Joint task force transformation initiative


PM-14 TESTING, TRAINING, AND MONITORING





Control: The organization:

  a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:

     1. Are developed and maintained; and

     2. Continue to be executed in a timely manner;

  b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Supplemental Guidance: This control ensures that organizations provide oversight for the security testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security across the three tiers of the risk management hierarchy, and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of security controls. Security training activities, while typically focused on individual information systems and specific roles, also necessitate coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments. Related controls: AT-3, CA-7, CP-4, IR-3, SI-4.

Control Enhancements: None.

References: NIST Special Publications 800-16, 800-37, 800-53A, 800-137.

PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS


Control: The organization establishes and institutionalizes contact with selected groups and associations within the security community:

  1. To facilitate ongoing security education and training for organizational personnel;

  2. To maintain currency with recommended security practices, techniques, and technologies; and

  3. To share current security-related information including threats, vulnerabilities, and incidents.

Supplemental Guidance: Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions. Organizations share threat, vulnerability, and incident information consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related control: SI-5.

Control Enhancements: None.

References: None.

PM-16 THREAT AWARENESS PROGRAM


Control: The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

Supplemental Guidance: Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it is becoming more likely that adversaries may successfully breach or compromise organizational information systems. One of the best techniques to address this concern is for organizations to share threat information. This can include, for example, sharing threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, threat intelligence (i.e., indications and warnings about threats that are likely to occur). Threat information sharing may be bilateral (e.g., government-commercial cooperatives, government-government cooperatives), or multilateral (e.g., organizations taking part in threat-sharing consortia). Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared. Related controls: PM-12, PM-16.

Control Enhancements: None.

References: None.

APPENDIX H

INTERNATIONAL INFORMATION SECURITY STANDARDS


SECURITY CONTROL MAPPINGS FOR ISO/IEC 27001 AND 15408

The mapping tables in this appendix provide organizations with a general indication of security control coverage with respect to ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, and ISO/IEC 15408, Information technology – Security techniques – Evaluation criteria for IT security. ISO/IEC 27001 may be applied to all types of organizations and specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of business risks. NIST Special Publication 800-39 includes guidance on managing risk at the organizational level, mission/business process level, and information system level, is consistent with ISO/IEC 27001, and provides additional implementation detail for the federal government and its contractors. ISO/IEC 15408 (also known as the Common Criteria) provides functionality and assurance requirements for developers of information systems and information system components (i.e., information technology products). Since many of the technical security controls defined in Appendix F are implemented in hardware, software, and firmware components of information systems, organizations can obtain significant benefit from the acquisition and employment of information technology products evaluated against the requirements of ISO/IEC 15408. The use of such products can provide evidence that certain security controls are implemented correctly, operating as intended, and producing the desired effect in satisfying stated security requirements.

Previously, the ISO/IEC 27001 mappings were created by relating the primary security topic identified in each of the Special Publication 800-53 base controls to a similar security topic in the ISO/IEC standard. This methodology resulted in a mapping of security control relationships rather than a mapping of equivalent security control requirements. The ISO/IEC 27001:2013 update provided an opportunity to reassess whether the implementation of a security control from Special Publication 800-53 satisfied the intent of the mapped control from ISO/IEC 27001 and conversely, whether the implementation of a security control from ISO/IEC 27001 satisfied the intent of the mapped control from Special Publication 800-53. To successfully meet the mapping criteria, the implementation of the mapped controls should result in an equivalent information security posture. However, this does not mean that security control equivalency based solely on the mapping tables herein should be assumed by organizations. While the revised security control mappings are more accurate, there is still some degree of subjectivity in the mapping analysis because the mappings are not always one-to-one and may not be completely equivalent. The following examples illustrate some of the mapping issues:



  • Example 1: Special Publication 800-53 contingency planning and ISO/IEC 27001 business continuity management were deemed to have similar, but not the same, functionality.

  • Example 2: In some cases, similar topics are addressed in the two security control sets but provide a different context, perspective, or scope. Special Publication 800-53 addresses information flow control broadly in terms of approved authorizations for controlling access between source and destination objects, whereas ISO/IEC 27001 addresses information flow more narrowly as it applies to interconnected network domains.

  • Example 3: Security control A.6.1.1, Information Security Roles and Responsibilities, in ISO/IEC 27001 states that “all information security responsibilities shall be defined and allocated” while security control PM-10, Security Authorization Process, in Special Publication 800-53 that is mapped to A.6.1.1, has three distinct parts. The first part states that the organization “designates individuals to fulfill specific roles and responsibilities…” If A.6.1.1 is mapped to PM-10 without providing any additional information, organizations might assume that if they implement A.6.1.1 (i.e., all responsibilities are defined and allocated), then the intent of PM-10 would also be fully satisfied. However, this would not be the case since the other two parts of PM-10 would not have been addressed. To resolve and clarify the security control mappings, when a security control in the right column of Tables H-1 and H-2 does not fully satisfy the intent of the security control in the left column of the tables, the control in the right column is designated with an asterisk (*).

In a few cases, an ISO/IEC 27001 security control could only be directly mapped to a Special Publication 800-53 control enhancement. In such cases, the relevant enhancement is specified in Table H-2 indicating that the corresponding ISO/IEC 27001 control satisfies only the intent of the specified enhancement and does not address the associated base control from Special Publication 800-53 or any other enhancements under that base control. Where no enhancement is specified, the ISO/IEC 27001 control is relevant only to the Special Publication 800-53 base control.

And finally, the security controls from ISO/IEC 27002 were not considered in the mapping analysis since the standard is informative rather than normative.


Table H-1 provides a mapping from the security controls in NIST Special Publication 800-53 to the security controls in ISO/IEC 27001. Please review the introductory text at the beginning of Appendix H before employing the mappings in Table H-1.
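The asterisk convention and the "None" and "Withdrawn" entries give Table H-1 a small but precise semantics, and an organization that already holds an ISO/IEC 27001 control set usually wants to turn the table into a coverage report rather than read it row by row. The script below is an added example, not NIST's tooling and not part of SP 800-53: it parses a few Table H-1 rows, copied from this appendix into a one-row-per-line form, and classifies each NIST control against a constructed set of implemented ISO/IEC 27001 controls. It assumes that a NIST control counts as covered only when every ISO control mapped to it is implemented (the editor's reading of the table, not a rule the appendix states), and that a starred reference leaves the NIST control "partial" and in need of direct assessment, as the appendix text describes.

```python
"""Coverage check driven by Table H-1 (added example; not NIST's own code)."""
from dataclasses import dataclass
import re

# Rows copied from Table H-1 of this appendix, flattened to "ID | name | ISO refs".
# Only a handful of rows are included so the example runs stand-alone.
TABLE_H1_SAMPLE = """\
AC-2  | Account Management                       | A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
AC-10 | Concurrent Session Control               | None
AC-13 | Withdrawn                                | ---
AC-24 | Access Control Decisions                 | A.9.4.1*
AU-3  | Content of Audit Records                 | A.12.4.1*
AU-6  | Audit Review, Analysis, and Reporting    | A.12.4.1, A.16.1.2, A.16.1.4
"""

# Constructed sample: ISO/IEC 27001 Annex A controls an organisation claims to have implemented.
IMPLEMENTED_SAMPLE = frozenset({
    "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.5", "A.9.2.6", "A.9.4.1", "A.12.4.1",
})

ISO_REF_RE = re.compile(r"^(A\.\d+\.\d+\.\d+)(\*?)$")


@dataclass(frozen=True)
class IsoRef:
    control: str   # e.g. "A.9.2.1"
    partial: bool  # True when the table marks it '*': does not fully satisfy the NIST intent


@dataclass(frozen=True)
class Row:
    nist_id: str
    name: str
    refs: tuple    # IsoRef entries; empty for "None" and for withdrawn controls
    withdrawn: bool


def parse_table(text):
    """Parse 'ID | name | refs' lines into Row objects keyed by NIST control id."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3:
            raise ValueError(f"expected 3 columns, got {len(cells)}: {line!r}")
        nist_id, name, iso_cell = cells
        withdrawn = name == "Withdrawn"
        refs = []
        if iso_cell not in ("None", "---"):
            for token in iso_cell.split(","):
                m = ISO_REF_RE.match(token.strip())
                if m is None:
                    raise ValueError(f"unrecognised ISO reference {token.strip()!r} in {nist_id}")
                refs.append(IsoRef(m.group(1), m.group(2) == "*"))
        rows[nist_id] = Row(nist_id, name, tuple(refs), withdrawn)
    return rows


def coverage(rows, implemented):
    """Classify every NIST control against the implemented ISO control set.

    Statuses (assumption: a control is covered only when ALL mapped ISO controls are implemented):
      withdrawn - the NIST control no longer exists; nothing to cover
      unmapped  - Table H-1 lists None; ISO implementation says nothing about it, assess it directly
      gap       - at least one mapped ISO control is not implemented
      partial   - all mapped ISO controls are implemented, but one or more carries '*'
      covered   - all mapped ISO controls are implemented and none carries '*'
    """
    result = {}
    for nist_id, row in rows.items():
        if row.withdrawn:
            result[nist_id] = "withdrawn"
        elif not row.refs:
            result[nist_id] = "unmapped"
        elif any(r.control not in implemented for r in row.refs):
            result[nist_id] = "gap"
        elif any(r.partial for r in row.refs):
            result[nist_id] = "partial"
        else:
            result[nist_id] = "covered"
    return result


def missing_refs(rows, implemented):
    """For each NIST control with a gap, list the mapped ISO controls still to implement."""
    return {
        nist_id: tuple(r.control for r in row.refs if r.control not in implemented)
        for nist_id, row in rows.items()
        if row.refs and any(r.control not in implemented for r in row.refs)
    }


if __name__ == "__main__":
    rows = parse_table(TABLE_H1_SAMPLE)
    status = coverage(rows, IMPLEMENTED_SAMPLE)
    gaps = missing_refs(rows, IMPLEMENTED_SAMPLE)
    for nist_id, row in rows.items():
        extra = f"  missing: {', '.join(gaps[nist_id])}" if nist_id in gaps else ""
        print(f"{nist_id:<6} {status[nist_id]:<9} {row.name}{extra}")
```

Two design points follow directly from the appendix text: "unmapped" is kept distinct from "gap", because a NIST control with no ISO counterpart is not a deficiency in the ISO implementation but a control that must be assessed on its own; and "partial" is never promoted to "covered", because the asterisk marks exactly the case the appendix warns about, where implementing the ISO control satisfies only part of the NIST control's intent.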

TABLE H-1: MAPPING NIST SP 800-53 TO ISO/IEC 27001

Note: An asterisk (*) indicates that the ISO/IEC control does not fully satisfy the intent of the NIST control.

NIST ID | NIST SP 800-53 CONTROL | ISO/IEC 27001 CONTROLS
AC-1 | Access Control Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
AC-2 | Account Management | A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
AC-3 | Access Enforcement | A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
AC-4 | Information Flow Enforcement | A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
AC-5 | Separation of Duties | A.6.1.2
AC-6 | Least Privilege | A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
AC-7 | Unsuccessful Logon Attempts | A.9.4.2
AC-8 | System Use Notification | A.9.4.2
AC-9 | Previous Logon (Access) Notification | A.9.4.2
AC-10 | Concurrent Session Control | None
AC-11 | Session Lock | A.11.2.8, A.11.2.9
AC-12 | Session Termination | None
AC-13 | Withdrawn | ---
AC-14 | Permitted Actions without Identification or Authentication | None
AC-15 | Withdrawn | ---
AC-16 | Security Attributes | None
AC-17 | Remote Access | A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
AC-18 | Wireless Access | A.6.2.1, A.13.1.1, A.13.2.1
AC-19 | Access Control for Mobile Devices | A.6.2.1, A.11.2.6, A.13.2.1
AC-20 | Use of External Information Systems | A.11.2.6, A.13.1.1, A.13.2.1
AC-21 | Information Sharing | None
AC-22 | Publicly Accessible Content | None
AC-23 | Data Mining Protection | None
AC-24 | Access Control Decisions | A.9.4.1*
AC-25 | Reference Monitor | None
AT-1 | Security Awareness and Training Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
AT-2 | Security Awareness Training | A.7.2.2, A.12.2.1
AT-3 | Role-Based Security Training | A.7.2.2*
AT-4 | Security Training Records | None
AT-5 | Withdrawn | ---
AU-1 | Audit and Accountability Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
AU-2 | Audit Events | None
AU-3 | Content of Audit Records | A.12.4.1*
AU-4 | Audit Storage Capacity | A.12.1.3
AU-5 | Response to Audit Processing Failures | None
AU-6 | Audit Review, Analysis, and Reporting | A.12.4.1, A.16.1.2, A.16.1.4
AU-7 | Audit Reduction and Report Generation | None
AU-8 | Time Stamps | A.12.4.4
AU-9 | Protection of Audit Information | A.12.4.2, A.12.4.3, A.18.1.3
AU-10 | Non-repudiation | None
AU-11 | Audit Record Retention | A.12.4.1, A.16.1.7
AU-12 | Audit Generation | A.12.4.1, A.12.4.3
AU-13 | Monitoring for Information Disclosure | None
AU-14 | Session Audit | A.12.4.1*
AU-15 | Alternate Audit Capability | None
AU-16 | Cross-Organizational Auditing | None
CA-1 | Security Assessment and Authorization Policies and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
CA-2 | Security Assessments | A.14.2.8, A.18.2.2, A.18.2.3
CA-3 | System Interconnections | A.13.1.2, A.13.2.1, A.13.2.2
CA-4 | Withdrawn | ---
CA-5 | Plan of Action and Milestones | None
CA-6 | Security Authorization | None
CA-7 | Continuous Monitoring | None
CA-8 | Penetration Testing | None
CA-9 | Internal System Connections | None
CM-1 | Configuration Management Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
CM-2 | Baseline Configuration | None
CM-3 | Configuration Change Control | A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4
CM-4 | Security Impact Analysis | A.14.2.3
CM-5 | Access Restrictions for Change | A.9.2.3, A.9.4.5, A.12.1.2, A.12.1.4, A.12.5.1
CM-6 | Configuration Settings | None
CM-7 | Least Functionality | A.12.5.1*
CM-8 | Information System Component Inventory | A.8.1.1, A.8.1.2
CM-9 | Configuration Management Plan | A.6.1.1*
CM-10 | Software Usage Restrictions | A.18.1.2
CM-11 | User-Installed Software | A.12.5.1, A.12.6.2
CP-1 | Contingency Planning Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
CP-2 | Contingency Plan | A.6.1.1, A.17.1.1, A.17.2.1
CP-3 | Contingency Training | A.7.2.2*
CP-4 | Contingency Plan Testing | A.17.1.3
CP-5 | Withdrawn | ---
CP-6 | Alternate Storage Site | A.11.1.4, A.17.1.2, A.17.2.1
CP-7 | Alternate Processing Site | A.11.1.4, A.17.1.2, A.17.2.1
CP-8 | Telecommunications Services | A.11.2.2, A.17.1.2
CP-9 | Information System Backup | A.12.3.1, A.17.1.2, A.18.1.3
CP-10 | Information System Recovery and Reconstitution | A.17.1.2
CP-11 | Alternate Communications Protocols | A.17.1.2*
CP-12 | Safe Mode | None
CP-13 | Alternative Security Mechanisms | A.17.1.2*
IA-1 | Identification and Authentication Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
IA-2 | Identification and Authentication (Organizational Users) | A.9.2.1
IA-3 | Device Identification and Authentication | None
IA-4 | Identifier Management | A.9.2.1
IA-5 | Authenticator Management | A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
IA-6 | Authenticator Feedback | A.9.4.2
IA-7 | Cryptographic Module Authentication | A.18.1.5
IA-8 | Identification and Authentication (Non-Organizational Users) | A.9.2.1
IA-9 | Service Identification and Authentication | None
IA-10 | Adaptive Identification and Authentication | None
IA-11 | Re-authentication | None
IR-1 | Incident Response Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
IR-2 | Incident Response Training | A.7.2.2*
IR-3 | Incident Response Testing | None
IR-4 | Incident Handling | A.16.1.4, A.16.1.5, A.16.1.6
IR-5 | Incident Monitoring | None
IR-6 | Incident Reporting | A.6.1.3, A.16.1.2
IR-7 | Incident Response Assistance | None
IR-8 | Incident Response Plan | A.16.1.1
IR-9 | Information Spillage Response | None
IR-10 | Integrated Information Security Analysis Team | None
MA-1 | System Maintenance Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
MA-2 | Controlled Maintenance | A.11.2.4*, A.11.2.5*
MA-3 | Maintenance Tools | None
MA-4 | Nonlocal Maintenance | None
MA-5 | Maintenance Personnel | None
MA-6 | Timely Maintenance | A.11.2.4
MP-1 | Media Protection Policy and Procedures | A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
