Crosswalk: A USG IT Handbook Companion Guide

VERSION 2.0 9/30/2020

PUBLIC

Abstract: The purpose of this companion guideline is to complement the USG IT Handbook by providing a NIST Cybersecurity Framework (CSF) centered perspective with the corresponding standards and regulations cross-walked to the CSF.

REVISION & SIGN-OFF

Change Record

Date: 20200722 | Author: Alfred Barker | Version: 1.0 | Change Reference: Reviewed - Added NIST 800-171 - and - Updated PCI V3 to V3.2.1.
Date: 20200805 | Author: Alfred Barker | Version: 1.0 | Change Reference: Reviewed for Harmful Language.
Date: 20201003 | Author: Alfred Barker | Version: 2.0 | Change Reference: Reordered and minor editing to improve usage.

Document Properties

Document Title: Crosswalk: A USG IT Handbook Companion Guide
Document Type: Guideline (Internal Use Only)
Author: Alfred Barker
Document Manager: Alfred Barker
Creation Date: 20200224
Last Updated: 20200930
Document Classification: Public


TABLE OF CONTENTS

Crosswalk: A USG IT Handbook Companion Guide .... 1
Revision & Sign-off .... 2
Table of Contents .... 3
Introduction .... 9
USG IT Handbook Crosswalk to NIST Cybersecurity Framework (CSF)/Privacy Framework (PF) .... 10
  Section 1. Information Technology (IT) Governance .... 10
    1.4.3: Development and Acquisition Standards .... 10
    1.5: Resource Management .... 10
  Section 2. Project and Service Administration .... 10
    2.1.3 Service Support .... 10
  Section 3. Information Technology Management .... 10
    3.1.1: Information System User Account Management .... 10
    3.1.1.1 Information System User Account Management Procedures .... 11
    3.1.2: Managing Multifactor Authentication .... 11
    3.2: Log Management .... 11
    3.3.1: USG Continuity of Operations Planning Standard .... 11
    3.4.1: Network Services Standard .... 12
  Section 5. Cybersecurity .... 12
    5.0: Charter .... 12
    5.1: USG Cybersecurity Program .... 12
    5.1.3 Policy, Standards, Processes, and Procedure Management Requirements .... 12
    5.1.4: Appropriate Usage Policy (AUP) Guidelines .... 13
    5.2.1: Cybersecurity Organization .... 14
    5.2.2: Information Security Officer (ISO) .... 14
    5.3: Incident Management .... 14
    5.3.1 Cybersecurity Incident Response Plan Requirements .... 14
    5.3.2: Cybersecurity Incident Reporting Requirements .... 15
    5.3.3: Incident Follow-up Report .... 16
    5.3.4: Incidents Involving Personal Information .... 16
    5.3.5: USG Computer Security Incident Management Requirements .... 16
    5.3.6: USG Incident Response and Reporting Requirements .... 16
    5.4: USG Information Asset Management and Protection .... 16
    5.4.1: USG Information Asset Management Requirements .... 16
    5.4.2: USG Information Asset Protection Requirements .... 17
    5.5.1: USG Organizations Responsibilities .... 17
    5.5.2: Risk Assessment and Analysis .... 17
    5.5.3: USG Organizations Risk Management Programs .... 18
    5.5.4: USG Risk Management Requirements .... 18


    5.5.5: USG Cybersecurity Risk Management Process .... 18
    5.6: USG Information System Categorization .... 19
    5.6.1: Security Categories .... 19
    5.6.2: Requirements .... 19
    5.7: USG Classification of Information .... 19
    5.8: Endpoint Security .... 20
    5.8.1: Purpose .... 20
    5.8.2: Discovery and Inventory .... 20
    5.8.3: Anti-virus, Anti-malware, Anti-spyware Controls .... 20
    5.8.4: Operating System (OS) / Application Patch Management .... 20
    5.8.5 Maintenance .... 20
    5.9: Security Awareness, Training and Education .... 20
    5.9.1 Roles and Responsibilities .... 21
    5.9.2: Security Awareness, Training and Education Requirements .... 21
    5.10: Required Reporting .... 21
    5.10.1: Required Reporting Activities .... 21
    5.10.2: Cybersecurity Program Review .... 22
    5.11.2: Anti-virus, Anti-spam, and Anti-phishing Software .... 22
    5.11.3: Host-based Firewall or Host-based Intrusion Prevention Software .... 22
    5.11.4: Passwords .... 22
    5.11.5: Encrypted Authentication .... 22
    5.11.6: Physical Security .... 22
    5.11.7: Unnecessary Services .... 23
    5.11.8: Integrity and Segmentation .... 23
    5.12.1: User Access Controls .... 23
    5.12.2: USG Password Authentication Standard .... 23
    5.12.3: USG Password Security and Composition Requirement .... 23
    5.14: Information Protection Management .... 23
    5.14.5: Protecting Personal Information .... 24
    5.15: Email Use and Protection .... 24
  Section 6. Data Privacy .... 24
    6.1: USG Data Privacy Standard .... 24
  Section 8. Bring Your Own Device (BYOD) Standard .... 24
    8.3: Bring your own device (BYOD) Standard .... 25
NIST Cybersecurity Framework Crosswalk to References .... 26
  Identify (ID) .... 26
    Asset Management (ID.AM) .... 26
      Physical Inventory (ID.AM-1) .... 26
      Software Inventory (ID.AM-2) .... 26
      Data Flow Diagram (ID.AM-3) .... 26
      Systems Catalogue (ID.AM-4) .... 27
      Prioritize Resource (ID.AM-5) .... 27


      Role and Responsibility (ID.AM-6) .... 27
    Business Environment (ID.BE) .... 28
      Supply Chain Role (ID.BE-1) .... 28
      Critical Infrastructure (ID.BE-2) .... 28
      Mission, Objectives and Activities (ID.BE-3) .... 28
      Dependencies (ID.BE-4) .... 29
      Contingency Planning (ID.BE-5) .... 29
    Governance (ID.GV) .... 29
      Policy, Plans and Procedures (ID.GV-1) .... 29
      Roles and Responsibilities (ID.GV-2) .... 30
      Compliance Management (ID.GV-3) .... 30
      Risk Management Plan (ID.GV-4) .... 30
    Risk Assessment (ID.RA) .... 31
      Vulnerability Assessment (ID.RA-1) .... 31
      Information Sharing (ID.RA-2) .... 31
      Threat Assessment (ID.RA-3) .... 31
      Impact and Likelihood Assessment (ID.RA-4) .... 32
      Risk Assessment (ID.RA-5) .... 32
      Response Assessment (ID.RA-6) .... 32
    Risk Management Strategy (ID.RM) .... 33
      Risk Management Procedures (ID.RM-1) .... 33
      Risk Tolerance (ID.RM-2) .... 33
      Strategic Analysis (ID.RM-3) .... 33
  Protect (PR) .... 34
    Access Control (PR.AC) .... 34
      Identities and Credentials (PR.AC-1) .... 34
      Physical Access (PR.AC-2) .... 34
      Remote Access (PR.AC-3) .... 35
      Access Permissions (PR.AC-4) .... 35
      Segregation and Segmentation (PR.AC-5) .... 35
      Identity Proofing (PR.AC-6) .... 36
      User and Device Authentication (PR.AC-7) .... 36
    Awareness and Training (PR.AT) .... 36
      Awareness Training (PR.AT-1) .... 36
      Roles-Based Training - Privileged Users (PR.AT-2) .... 37
      Roles-Based Training - 3rd Party Stakeholders (PR.AT-3) .... 37
      Roles-Based Training - Senior Executives (PR.AT-4) .... 38
      Roles-Based Training - Cybersecurity (PR.AT-5) .... 38
    Data Security (PR.DS) .... 38
