Control: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
Supplemental Guidance: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced (e.g., the processor honoring a no-execute page-table bit such as NX/XD) or software-enforced, with hardware providing the greater strength of mechanism. Address space layout randomization only randomizes the placement of code that was built position-independent, so the safeguard depends on both the platform setting and how the software was built. Related controls: AC-25, SC-3.
Control Enhancements: None.
References: None.
Priority and Baseline Allocation: P1 | LOW Not Selected | MOD SI-16 | HIGH SI-16
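The following C program is an added example, not part of the SP 800-53 text, showing what hardware-enforced data execution prevention looks like from inside a process on Linux (x86-64 or aarch64). It maps one anonymous page without PROT_EXEC, writes a single "ret" instruction into it, and calls into the page: with NX enforced, the instruction fetch faults and the kernel delivers SIGSEGV, which the program catches and reports as "blocked". It then repeats the call after flipping the page to read+execute, which is the legitimate W^X path. The function name run_from_page and its return-code convention are this example's own choices; it assumes a POSIX mmap/mprotect and an NX-capable CPU.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine encoding of a bare "ret" instruction, so that the only thing the
 * page does when executed is return to the caller. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret (little-endian) */
#else
#error "example supports x86 and aarch64 only"
#endif

static sigjmp_buf recover;

/* SIGSEGV handler: the NX fault lands here; unwind to the sigsetjmp point. */
static void on_segv(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)info; (void)ctx;
    siglongjmp(recover, 1);
}

/* Map one page, write "ret" into it, and call it.
 *   executable == 0 : page stays read/write only (no PROT_EXEC) -> DEP should fault
 *   executable != 0 : page is re-protected read/execute first   -> call should succeed
 * Returns 1 if execution was blocked (SIGSEGV caught), 0 if the instruction
 * actually ran, -1 if mmap/mprotect failed (e.g. a policy forbids exec memory). */
int run_from_page(int executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    memcpy(page, RET_INSN, sizeof RET_INSN);
    /* Keep the instruction cache coherent with the bytes just written (needed on arm64). */
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET_INSN);

    if (executable && mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -1;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    int blocked;
    if (sigsetjmp(recover, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> code pointer, made explicit */
        fn();                            /* instruction fetch from the page happens here */
        blocked = 0;                     /* the "ret" executed and returned normally */
    } else {
        blocked = 1;                     /* fetch faulted: NX/DEP enforced by the hardware */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesz);
    return blocked;
}

int main(void)
{
    int rw = run_from_page(0);
    int rx = run_from_page(1);
    printf("RW page (no PROT_EXEC): %s\n",
           rw == 1 ? "blocked - DEP enforced" : "EXECUTED - no DEP!");
    printf("RX page after mprotect: %s\n",
           rx == 0 ? "ran as expected" : (rx == -1 ? "mprotect denied by policy" : "blocked"));
    return rw == 1 ? 0 : 1;
}
```

The first call is the "strength of mechanism" check the control text refers to: the process never gets a chance to run the bytes, the refusal comes from the MMU rather than from any code in the process. The second call shows that a W^X transition through mprotect is still available to legitimate code (JIT compilers, loaders); a hardened policy such as SELinux execmem denial would turn that into the -1 path, which an assessor should treat as a deliberate tightening rather than a failure.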
Control: The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].
Supplemental Guidance: Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). Related controls: CP-12, CP-13, SC-24, SI-13.
Control Enhancements: None.
References: None.
Priority and Baseline Allocation: P0 | LOW Not Selected | MOD Not Selected | HIGH Not Selected
APPENDIX G
ORGANIZATION-WIDE INFORMATION SECURITY PROGRAM MANAGEMENT CONTROLS
The Federal Information Security Management Act (FISMA) requires organizations to develop and implement an organization-wide information security program to address information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source. The information security program management (PM) controls described in this appendix are typically implemented at the organization level and not directed at individual organizational information systems. The program management controls have been designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. The controls are independent of any FIPS Publication 200 impact levels and therefore are not directly associated with any of the security control baselines described in Appendix D. The program management controls do, however, complement the security controls in Appendix F and focus on the programmatic, organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs. Tailoring guidance can be applied to the program management controls in a manner similar to how the guidance is applied to security controls in Appendix F. Organizations specify the individual or individuals responsible and accountable for the development, implementation, assessment, authorization, and monitoring of the program management controls. Organizations document program management controls in the information security program plan. The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program cover the totality of security controls employed by the organization.
In addition to documenting the information security program management controls, the security program plan provides a vehicle for the organization, in a central repository, to document all security controls from Appendix F that have been designated as common controls (i.e., security controls inheritable by organizational information systems). The information security program management controls and common controls contained in the information security program plan are implemented, assessed for effectiveness, and authorized by a senior organizational official, with the same or similar authority and responsibility for managing risk as the authorization officials for information systems. Plans of action and milestones are developed and maintained for the program management and common controls that are deemed through assessment to be less than effective. Information security program management and common controls are also subject to the same continuous monitoring requirements as security controls employed in individual organizational information systems.
Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control, and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control).
TABLE G-1: PROGRAM MANAGEMENT CONTROLS
Initial control baselines (LOW | MOD | HIGH), identical for every PM control: Deployed organization-wide. Supporting information security program. Not associated with security control baselines. Independent of any system impact level.
CNTL NO. | CONTROL NAME | PRIORITY
PM-1 | Information Security Program Plan | P1
PM-2 | Senior Information Security Officer | P1
PM-3 | Information Security Resources | P1
PM-4 | Plan of Action and Milestones Process | P1
PM-5 | Information System Inventory | P1
PM-6 | Information Security Measures of Performance | P1
PM-7 | Enterprise Architecture | P1
PM-8 | Critical Infrastructure Plan | P1
PM-9 | Risk Management Strategy | P1
PM-10 | Security Authorization Process | P1
PM-11 | Mission/Business Process Definition | P1
PM-12 | Insider Threat Program | P1
PM-13 | Information Security Workforce | P1
PM-14 | Testing, Training, and Monitoring | P1
PM-15 | Contacts with Security Groups and Associations | P3
PM-16 | Threat Awareness Program | P1
Cautionary Note
Organizations are required to implement security program management controls to provide a foundation for the organizational information security program. The successful implementation of security controls for organizational information systems depends on the successful implementation of organization-wide program management controls. However, the manner in which organizations implement the program management controls depends on specific organizational characteristics including, for example, the size, complexity, and mission/business requirements of the respective organizations.