NIST SP 800-53A: Guide for Assessing Security Controls in Federal Information Systems

NIST SP 800-53A: Guide for Assessing Security Controls in Federal Information Systems, the companion publication to NIST SP 800-53.
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts, practices, and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review draft publications during the designated public comment periods and provide feedback to NIST. Computer Security Division publications are available at http://csrc.nist.gov/publications.

Appendix J, Privacy Assessment Procedures, is a new addition to NIST Special Publication 800-53A. The appendix, when completed, will provide a complete set of assessment procedures for the privacy controls in NIST Special Publication 800-53, Appendix J. The new privacy control assessment procedures are under development and will be added to the appendix after a thorough public review and vetting process. The terminology throughout this publication has been updated to include references to privacy in all aspects of the assessment process, including mirroring the artifacts that are essential inputs to the current security authorization process.

Each organization employing these guidelines has the flexibility to address the privacy assessment process and the integration of privacy-related artifacts into the organization's risk management processes in the manner that best supports the organizational missions and business objectives, consistent with Office of Management and Budget policies. Standardized assessment procedures for privacy controls provide a more disciplined and structured approach for determining compliance with federal privacy requirements and also promote more cost-effective methods to determine such compliance. There will be a strong similarity in the structure of the assessment procedures for privacy controls in Appendix J and the assessment procedures for security controls in Appendix F. This similarity will promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, directives, policies, regulations, standards, and guidance.

Finally, it should be noted that as the assessment procedures for privacy controls are added to Appendix J, certain terminology traditionally associated with security controls and security control assessments contained in earlier versions of this publication is being modified where appropriate to include references to privacy. However, there are some security-related terms (e.g., security categorization, security control baseline, tailored security control baseline) that are unique to security controls and do not have direct analogs in the privacy arena. In such cases, the equivalent privacy-related terminology has not been added to the publication. Privacy officials, at their discretion, may choose to adopt any or all of the security-related terms in this publication in support of privacy control assessments.

A new format for assessment procedures is introduced in this revision to Special Publication 800-53A. The format reflects the decomposition of assessment objectives into more granular determination statements wherever possible, thus providing the capability to identify and assess specific parts of security and privacy controls. The changes have been initiated to: (i) help improve the readability of assessment procedures; (ii) provide a better format and structure for automated tools when assessment information is imported into such tools; (iii) provide greater flexibility in conducting assessments by giving organizations the capability to target certain aspects of security controls and privacy controls (highlighting the particular weaknesses and/or deficiencies in controls); (iv) improve the efficiency of security and privacy assessments; and (v) support continuous monitoring and ongoing authorization programs by providing a greater number of component parts of security and privacy controls that can be assessed at organization-defined frequencies and degrees of rigor. Having the ability to apply assessment and monitoring resources in a targeted and precise manner and simultaneously maximize the use of automation technologies can result in more timely and cost-effective assessment processes for organizations.

Note: Special Publication 800-53 will be updated accordingly to ensure that the numbering scheme for all security and privacy controls is consistent with the new format introduced in this publication.

Revision numbers between NIST Special Publications 800-53 and 800-53A were misaligned from the start because the initial publication of SP 800-53A did not occur until after the publication of SP 800-53, Revision 2. When SP 800-53, Revision 3 was published, SP 800-53A was updated to Revision 1 for consistency with the updates to SP 800-53. This revision number mismatch created ongoing uncertainty and confusion regarding which revision of SP 800-53 was consistent with which revision of SP 800-53A. To reduce this uncertainty going forward, revision numbers 2 and 3 have been skipped for SP 800-53A, and this version of SP 800-53A has been given revision number 4 since this version is consistent with the updates to SP 800-53, Revision 4. Future revisions of SPs 800-53 and 800-53A will maintain the revision number consistency.

In developing standards and guidelines required by FISMA, NIST consults with other federal agencies and offices as well as private sector entities to improve information security, avoid unnecessary and costly duplication of effort, and ensure that NIST publications are complementary with the standards and guidelines employed for the protection of national security systems. In addition to its comprehensive public review and vetting process, NIST is collaborating with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to establish a unified framework and common foundation for information security across the federal government. A common foundation and framework for information security will provide the Intelligence, Defense, and civilian sectors of the federal government and their contractors more uniform and consistent ways to manage the risk to organizational operations and assets, individuals, other organizations, and the Nation that results from the operation and use of information systems. A common foundation and framework will also provide a strong basis for reciprocal acceptance of security authorization decisions and facilitate information sharing. NIST is also working with public and private sector entities to establish specific mappings and relationships between the security standards and guidelines developed by NIST and the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC

magicwww (2019-09-10): Not bad, I found the information I needed.

海边白杨 (2017-09-11): Not bad, I found the information I needed.