NIST security control assessment guidance

Under authority delegated by a provision of the Federal Information Security Management Act (FISMA), the NIST develops and publishes numerous standards and guidance documents on information security and privacy management for use by federal government agencies. The security control framework mandated for use in agencies subject to FISMA is documented in Special Publication 800-53 (SP 800-53) [29], which specifies different sets of controls to be used to safeguard federal information systems. NIST also publishes guidance for conducting security control assessments of information systems and the organizations that own or operate them in SP 800-53A [30]. As the similar document numbers imply, the assessment guidance in SP 800-53A matches the structure of the control framework defined in SP 800-53, making it an obvious choice for evaluating security controls in government agencies or other organizations that choose to adopt the NIST control framework. The security control assessment procedures in SP 800-53A are organized to match the 18 control families and 198 controls in the framework defined in SP 800-53. The SP 800-53 control families appear in Table 9.11 along with counts of the controls and control enhancements defined within each family.

NIST released the latest update to the framework in SP 800-53 in April 2013 with Revision 4, reflecting significant changes in some structural aspects as well as adding many controls and control enhancements and removing or consolidating some others. The most current version of the SP 800-53A assessment guidance was published in June 2010 and so aligns to Revision 3 of the security control framework. The 18 control families remain the same, but the set of controls within some families has changed in the latest revision to SP 800-53. From a practical perspective, federal agencies and other organizations using the framework as a control reference are unlikely to transition fully to the new version until a matching update to 800-53A occurs.

Table 9.11 NIST Controls and Control Enhancements by Control Family [29]

Control Family                          Number of Controls   Number of Enhancements
Access Control                                  19                    65
Awareness and Training                           5                     3
Audit and Accountability                        14                    29
Security Assessment and Authorization            6                     7
Configuration Management                         9                    32
Contingency Planning                             9                    34
Identification and Authentication                8                    25
Incident Response                                8                    14
Maintenance                                      6                    17
Media Protection                                 6                    13
Physical and Environmental Protection           19                    29
Planning                                         5                     3
Personnel Security                               8                     4
Risk Assessment                                  4                     9
System and Services Acquisition                 14                    27
System and Communications Protection            34                    61
System and Information Integrity                13                    41
Program Management

Not all controls and control enhancements addressed in SP 800-53A are required; the specific requirements for a given system under evaluation depend on its assigned security categorization, organizational policy, and the perceived risk to the system. For a system categorized at a “high” impact level, a full assessment using SP 800-53A would cover 167 controls and 161 control enhancements, or 328 discrete items to be assessed [30]. For each item to be assessed, NIST guidance specifies assessment methods (examine, interview, and test) and the subjects of those assessment methods (specifications, mechanisms, activities, individuals, and groups). This guidance includes optional controls and control enhancements as well, with a total of over 600 assessment procedures documented in SP 800-53A [30]. The clear benefit to an IT auditor evaluating controls implemented according to NIST guidance is a detailed, prescriptive set of instructions intended to help assess the extent to which each security control effectively satisfies its control objectives.
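As an added example (not from the book or from NIST), the following Python models the SP 800-53A structure just described: assessment items split into controls and enhancements, and each procedure recorded as a method applied to an assessment object, so a reviewer can tally a baseline the way the 167 + 161 = 328 count does and spot required items that were never assessed or were assessed with a method that cannot apply to its object. The method-to-object pairings are those SP 800-53A defines; the control ids, results and baseline slice are constructed sample data.

```python
from dataclasses import dataclass
# SP 800-53A pairs each method with the objects it may assess: examine ->
# specifications, mechanisms, activities; interview -> individuals, groups; test -> mechanisms, activities.
VALID_OBJECTS = {
    "examine": {"specifications", "mechanisms", "activities"},
    "interview": {"individuals", "groups"},
    "test": {"mechanisms", "activities"},
}

@dataclass(frozen=True)
class Procedure:
    item: str        # a control such as "AC-2" or an enhancement such as "AC-2(1)"
    method: str      # examine | interview | test
    obj: str         # the assessment object the method was applied to
    satisfied: bool  # assessor's determination for this procedure

def count_items(baseline):
    """Split a baseline into (controls, enhancements); SP 800-53 writes an
    enhancement as the control id followed by a parenthesised number."""
    enh = sum(1 for i in baseline if i.endswith(")"))
    return len(baseline) - enh, enh

def assess(baseline, procedures):
    """Map every baseline item to: not assessed, invalid, other than satisfied, or satisfied."""
    by_item = {}
    for p in procedures:
        by_item.setdefault(p.item, []).append(p)
    status = {}
    for item in baseline:
        procs = by_item.get(item, [])
        if not procs:
            status[item] = "not assessed"       # required item with no procedure recorded
        elif any(p.obj not in VALID_OBJECTS.get(p.method, set()) for p in procs):
            status[item] = "invalid"            # method applied to an object it cannot assess
        elif not all(p.satisfied for p in procs):
            status[item] = "other than satisfied"
        else:
            status[item] = "satisfied"
    return status

# Constructed sample: a small slice of a baseline and the procedures run against it.
SAMPLE_BASELINE = ["AC-2", "AC-2(1)", "AC-2(2)", "AU-2", "IR-4"]
SAMPLE_PROCEDURES = [
    Procedure("AC-2", "examine", "specifications", True),
    Procedure("AC-2", "interview", "individuals", True),
    Procedure("AC-2(1)", "test", "mechanisms", False),      # enhancement not operating
    Procedure("AC-2(2)", "interview", "mechanisms", True),  # cannot interview a mechanism
    Procedure("AU-2", "examine", "activities", True),
]                                                           # IR-4: nothing recorded
```

Running `assess(SAMPLE_BASELINE, SAMPLE_PROCEDURES)` reports AC-2(1) as other than satisfied, AC-2(2) as invalid and IR-4 as not assessed, which is the working list an auditor would carry back into the assessment.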

Security control frameworks like ISO/IEC 27002 and SP 800-53 are incomplete if the goal is to assess all IT controls; security controls are vitally important to IT, but do not represent the full set of controls applicable to IT operations and governance. Security control frameworks remain both relevant and beneficial given the emphasis in many IT audits on evaluating the compliance or effectiveness of security controls, but they are an insufficient foundation for comprehensive IT auditing.
