
NIST Cybersecurity Framework Policy Template Guide



Transcription of NIST Cybersecurity Framework Policy Template Guide

Contents

Introduction 1
NIST Function: Identify 2
Identify: Asset Management ( ) 2
Identify: Risk Management Strategy ( ) 2
Identify: Supply Chain Risk Management ( ) 2
NIST Function: Protect 4
Protect: Identity Management and Access Control ( ) 4
Protect: Awareness and Training (PR.AT) 4
Protect: Data Security ( ) 4
Protect: Information Protection Processes and Procedures ( ) 5
Protect: Maintenance ( ) 6
Protect: Protective Technology ( ) 6
NIST Function: Detect 7
Detect: Anomalies and Events ( ) 7
Detect: Security Continuous Monitoring ( ) 7
Detect: Detection Processes ( ) 7
NIST Function: Respond 8
Respond: Response Planning ( ) 8
Respond: Communications ( ) 8
Respond: Analysis ( ) 9
Respond: Improvements ( ) 9
NIST Function: Recover 10
Recover: Recovery Planning ( ) 10
Recover: Improvements ( ) 10
Recover: Communications ( )

Introduction

The Multi-State Information Sharing & Analysis Center (MS-ISAC) is offering this Guide to participants of the Nationwide Cybersecurity Review (NCSR) and MS-ISAC members, as a resource to assist with the application and advancement of cybersecurity policies. The policy templates are provided courtesy of the State of New York and the State of California. The templates can be customized and used as an outline of an organizational policy, with additional details to be added by the end user.

The NCSR question set represents the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This Guide gives the correlation between 49 of the NIST CSF subcategories and the applicable policy and standard templates. A NIST subcategory is represented by text such as ( ); this represents the NIST function of Identify and the category of Asset Management.

For additional information on services provided by the Multi-State Information Sharing & Analysis Center (MS-ISAC), please refer to the following page:

These policy templates are also mapped to the resources MS-ISAC and CIS provide, open source resources, and free FedVTE training:

These policies may not reference the most recent applicable NIST revision; however, they may be used as a baseline template for end users. These policy templates are not to be used for profit or monetary gain by any

NIST FUNCTION: Identify

Identify: Asset Management ( )

Physical devices and systems within the organization are
Policy templates: Acceptable Use of Information Technology Resource Policy; Access Control Policy; Account Management/Access Control Standard; Identification and Authentication Policy; Information Security Policy; Security Assessment and Authorization Policy; Security Awareness and Training Policy

Software platforms and applications within the organization are
Policy templates: Acceptable Use of Information Technology Resource Policy; Access Control Policy; Account Management/Access Control Standard; Identification and Authentication Policy; Information Security Policy; Security Assessment and Authorization Policy; Security Awareness and Training Policy

External information systems are
Policy templates: System and Communications Protection Policy

Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value.
Policy templates: Information Classification Standard; Information Security Policy

ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
Policy templates: Acceptable Use of Information Technology Resource Policy; Information Security Policy; Security Awareness and Training Policy

Identify: Risk Management Strategy ( )

Risk management processes are established, managed, and agreed to by organizational
Policy templates: Information Security Policy; Information Security Risk Management Standard; Risk Assessment Policy

Identify: Supply Chain Risk Management ( )

Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment
Policy templates: Identification and Authentication Policy; Security Assessment and Authorization Policy; Systems and Services Acquisition Policy

Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual
Policy templates: Identification and Authentication Policy; Security Assessment and Authorization Policy; Systems and Services Acquisition Policy

Response and recovery planning and testing are conducted with suppliers and third-party
Policy templates: Computer Security Threat Response Policy; Cyber Incident Response Standard; Incident Response Policy; Systems and Services Acquisition Policy

NIST FUNCTION: Protect

Protect: Identity Management and Access Control ( )

Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and
Policy templates: Access Control Policy; Account Management/Access Control Standard; Authentication Tokens Standard; Configuration Management Policy; Identification and Authentication Policy; Sanitization Secure Disposal Standard; Secure Configuration Standard; Secure System Development Life Cycle Standard

Remote access is
Policy templates: Remote Access Standard

Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of
Policy templates: Access Control Policy; Account Management/Access Control Standard; Authentication Tokens Standard; Configuration Management Policy; Identification and Authentication Policy; Sanitization Secure Disposal Standard; Secure Configuration Standard; Secure System Development Life Cycle Standard

Network integrity is protected (e.g., network segregation, network segmentation).
Policy templates: Wireless Network Security Standard; Mobile Device Security; System and Information Integrity Policy

Protect: Awareness and Training (PR.AT)

PR.AT-1 All users are informed and
Policy templates: Acceptable Use of Information Technology Resources Policy; Information Security Policy; Personnel Security Policy; Physical and Environmental Protection Policy; Security Awareness and Training Policy

Protect: Data Security ( )

Data-at-rest is protected
Policy templates: Computer Security Threat Response Policy; Cyber Incident Response Standard; Encryption Standard; Incident Response Policy; Information Security Policy; Maintenance Policy; Media Protection Policy; Mobile Device Security; Patch Management Standard

Data-in-transit is
Policy templates: Computer Security Threat Response Policy; Cyber Incident Response Standard; Encryption Standard; Incident Response Policy; Information Security Policy; Maintenance Policy; Media Protection Policy; Mobile Device Security; Patch Management Standard

Assets are formally managed throughout removal, transfers, and
Policy templates: Access Control Policy; Account Management/Access Control Standard; Authentication Tokens Standard; Configuration Management Policy; Identification and Authentication Policy; Sanitization Secure Disposal Standard; Secure Configuration Standard; Secure System Development Life Cycle Standard

Integrity checking mechanisms are used to verify hardware
Policy templates: System and Information Integrity Policy

Protect: Information Protection Processes and Procedures ( )

A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality).
Policy templates: Access Control Policy; Account Management/Access Control Standard; Authentication Tokens Standard; Configuration Management Policy; Identification and Authentication Policy; Sanitization Secure Disposal Standard; Secure Configuration Standard; Secure System Development Life Cycle Standard

Backups of information are conducted, maintained, and
Policy templates: Computer Security Threat Response Policy; Cyber Incident Response Standard; Encryption Standard; Incident Response Policy; Information Security Policy; Maintenance Policy; Media Protection Policy; Mobile Device Security; Patch Management Standard

Data is destroyed according to policy.
Policy templates: Media Protection Policy; Sanitization Secure Disposal Standard

Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and
Policy templates: Computer Security Threat Response Policy; Cyber Incident Response Standard; Incident Response Policy; Planning Policy

Response and recovery plans are
Policy templates: Computer Security Threat Response Policy; Cyber Incident Response Standard; Incident Response Policy; Planning Policy

Protect: Maintenance ( )

Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized
Policy templates: Maintenance Policy; Remote Access Standard; Security Logging Standard

Protect: Protective Technology ( )

PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with
Policy templates: Access Control Policy; Account Management/Access Control Standard; Authentication Tokens Standard; Configuration Management Policy; Identification and Authentication Policy; Sanitization Secure Disposal Standard; Secure Configuration Standard; Secure System Development Life Cycle Standard; Security Logging Standard

PR.

