Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

From LIMSWiki
Jump to navigationJump to search
Line 270: Line 270:
Originally released in 2005, NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' has since gone through four revisions, with a fifth delayed but in the works.<ref name="MillerOMB19">{{cite web |url=https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/ |title=OMB’s regulatory review is creating a backlog of cyber standards |author=Miller, J. |work=Federal News Network - Reporter's Notebook |publisher=Hubbard Radio Washington DC, LLC |date=03 September 2019 |accessdate=19 December 2019}}</ref> The cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."<ref name=NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final |title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=22 January 2015 |accessdate=19 December 2019}}</ref>  
Originally released in 2005, NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' has since gone through four revisions, with a fifth delayed but in the works.<ref name="MillerOMB19">{{cite web |url=https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/ |title=OMB’s regulatory review is creating a backlog of cyber standards |author=Miller, J. |work=Federal News Network - Reporter's Notebook |publisher=Hubbard Radio Washington DC, LLC |date=03 September 2019 |accessdate=19 December 2019}}</ref> The cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."<ref name=NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final |title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=22 January 2015 |accessdate=19 December 2019}}</ref>  


The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classifications, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals. The controls are also split out into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family "Access control" has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements or functionality to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.
The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classifications, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals. The controls are also split out into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family ''Access control'' has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.
 
You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some forethought, NIST also developed [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'', which is a somewhat simplified version of 800-53 with mappings to both NIST SP 800-53 and the ISO/IEC 27001:2013 controls.
 
This guide leans heavily on SP 800-53 despite its complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.


===NIST Cybersecurity Framework===
===NIST Cybersecurity Framework===

Revision as of 21:48, 19 December 2019

1. What is a cybersecurity plan and why do you need it?

Incidents Reported by Federal Agencies in Fiscal Years 2006-2012 (15400517077).jpg

From law firms[1] to automotive manufacturers[2], the need to address cybersecurity is increasingly apparent. In 2018, the Center for Strategic & International Studies estimated that cybercrime causes close to $600 billion in damages to the global economy every year[3], though due to underreporting of crimes, that number may be much higher. That number also likely doesn't take into account lost business, fines, litigation, and intangible losses[4] In the end, businesses of all sizes average to about $200,000 in losses due to a cybersecurity incident[5], and nearly 60 percent of small and midsized businesses go bankrupt within six months because of it.[6]

It's not just large corporations at risk; small businesses of all types are also subject to cyber crimes, and they aren't doing enough to protect themselves. Juniper Research reports that despite small businesses making up over 99 percent of all companies, approximately 13 percent of overall cybersecurity spending came from those small businesses in 2018, amounting to about $500 per business.[7]

Even the tiniest of businesses face cybersecurity risks today. The independent contractor with a WordPress-based website advertising their knowledge and skills must still ensure all website plugins and themes are updated and install security plugins to close potential vulnerabilities in the software. Without these precautions, hackers could spread malware, steal user data, add the website to a bot network, or hack it just for fun and learning.[8][9][10]

As for larger companies, a late 2018 audit of Fortune 500 companies found a mix of good and bad news: they're doing better at reducing the number of entry points for hackers to enter their systems, yet susceptibility to fraudulent email remains a major concern.[11]Additionally, Fortune 500 companies are still lagging behind in public transparency of showing a commitment to cybersecurity and protecting customer data.[12] More broadly, roughly 60 to 70 percent of all companies are still ill-prepared for cyber threats, either not having an up-to-date cybersecurity strategy or having no plan at all.[6][10] By all appearances, businesses still aren't doing enough to protect themselves and their customer's data despite the fact that cybercrime appears to only be getting worse for everyone.

The most solid first steps any organization or individual can take to limit the potential effects of cybercrime is to learn more about the threat and to develop a cybersecurity strategy. For most organizations, this means developing a cybersecurity plan.

A cybersecurity plan is a developed, distributed, reviewed, updated, and protected collection of assessments, analyses, requirements, controls, goals, policies, performance indicators, and metrics that shapes how an organization protects against and responds to cybersecurity threats. Developing a cybersecurity plan is not a simple process; it requires expertise, resources, and diligence. Even a simple plan may involve several months of development, more depending on the complexity involved. The time it takes to develop the plan may also be impacted by how much executive support is provided, the size of the development team (bigger is not always better), and how available required resources are.[13]

This guide attempts to assist organizations and individuals with overcoming the involved complexities of cybersecurity plan development and preventing becoming another cybersecurity statistic. It addresses the major regulations, standards, and standards frameworks related to cybersecurity, with a focus in particular on the National Institute of Standards and Technology's (NIST) Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Also addressed is how to best incorporate a cybersecurity framework and controls into your plan development. At it's heart, this guide includes a comprehensive 10-step plan of attack for developing a cybersecurity plan, followed by closing comments. At the end of this guide, we include an appendix containing a slightly more simplified wording of NIST's most popular cybersecurity controls, as well as mappings to this wiki's own LIMSpec, an evolving set of specifications for laboratory informatics solutions and their development.

Note that this guide has been written with the intent to broadly cover multiple industries. However, it does have a slight lean towards laboratories, particularly those implementing information systems. Despite that, there should be sufficient information contained herein to be helpful to most people attempting to navigate the challenges of consistently applying cybersecurity goals and policies to their organization.

2. What are the major regulations and standards dictating cybersecurity action?

To be fair, the question of which regulations and standards affect how an organization implements cybersecurity is a most difficult one to answer. Not only do related regulations and standards vary by industry, they also vary by geography, complexity, and ease of implementation. Let's turn to the relatively dramatic example of data retention. Consider this statement:

The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.

Through recent updates to LIMSpec, we've found the following national and international regulations, standards, and guidance (Table 1) that tie into data retention and the protection of that retained data (and that list will certainly continue to grow):

Table 1. Regulations, standards, and guidance affecting data retention and the security of retained data

7 CFR Part 331.17 (c)
9 CFR Part 121.17 (c)
21 CFR Part 11.10 (c)
21 CFR Part 58.195
21 CFR Part 211.180
21 CFR Part 212.110 (c)
21 CFR Part 225.42 (b-8)
21 CFR Part 225.58 (c–d)
21 CFR Part 225.102
21 CFR Part 225.110
21 CFR Part 225.158
21 CFR Part 225.202
21 CFR Part 226.42 (a)
21 CFR Part 226.58 (f)
21 CFR Part 226.102
21 CFR Part 226.115
21 CFR Part 312.57
21 CFR Part 312.62
21 CFR Part 606.160 (d)
21 CFR Part 812.140 (d)
21 CFR Part 820.180 (b)
29 CFR Part 1910.1030 (h-2)
40 CFR Part 141.33
40 CFR Part 141.722
40 CFR Part 704 Subpart A
40 CFR Part 717.15 (d)
42 CFR Part 73.17 (c)
42 CFR Part 493.1105
42 CFR Part 493.1283
45 CFR Part 164.105
45 CFR Part 164.316
45 CFR Part 164.530

AAFCO QA/QC Guidelines for Feed Laboratories Sec. 2.4.4 or 3.1
AAVLD Requirements for an AVMDL Sec. 4.10.1.2
AAVLD Requirements for an AVMDL Sec. 4.10.2.1
AAVLD Requirements for an AVMDL Sec. 5.4.3.2
ABFT Accreditation Manual Sec. E-33
AIHA-LAP Policies 2018 2A.7.5.1
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 4.14.1.2 and 4.15.1.2
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.9.3.6 and 5.9.7
ASTM E1578-18 E-17-4
CJIS Security Policy 5.3.4
CJIS Security Policy 5.4.6–7
CJIS Security Policy 5.5.2.1
E.U. Annex 11-7.1
E.U. Commission Directive 2003/94/EC Article 9.1
E.U. Commission Directive 2003/94/EC Article 11.4
EPA 815-R-05-004 Chap. III, Sec. 15
EPA 815-R-05-004 Chap. IV, Sec. 8
EPA ERLN Laboratory Requirements 4.9.18
EPA ERLN Laboratory Requirements 4.11.17
EPA QA/G-5 2.1.9
ISO 15189:2012 4.3
ISO/IEC 17025:2017 8.4.2
NIST 800-53, Rev. 4, AT-4
NIST 800-53, Rev. 4, AU-11 and AU-11(1)
NIST 800-53, Rev. 4, SI-12
OECD GLP Principles 10
USDA Administrative Procedures for the PDP 5.4
USDA Sampling Procedures for PDP 6.5
WHO Technical Report Series, #986, Annex 2, 15.8–9

This example illustrates the complexity of making a complete and accurate list of regulations, standards, guidance, and other bodies of work demanding data protection from organizations. And this represents only one security control among many. Other legislation that mandates cybersecurity action includes 23 NYCRR 500, Federal Information Systems Management Act (FISMA), General Data Protection Regulation (GDPR), Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), IC Directive 503, Personal Information Protection and Electronic Documents Act (PIPEDA), and Sarbanes Oxley Act.[14] Of standards not mentioned in Table 1, ANSI UL 2900-2-1 for networked medical devices, IEEE 1686-2013 for intelligent electronic devices, and ISO/IEC 27032:2012 for cybersecurity are also representative of efforts to improve cybersecurity in numerous industries.[15] Overall, however, it remains difficult to answer this question in full.

Regardless, we can confidently say a few things about the regulations and standards behind cybersecurity. First, the risks and consequences of poor security drive regulation and, more preferably[16][17], standardization, which in turn moves the "goalposts" of cybersecurity among organizations. In the case of regulations, organization that get caught not following them tend to suffer negative consequences, providing some incentive to improve organizational processes to conform to the regulations. But regulations can at times be "imprecise" or "disconnected"[17] from what actually occurs within the organization and its information systems. When adopted, cybersecurity standards may provide a clearer path of opportunity for organizations to improve their cybersecurity culture and outcomes, particularly since, at least in theory, the standards are developed with a broader consensus of interested individuals with expertise in the field.[16] In turn, the more organizations that adopt well-designed standards likely have a better chance of conforming to the regulations they must, and they'll likely have more interest in maintaining and improving the goalposts of cybersecurity.

That's not to say that compliance with regulations and standards alone can stop critical risks in their tracks[18]:

Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.

Second, modern cybersecurity frameworks and controls are typically harmonized with other standards and updated as business processes, technologies, cyber threats, and even regulations evolve. For example, the industry-specific Water Sector Cybersecurity Risk Management Guidance v3.0, which contains a set of cybersecurity controls as they relate to the water and wastewater sectors, is harmonized with the NIST Cybersecurity Framework.[19] And NIST's Special Publication 800-171, Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations has controls mapped to ISO/IEC 27001:2013 controls.[20] These and other signs point to some consolidation of thought on what constitutes relevant and necessary action towards preparing an organization to be more prepared for cyber threats and their potential consequences.

Third, when it comes to the question of what regulations are driving an organization to embrace cybersecurity, the general answer is "it's specific to each organization." While it's true that industries have their own regulations, and organizations in those industries often share the same set of challenges, additional factors such as regional requirements (e.g., the European Union General Data Protection Regulations [GDPR] and California Consumer Privacy Act [CCPA]) and even local requirements (e.g., privacy rules and guidelines, banning of specific technology in a city[21]) will affect how the organization must operate. This information gathering process is a unique aspect of organizational cybersecurity planning; in the end it's up to the organization to "identify all obligatory cybersecurity requirements and controls with which it must comply."[22] Armed with that information, the organization can integrate those identified requirements and controls with an existing baseline framework of broad and industry-specific cybersecurity controls, as well as any internal standards and control objectives specific to the organization and its policy requirements.[22]

2.1 Cybersecurity standards frameworks

What are cybersecurity standards? CGI, Inc. calls them "critical means by which the direction described in an enterprise’s cybersecurity strategy and policies are translated into actionable and measurable criteria." They contain a set of statements about what processes must be followed to achieve the security outcomes expected by the organization.[22] Sometimes those standards get placed within a framework, which adds additional policy, procedure, and process to the set of statements laid out in the standards. This resulting cybersecurity standards framework acts as a defined, collective approach to how the information system, data, and services are managed within the organization.

Some experts further differentiate between frameworks. Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, splits frameworks into three categories: control, program, and risk frameworks. Control frameworks provide a baseline set of controls for assessing technical capability, prioritizing implementation, and developing a cybersecurity plan. Program frameworks offer a more program-based approach, allowing organizations to broadly assess the current state of their cybersecurity program and further develop it. Risk frameworks "allow cybersecurity professionals to ensure they are managing their program in a way that is useful to stakeholders throughout the organization, and help determine how to prioritize security activities."[23] Data communications and security specialist Robert Slade does something similar using slightly different terminology. Checklist frameworks are the equivalent of Kim's control frameworks, governance frameworks appear to be Kim's program frameworks, and risk management frameworks represent Kim's risk frameworks. Slade adds a fourth category, however: audit and assurance.[24]

Numerous cybersecurity standards frameworks exist, some based in specific countries, others based on specific industries. According to at least one authority, the top four cybersecurity standards frameworks being leveraged by organizations are the Payment Card Industry Data Security Standards (PCI DSS), ISO/IEC 27001:2013, Center for Internet Security (CIS) Controls, and the NIST Cybersecurity Framework.[25] These and a selection of additional cybersecurity standards frameworks and standards are shown in Table 2:

Table 2. Examples of cybersecurity standards frameworks and standards
Name Developer Framework type Industry
ANSI/ISA 62443 Standards[26] ISA Control and Program Industrial automation and control systems
Baseline Cyber Security Controls for Small and Medium Organizations[27] Canadian Centre for Cyber Security Control Industry-neutral; small and medium organizations
Center for Internet Security (CIS) Controls[28] Center for Internet Security Control Industry-neutral
Cloud Controls Matrix[29] Cloud Security Alliance Control Cloud services and implementation
Code Quality Standards[30] Consortium for Information & Software Quality Control Software development
Control Objectives for Information and Related Technologies (COBIT)[31] Information Systems Audit and Control Association Program Industry-neutral
Critical Infrastructure Protection (CIP) Standards[32] North American Electric Reliability Corporation Control Utilities
Cybersecurity Assessment Tool[33] Federal Financial Institutions Examination Council Control Financial services
Essential Cybersecurity Controls (ECC - 1: 2018)[34] National Cybersecurity Authority of Saudi Arabia Control Industry-neutral
ETSI TR 103 305 V1.1.1[35] European Telecommunications Standards Institute Control Telecommunications
Federal Information Processing Standards (FIPS)[36] National Institute of Standards and Technology Control Industry-neutral
HISO 10029:2015 Health Information Security Framework[37] New Zealand Ministry of Health Control Healthcare
HITRUST CSF[38] HITRUST Alliance Risk Industry-neutral
ISO/IEC 15408-1:2009[39] International Organization for Standardization Program Industry-neutral
ISO/IEC 27001:2013[40] International Organization for Standardization Program Industry-neutral
NIST Cybersecurity Framework[41] National Institute of Standards and Technology Program Industry-neutral
NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations[42] National Institute of Standards and Technology Control Industry-neutral; U.S. federal information systems and organizations
NIST SP 800-171, Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations[20] National Institute of Standards and Technology Control Industry-neutral; U.S. non-federal information systems and organizations
OCTAVE Allegro[43] Software Engineering Institute Risk Industry-Neutral
Payment Card Industry Data Security Standards (PCI DSS) V3.2.1[44] PCI Security Standards Council, LLC Control "All entities involved in payment card processing"
Protective Security Requirements[45] New Zealand Security Intelligence Service Program Industry-neutral
Secure Controls Framework[46] Secure Controls Framework Council, LLC Control Industry-neutral
Sherwood Applied Business Security Architecture (SABSA)[47] The SABSA Institute C.I.C. Program and Risk Enterprise-level business
Standard of Good Practice for Information Security 2018[48] Information Security Forum Ltd. Control Industry-neutral
System and Organization Controls for Cybersecurity (SOC-C)[49] Association of International Certified Professional Accountants Control Industry-neutral
Water Sector Cybersecurity Risk Management Guidance v3.0[19] American Water Works Association Risk Water and wastewater

Choosing the appropriate frameworks requires consideration and research. For the purposes of this guide, NIST SP 800-53, Rev. 4 and, to a lesser degree, the NIST Cybersecurity Framework receive the most focus. That is not meant to dissuade organizations from using other frameworks. For example, the PCI DSS is heavily geared to the financial services industry and is industry-appropriate for those working with credit card transactions. However, additional controls from other frameworks may also be of use. In fact, more than 40 percent of organizations work with more than one set of cybersecurity controls when developing their cybersecurity plan.[25] NIST SP 800-53, Rev. 4 and the NIST Cybersecurity Framework are particularly appealing though, having been developed with thousands of stakeholders giving feedback, and in such a way that the controls remain "intuitive and accessible to a wide range of practitioners."[50][51]

3. Fitting a cybersecurity framework into a cybersecurity plan

4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework

Originally released in 2005, NIST's Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations has since gone through four revisions, with a fifth delayed but in the works.[52] The cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."[42]

The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classifications, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals. The controls are also split out into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family Access control has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.

You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some forethought, NIST also developed NIST Special Publication 800-171, Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which is a somewhat simplified version of 800-53 with mappings to both NIST SP 800-53 and the ISO/IEC 27001:2013 controls.

This guide leans heavily on SP 800-53 despite its complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. Executive Order 13636: Improving Critical Infrastructure Cybersecurity.[53] Building off the frameworks of NIST Special Publication 800-53, Revision 4; COBIT 5; and the ISO 27000 series of standards, the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.[54][55]

Version 1.0 of the framework was introduced in 2014, and by 2016[56]:

  • Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
  • Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
  • Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.

However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity, to more long-term and continual conformance and improvement.[56][57][58] Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.[59] Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it's developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,"[60] the framework is likely to be further embraced in some form worldwide.

It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.[55] At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.[55]

5. Develop and create the cybersecurity plan

https://www.limswiki.org/index.php/User:Shawndouglas/sandbox/sublevel28

6. Closing remarks

Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec

https://www.limswiki.org/index.php/User:Shawndouglas/sandbox/sublevel30

References

  1. Sobowale, J. (1 March 2017). "Law firms must manage cybersecurity risks". ABA Journal. American Bar Association. http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/. Retrieved 14 December 2019. 
  2. Watney, C.; Draffin, C. (November 2017). "Addressing new challenges in automotive cybersecurity" (PDF). R Street Policy Study No. 118. R Street Institute. https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf. Retrieved 14 December 2019. 
  3. Lewis, J.A. (21 February 2018). "Economic Impact of Cybercrime". Center for Strategic & International Studies. https://www.csis.org/analysis/economic-impact-cybercrime. Retrieved 14 December 2019. 
  4. "BLOG: Cost of Cyber Crime to Small Businesses". Virginia SBDC Blog. Virginia SBDC. 30 May 2017. https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/. Retrieved 14 December 2019. 
  5. "Hiscox Cyber Readiness Report 2019" (PDF). Hiscox Ltd. April 2019. https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf. Retrieved 14 December 2019. 
  6. 6.0 6.1 Galvin, J. (7 May 2018). "60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself". Inc.com. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html. Retrieved 14 December 2019. 
  7. "Cybersecurity Breaches to Result in over 146 Billion Records Being Stolen by 2023". Juniper Research. 8 August 2018. https://www.juniperresearch.com/press/press-releases/cybersecurity-breaches-to-result-in-over-146-bn. Retrieved 14 December 2019. 
  8. Grima, M. (14 November 2019). "Top reasons why WordPress websites get hacked (and how you can stop it)". WP White Security. https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/. Retrieved 14 December 2019. 
  9. Moen, D. (19 April 2016). "What Hackers Do With Compromised WordPress Sites". Wordfence Blog. Defiant, Inc. https://www.wordfence.com/blog/2016/04/hackers-compromised-wordpress-sites/. Retrieved 14 December 2019. 
  10. 10.0 10.1 Talaleve, A. (May 2019). "Website Hacking Statistics (Updated 2019)". WebARX. https://www.webarxsecurity.com/website-hacking-statistics-2018-february/. Retrieved 14 December 2019. 
  11. Uchill, J. (11 December 2018). "Fortune 500 cybersecurity is better and worse than you'd think". Axios. https://www.axios.com/fortune-500-cybersecurity-email-security-8cb4a3ee-0aa4-42b4-8ab4-da722d756379.html. Retrieved 14 December 2019. 
  12. Stahie, S. (4 October 2019). "Fortune 500 Companies Take Cyber Security for Granted". Security Boulevard. https://securityboulevard.com/2019/10/fortune-500-companies-take-cyber-security-for-granted/. Retrieved 14 December 2019. 
  13. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 29 November 2019. 
  14. Aulakh, M. (25 February 2019). "CISOS Ultimate Guide for Top 30 Security Control Frameworks - 2019". Ignyte Assurance Platform. Mafazo LLC. https://ignyteplatform.com/top-30-security-frameworks-2019/. Retrieved 19 December 2019. 
  15. Cleaveland, P. (24 September 2018). "10 key private-sector cybersecurity standards". Enterprise IOT Insights - Fundamentals. Arden Media Company, LLC. https://enterpriseiotinsights.com/20180924/fundamentals/10-key-private-sector-cybersecurity-standards. Retrieved 19 December 2019. 
  16. 16.0 16.1 Ciocoui, C.N.; Dobrea, R.C. (2010). "Chapter 1. The Role of Standardization in Improving the Effectiveness of Integrated Risk Management". In Nota, G.. Advances in Risk Management. IntechOpen. doi:10.5772/9893. ISBN 9789535159469. 
  17. 17.0 17.1 "Data Standardization: A Call to Action" (PDF). JPMorgan Chase & Co. May 2018. https://www.jpmorganchase.com/corporate/news/document/call-to-action.pdf. Retrieved 14 December 2019. 
  18. Kaplan, R.S.; Mikes, A. (June 2012). "Managing Risks: A New Framework". Harvard Business Review. https://hbr.org/2012/06/managing-risks-a-new-framework. Retrieved 14 December 2019. 
  19. 19.0 19.1 West Yost Associates (4 September 2019). "Water Sector Cybersecurity Risk Management Guidance". American Water Works Association. https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance. Retrieved 14 December 2019. 
  20. 20.0 20.1 "NIST SP 800-171, Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 7 June 2018. https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final. Retrieved 13 December 2019. 
  21. Waddell, K. (29 June 2019). "Cities are writing privacy policies". Axios. https://www.axios.com/cities-data-privacy-laws-fa0be8cb-234f-4237-b670-10ad042a772e.html. Retrieved 15 December 2019. 
  22. 22.0 22.1 22.2 "Understanding Cybersecurity Standards" (PDF). CGI, Inc. April 2019. https://www.cgi.com/sites/default/files/2019-08/cgi-understanding-cybersecurity-standards-white-paper.pdf. Retrieved 15 December 2019. 
  23. Rayome, A.D. (7 March 2019). "How to choose the right cybersecurity framework". TechRepublic. CBS Interactive. https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/. Retrieved 15 December 2019. 
  24. Slade, R.M. (2011). "Security Frameworks" (PDF). Illinois Institute of Technology. http://itm.iit.edu/netsecure11/RobertSlade_SecFrameworks.pdf. Retrieved 15 December 2019. 
  25. 25.0 25.1 Watson, M. (17 January 2019). "Top 4 cybersecurity frameworks". IT Governance USA Blog. GRC International Group plc. https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks. Retrieved 14 December 2019. 
  26. "The 62443 series of standards" (PDF). ISA. December 2016. https://cdn2.hubspot.net/hubfs/3415072/Resources/The%2062443%20Series%20of%20Standards.pdf. Retrieved 15 December 2019. 
  27. "Baseline Cyber Security Controls for Small and Medium Organizations". Canadian Centre for Cyber Security. 20 November 2019. https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations. Retrieved 13 December 2019. 
  28. "The 20 CIS Controls & Resources". CIS Controls. 2019. https://www.cisecurity.org/controls/cis-controls-list/. Retrieved 13 December 2019. 
  29. "Cloud Controls Matrix (CCM)". Cloud Security Alliance. https://cloudsecurityalliance.org/research/cloud-controls-matrix/. Retrieved 19 December 2019. 
  30. "Code Quality Standards". Consortium for Information & Software Quality. 2019. https://www.it-cisq.org/standards/code-quality-standards/index.htm. Retrieved 15 December 2019. 
  31. "COBIT 4.1: Framework for IT Governance and Control". Information Systems Audit and Control Association. 2019. http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx. Retrieved 13 December 2019. 
  32. "CIP Standards". North American Electric Reliability Corporation. 2017. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx. Retrieved 15 December 2019. 
  33. "Cybersecurity Assessment Tool". Federal Financial Institutions Examination Council. May 2017. https://www.ffiec.gov/cyberassessmenttool.htm. Retrieved 19 December 2019. 
  34. "Essential Cybersecurity Controls (ECC - 1: 2018)" (PDF). National Cybersecurity Authority of Saudi Arabia. 2018. https://itig-iraq.iq/wp-content/uploads/2019/08/Essential-Cybersecurity-Controls-2018.pdf. Retrieved 13 December 2019. 
  35. "Critical Security Controls for Effective Cyber Defence" (PDF). European Telecommunications Standards Institute. May 2015. https://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf. Retrieved 15 December 2019. 
  36. "Compliance FAQs: Federal Information Processing Standards (FIPS)". Standards.gov. National Institute of Standards and Technology. 15 November 2019. https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips. Retrieved 15 December 2019. 
  37. "HISO 10029:2015 Health Information Security Framework". New Zealand Ministry of Health. 21 June 2019. https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework. Retrieved 15 December 2019. 
  38. "HITRUST CSF". HITRUST Alliance. 2019. https://hitrustalliance.net/hitrust-csf/. Retrieved 15 December 2019. 
  39. "ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model". International Organization for Standardization. January 2014. https://www.iso.org/standard/50341.html. Retrieved 15 December 2019. 
  40. "ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements". International Organization for Standardization. 3 June 2019. https://www.iso.org/standard/54534.html. Retrieved 13 December 2019. 
  41. "Cybersecurity Framework". Cybersecurity Framework. National Institute of Standards and Technology. 2019. https://www.nist.gov/cyberframework. Retrieved 19 December 2019. 
  42. 42.0 42.1 "NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 22 January 2015. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final. Retrieved 13 December 2019.  Cite error: Invalid <ref> tag; name "NISTSP800-53_18"" defined multiple times with different content
  43. Caralli, R.A.; Stevens, J.F.; Young, L.R. et al. (2007). "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process". Software Engineering Institute. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419. Retrieved 15 December 2019. 
  44. "Payment Card Industry Data Security Standard - Requirements and Security Assessment Procedures". PCI Security Standards Council, LLC. May 2018. https://www.pcisecuritystandards.org/document_library. Retrieved 13 December 2019. 
  45. "Protective Security Requirements". New Zealand Security Intelligence Service. August 2019. https://www.protectivesecurity.govt.nz/. Retrieved 15 December 2019. 
  46. "Secure Controls Framework (SCF)". Secure Controls Framework Council, LLC. 2019. https://www.securecontrolsframework.com/secure-controls-framework. Retrieved 19 December 2019. 
  47. "SABSA Executive Summary". The SABSA Institute C.I.C. 2018. https://sabsa.org/sabsa-executive-summary/. Retrieved 19 December 2019. 
  48. "The ISF Standard of Good Practice for Information Security 2018". Information Security Forum Ltd. 2018. https://www.securityforum.org/tool/the-isf-standard-good-practice-information-security-2018/. Retrieved 15 December 2019. 
  49. "SOC for Cybersecurity". Association of International Certified Professional Accountants. 2019. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative.html. Retrieved 13 December 2019. 
  50. "NIST Marks Fifth Anniversary of Popular Cybersecurity Framework". National Institute of Standards and Technology. 12 February 2019. https://www.nist.gov/news-events/news/2019/02/nist-marks-fifth-anniversary-popular-cybersecurity-framework. Retrieved 14 December 2019. 
  51. Perry, J. (16 April 2019). "Explaining the Breakout Success of the NIST Cybersecurity Framework". Infosecurity Magazine. Reed Exhibitions Limited. https://www.infosecurity-magazine.com/opinions/breakout-nist-cybersecurity-1-1/. Retrieved 14 December 2019. 
  52. Miller, J. (3 September 2019). "OMB’s regulatory review is creating a backlog of cyber standards". Federal News Network - Reporter's Notebook. Hubbard Radio Washington DC, LLC. https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/. Retrieved 19 December 2019. 
  53. "Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience". U.S. Deapartment of Homeland Security. March 2013. https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet. Retrieved 19 December 2019. 
  54. Chang-Gu, A. (2 March 2015). "NIST Cybersecurity Framework vs. NIST Special Publication 800-53". Praetorian Security Blog. Praetorian Security, Inc. https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53. Retrieved 19 December 2019. 
  55. 55.0 55.1 55.2 Morgan, J. (4 April 2018). "How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett". Security. BNP Media. https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework. Retrieved 19 December 2019. 
  56. 56.0 56.1 Dark Reading Staff (30 March 2016). "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Dark Reading - Attacks/Breaches. Informa PLC Informa UK Limited. https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901. Retrieved 19 December 2019. 
  57. BizTech Staff (20 December 2017). "Why a Risk-Based Approach Leads to Effective Cybersecurity". BizTech. CDW LLC. https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity. Retrieved 19 December 2019. 
  58. Daniel, M. (25 January 2018). "Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds". Cyber Threat Alliance Blog. https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/. Retrieved 19 December 2019. 
  59. "NIST Releases Version 1.1 of its Popular Cybersecurity Framework". National Institute of Standards and Technology. 16 April 2018. https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework. Retrieved 19 December 2019. 
  60. "New to Framework". Cybersecurity Framework. National Institute of Standards and Technology. 18 November 2019. https://www.nist.gov/cyberframework/new-framework. Retrieved 19 December 2019. 
Retrieved from "https://www.limswiki.org/index.php?title=User:Shawndouglas/sandbox/sublevel24&oldid=37195"