Joint task force transformation initiative
Download 5.8 Mb.
|
- Navigate this page:
- 1.1 purpose and applicability
introductionTHE NEED TO PROTECT INFORMATION AND INFORMATION SYSTEMS The selection and implementation of security controls for information systems1 and organizations are important tasks that can have major implications on the operations2 and assets of organizations3 as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.4 There are several key questions that should be answered by organizations when addressing the information security considerations for information systems:
The answers to these questions are not given in isolation but rather in the context of an effective risk management process for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks6 arising from its information and information systems. NIST Special Publication 800-39 provides guidance on managing information security risk at three distinct tiers—the organization level, mission/business process level, and information system level. The security controls defined in this publication and recommended for use by organizations to satisfy their information security requirements should be employed as part of a well-defined risk management process that supports organizational information security programs.7 It is of paramount importance that responsible officials understand the risks and other factors that could adversely affect organizational operations and assets, individuals, other organizations, and the Nation.8 These officials must also understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that mitigate risks to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the organization and accomplish the organization’s stated missions and business functions with what the OMB Circular A-130 defines as adequate security, or security commensurate with risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. 1.1 purpose and applicabilityThe purpose of this publication is to provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components9 of an information system that process, store, or transmit federal information. The guidelines have been developed to achieve more secure information systems and effective risk management within the federal government by:
In addition to the security controls described above, this publication: (i) provides a set of information security program management (PM) controls that are typically implemented at the organization level and not directed at individual organizational information systems; (ii) provides a set of privacy controls based on international standards and best practices that help organizations enforce privacy requirements derived from federal legislation, directives, policies, regulations, and standards; and (iii) establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance to those requirements. Incorporating the same concepts used in managing information security risk, helps organizations implement privacy controls in a more cost-effective, risked-based manner. The guidelines in this special publication are applicable to all federal information systems10 other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.11 The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems.12 State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate. Directory: publications publications -> Acm word Template for sig site publications -> Preparation of Papers for ieee transactions on medical imaging publications -> Adjih, C., Georgiadis, L., Jacquet, P., & Szpankowski, W. (2006). Multicast tree structure and the power law publications -> Swiss Federal Institute of Technology (eth) Zurich Computer Engineering and Networks Laboratory publications -> Quantitative skills publications -> Multi-core cpu and gpu implementation of Discrete Periodic Radon Transform and Its Inverse publications -> List of Publications Department of Mechanical Engineering ucek, jntu kakinada publications -> 1. 2 Authority 1 3 Planning Area 1 publications -> Sa michelson, 2011: Impact of Sea-Spray on the Atmospheric Surface Layer. Bound. Layer Meteor., 140 ( 3 ), 361-381, doi: 10. 1007/s10546-011-9617-1, issn: Jun-14, ids: 807TW, sep 2011 Bao, jw, cw fairall, sa michelson Download 5.8 Mb. Share with your friends:
|