This publication is intended to serve a diverse audience of information system and information security professionals including:
- Individuals with information system, security, and/or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, senior information security officers,[13] information system managers, information security managers);
- Individuals with information system development responsibilities (e.g., program managers, system designers and developers, information security engineers, systems integrators);
- Individuals with information security implementation and operational responsibilities (e.g., mission/business owners, information system owners, common control providers, information owners/stewards, system administrators, information system security officers);
- Individuals with information security assessment and monitoring responsibilities (e.g., auditors, Inspectors General, system evaluators, assessors, independent verifiers/validators, analysts, information system owners); and
- Commercial companies producing information technology products and systems, creating information security-related technologies, or providing information security services.
1.3 Relationship to Other Security Control Publications
To create a technically sound and broadly applicable set of security controls for information systems and organizations, a variety of sources were considered during the development of this special publication. The sources included security controls from the defense, audit, financial, healthcare, industrial/process control, and intelligence communities as well as controls defined by national and international standards organizations. The objective of NIST Special Publication 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements[14] levied on organizations, mission/business processes, and information systems and that is consistent with and complementary to other established information security standards.
The catalog of security controls in Special Publication 800-53 can be effectively used to protect information and information systems from traditional and advanced persistent threats in varied operational, environmental, and technical scenarios. The controls can also be used to demonstrate compliance with a variety of governmental, organizational, or institutional security requirements. Organizations have the responsibility to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying established security requirements.[15] The security controls facilitate the development of assessment methods and procedures that can be used to demonstrate control effectiveness in a consistent/repeatable manner—thus contributing to the organization’s confidence that security requirements continue to be satisfied on an ongoing basis. In addition, security controls can be used in developing overlays for specialized information systems, information technologies, environments of operation, or communities of interest (see Appendix I).
1.4 Organizational Responsibilities
Organizations use FIPS Publication 199 to categorize their information and information systems. Security categorization is accomplished as an organization-wide activity[16] with the involvement of senior-level organizational personnel including, for example, authorizing officials, chief information officers, senior information security officers, information owners and/or stewards, information system owners, and risk executive (function).[17] Information is categorized at Tier 1 (organization level) and at Tier 2 (mission/business process level). In accordance with FIPS Publication 200, organizations use the security categorization results from Tiers 1 and 2 to designate organizational information systems at Tier 3 (information system level) as low-impact, moderate-impact, or high-impact systems. For each organizational information system at Tier 3, the recommendation for security controls from the baseline controls defined in Appendix D is the starting point for the security control tailoring process. While the security control selection process is generally focused on information systems at Tier 3, the process is generally applicable across all three tiers of risk management.
FIPS Publication 199 security categorization associates information and the operation and use of information systems with the potential worst-case adverse impact on organizational operations and assets, individuals, other organizations, and the Nation.[18] Organizational assessments of risk, including the use of specific and credible threat information, vulnerability information, and the likelihood of such threats exploiting vulnerabilities to cause adverse impacts, guide and inform the tailoring process and the final selection of security controls.[19] The final, agreed-upon set of security controls addressing specific organizational mission/business needs and tolerance for risk is documented with appropriate rationale in the security plan for the information system.[20] The use of security controls from Special Publication 800-53 (including the baseline controls as a starting point in the control selection process) facilitates a more consistent level of security for federal information systems and organizations, while simultaneously preserving the flexibility and agility organizations need to address an increasingly sophisticated and hostile threat space, specific organizational missions/business functions, rapidly changing technologies, and in some cases, unique environments of operation.
Achieving adequate information security for organizations, mission/business processes, and information systems is a multifaceted undertaking that requires:
- Clearly articulated security requirements and security specifications;
- Well-designed and well-built information technology products based on state-of-the-practice hardware, firmware, and software development processes;
- Sound systems/security engineering principles and practices to effectively integrate information technology products into organizational information systems;
- Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;
- Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards;[21] and
- Information security planning and system development life cycle management.[22]
From an engineering viewpoint, information security is just one of many required operational capabilities for information systems that support organizational mission/business processes—capabilities that must be funded by organizations throughout the system development life cycle in order to achieve mission/business success. It is important that organizations realistically assess the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from mission/business processes and by placing information systems into operation or continuing operations. Realistic assessment of risk requires an understanding of threats to and vulnerabilities within organizations and the likelihood and potential adverse impacts of successful exploitations of such vulnerabilities by those threats.[23] Finally, information security requirements must be satisfied with the full knowledge and consideration of the risk management strategy of the organization, in light of the potential cost, schedule, and performance issues associated with the acquisition, deployment, and operation of organizational information systems.[24]