User:Shawndouglas/sandbox/sublevel3
What follows is essentially a simplification of the NIST control descriptions found in NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. As mentioned earlier, while this framework of security and privacy controls is tailored to federal systems and organizations, most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are still worthy of consideration for non-federal systems and organizations. Also worth noting again is that if the NIST SP 800-53 controls and framework is too technical for your tastes, a simplified version was derived from 800-53 by NIST in the form of NIST Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In addition to making the controls and methodology a bit easier to understand, NIST includes a mapping table in Appendix D of 800-171 which maps its security requirements to both NIST SP 800-53 and ISO/IEC 27001. As such, you're able to not only see how it connects to the more advanced document but also to the International Organization for Standardization's international standard "for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization."[1] For an even broader, more simplified NIST approach to 800-53, you may rather want to turn to the NIST Cybersecurity Framework, which is suitable for those without a technical background.
The general format used in Appendix 1 is to first separate the control descriptions by their NIST family, then their control name. Then, a simplified description—with occasional outside references—is added, based on the original text. Finally, additional resources are included, where applicable. Those resources are typically based on references NIST used in making its framework, or additional resources that help you, the reader, gain additional context.
Finally, if you are implementing or have implemented information management software in your laboratory, you may also find links to LIMSpec in the additional resources. The LIMSpec has seen a handful of iterations over the years, but its primary goal remains the same: to provide software requirements specifications for the ever-evolving array of laboratory informatics systems being developed. We attempted to link NIST's security and privacy controls to specific software requirements specifications in LIMSpec. It should be noted that some 40+ NIST controls could not be directly linked to a software specification in LIMSpec. In almost every single case, those items reflect as organizational policy rather than an actual software specification. If a LIMSpec comparison was made, you'll find a link to the relevant section. If no LIMSpec comparison could be made, you'll see something like "No LIMSpec comp (organizational policy rather than system specification)."
In some cases the comparison may seem slightly confusing. For example, all NIST controls encouraging the establishment of policy and procedure are linked to LIMSpec 7.1 and 7.2. LIMSpec 7.1 states "the system shall be capable of creating, managing, and securely holding a variety of document types, while also allowing for the review and approval of those documents using version and release controls." To be clear, it's not that any particular software system itself conforms to the NIST controls specifying policies be created and managed. Rather, this particular software specification ensures that any software system built to meet the specification will provide the means for creating and managing policies and procedures, which in hand aids the organization in conforming to the NIST controls specifying policies be created and managed.
NOTE: Under "Additional resources," occasionally a guide, brochure, or blog post from a particular company will appear. That guide or brochure is added solely because it provides contextual information about the specific NIST control. The inclusion as a resource of such a guide, brochure, or blog post should not be considered an endorsement for the company that published it.
References
- ↑ "SO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements". International Organization for Standardization. 3 June 2019. https://www.iso.org/standard/54534.html. Retrieved 23 July 2020.
