Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
(Blanked the page)
====SI-1 System and information integrity policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update system and information integrity policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and information integrity action but also to address how those policies and procedures will be implemented, reviewed, and updated.


'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 70
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]
====SI-2 Flaw remediation====
This control recommends the organization identify, report, and correct flaws in the information system. When attempting to correct a flaw with a software or firmware update, the organization should first test the effectiveness and potential side effects of the update before installing it on the operational system. The organization should agree to remediate flaws within an organization-defined time period after the release of the update, and incorporate flaw remediation into the organization's existing configuration management processes and procedures.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final NIST Special Publications 800-40, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.7] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration 34.15]
====SI-2 (5) Flaw remediation: Automatic software and firmware updates====
This control enhancement recommends the organization selectively employ automatic mechanisms for the installation of specified security-relevant software and firmware updates to specified system components (or across the entire system).
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.10]
====SI-3 Malicious code protection====
This control recommends the organization employ, configure, and regularly update malicious code protection mechanisms at information system entry and exit points. The configuration of these mechanisms should allow for periodic scans of the system at a defined frequency, as well as real-time scans of external files, and should also block malicious code, quarantine it, and/or send alerts to an administrator or specific organizational role. The mechanisms should also allow the organization to manage false positives and their potential impact on the system.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final NIST Special Publications 800-83, Rev. 1]
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
====SI-4 Information system monitoring====
This control recommends the organization employ various forms of monitoring on the system in order to detect attacks; unauthorized local, network, and remote connections; and unauthorized processes, whether actual or indicated. The forms of monitoring used should be deployed strategically within the system and at ''ad hoc'' locations, and those forms of monitoring should be vetted with legal opinion in regard to their adherence to laws and regulations. The organization should protect information gained from monitoring the system and heighten the level of monitoring when indications exist of increased risk to the system. Finally, the organization should disseminate monitoring information to designated personnel or roles as needed or at a defined frequency.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final NIST Special Publications 800-61, Rev. 2]
* [https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final NIST Special Publications 800-83, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-92/final NIST Special Publications 800-92]
* [https://csrc.nist.gov/publications/detail/sp/800-94/final NIST Special Publications 800-94]
* [https://csrc.nist.gov/publications/detail/sp/800-137/final NIST Special Publications 800-137]
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#16._Investigation_management LIMSpec 16.7] and [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity 31.8]
====SI-4 (5) Information system monitoring: System-generated alerts====
This control enhancement recommends the system send alerts to designated personnel or roles when any of a list of organization-defined indications of compromise or potential compromise occur.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.8]
====SI-4 (7) Information system monitoring: Automated response to suspicious alerts====
This control enhancement recommends the system send alerts to designated personnel or roles when a suspicious event is detected and then take the least-disruptive action from a list of organization-defined actions in order to terminate the suspicious event.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Technology_and_Performance_Improvements#30._Artificial_intelligence_and_smart_systems LIMSpec 30.8]
====SI-5 Security alerts, advisories, and directives====
This control recommends the organization choose a source for information system security alerts, advisories, and directives and receive regular updates from the source. Additionally, the organization should generate its own internal security alerts, advisories, and directives when necessary. In all cases, this received and generated information should be disseminated to defined personnel, roles, groups, external organizations, etc. Of course, the organization should also act upon the information received, implementing a fix within an established time frame and notifying a designated individual or role of any degree of noncompliance.
'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final NIST Special Publications 800-40, Rev. 3]
* No LIMSpec comp (organizational policy rather than system specification)
====SI-12 Information handling and retention====
This control recommends the organization manage and retain information stored and transmitted within the system according to law, regulation, standards, and operational requirements.
'''Additional resources''':
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#31._Data_integrity LIMSpec 31.2, 31.3, and 31.4]
====SI-16 Memory protection====
This control recommends the organization choose and employ hardware- or software-enforced security safeguards in the system that protect its memory from unauthorized code execution. Safeguards might include methods such as data execution prevention and address space layout randomization.
'''Additional resources''':
* No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
==Citation information for this chapter==
'''Chapter''': Appendix 1. A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec
'''Title''': ''Comprehensive Guide to Developing and Implementing a Cybersecurity Plan''
'''Edition''': First
'''Author for citation''': Shawn E. Douglas
'''License for content''': [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International]
'''Publication date''': July 2020

Revision as of 21:11, 16 February 2022