NIST SP800-53-rev2-final.pdf下载

INTRODUCTION THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION SYSTEMS he selection and employment of appropriate security controls for an information system3 are important tasks that can have major implications on the operations4 and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems: T • What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order for that organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals? • Have the selected security controls been implemented or is there a realistic plan for their implementation? • What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective5 in their application? The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, controls, and mitigates risks to its information and information systems.6 The security controls defined in Special Publication 800-53 (as amended) and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. An effective information security program should include: • Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization; • Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level and address information security throughout the life cycle of each organizational information system;