THE NEED TO PROTECT INFORMATION AND INFORMATION SYSTEMS
The selection and implementation of security controls for information systems1 and organizations are important tasks that can have major implications on the operations2 and assets of organizations3 as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.4 There are several key questions that should be answered by organizations when addressing the information security considerations for information systems:
-
What security controls are needed to satisfy the security requirements and to adequately mitigate risk incurred by using information and information systems in the execution of organizational missions and business functions?
-
Have the security controls been implemented, or is there an implementation plan in place?
-
What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application? 5
The answers to these questions are not given in isolation but rather in the context of an effective risk management process for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks6 arising from its information and information systems. NIST Special Publication 800-39 provides guidance on managing information security risk at three distinct tiers—the organization level, mission/business process level, and information system level. The security controls defined in this publication and recommended for use by organizations to satisfy their information security requirements should be employed as part of a well-defined risk management process that supports organizational information security programs.7
It is of paramount importance that responsible officials understand the risks and other factors that could adversely affect organizational operations and assets, individuals, other organizations, and the Nation.8 These officials must also understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that mitigate risks to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the organization and accomplish the organization’s stated missions and business functions with what the OMB Circular A-130 defines as adequate security, or security commensurate with risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
The purpose of this publication is to provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components9 of an information system that process, store, or transmit federal information. The guidelines have been developed to achieve more secure information systems and effective risk management within the federal government by:
-
Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations;
-
Providing a stable, yet flexible catalog of security controls to meet current information protection needs and the demands of future protection needs based on changing threats, requirements, and technologies;
-
Providing a recommendation for security controls for information systems categorized in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
-
Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness; and
-
Improving communication among organizations by providing a common lexicon that supports discussion of risk management concepts.
In addition to the security controls described above, this publication: (i) provides a set of information security program management (PM) controls that are typically implemented at the organization level and not directed at individual organizational information systems; (ii) provides a set of privacy controls based on international standards and best practices that help organizations enforce privacy requirements derived from federal legislation, directives, policies, regulations, and standards; and (iii) establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance to those requirements. Incorporating the same concepts used in managing information security risk, helps organizations implement privacy controls in a more cost-effective, risked-based manner.
The guidelines in this special publication are applicable to all federal information systems10 other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.11 The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems.12 State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.
Directory: publicationspublications -> Acm word Template for sig sitepublications -> Preparation of Papers for ieee transactions on medical imagingpublications -> Adjih, C., Georgiadis, L., Jacquet, P., & Szpankowski, W. (2006). Multicast tree structure and the power lawpublications -> Swiss Federal Institute of Technology (eth) Zurich Computer Engineering and Networks Laboratorypublications -> Quantitative skillspublications -> Multi-core cpu and gpu implementation of Discrete Periodic Radon Transform and Its Inversepublications -> List of Publications Department of Mechanical Engineering ucek, jntu kakinadapublications -> 1. 2 Authority 1 3 Planning Area 1publications -> Sa michelson, 2011: Impact of Sea-Spray on the Atmospheric Surface Layer. Bound. Layer Meteor., 140 ( 3 ), 361-381, doi: 10. 1007/s10546-011-9617-1, issn: Jun-14, ids: 807TW, sep 2011 Bao, jw, cw fairall, sa michelson
Share with your friends: |