Interdependency indicator -
NIST Cybersecurity Framework Description EXAMPLE OF IMPLEMENTATION
A System Development Life Cycle to manage systems is implemented
Function:
PRProtect
Category:
PR.IPInformation Protection Processes and Procedures
Subcategory:
PR.IP-2A System Development Life Cycle to manage systems is implemented
Informative references
 CIS CSC 18
COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03
ISA 62443-2-1:2009 4.3.4.3.3
ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17

Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organisational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

An SDLC implementation may lead to the identification and localisation of redundancy of services
Organisational communication and data flows are mapped
Function:
IDIdentify
Category:
ID.AMAsset Management
Subcategory:
ID.AM-3Organisational communication and data flows are mapped
Informative references
CIS CSC 12
COBIT 5 DSS05.02
ISA 62443-2-1:2009 4.2.3.4
ISO/IEC 27001:2013 A.13.2.1, A.13.2.2
NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to organisational objectives and the organisation’s risk strategy.

Mapping data flow may lead to the identification and localisation of redundancy of services
Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
Function:
IDIdentify
Category:
ID.AMAsset Management
Subcategory:
ID.AM-5Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
Informative references
 CIS CSC 13, 14
COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02
ISA 62443-2-1:2009 4.2.3.6
ISO/IEC 27001:2013 A.8.2.1
NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6

The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to organisational objectives and the organisation’s risk strategy.

Classify resources according to their criticality and value will enable to localise redundancy of services
A baseline configuration of information technology/industrial control systems is created and maintained
Function:
PRProtect
Category:
PR.IPInformation Protection Processes and Procedures
Subcategory:
PR.IP-1A baseline configuration of information technology/industrial control systems is created and maintained
Informative references
 CIS CSC 3, 9, 11
COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
ISA 62443-3-3:2013 SR 7.6
ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organisational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

A baseline configuration of IT may lead to the identification and localisation of redundancy of services

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information