications/detail/sp/800-121/rev-2/final NIST Special Publications 800-121, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-97/final NIST Special Publications 800-187]
* No LIMSpec comp (organizational policy rather than system specification)
====AC-19 Access control for mobile devices====
This control recommends the organization develop and document a mobile device (e.g., smart phone, tablet, e-reader) use and access policy. The policy should address the usage restrictions, configuration requirements, connection requirements, and implementation rules for the approved wireless technologies. Some sort of access enforcement process should take place prior to allowing a mobile connection to the system (see AC-3 for said access enforcement).
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final NIST Special Publications 800-114, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-124/rev-1/final NIST Special Publications 800-124, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-164/draft NIST Special Publications 800-164, Draft]
* No LIMSpec comp (organizational policy rather than system specification)
====AC-20 Use of external systems====
This control recommends the organization develop and document a policy concerning the use of external systems to access, process, store, and transmit data from the organization's system. External systems include (but are not limited to) personal devices, private or public computing devices in commercial or public facilities, non-federal government systems, and federal systems not operated or owned by the organization. This includes the use of cloud-based service providers. The organization should consider the trust relationships already established with internal business divisions, as well as contractors and other third parties when developing this policy.
* No LIMSpec comp (organizational policy rather than system specification)
====AC-22 Publicly accessible content====
This control recommend the organization develop and document policy on the use and management of public-facing components of the system, typically the public website. This control ensures that sensitive, protected, or classified information is not accessible by the general public. The organizational policy should address who's responsible for posting information to the public-facing system; how to verify the information being posted does not contain sensitive, protected, or classified information; and how to monitor the public-facing system to ensure any non-public information is removed upon discovery.
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.2  Awareness and training===
====AT-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update security training policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security training but also to address how it will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 59–60
* [https://csrc.nist.gov/publications/detail/sp/800-50/final NIST Special Publications 800-50]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 26–34
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====AT-2 Literacy training and awareness====
This control recommends the organization provide the necessary basic security awareness training as part of initial training, as well as follow-up training, when the system changes, or at a specific mandated frequency. This broadly applies to all information system users and includes the use of training material, informational posters, security reminders and notices, system messages, and awareness events towards meeting the requirements of this control. Ideally, the training and awareness efforts will also be updated periodically and incorporate internal and external "lessons learned."
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-50/final NIST Special Publications 800-50]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#8._Resource_management LIMSpec 8.3, 8.4, 8.5, and 8.7]
====AT-3 Role-based training====
This control recommends the organization provide the necessary role-specific security and privacy training to personnel with specific assigned security roles and responsibilities. The training should occur before authorization to access the system is provided, as well as when the system changes or at a specific mandated frequency. This includes the use of training material, policy and procedure documents, role-based security tools, manuals, and other materials towards meeting the requirements of this control. Ideally, the training and awareness efforts will also be updated periodically and incorporate internal and external "lessons learned."
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-16/final NIST Special Publications 800-16]
* [https://csrc.nist.gov/publications/detail/sp/800-50/final NIST Special Publications 800-50]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#8._Resource_management LIMSpec 8.3, 8.4, 8.5, and 8.7]
====AT-4 Training records====
This control recommends the organization document and monitor basic and role-specific security training activities and retain that information for a designated period of time. Note that record retention requirements may vary based on regulations and standards that affect the organization and its operations.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#8._Resource_management LIMSpec 8.1, 8.5], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity 31.4]
===Appendix 1.3  Audit and accountability===
====AU-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update audit and accountability policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of audit and accountability action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 60
* [https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Audit_Accountability.pdf State of North Carolina Audit and Accountability Policy]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====AU-2 Event logging====
This control recommends the organization scrutinize the information system to ensure it's fully capable of logging the events the organization requires to meet its business, cybersecurity, and regulatory goals. It also recommends the organization find common ground within other areas of the organization to improve selection of loggable events, provide rationale for their selection, and implement within the information system the selected loggable events at the recommended frequency or during a specific situation. NIST SP 800-53, Rev. 5 also notes: "Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems."
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-92/final NIST Special Publications 800-92]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2, 9.3, and 9.4]
====AU-3 Content of audit records====
This control recommends the system be capable of generating audit records that, at a minimum, provide the source of an event, who enacted an event, when it was enacted, where it occurred, what occurred, and what the outcome was. Regulations and standards may dictate what must be recorded beyond those aspects.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2, 9.3, and 9.4]
====AU-4 Audit log storage capacity====
This control recommends the organization allocate sufficient resources to ensure the storage capacity of the system is sufficient to hold all its audit logging records. What that storage capacity should be will be most heavily dictated by data retention regulations and standards (see AU-11), followed by available organizational resources to commit to long-term storage. Additional safeguards such as sending warning messages to designated personnel or system roles when storage space reaches a critical minimum may be useful.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====AU-5 Response to audit logging processes failures====
This control recommends the system be able to alert specific personnel or system roles when an audit logging process fails and take action as specified by the organization. This action includes shutting down the system, overwriting the oldest audit record (because storage capacity is maxed), or discontinuing the generation of audit records. The system should also allow the organization to specify action differently for various types of failures.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.8]
====AU-6 Audit record review, analysis, and reporting====
This control recommends the organization—as part of policy—review, analyze, and report on the results from generated system audit records at defined frequencies, focusing on inappropriate or unusual activity that may compromise the security of the system. The finding may be reported to designated individuals within the organization, designated departments within the organization, or even regulatory bodies outside the organization.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.7]
====AU-6 (1) Audit record review, analysis, and reporting: Automated process integration====
This control enhancement recommends the organization implement some sort of automation into their system to better integrate audit review, analysis, and reporting processes with organizational investigation processes (e.g., incident response, continuous monitoring, etc.) in order to better and more quickly respond to cyber threats.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_and_quality_management LIMSpec 16.7]
====AU-8 Time stamps====
This control recommends the system use a reliable system clock for generating its audit records. The system clock should be able to generate time stamps in Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meet organizational requirements for granularity, all the way down to the millisecond level.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.3] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity 31.5]
====AU-9 Protection of audit information====
This control recommends the system be capable of logically protecting audit information (records, settings, and reports) and tools from unauthorized access, modification, and deletion.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.7]
====AU-10 Non-repudiation====
This control recommends the system provide an irrefutable means of linking specific system actions or processes (e.g., signing a report or approving a sample) to a specific individual. This can include the use of digital signatures or other specific means of associating identity with action.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.5, 9.6]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.7, 32.36, 32.37]
====AU-10 (3) Non-repudiation: Chain of custody====
This control enhancement recommends that a system maintaining chain of custody information also accurately maintain the credentials of reviewers and releasers of information related to that chain of custody, or in the case of automated process, that only approved review and release functions are used by the system.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Primary_Laboratory_Workflow#1._Sample_and_experiment_registration LIMSpec 1.18]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Primary_Laboratory_Workflow#4._Results_review_and_verification LIMSpec 4.4]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.36, 32.37]
====AU-11 Audit record retention====
This control recommends the organization, in tandem with the its overall record retention policy, retain audit records for a defined period of time. That time period may be dictated by administrative, operational, or regulatory policy.
'''Additional resources''':
* [https://www.archives.gov/records-mgmt/grs.html National Archives Federal Records Management and General Records Schedules]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.4]
====AU-11 (1) Audit record retention: Long-term retrieval capability====
This control enhancement recommends the organization ensure the availability and retrievability of audit information stored long-term. This assurance can be made in several ways, including verifying the information system is correctly providing access to the information to authorized individuals; ensuring records in old, difficult-to-read formats get updated; and retaining the necessary documentation and hardware to read and interpret older record systems.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.4]
====AU-12 Audit record generation====
This control aligns with AU-2 and AU-3, in as much as it recommends the system be capable of generating audit records for the auditable events defined in AU-2 at various organization-defined points in the information system. This control also recommends the system to allow authorized users to assign which auditable events are to be audited by which points in the system. And of course, the system should be capable of generating the audit records with the content as defined in AU-3.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.7]
===Appendix 1.4  Assessment, authorization, and monitoring===
====CA-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update security assessment and authorization policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security assessment and authorization action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 60–61
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final NIST Special Publications 800-53A, Rev. 5]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 96–112
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====CA-2 Control assessments====
This control recommends the organization develop, document, disseminate, review, and update a control assessment plan. This plan is focused on helping the organization ensure the assessment procedures, environment, team, roles, and responsibilities are defined and the security controls are correctly implemented, operating as intended, and meeting the established security requirements. The assessments should happen at defined frequency. Additionaally, the organization is encouraged to report on the results of the implemented plan and corresponding assessments, disseminating the results to authorized personnel or roles.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final NIST Special Publications 800-53A, Rev. 5]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
====CA-2 (1) Control assessments: Independent assessors====
This control enhancement recommends the organization employ some type of independent assessment team with a predetermined level of required independence to conduct security control assessments. Ensuring the team is free from perceived or actual conflict of interest is important, and NIST adds that "[a]ssessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115], pages 6-5 and 6-6
* No LIMSpec comp (organizational policy rather than system specification)
====CA-3 Information exchange====
This control recommends the organization should explicitly authorize, document, review, and update interconnection security agreements (ISA) or system-based security plans, as they relate to the interconnection of information systems in the organization. Separately, in NIST SP 800-47, Rev. 1, at 3.1.5.1, NIST defines an ISA an an established agreement between owner-operators of connected IT systems to document and agree to the technical requirements associated with establishing, operating, and maintaining any interconnections between the organizations' systems. However, NIST notes, "[i]f systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged, how the information is protected) are described in the respective security and privacy plans."
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final NIST Special Publications 800-47, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 46–58
* No LIMSpec comp (organizational policy rather than system specification)
====CA-5 Plan of action and milestones====
This control recommends the organization develop and update a security authorization-related plan of action and milestones for the documentation of planned remedial actions and vulnerability resolutions. These key security authorization documents should be reviewed and updated at a defined frequency, based off the results of security control assessments, security impact analyses, and continuous monitoring results.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* No LIMSpec comp (organizational policy rather than system specification)
====CA-6 Authorization====
This control recommends the organization assign a manager or member of senior leadership as an "authorizing official" that essentially approves the system to be put into operation based on the results of security assessments and accepts responsibility for the risks associated with operation. The authorization should also be updated at a defined frequency. It's important to note that this control is described by NIST as being a "federal responsibility, and therefore, authorizing officials must be federal employees." If applying this control to non-federal systems, there is still plenty of sense in designating a key individual in the organization as responsible for making the call post-security assessment of allowing the system to go live, as well as accepting the risks of putting the system into operation. The same principle can be applied to major security upgrades and reconfiguration of existing systems.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
====CA-7 Continuous monitoring====
This control recommends the organization develop a continuous monitoring program and implementation strategy. The program should define the metrics required for organizational performance indicators, as well as how often those metrics are applied and assessed for functionality and sufficiency. How the information is analyzed and correlated, how the organization responds to those activities, and how they are reported (who and when) must also be addressed. Metrics should follow the SMART principle of being specific, measurable, actionable, relevant, and focused on a timely nature.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final NIST Special Publications 800-37, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publications 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final NIST Special Publications 800-53A, Rev. 5]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publications 800-115]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* No LIMSpec comp (organizational policy rather than system specification)
====CA-9 Internal system connections====
This control recommends the organization essentially create a systems map, documenting how the various parts of the system should interconnect—as well as the characteristics of the connection and the nature of the information transported through it—and explicitly authorizing the interconnection to occur. This includes connections through mobile devices, printers, computers, sensors, and servers. It may be useful to classify components of the system that have common characteristics or configurations to make authorizations (as classes) easier.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.5  Configuration management===
====CM-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update configuration management policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of configuration management action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 61
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 131–37
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====CM-2 Baseline configuration====
This control recommends the organization develop, document, and maintain a baseline configuration of the information system and its components, including their network topology and logical placement within the system. The end result should fully reflect the existing enterprise architecture.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
====CM-3 Configuration change control====
This control recommends the organization develop a series of configuration change control steps to ensure that system upgrades and modifications cause little to no impact in the overall cybersecurity strength of the system. NIST specifically recommends the organization determine which system changes are linked to configuration control, review and approve proposed changes, document and retain those decisions, implement the approved changes, and audit and review the changes.
'''Additional resources''':
* [https://www.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf Carnegie Mellon University Configuration and Change Management]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
====CM-3 (2) Configuration change control: Testing, validation, and documentation of changes====
This control enhancement recommends the organization test, validate, and document changes to the system before actual implementation on the live system. Operational hardware systems may have to be taken offline or replicated as closely as feasible to test; software systems can often be tested in a separate test environment. In all cases, the organization seeks to minimize impact on active system operations.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.15]
====CM-4 Impact analyses====
This control recommends the organization perform impact analyses on the system to determine the extent of potentially undesirable consequences upon implementing proposed changes. This typically requires one or more individuals explicitly familiar with the system, the organization's security plans, and the system's architecture documents. Some revelations may also come from enacting security control CM-3 (2).
'''Additional resources''':
* [https://www.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf Carnegie Mellon University Configuration and Change Management]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
====CM-5 Access restrictions for change====
This control recommends the organization define, document, approve, and enforce all the physical and logical access restrictions associated with making changes to the system configuration. Doing so creates a base policy that helps ensure "only qualified and authorized individuals [can] access information systems for purposes of initiating changes, including upgrades and modifications."
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.22]
====CM-5 (1) Access restrictions for change: Automated access enforcement and audit records====
This control enhancement recommends the system allow for the configuration and automated enforcement of access restrictions, as well as the creation of audit records for the associated enforcement actions.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.22, 32.31]
====CM-6 Configuration settings====
This control recommends the organization develop and implement a complete set of configuration settings for the hardware, software, and firmware that make up the information system. Those settings should ultimately reflect restrictions consistent with operational requirements and organizational policy. Additionally, the organization should perform change control on the settings, such that suggested deviations are not detrimental to the system and overall cybersecurity goals.
'''Additional resources''':
* [https://ncp.nist.gov/repository NIST's National Checklist Program Repository]
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publications 800-70, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
====CM-7 Least functionality====
This control recommends the organization configure the system to apply the principle of "least functionality." As Georgetown University describes it, "[t]he principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system."<ref name="UISO_UIS203">{{cite web |url=https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/ |title=UIS.203.7 Least Functionality Guidelines |work=UIS.203 Configuration Management Policy |publisher=University Information Security Office, Georgetown University |accessdate=14 March 2023}}</ref> NIST also notes that organizations can "employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services."
'''Additional resources''':
* [https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/ Georgetown University UIS.203.7 Least Functionality Guidelines]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.18]
====CM-8 System component inventory====
This control recommends the organization develop and document a complete inventory of the various components within the authorization boundary of the system. That inventory should accurately portray the current system, have sufficient detail for accountability, and be detailed at a granular enough level for convenient tracking and reporting. The organization should also review and update the inventory in a defined frequency.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* No LIMSpec comp (organizational policy rather than system specification)
====CM-10 Software usage restrictions====
This control recommends the organization make an effort to track the use of software and associated documentation to ensure both are being used legally and within contract agreements. The organization should also control against and document instances of software or documentation being copied, distributed, or used in an unauthorized fashion.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====CM-11 User-installed software====
This control recommends the organization develop, document, and enforce policies governing if and when users may install software within the system. This includes monitoring for policy compliance at a defined frequency. Enforcement may be procedural, automated, or both.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.6 Contingency planning===
====CP-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update contingency planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of contingency planning action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 61–62
* [https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final NIST Special Publications 800-34, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 78–83
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====CP-2 Contingency plan====
This control recommends the organization develop, document, disseminate, review, and update a contingency plan for the system. As part of this process, the organization should identify its business and cybersecurity goals, as well as its processes, particularly goals and processes that have been marked as critical or essential to overall operations. The plan should also address the importance of keeping those goals and processes intact despite any disruption, as well as any recovery objectives, restoration priorities, and responsible parties (including their roles and contact information). The plan should be reviewed and approved by key personnel, and reviewed again at a determined frequency, with any changes resulting in updating, communicating, and protecting the revised plan.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final NIST Special Publications 800-34, Rev. 1]
* No LIMSpec comp (organizational policy rather than system specification)
====CP-3 Contingency training====
This control recommends the organization supply the appropriate training concerning contingency plan enactment to the relevant system users at a defined frequency, when the system changes significantly, or when a user takes on a contingency role or responsibility.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-16/final NIST Special Publications 800-16]
* [https://csrc.nist.gov/publications/detail/sp/800-50/final NIST Special Publications 800-50]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#8._Resource_management LIMSpec 8.3, 8.5, and 8.7]
====CP-4 Contingency plan testing====
This control recommends the organization develop and regularly use testing methods to test the system contingency plan for its effectiveness, as well as how well prepared system users are to execute the plan. The organization should review the results of such tests and apply corrective action, if needed.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final NIST Special Publications 800-34, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-84/final NIST Special Publications 800-84]
* No LIMSpec comp (organizational policy rather than system specification)
====CP-9 System backup====
This control recommends the organization back up the system's user-level and system-level information, as well as system documentation, at defined frequencies. The organization should make efforts to protect the confidentiality, integrity, and availability of any data backups.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final NIST Special Publications 800-34, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#27._Systems_integration LIMSpec 27.11]
====CP-9 (8) System backup: Cryptographic protection====
This control enhancement recommends that the system provide cryptographic mechanisms for protecting the integrity and confidentiality of backed up data and information.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#27._Systems_integration LIMSpec 27.11]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.2]
====CP-10 System recovery and reconstitution====
This control recommends the organization retain the capability of recovering and reconstituting the system to a recent known state in the wake of a system disruption, compromise, or failure. This may be done in an automatic or manual fashion.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final NIST Special Publications 800-34, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#27._Systems_integration LIMSpec 27.11]
===Appendix 1.7  Identification and authentication===
====IA-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update identification and authentication policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of identification and authentication action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 62–63
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====IA-2 Identification and authentication (organizational users)====
This control recommends the system be able to identify and authenticate a user or user-propagated process as a single, unique entity by using one or more mechanisms. The choice of these mechanisms will be guided by organizational policy, regulations, laws, standards, and guidance documents. According to NIST, authentication mechanisms will be based on "something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric)."
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.25, 32.35], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
====IA-2 (1) Identification and authentication (organizational users): Multi-factor authentication to privileged accounts====
This control enhancement recommends the system be able to implement multifactor authentication to privileged accounts being accessed. "Multi-factor authentication requires the use of two or more different factors to achieve authentication." NIST adds that "[r]egardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk."
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.3]
====IA-2 (2) Identification and authentication (organizational users): Multi-factor authentication to non-privileged accounts====
This control enhancement recommends the system be able to implement multifactor authentication to non-privileged accounts being accessed. "Multi-factor authentication requires the use of two or more different factors to achieve authentication." NIST adds that "[r]egardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk."
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.3]
====IA-2 (10) Identification and authentication (organizational users): Single sign-on====
This control enhancement recommends the system be configurable to allow, if desired, single sign-on to specified system accounts and services, such that a user can log in once and gain access to multiple system resources.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.24]
====IA-2 (12) Identification and authentication (organizational users): Acceptance of [personal identity verification] credentials====
This control enhancement recommends the system be capable of accepting and electronically verifying personal identity verification (PIV) credentials. The U.S. General Services Administration (GSA) says of PIV credentials: "PIV credentials have certificates and key pairs, pin numbers, biometrics like fingerprints and pictures, and other unique identifiers. When put together into a PIV credential, it provides the capability to implement multi-factor authentication for networks, applications and buildings."<ref name="GSA_IntroPIV">{{cite web |url=https://playbooks.idmanagement.gov/piv/ |title=Introduction - PIV Guides |work=PIV Usage Guides |publisher=General Services Administration |accessdate=14 March 2023}}</ref> These types of credentials are most often associated with federal agencies, and as such this control enhancement may not be required for a non-federal entity or organization.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.17]
====IA-4 Identifier management====
This control recommends the organization ensure the individual, group, role, and device identifiers in the system be selected, assigned, and disabled by authorized individuals or roles only. Those same individuals or roles will be responsible for both preventing the reuse of those identifiers for and disabling those identifiers after a specified period of time (including "never").
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.26, 32.28]
====IA-5 Authenticator management====
This control recommends the organization ensure the individual, group, role, and device receiving a new authenticator has their identity verified, while also ensuring those new authenticators are properly defined, are sufficiently strong, and are backed by administrative and cybersecurity policy and procedure. That policy and procedure should address how authenticators are managed if lost, compromised, or damaged, as well as how to revoke the authenticators. Policy and procedure should also address use and reuse restrictions, refreshing rules, protection recommendations, personnel and device safeguards, and membership/role changes for authenticators.
'''Additional resources''':
* [https://playbooks.idmanagement.gov/arch/ FICAM Architecture Guide]
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.25, 32.26, 32.27, 32.34, and 32.35]
====IA-5 (1) Authenticator management: Password-based authentication====
This control enhancement recommends the system's password-based authentication be configurable to allow specific password-related rules set by the organization. This includes rules related to password complexity (i.e., case sensitivity, number of characters by type, uppercase-lowercase mix, numbers and special characters), minimum and maximum password lifetime rules, changed and updated password rules, and password reuse rules. The system should also be capable of allowing for the creation of temporary passwords and the storage and transmittal of passwords in an encrypted fashion.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.10]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.27, 32.28, and 32.40]
====IA-6 Authentication feedback====
This control recommends the system obscure how authentication information, such as passwords, is entered, using mechanisms such as showing asterisks instead of the password characters or limiting visual feedback of each password character to an extremely brief period of time.
'''Additional resources''':
[https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.41]
====IA-7 Cryptographic module verification====
This control recommends the system be capable of authenticating access to a cryptographic module, ensuring the user is authorized to assume the requested role and perform role-based actions within that module.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity LIMSpec 35.5]
====IA-8 Identification and authentication (non-organizational users)====
This control recommends the system be able to identify and authenticate a non-organizational user or user-propagated process as a single, unique entity by using one or more mechanisms. The choice of these mechanisms will be guided by organizational policy, regulations, laws, standards, and guidance documents. According to NIST, authentication mechanisms will be based on "something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric)."
'''Additional resources''':
* [https://playbooks.idmanagement.gov/pacs/ GSA Physical Access Control System Guide]
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final NIST Special Publications 800-116, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.25, 32.35], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
====IA-8 (1) Identification and authentication (non-organizational users): Acceptance of [personal identity verification] credentials from other agencies====
This control enhancement recommends the system be capable of accepting and electronically verifying PIV credentials from more than just the primary organization or agency. The U.S. General Services Administration (GSA) says of PIV credentials: "PIV credentials have certificates and key pairs, pin numbers, biometrics like fingerprints and pictures, and other unique identifiers. When put together into a PIV credential, it provides the capability to implement multi-factor authentication for networks, applications and buildings."<ref name="GSA_IntroPIV" /> These types of credentials are most often associated with federal agencies, and as such this control enhancement may not be required for a non-federal entity or organization.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Specialty_Laboratory_Functions#21._Forensic_case_and_data_management LIMSpec 21.17]
====IA-8 (2) Identification and authentication (non-organizational users): Acceptance of external authenticators====
This control enhancement recommends the system be capable of accepting and electronically verifying NIST-compliant external authenticators (compliant with NIST SP 800-63B).
'''Additional resources''':
* [https://doi.org/10.6028/NIST.SP.800-63b NIST Special Publications 800-63B]
* No LIMSpec comp (LIMSpec currently doesn't address external authenticators)
====IA-8 (4) Identification and authentication (non-organizational users): Use of defined profiles====
This control enhancement recommends a system that accepts and electronically verifies identity conform to open identity management standards.
'''Additional resources''':
* [https://www.okta.com/blog/2022/08/exploration-of-open-identity-standards/ Okta's "An Exploration of Open Identity Standards"]
* No LIMSpec comp (LIMSpec currently doesn't address FICAM requirements)
===Appendix 1.8  Incident response===
====IR-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update incident response policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of incident response action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 64
* [https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final NIST Special Publications 800-61, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final NIST Special Publications 800-83, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100] 124–30
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====IR-2 Incident response training====
This control recommends the organization provide incident response training to those system users with roles and responsibilities tied to incident response and, more broadly, business continuity planning. That training should occur initially, within an organization-defined period of time upon taking on a related role or responsibility, and when required by major changes to the system. Follow-up training should be conducted at a defined frequency afterwards.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-16/final NIST Special Publications 800-16]
* [https://csrc.nist.gov/publications/detail/sp/800-50/final NIST Special Publications 800-50]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#8._Resource_management LIMSpec 8.3, 8.5, and 8.7]
====IR-4 Incident handling====
This control recommends the organization, as part of its incident response planning (see IR-8), address how it will engage in preparation, detection and analysis, containment, eradication, and recovery from a security incident. That organization will also link its incident handling with its contingency planning activities and update its incident and business continuity plans, as well as affected training regiments, with "lessons learned" from internal and external events.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final NIST Special Publications 800-61, Rev. 2]
* No LIMSpec comp (organizational policy rather than system specification)
====IR-4 (1) Incident handling: Automated incident handling processes====
This control enhancement recommends the organization employ automated mechanisms to better handle incident response initiatives. NIST gives the example of online incident management systems as a possible automated tool to use.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.7]
====IR-5 Incident monitoring====
This control recommends the organization track and document security incidents affecting the system. For these purposes, the organization may consider pulling information from "incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports."
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final NIST Special Publications 800-61, Rev. 2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.6, 16.7]
====IR-6 Incident reporting====
This control recommends the organization require security incidents, suspected and real, and any relevant information to be reported to the appropriate organizational personnel within a certain period of time.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final NIST Special Publications 800-61, Rev. 2]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Primary_Laboratory_Workflow#6._Reporting LIMSpec 6.8]
====IR-6 (1) Incident reporting: Automated reporting====
This control enhancement recommends the the organization employ automated mechanisms to better handle reporting of security incidents. These automated mechanisms would likely be tied to existing monitoring controls.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Primary_Laboratory_Workflow#6._Reporting LIMSpec 6.8]
====IR-7 Incident response assistance====
This control recommends the organization provide support resources that offer advice and assistance to system users confronted with handling and reporting security incidents. Those support resources could come in the form of help desk, a responsible individual designated in the incident response plan, or in-house or third-party forensic services.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====IR-8 Incident response plan====
This control recommends the organization develop, document, disseminate, review, update, and protect an organizational incident response plan. That plan should be sophisticated enough to contain an incident response roadmap for implementing the developed plan, which should include how the overall plan meshes with business and cybersecurity goals, the resources and responsible individuals that are part of the plan, what should be reportable, and what the associated metrics will be for measuring incident response and its aftermath. The plan should be reviewed and approved by one or more designated personnel, usually leadership or management. Any changes to the plan should be communicated to appropriate personnel, and any affected training should be updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final NIST Special Publications 800-61, Rev. 2]
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.9  Maintenance===
====MA-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 50
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====MA-2 Controlled maintenance====
This control recommends the organization apply a "controlled maintenance" approach to its system. Not only should maintenance be regularly scheduled, performed, and thoroughly documented, but also that maintenance should be in-line with manufacturer, vendor, or organizational requirements. The maintenance should go through an approval and monitoring process whether conducted on- or off-site. Any off-site work will required proper data sanitization. After maintenance, the components and the system should be checked to ensure that all implemented controls still function as expected.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.7, 10.10, and 10.15]
====MA-2 (2) Controlled maintenance: Automated maintenance activities====
This control enhancement recommends the organization employ (or, ensure the system employs) some type of automation in scheduling, conducting, and/or documenting maintenance and repairs. That automated process should also ensure that all related documentation is complete and accurate in regards to requested, scheduled, processed, and completed maintenance and repair actions.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.7, 10.10, and 10.15]
====MA-4 Nonlocal maintenance====
This control recommends the organization place strong controls on nonlocal maintenance and diagnostics of the system or its components. "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network." Those controls include approving, monitoring, and thoroughly documenting non-local maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-63-3]
* [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.15],  [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.25], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4], and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.3]
====MA-4 (6) Nonlocal maintenance: Cryptographic protection====
This control enhancement recommends the system provides appropriate cryptographic mechanisms for ensuring the confidentiality and integrity of nonlocally accessed maintenance and diagnostic data and information.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#35._Cybersecurity 35.1]
====MA-5 Maintenance personnel====
This control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. Additionally, a policy of ensuring those authorized personnel or organizations have the appropriate security authorizations and designated supervisory personnel when on-site is asked for.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
====MA-6 Timely maintenance====
This control recommends the organization designate a time frame between which system component failure and maintenance support or component acquisition takes place. This will likely involve identifying the system components that are critical to maintaining system operations and organizational goals.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====MA-6 (1) Timely maintenance: Preventive maintenance====
This control enhancement recommends the organization take a preventive maintenance approach to its system and components, scheduling at a defined frequency specific preventative maintenance actions on specified system components.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#10._Instrument_and_equipment_management LIMSpec 10.10]
====MA-6 (2) Timely maintenance: Predictive maintenance====
This control enhancement recommends the organization take a predictive maintenance approach to its system and components. This essentially means using "principles of statistical process control to determine at what point in the future maintenance activities will be appropriate," particularly "when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold."
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.5]
===Appendix 1.10  Media protection===
====MP-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update media protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of media protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 65
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====MP-2 Media access====
This control recommends the organization implement and enforce restrictions on specified digital and non-digital media, limiting access to only authorized personnel or roles within the organization. This will likely relate to controls on media containing sensitive, protected, or confidential data contained on the media.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.9] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.7]
====MP-6 Media sanitization====
This control recommends the organization sanitize specified system media using authorized techniques prior to being disposed, released out of organizational control, or released for reuse. The techniques used should match the security or classification level assigned to the information contained on the media.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-63/3/final NIST Special Publications 800-88, Rev. 1]
* [https://www.nsa.gov/Resources/Media-Destruction-Guidance/ NSA/CSS Media Destruction Guidance]
* No LIMSpec comp (organizational policy rather than system specification)
====MP-7 Media use====
This control recommends the organization determine which, if any, digital and non-digital media should be prohibited from being used on which systems or system components. Note that "[i]n contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on information systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives" on the system or its subsystems.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.11  Physical and environmental protection===
====PE-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update physical and environmental protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of physical and environmental protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 66
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====PE-2 Physical access authorizations====
This control recommends the organization develop, approve, and maintain a list of individuals who are vetted and authorized to access the facilities where the system physically resides. Those individuals should be issued credentials to access the facility, and those credentials should be reviewed at a defined frequency. Those individuals who no longer require access to the facility should be removed from the physical access list promptly.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PE-3 Physical access control====
This control recommends the organization enact physical access controls through the facility where the system physically resides. Those controls include verifying individual access authorization before allowing admittance, using access control devices or personnel, maintaining physical access audit logs, providing security safeguards for accessing controlled areas from public areas, escorting visitors, monitoring visitor activity, securing keys and passwords controls, inventorying physical access devices regularly, and changing keys and password controls when circumstances require.
'''Additional resources''':
* [https://www.idmanagement.gov/fips201/ GSA FIPS 201 Evaluation Program]
* [https://playbooks.idmanagement.gov/pacs/ GSA Physical Access Control System Guide]
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* [https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final NIST Special Publications 800-116, Rev. 1]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
====PE-3 (1) Physical access control: System access====
This control enhancement recommends the organization provide, in addition to overall facility access control, a mechanism for physically securing areas within the facility that house critical information system components.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
====PE-6 Monitoring physical access====
This control recommends the organization monitor the areas within the facility that house critical information system components for detecting and responding to physical security incidents. The organization should also review physical access logs at a determined frequency or when a security event (or possibility of a security event) is identified. Individuals with responsibility for monitoring the system's physical locations should also coordinate with the incident response team in reviews and investigations.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
====PE-6 (1) Monitoring physical access: Intrusion alarms and surveillance equipment====
This control enhancement recommends the organization monitor physical intrusion alarms and surveillance equipment.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.9] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.7]
====PE-6 (4) Monitoring physical access: Monitoring physical access to systems====
This control enhancement recommends the organization provide, in addition to overall facility monitoring, a means of monitoring areas within the facility that house critical system components.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.7]
====PE-8 Visitor access records====
This control recommends the organization retain visitor access records to the facility housing the physical information system for a designated period of time, reviewing those records at a defined frequency.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PE-12 Emergency lighting====
This control recommends the organization ensure the facility housing the physical information system employs and maintains automatic emergency lighting capable of activating off of its own independent power supply during a power outage or other type of disruption.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PE-13 Fire protection====
This control recommends the organization ensure the facility housing the physical information system employs and maintains fire suppression and detection systems capable of activating off of its own independent power supply during a fire incident.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PE-14 Environmental controls====
This control recommends the organization maintain temperature, humidity, and other environmental conditions in the facility housing the physical information system at a defined set of acceptable levels, monitoring those levels at a defined frequency.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PE-15 Water damage protection====
This control recommends the organization ensure the facility housing the physical information system has emergency water shutoff or isolation valves that are accessible, functional, and clearly marked and known to personnel, with the goal of protecting the system components from water leakage.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PE-16 Delivery and removal====
This control recommends the organization ensure any pick-up or drop-off activities of information system components at the facility housing the physical information system are authorized, monitored, and controlled, preferably isolating such activities outside of areas where critical system components or media are located.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.12  Planning===
====PL-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 67
* [https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final NIST Special Publications 800-18, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 67–77
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====PL-2 System security and privacy plans====
This control recommends the organization develop, distribute, review, update, and protect security and privacy plans for its information system. The plans should take into consideration the organization's enterprise architecture and the organizations business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. The plans should be reviewed and approved by designated personnel, as well as protected from unauthorized access and modification.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final NIST Special Publications 800-18, Rev. 1]
* No LIMSpec comp (organizational policy rather than system specification)
====PL-4 Rules of behavior====
This control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign acknowledgement of the revised rules.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final NIST Special Publications 800-18, Rev. 1]
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.13  Program management===
The set of PM controls "are implemented at the organization level and not directed at individual information systems." As such, they have no LIMSpec parallels and are not discussed in detail here. That said, NIST describes the controls of PM as having "been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards." The first control, PM-1, is included here. For more on these controls, consult pages 203–21 of NIST SP 800-53, Rev. 5.
====PM-1 Information security program plan====
This control recommends the organization develop, document, disseminate, review, and update an organization-wide information security program plan. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of information security program planning but also to address how that plan will be implemented, reviewed, and updated. NIST adds that an information security program plan:
* "provides an overview of the security requirements for an organization-wide information security program";
* "documents implementation details about program management and common controls"; and
* "provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended."
'''Additional resources''':
* [https://doi.org/10.6028/NIST.SP.800-37r2 NIST Special Publications 800-37, Rev. 2]
* [https://doi.org/10.6028/NIST.SP.800-39 NIST Special Publications 800-39]
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.14  Personnel security===
====PS-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update personnel security policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personnel security action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12], page 68
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====PS-2 Position risk designation====
This control recommends the organization assign risk designations to all organizational positions. NIST states that risk designations "can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems." Deciding on the appropriate risk level designation (e.g., high, moderate, or low) for a position may be "determined by the position's potential for adverse impact to the efficiency or integrity of the service."<ref name="LII5CFR">{{cite web |url=https://www.law.cornell.edu/cfr/text/5/731.106 |title=5 CFR § 731.106 - Designation of public trust positions and investigative requirements |work=Legal Information Institute |publisher=Cornell |accessdate=14 March 2023}}</ref> Those authorizations should be created only after screening criteria for the position have been met. Additionally, the organization should review and updated their risk designations at a defined frequency.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PS-3 Personnel screening====
This control recommends the organization perform a security screening of individuals before authorizing them to access the information system, as well as rescreen those individuals based on organization-defined conditions and frequencies.
'''Additional resources''':
* [https://www.law.cornell.edu/cfr/text/5/731.106 5 CFR 731.106]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-73/4/final NIST Special Publications 800-73-4]
* [https://csrc.nist.gov/publications/detail/sp/800-76/2/final NIST Special Publications 800-76-2]
* [https://csrc.nist.gov/publications/detail/sp/800-78/4/final NIST Special Publications 800-78-4]
* No LIMSpec comp (organizational policy rather than system specification)
====PS-4 Personnel termination====
This control recommends the organization conduct a series of security steps upon termination of personnel. Those steps include disabling system access within an organization-defined period of time, revoking the individual's authenticators or credentials, having an exit interview with the individual about system security topics, retrieving any organizational information and property related to the information system controlled by the individual, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.28] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.4]
====PS-5 Personnel transfer====
This control recommends the organization conduct a series of security steps upon the reassignment or transfer of personnel. Those steps include reviewing and confirming the ongoing need for the individual's current access authorizations, initiating any necessary access modification or other types of action within an organization-defined period of time, and notifying the appropriate staff within an organization-defined period of time upon completion of these security steps.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.4]
====PS-6 Access agreements====
This control recommends the organization develop, document, review, and update access agreements for organizational information systems, ensuring that individuals requiring access to the system sign the agreement before accessing the system and resign the agreement upon the agreement being updated by the organization, or at a designated frequency.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1]
====PS-7 External personnel security====
This control recommends the organization establish a set of security requirements for external personnel. Those requirements should elaborate on third-party personnel security roles, responsibilities, and requirements; require said personnel to comply with organizational personnel security policy and procedures; require prompt notification from third-party providers when associated personnel possessing authenticators or credentials and who have access to the system transfer or leave; and compel the organization to monitor provider compliance.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
====PS-8 Personnel sanctions====
This control recommends the organization put into place a formal sanctions process for individuals who fail to comply with organizational information security policies and procedures. When a formal sanction process is initiated, the organization will notify designated personnel or roles within an organization-defined period of time of the sanctions, including who is affected and the reasoning behind the sanctions.
'''Additional resources''':
* No LIMSpec comp (organizational policy rather than system specification)
===Appendix 1.15  Personally identifiable information processing and transparency===
====PT-1 Policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update personally identifiable information processing and transparency policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personally identifiable information processing and transparency action but also to address how those policies and procedures will be implemented, reviewed, and updated.
'''Additional resources''':
* [https://www.cio.gov/policies-and-priorities/circular-a-130/ Circular No. A-130 - Managing Information as a Strategic Resource]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2]
====PT-2 Authority to process personally identifiable information====
This control recommends the organization develop, document, and enact policy on who has access to what personally identifiable information, while ensuring restrictions in the system limit that access to only those authorized to do so. The NIST adds that "[o]rganizations consider applicable requirements and organizational policies to determine how to document this authority."
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy LIMSpec 36.1, 36.2]
====PT-2 (2) Authority to process personally identifiable information: Automation====
This control enhancement recommends the system have automated mechanisms to enforce verification mechanisms that prevent personally identifiable information in the system from being compromised.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy LIMSpec 36.1, 36.2]
====PT-4 Consent====
This control recommends the organization—or the system—have tools or mechanisms able to record the consent of individuals who wish to allow their personally identifiable information to be processed, stored, and otherwise managed. PT-4 adds that "organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means."
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy LIMSpec 36.6]
====PT-4 (3) Consent: Revocation====
This control enhancement recommends that the organization or system also have tools or mechanisms able to revoke the consent of individuals who no longer wish to allow their personally identifiable information to be processed, stored, and otherwise managed.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#36._Information_privacy LIMSpec 36.6]

Revision as of 22:19, 16 May 2023