NIST Cybersecurity Framework Policy Template Guide

Contents

Introduction ..... 1
NIST Function: Identify ..... 2
  Identify: Asset Management (ID.AM) ..... 2
  Identify: Supply Chain Risk Management (ID.SC) ..... 3
NIST Function: Protect ..... 4
  Protect: Identity Management and Access Control (PR.AC) ..... 4
  Protect: Data Security (PR.DS) ..... 5
  Protect: Information Protection Processes and Procedures (PR.IP) ..... 6
  Protect: Maintenance (PR.MA) ..... 7
  Protect: Protective Technology (PR.PT) ..... 7
NIST Function: Detect ..... 9
  Detect: Anomalies and Events (DE.AE) ..... 9
  Detect: Security Continuous Monitoring (DE.CM) ..... 9
NIST Function: Respond ..... 11
  Respond: Response Planning (RS.RP) ..... 11
  Respond: Communications (RS.CO) ..... 11
  Respond: Analysis (RS.AN) ..... 12
  Respond: Improvements (RS.IM) ..... 12
NIST Function: Recover ..... 13
  Recover: Recovery Planning (RC.RP) ..... 13
  Recover: Improvements (RC.IM) ..... 13
  Recover: Communications (RC.CO) ..... 13
Additional Policy Templates ..... 15
  General ..... 15
  Network ..... 15
  Server Security ..... 15
  Application Security ..... 15

Introduction

The Multi-State Information Sharing & Analysis Center (MS-ISAC) is offering this guide to participants of the Nationwide Cybersecurity Review (NCSR) and MS-ISAC members, as a resource to assist with the application and advancement of cybersecurity policies.

The policy templates are provided courtesy of the SANS Institute (https://www.sans.org/), the State of New York, and the State of California. The templates can be customized and used as an outline of an organizational policy, with additional details to be added by the end user.

The NCSR question set represents the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This guide gives the correlation between 49 of the NIST CSF subcategories and applicable policy and standard templates. A NIST subcategory is represented by text such as “ID.AM-5.” This represents the NIST function of Identify and the category of Asset Management.

For additional information on services provided by the Multi-State Information Sharing & Analysis Center (MS-ISAC), please refer to the following page: https://www.cisecurity.org/ms-isac/services/. These policy templates are also mapped to the resources MS-ISAC and CIS provide, open source resources, and free FedVTE training: /11/Cybersecurity-Resources-Guide.pdf.

Disclaimer: These policies may not reference the most recent applicable NIST revision; however, they may be used as a baseline template by end users.

cisecurity.org/ms-isac/ Page 1 of 15

NIST FUNCTION: Identify

Identify: Asset Management (ID.AM)

ID.AM-1 Physical devices and systems within the organization are inventoried.
  Acceptable Use of Information Technology Resource Policy
  Access Control Policy
  Account Management/Access Control Standard
  Identification and Authentication Policy
  Information Security Policy
  Security Assessment and Authorization Policy
  Security Awareness and Training Policy

ID.AM-2 Software platforms and applications within the organization are inventoried.
  Acceptable Use of Information Technology Resource Policy
  Access Control Policy
  Account Management/Access Control Standard
  Identification and Authentication Policy
  Information Security Policy
  Security Assessment and Authorization Policy
  Security Awareness and Training Policy

ID.AM-4 External information systems are catalogued.
  System and Communications Protection Policy

ID.AM-5 Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value.
  SANS Policy Template: Acquisition Assessment Policy
  Information Classification Standard
  Information Security Policy

ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g. suppliers, customers, partners) are established.
  Acceptable Use of Information Technology Resource Policy
  Information Security Policy
  Security Awareness and Training Policy

Identify: Risk Management Strategy (ID.RM)

ID.RM-1 Risk management processes are established, managed, and agreed to by organizational stakeholders.
  Information Security Policy
  Information Security Risk Management Standard
  Risk Assessment Policy

Identify: Supply Chain Risk Management (ID.SC)

ID.SC-2 Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
  SANS Policy Template: Acquisition Assessment Policy
  Identification and Authentication Policy
  Security Assessment and Authorization Policy
  Systems and Services Acquisition Policy

ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
  SANS Policy Template: Acquisition Assessment Policy
  Identification and Authentication Policy
  Security Assessment and Authorization Policy
  Systems and Services Acquisition Policy

ID.SC-5 Response and recovery planning and testing are conducted with suppliers and third-party providers.
  SANS Policy Template: Security Response Plan Policy
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Incident Response Policy
  Systems and Services Acquisition Policy

NIST FUNCTION: Protect

Protect: Identity Management and Access Control (PR.AC)

PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
  Access Control Policy
  Account Management/Access Control Standard
  Authentication Tokens Standard
  Configuration Management Policy
  Identification and Authentication Policy
  Sanitization Secure Disposal Standard
  Secure Configuration Standard
  Secure System Development Life Cycle Standard

PR.AC-3 Remote access is managed.
  SANS Policy Template: Remote Access Policy
  Remote Access Standard

PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
  Access Control Policy
  Account Management/Access Control Standard
  Authentication Tokens Standard
  Configuration Management Policy
  Identification and Authentication Policy
  Sanitization Secure Disposal Standard
  Secure Configuration Standard
  Secure System Development Life Cycle Standard

PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation).
  SANS Policy Template: Lab Security Policy
  SANS Policy Template: Router and Switch Security Policy
  802.11 Wireless Network Security Standard
  Mobile Device Security
  System and Information Integrity Policy

Protect: Awareness and Training (PR.AT)

PR.AT-1 All users are informed and trained.
  Acceptable Use of Information Technology Resources Policy
  Information Security Policy
  Personnel Security Policy
  Physical and Environmental Protection Policy
  Security Awareness and Training Policy

Protect: Data Security (PR.DS)

PR.DS-1 Data-at-rest is protected.
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Encryption Standard
  Incident Response Policy
  Information Security Policy
  Maintenance Policy
  Media Protection Policy
  Mobile Device Security
  Patch Management Standard

PR.DS-2 Data-in-transit is protected.
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Encryption Standard
  Incident Response Policy
  Information Security Policy
  Maintenance Policy
  Media Protection Policy
  Mobile Device Security
  Patch Management Standard

PR.DS-3 Assets are formally managed throughout removal, transfers, and disposition.
  SANS Policy Template: Acquisition Assessment Policy
  SANS Policy Template: Technology Equipment Disposal Policy
  Access Control Policy
  Account Management/Access Control Standard
  Authentication Tokens Standard
  Configuration Management Policy
  Identification and Authentication Policy
  Sanitization Secure Disposal Standard
  Secure Configuration Standard
  Secure System Development Life Cycle Standard

PR.DS-7 The development and testing environment(s) are separate from the production environment.
  SANS Policy Template: Lab Security Policy
  SANS Policy Template: Router and Switch Security Policy

PR.DS-8 Integrity checking mechanisms are used to verify hardware integrity.
  SANS Policy Template: Acquisition Assessment Policy
  System and Information Integrity Policy

Protect: Information Protection Processes and Procedures (PR.IP)

PR.IP-1 A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
  Access Control Policy
  Account Management/Access Control Standard
  Authentication Tokens Standard
  Configuration Management Policy
  Identification and Authentication Policy
  Sanitization Secure Disposal Standard
  Secure Configuration Standard
  Secure System Development Life Cycle Standard

PR.IP-4 Backups of information are conducted, maintained, and tested.
  SANS Policy Template: Disaster Recovery Plan Policy
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Encryption Standard
  Incident Response Policy
  Information Security Policy
  Maintenance Policy
  Media Protection Policy
  Mobile Device Security
  Patch Management Standard

PR.IP-6 Data is destroyed according to policy.
  SANS Policy Template: Technology Equipment Disposal Policy
  Maintenance Policy
  Media Protection Policy
  Sanitization Secure Disposal Standard

PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
  SANS Policy Template: Data Breach Response Policy
  SANS Policy Template: Disaster Recovery Plan Policy
  SANS Policy Template: Pandemic Response Planning
  SANS Policy Template: Security Response Plan Policy
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Incident Response Policy
  Planning Policy

PR.IP-10 Response and recovery plans are tested.
  SANS Policy Template: Data Breach Response Policy
  SANS Policy Template: Disaster Recovery Plan Policy
  SANS Policy Template: Pandemic Response Planning
  SANS Policy Template: Security Response Plan Policy
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Incident Response Policy
  Planning Policy

Protect: Maintenance (PR.MA)

PR.MA-2 Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
  SANS Policy Template: Remote Access Policy
  SANS Policy Template: Remote Access Tools Policy
  Maintenance Policy
  Remote Access Standard
  Security Logging Standard

Protect: Protective Technology (PR.PT)

PR.PT-1 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
  SANS Policy Template: Information Logging Standard
  Access Control Policy
  Account Management/Access Control Standard
  Authentication Tokens Standard
  Configuration Management Policy
  Identification and Authentication Policy
  Sanitization Secure Disposal Standard
  Secure Configuration Standard
  Secure System Development Life Cycle Standard
  Security Logging Standard

PR.PT-2 Removable media is protected and its use restricted according to policy.
  SANS Policy Template: Acceptable Use Policy
  Acceptable Use of Technology Resources Policy
  Media Protection Policy
  Mobile Device Security

PR.PT-4 Communications and control networks are protected.
  SANS Policy Template: Router and Switch Security Policy
  Encryption Standard
  Information Security Policy
  Maintenance Policy
  Media Protection Policy
  Mobile Device Security
  System and Communications Protection Policy

PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
  SANS Policy Template: Disaster Recovery Plan Policy
  SANS Policy Template: Security Response Plan Policy

NIST FUNCTION: Detect

Detect: Anomalies and Events (DE.AE)

DE.AE-3 Event data are collected and correlated from multiple sources and sensors.
  SANS Policy Template: Information Logging Standard
  Auditing and Accountability Standard
  Security Logging Standard
  System and Information Integrity Policy
  Vulnerability Scanning Standard

Detect: Security Continuous Monitoring (DE.CM)

DE.CM-1 The network is monitored to detect potential cybersecurity events.
  SANS Policy Template: Router and Switch Security Policy
  Encryption Standard
  Information Security Policy
  Maintenance Policy
  Media Protection Policy
  Mobile Device Security
  Patch Management Standard
  Security Assessment and Authorization Policy
  Vulnerability Scanning Standard

DE.CM-4 Malicious code is detected.
  Auditing and Accountability Standard
  Secure Coding Standard
  Security Logging Standard
  System and Information Integrity Policy
  Vulnerability Scanning Standard

DE.CM-7 Monitoring for unauthorized personnel, connections, devices, and software is performed.
  Auditing and Accountability Standard
  Security Logging Standard
  System and Information Integrity Policy
  Vulnerability Scanning Standard

Detect: Detection Processes (DE.DP)

DE.DP-1 Roles and responsibilities for detection are well defined to ensure accountability.
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Incident Response Policy
  Information Security Policy

DE.DP-4 Event detection information is communicated.
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Incident Response Policy
  Information Security Policy

NIST FUNCTION: Respond

Respond: Response Planning (RS.RP)

RS.RP-1 Response plan is executed during or after an event.
  SANS Policy Template: Security Response Plan Policy
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Incident Response Policy
  Planning Policy

Respond: Communications (RS.CO)

RS.CO-1 Personnel know their roles and order of operations when a response is needed.
  SANS Policy Template: Data Breach Response Policy
  SANS Policy Template: Pandemic Response Planning Policy
  SANS Policy Template: Security Response Plan Policy
  Computer Security Threat Response Policy
  Cyber Incident Response Standard
  Incident Response Policy

RS.CO-2