NIST Cybersecurity Framework Based Written Information Security Program (WISP)

Size: px

Start display at page:

Download "NIST Cybersecurity Framework Based Written Information Security Program (WISP)"

Solomon Wade
5 years ago
Views:

1 Cybersecurity Governance (GOV) Title A.622 GOV 1 Publishing Cybersecurity Policies & s ID.GV A.622(2)(d) GOV 2 Periodic Review & Update of Cybersecurity Documentation ID.GV 1 66A.622(2)(d) GOV 3 Assigned Cybersecurity Responsibilities ID.AM A.622(2)(d) GOV Measures of Performance PR.IP Asset (AST) AST 1 Asset Governance ID.AM 1 ID.AM 2 ID.AM AST 2 Asset Inventories ID.AM 1 ID.AM 2 ID.AM AST 3 Assigning Ownership of Assets ID.AM 1 ID.AM 2 ID.AM AST Network Diagrams ID.AM 3 AST 5 Secure Disposal or Re Use of Equipment PR.DS 3 AST 6 Removal of Assets PR.DS 3 AST 7 Security of Assets Off Premises PR.DS 1 PR.DS 3 BCP 1 Contingency Plan RC.RP 1 Business Continuity & Disaster Recovery (BCP) Capacity & Performance Planning (CAP) Change (CHG) Compliance (CPL) Configuration (CFG) Cotinuous Monitoring (MON) BCP 2 Contingency Training RC.RP 1 BCP 3 Contingency Plan Testing & Exercises RC.RP 1 BCP Contingency Plan Root Cause Analysis (RCA) & Lessons Learned RC.IM 1 BCP 5 Contingency Plan Update RC.IM 2 BCP 6 Information System Recovery & Reconstitution PR.IP CAP 1 Capacity PR.DS CAP 2 Resourcce Priority PR.DS CHG 1 Configuration Change Control PR.IP 3 CHG 2 Security Impact Analysis for Changes PR.IP 3 CHG 3 Security Functionality Verification PR.IP 3 CPL 1 Statutory, Regulatory & Contractual Compliance ID.GV 3 PR.IP 5 CPL 2 Security Controls Oversight DE.DP 5 PR.IP 7 66A.622(2)(d) CPL 3 Security Assessments PR.IP 8 66A.622(2)(d) CFG 1 System Hardening Through Baseline Configurations PR.IP 3 CFG 2 Least Functionality PR.IP CFG 3 Software Usage Restrictions PR.IP 3 MON 1 Continuous Monitoring DE.CM 1 DE.DP 1 DE.DP 2 DE.DP 3 10 DE.DP DE.DP 5 PR.PT 1 MON 2 Centralized Event Log Collection DE.CM 1 DE.DP 2 DE.DP 3 DE.DP DE.DP 5 PR.PT 1 MON 3 Content of Audit Records DE.CM 1 PR.PT 1 MON Monitoring Reporting DE.DP MON 5 Time Stamps DE.DP 2 1 of 6

2 Cryptographic Protections (CRY) MON 6 Anomalous Behavior Title DE.AE 1 DE.CM MON 7 Third Party Threats DE.CM 3 MON 8 Privileged Users DE.CM 6 MON 9 Unauthorized Activities DE.CM 7 CRY 1 Use of Cryptographic Protections PR.DS 1 PR.DS 2 PR.DS CRY 2 Transmission Confidentiality PR.DS CRY 3 Transmission Integrity PR.DS CRY Encrypting Data At Rest PR.DS A.622 DCH 1 Data Protection PR.DS 1 PR.DS 2 PR.DS 3 66A.622(2)(d) DCH 2 Data & Asset Classification ID.AM 5 DCH 3 Media Transportation PR.DS 3 DCH Media Sanitization & Disposal PR.IP A.622(2)(d) Data Classification & Handling (DCH) DCH 5 System Output Handling & Data Retention PR.IP DCH 6 Removable Media Security PR.PT 2 DCH 7 Use of External Information Systems PR.PT 2 PR.PT 3 PR.PT DCH 8 Information Sharing PR.IP 8 PR.PT 2 DCH 9 Publicly Accessible Content ID.GV 3 ID.GV DCH 10 Geographic Location of Data ID.AM END 1 Workstation Security DE.CM END 2 Endpoint Protection Measures DE.CM END 3 Malicious Code Protection (Antimalware) DE.CM 13 3 Endpoint Security (END) END Automatic Antimalware Updates DE.CM 1 END 5 Antimalware Always On Protection DE.CM 15 END 6 File Integrity Monitoring (FIM) PR.DS 6 END 7 Software Firewall DE.CM END 8 Phishing & Spam Protection DE.CM END 9 Mobile Code DE.CM 5 HRS 1 Human Resources Security 1 Human Resources Security (HRS) HRS 2 Position Categorization 1 HRS 3 Users With Elevated Privileges 1 HRS Roles & Responsibilities 1 HRS 5 Personnel Screening 1 HRS 6 Terms of Employment 1 HRS 7 Rules of Behavior 1 HRS 8 Access Agreements 1 HRS 9 Personnel Sanctions 1 HRS 10 Personnel Transfer 1 HRS 11 Personel Termination 1 HRS 12 Third Party Personnel Security 1 2 of 6

3 Identification & Authentication (IAC) Incident Response Operations (IRO) IAC 1 IAC 2 IAC 3 IAC IAC 5 IAC 6 IAC 7 IAC 8 IAC 9 IAC 10 Identification & Authentication Multifactor Authentication (MFA) Title User Provisioning & De Provisioning Role Based Access Control (RBAC) Identifier (User Names) Authenticator (Passwords) Password Authentication Account Periodic Reviews Least Privilege IRO 1 Incident Response Operations PR.IP 9 IRO 2 IRO 3 IRO IRO 5 IRO 6 Incident Handling Incident Response Plan (IRP) Incident Response Training Incident Response Testing Integrated Incident Response Team DE.AE 2 DE.AE DE.AE 5 RS.AN 1 RS.AN RS.MI 1 RS.MI 2 RS.AN RC.CO 1 RC.CO 2 RC.CO 3 RS.CO 1 RS.CO IRO 7 Chain of Custody & Forensics RS.AN IRO 8 Incident Monitoring DE.AE A.622 IRO 9 Incident Reporting RS.CO 2 RS.CO 3 RS.CO IRO 10 Root Cause Analysis (RCA) & Lessons Learned RS.IM IRO 11 IRP Update RS.IM MNT 1 Maintenance Operations PR. 1 Maintenance Operations (MNT) MNT 2 Controlled Maintenance PR. 1 MNT 3 Timely Maintenance PR. 1 PR. 2 MNT Remote Maintenance PR. 2 NET 1 Layered Defenses PR.PT 11 3 of 6

4 Title A.622 NET 2 Boundary Protections 66A.622(2)(d) NET 3 Data Flow Enforcement (Access Control Lists) NET Information System Connections Network Security (NET) NET 5 Security Function Isolation 11 NET 6 Virtual Local Area Network (VLAN) Separation 11 NET 7 Guest Networks 11 NET 8 Network Disconnect NET 9 Network Intrusion Detection & Prevention Systems (NIDS/NIPS) 11 NET 10 Safeguarding Data Over Open Networks NET 11 Remote Access PR.AC 3 Physical & Environmental Security (PES) PES 1 Physical & Environmental Protections PR.IP 5 DE.CM 2 66A.622(2)(d) PES 2 Physical Access Control PR.AC 2 8 PES 3 Monitoring Physical Access DE.CM 2 PES Visitor Control DE.CM 2 DE.CM 2 PES 5 Information Leakage Due To Electromagnetic Signals Emanations PR.DS 5 9 PRM 1 Allocation of Resources ID.BE 3 Project & Resource (PRM) Risk (RSK) Secure Engineering & Architecture (SEA) PRM 2 Security Requirements Definition ID.BE 3 ID.BE ID.BE 5 PRM 3 Security In Project ID.BE 2 ID.BE 3 ID.BE ID.BE 5 PRM System Development Life Cycle (SDLC) PR.IP 2 RSK 1 RSK 2 RSK 3 RSK Risk Program (RMP) Risk Identification Risk Assessment Risk Ranking ID.GV ID.RM 1 ID.RM 2 ID.RA ID.RA ID.RA ID.RA A.622(2)(d) RSK 5 Risk Remediation A.622(2)(d) RSK 6 SEA 1 Business Impact Assessments (BIAs) Security Engineering Principles ID.RA PR.PT SEA 2 Secure Configurations SEA 3 Least Functionality PR.PT 3 66A.622(2)(d) SEA Fail Secure In Known State PR.PT 5 SEA 5 Clock Synchronization Operations Security OPS 1 Operations Security RS.CO 1 of 6

5 (OPS) Security Awareness & Training (SAT) Technology Development & Acquisition (TDA) Third Party (TPM) OPS 2 SAT 1 SAT 2 SAT 3 SAT TDA 1 TDA 2 TDA 3 TDA TDA 5 TDA 6 TDA 7 TDA 8 Title ized Operating Procedures (SOPs) Security Minded Workforce Security Awareness Security Training Security Training Records Technology Development & Acquisition Security Requirements Design & Implementation of Security Controls Functional Properties of Security Controls Secure Development Secure Development Environments Separation of Development, Testing and Operational Environments Security Testing Throughout Development RS.CO 1 PR.AT PR.AT PR.AT PR.AT A A.622(2)(d) 66A.622(2)(d) 66A.622(2)(d) 66A.622(2)(d) TPM 1 Third Party ID.SC TPM 2 Third Party Criticality Assessments ID.BE 1 ID.SC TPM 3 Supply Chain Protection ID.SC TPM Third Party Services ID.SC 1 ID.SC 2 ID.SC 3 ID.SC ID.SC TPM 5 Written Contract Requirements ID.SC TPM 6 Review of Third Party Services ID.SC TPM 7 Third Party Deficiency Remediation ID.SC TPM 8 Managing Changes To Third Party Services ID.SC TPM 9 Third Party Incident Response & Recovery Capabilities ID.SC Threat (THR) Vulnerability & Patch THR 1 Threat Awareness Program ID.BE 2 THR 2 Threat Intelligence Feeds ID.RA 2 VPM 1 VPM 2 VPM 3 Vulnerability & Patch Program (VPMP) Vulnerability Ranking Vulnerability Remediation ID.RA 1 2 ID.RA 1 2 ID.RA 1 2 RS.MI 3 5 of 6

6 Title A.622 (VPM) VPM Software Patching 2 RS.MI 3 VPM 5 Vulnerability Scanning DE.CM 8 VPM 6 Penetration Testing DE.CM VPM 7 Red Team Exercises DE.DP 3 WEB 1 Use of Demilitarized Zones (DMZs) WEB 2 Cloud Providers WEB 3 Cloud Security Architecture Web Security (WEB) WEB Security Subnet WEB 5 Multi Tenant Environments WEB 6 Geolocation Requirements WEB 7 Sensitive Data In Public Cloud Providers 6 of 6

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a) 1 Information Security Program Policy 1.2 Management Direction for Information Security 5.1 1.2.8 1.2.1.1 Publishing An Information Security Policy 5.1.1 500.03 1.1.0 2.1.0-2.2.3 3.1.0-3.1.2 4.1.0-4.2.4