Joint task force transformation initiative
PM-14 TESTING, TRAINING, AND MONITORING
Download 5.8 Mb.
|
- Navigate this page:
- PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
- PM-16 THREAT AWARENESS PROGRAM
PM-14 TESTING, TRAINING, AND MONITORINGControl: The organization:
Supplemental Guidance: This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4. Control Enhancements: None. References: NIST Special Publications 800-16, 800-37, 800-53A, 800-137. PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONSControl: The organization establishes and institutionalizes contact with selected groups and associations within the security community:
Supplemental Guidance: Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions. Organizations share threat, vulnerability, and incident information consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related control: SI-5. Control Enhancements: None. References: None. PM-16 THREAT AWARENESS PROGRAMControl: The organization implements a threat awareness program that includes a cross-organization information-sharing capability. Supplemental Guidance: Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it is becoming more likely that adversaries may successfully breach or compromise organizational information systems. One of the best techniques to address this concern is for organizations to share threat information. This can include, for example, sharing threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, threat intelligence (i.e., indications and warnings about threats that are likely to occur). Threat information sharing may be bilateral (e.g., government-commercial cooperatives, government-government cooperatives), or multilateral (e.g., organizations taking part in threat-sharing consortia). Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared. Related controls: PM-12, PM-16. Control Enhancements: None. References: None. appendix h international information security standardsSECURITY CONTROL MAPPINGS FOR ISO/IEC 27001 AND 15408 The mapping tables in this appendix provide organizations with a general indication of security control coverage with respect to ISO/IEC 27001, Information technology–Security techniques–Information security management systems–Requirements113 and ISO/IEC 15408, Information technology -- Security techniques -- Evaluation criteria for IT security.114 ISO/IEC 27001 may be applied to all types of organizations and specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of business risks. NIST Special Publication 800-39 includes guidance on managing risk at the organizational level, mission/business process level, and information system level, is consistent with ISO/IEC 27001, and provides additional implementation detail for the federal government and its contractors. ISO/IEC 15408 (also known as the Common Criteria) provides functionality and assurance requirements for developers of information systems and information system components (i.e., information technology products). Since many of the technical security controls defined in Appendix F are implemented in hardware, software, and firmware components of information systems, organizations can obtain significant benefit from the acquisition and employment of information technology products evaluated against the requirements of ISO/IEC 15408. The use of such products can provide evidence that certain security controls are implemented correctly, operating as intended, and producing the desired effect in satisfying stated security requirements. Previously, the ISO/IEC 27001 mappings were created by relating the primary security topic identified in each of the Special Publication 800-53 base controls to a similar security topic in the ISO/IEC standard. This methodology resulted in a mapping of security control relationships rather than a mapping of equivalent security control requirements. The ISO/IEC 27001:2013 update provided an opportunity to reassess whether the implementation of a security control from Special Publication 800-53 satisfied the intent of the mapped control from ISO/IEC 27001 and conversely, whether the implementation of a security control from ISO/IEC 27001 satisfied the intent of the mapped control from Special Publication 800-53. To successfully meet the mapping criteria, the implementation of the mapped controls should result in an equivalent information security posture. However, this does not mean that security control equivalency based solely on the mapping tables herein should be assumed by organizations. While the revised security control mappings are more accurate, there is still some degree of subjectivity in the mapping analysis because the mappings are not always one-to-one and may not be completely equivalent. The following examples illustrate some of the mapping issues:
In a few cases, an ISO/IEC 27001 security control could only be directly mapped to a Special Publication 800-53 control enhancement. In such cases, the relevant enhancement is specified in Table H-2 indicating that the corresponding ISO/IEC 27001 control satisfies only the intent of the specified enhancement and does not address the associated base control from Special Publication 800-53 or any other enhancements under that base control. Where no enhancement is specified, the ISO/IEC 27001 control is relevant only to the Special Publication 800-53 base control. And finally, the security controls from ISO/IEC 27002 were not considered in the mapping analysis since the standard is informative rather than normative. Table H-1 provides a mapping from the security controls in NIST Special Publication 800-53 to the security controls in ISO/IEC 27001. Please review the introductory text at the beginning of Appendix H before employing the mappings in Table H-1. TABLE H-1: MAPPING NIST SP 800-53 TO ISO/IEC 27001
Directory: publications publications -> Acm word Template for sig site publications -> Preparation of Papers for ieee transactions on medical imaging publications -> Adjih, C., Georgiadis, L., Jacquet, P., & Szpankowski, W. (2006). Multicast tree structure and the power law publications -> Swiss Federal Institute of Technology (eth) Zurich Computer Engineering and Networks Laboratory publications -> Quantitative skills publications -> Multi-core cpu and gpu implementation of Discrete Periodic Radon Transform and Its Inverse publications -> List of Publications Department of Mechanical Engineering ucek, jntu kakinada publications -> 1. 2 Authority 1 3 Planning Area 1 publications -> Sa michelson, 2011: Impact of Sea-Spray on the Atmospheric Surface Layer. Bound. Layer Meteor., 140 ( 3 ), 361-381, doi: 10. 1007/s10546-011-9617-1, issn: Jun-14, ids: 807TW, sep 2011 Bao, jw, cw fairall, sa michelson Download 5.8 Mb. Share with your friends:
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||