Appendix A

Cybersecurity Program Resources

National Institute of Standards and Technology (NIST) Cybersecurity Framework

NIST Cybersecurity Framework: https://www.nist.gov/cyberframework

NIST Special Publications

https://csrc.nist.gov/publications/sp

  • SP 1800-4: “Mobile Device Security: Cloud and Hybrid Builds”

  • SP 1800-2: “Identity and Access Management for Electric Utilities”

  • SP 1800-1: “Securing Electronic Health Records on Mobile Devices”

  • SP 800-192: “Verification and Test Methods for Access Control Policies/Models”

  • SP 800-190: “Application Container Security Guide”

  • SP 800-185: “SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash”

  • SP 800-184: “Guide for Cybersecurity Event Recovery”

  • SP 800-183: “Networks of ‘Things’”

  • SP 800-181: “National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework”

  • SP 800-180: “NIST Definition of Microservices, Application Containers and System Virtual Machines”

  • SP 800-175B: “Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms”

  • SP 800-167: “Guide to Application Whitelisting”

  • SP 800-164: “Guidelines on Hardware-Rooted Security in Mobile Devices”

  • SP 800-163: “Vetting the Security of Mobile Applications”

  • SP 800-162: “Guide to Attribute Based Access Control (ABAC) Definition and Considerations”

  • SP 800-161: “Supply Chain Risk Management Practices for Federal Information Systems and Organizations”

  • SP 800-160 Vol. 2: “Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems”

  • SP 800-160 Vol. 1: “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”

  • SP 800-157: “Guidelines for Derived Personal Identity Verification (PIV) Credentials”

  • SP 800-156: “Representation of PIV Chain-of-Trust for Import and Export”

  • SP 800-155: “BIOS Integrity Measurement Guidelines”

  • SP 800-154: “Guide to Data-Centric System Threat Modeling”

  • SP 800-153: “Guidelines for Securing Wireless Local Area Networks (WLANs)”

  • SP 800-152: “A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)”

  • SP 800-150: “Guide to Cyber Threat Information Sharing”

  • SP 800-147B: “BIOS Protection Guidelines for Servers”

  • SP 800-147: “BIOS Protection Guidelines”

  • SP 800-146: “Cloud Computing Synopsis and Recommendations”

  • SP 800-145: “The NIST Definition of Cloud Computing”

  • SP 800-144: “Guidelines on Security and Privacy in Public Cloud Computing”

  • SP 800-142: “Practical Combinatorial Testing”

  • SP 800-137: “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”

  • SP 800-135 Rev. 1: “Recommendation for Existing Application-Specific Key Derivation Functions”

  • SP 800-133: “Recommendation for Cryptographic Key Generation”

  • SP 800-132: “Recommendation for Password-Based Key Derivation: Part 1: Storage Applications”

  • SP 800-131A Rev. 1: “Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths”

  • SP 800-130: “A Framework for Designing Cryptographic Key Management Systems”

  • SP 800-128: “Guide for Security-Focused Configuration Management of Information Systems”

  • SP 800-127: “Guide to Securing WiMAX Wireless Communications”

  • SP 800-126 Rev. 3: “The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3”

  • SP 800-125B: “Secure Virtual Network Configuration for Virtual Machine (VM) Protection”

  • SP 800-125A: “Security Recommendations for Hypervisor Deployment on Servers”

  • SP 800-125: “Guide to Security for Full Virtualization Technologies”

  • SP 800-124 Rev. 1: “Guidelines for Managing the Security of Mobile Devices in the Enterprise”

  • SP 800-123: “Guide to General Server Security”

  • SP 800-122: “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”

  • SP 800-121 Rev. 2: “Guide to Bluetooth Security”

  • SP 800-120: “Recommendation for EAP Methods Used in Wireless Network Access Authentication”

  • SP 800-119: “Guidelines for the Secure Deployment of IPv6”

  • SP 800-117 Rev. 1: “Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2”

  • SP 800-117: “Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0”

  • SP 800-116 Rev. 1: “A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)”

  • SP 800-116: “A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)”

  • SP 800-115: “Technical Guide to Information Security Testing and Assessment”

  • SP 800-114 Rev. 1: “User’s Guide to Telework and Bring Your Own Device (BYOD) Security”

  • SP 800-113: “Guide to SSL VPNs”

  • SP 800-111: “Guide to Storage Encryption Technologies for End User Devices”

  • SP 800-108: “Recommendation for Key Derivation Using Pseudorandom Functions (Revised)”

  • SP 800-107 Rev. 1: “Recommendation for Applications Using Approved Hash Algorithms”

  • SP 800-102: “Recommendation for Digital Signature Timeliness”

  • SP 800-101 Rev. 1: “Guidelines on Mobile Device Forensics”

  • SP 800-100: “Information Security Handbook: A Guide for Managers”

  • SP 800-98: “Guidelines for Securing Radio Frequency Identification (RFID) Systems”

  • SP 800-97: “Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i”

  • SP 800-96: “PIV Card to Reader Interoperability Guidelines”

  • SP 800-95: “Guide to Secure Web Services”

  • SP 800-94 Rev. 1: “Guide to Intrusion Detection and Prevention Systems (IDPS)”

  • SP 800-92: “Guide to Computer Security Log Management”

  • SP 800-88 Rev. 1: “Guidelines for Media Sanitization”

  • SP 800-86: “Guide to Integrating Forensic Techniques into Incident Response”

  • SP 800-85B-4: “PIV Data Model Test Guidelines”

  • SP 800-85A-4: “PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)”

  • SP 800-84: “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities”

  • SP 800-83 Rev. 1: “Guide to Malware Incident Prevention and Handling for Desktops and Laptops”

  • SP 800-82 Rev. 2: “Guide to Industrial Control Systems (ICS) Security”

  • SP 800-81-2: “Secure Domain Name System (DNS) Deployment Guide”

  • SP 800-79-2: “Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)”

  • SP 800-77: “Guide to IPsec VPNs”

  • SP 800-76-2: “Biometric Specifications for Personal Identity Verification”

  • SP 800-73-4: “Interfaces for Personal Identity Verification”

  • SP 800-64 Rev. 2: “Security Considerations in the System Development Life Cycle”

  • SP 800-63C: “Digital Identity Guidelines: Federation and Assertions”

  • SP 800-63B: “Digital Identity Guidelines: Authentication and Life Cycle Management”

  • SP 800-61 Rev. 2: “Computer Security Incident Handling Guide”

  • SP 800-53 Rev. 5: “Security and Privacy Controls for Information Systems and Organizations”

  • SP 800-53A Rev. 4: “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans”

  • SP 800-52: “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations”

  • SP 800-51 Rev. 1: “Guide to Using Vulnerability Naming Schemes”

  • SP 800-50: “Building an Information Technology Security Awareness and Training Program”

  • SP 800-48 Rev. 1: “Guide to Securing Legacy IEEE 802.11 Wireless Networks”

  • SP 800-47: “Security Guide for Interconnecting Information Technology Systems”

  • SP 800-46 Rev. 2: “Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security”

  • SP 800-45 Version 2: “Guidelines on Electronic Mail Security”

  • SP 800-44 Version 2: “Guidelines on Securing Public Web Servers”

  • SP 800-41 Rev. 1: “Guidelines on Firewalls and Firewall Policy”

  • SP 800-40 Rev. 3: “Guide to Enterprise Patch Management Technologies”

  • SP 800-37 Rev. 2: “Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach”

  • SP 800-36: “Guide to Selecting Information Technology Security Products”

  • SP 800-35: “Guide to Information Technology Security Services”

  • SP 800-34 Rev. 1: “Contingency Planning Guide for Federal Information Systems”

  • SP 800-33: “Underlying Technical Models for Information Technology Security”

  • SP 800-32: “Introduction to Public Key Technology and the Federal PKI Infrastructure”

  • SP 800-30 Rev. 1: “Guide for Conducting Risk Assessments”

  • SP 800-25: “Federal Agency Use of Public Key Technology for Digital Signatures and Authentication”

  • SP 800-23: “Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products”

  • SP 800-19: “Mobile Agent Security”

  • SP 800-18 Rev. 1: “Guide for Developing Security Plans for Federal Information Systems”

  • SP 800-17: “Modes of Operation Validation System (MOVS): Requirements and Procedures”

  • SP 800-16 Rev. 1: “A Role-Based Model for Federal Information Technology/Cybersecurity Training”

  • SP 800-15: “MISPC Minimum Interoperability Specification for PKI Components, Version 1”

  • SP 800-13: “Telecommunications Security Guidelines for Telecommunications Management Network”

  • SP 800-12 Rev. 1: “An Introduction to Information Security”

  • SP 500-320: “Report of the Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities (SwMM-RSV)”

  • SP 500-299: “NIST Cloud Computing Security Reference Architecture”

Federal Financial Institutions Examination Council (FFIEC) IT Handbooks

https://ithandbook.ffiec.gov/it-booklets.aspx

  • Audit

  • Business Continuity Planning

  • Development and Acquisition

  • E-Banking

  • Information Security

  • Management

  • Operations

  • Outsourcing Technology Services

  • Retail Payment Systems

  • Supervision of Technology Service Providers

  • Wholesale Payment Systems

Department of Health and Human Services HIPAA Security Series

https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

  • Security 101 for Covered Entities

  • Administrative Safeguards

  • Physical Safeguards

  • Technical Safeguards

  • Organizational, Policies and Procedures and Documentation Requirements

  • Basics of Risk Analysis and Risk Management

  • Security Standards: Implementation for the Small Provider

  • HIPAA Security Guidance

  • Risk Analysis

  • HHS Security Risk Assessment Tool

  • NIST HIPAA Security Rule Toolkit Application

  • Remote Use

  • Mobile Device

  • Ransomware

  • Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules

  • NIST HIPAA Security Rule Toolkit Application

  • NIST Cybersecurity Framework to HIPAA Security Rule Crosswalk

  • FTC HIPAA-related Guidance: “Security Risks to Electronic Health Information from Peer-to-Peer File Sharing Applications”

  • FTC HIPAA-related Guidance: “Safeguarding Electronic Protected Health Information on Digital Copiers”

  • FTC HIPAA-related Guidance: “Medical Identity Theft”

  • OCR Cyber Awareness Newsletters

Payment Security Standards Council Documents Library

https://www.pcisecuritystandards.org/document_library

  • PCI DSS v3.2

  • Glossary of Terms, Abbreviations, and Acronyms v3.2

  • PCI DSS Summary of Changes v3.1 to v3.2

  • Prioritized Approach for PCI DSS v3.2

  • Prioritized Approach Summary of Changes Version 3.1 to 3.2

  • Prioritized Approach Tool

  • PCI DSS Quick Reference Guide v3.2

  • Small Merchant Reference Guide Order Form

  • PCI Quick Reference Order Form

  • ROC Reporting Template v3.2

  • PCI DSS AOC - Merchants v3.2

  • PCI DSS AOC - Service Providers v3.2

  • AOC Extra Form for Service Providers

  • Supplemental Report on Compliance—Designated Entities v3.2

  • Supplemental AOC for Onsite Assessments—Designated Entities v3.2

  • Frequently Asked Questions (FAQs) for use with PCI DSS ROC Reporting Template v3.x

  • FAQs for Designated Entities Supplemental Validation

SANS Information Security Policy Templates

https://www.sans.org/security-resources/policies

  • Acceptable Encryption Policy

  • Acceptable Use Policy

  • Clean Desk Policy

  • Data Breach Response Policy

  • Disaster Recovery Plan Policy

  • Digital Signature Acceptance Policy

  • Email Policy

  • Ethics Policy

  • Pandemic Response Planning Policy

  • Password Construction Guidelines

  • Password Protection Policy

  • Security Response Plan Policy

  • End User Encryption Key Protection Policy

  • Acquisition Assessment Policy

  • Bluetooth Baseline Requirements Policy

  • Remote Access Policy

  • Remote Access Tools Policy

  • Router and Switch Security Policy

  • Wireless Communication Policy

  • Wireless Communication Standard

  • Database Credentials Policy

  • Technology Equipment Disposal Policy

  • Information Logging Standard

  • Lab Security Policy

  • Server Security Policy

  • Software Installation Policy

  • Workstation Security (For HIPAA) Policy

  • Web Application Security Policy

Information Security Professional Development and Certification Organizations
