Information Security Governance Papers

Paper Title Minimum Security Controls
The Abstract of The Paper Security controls in the security control catalog (NIST SP 800-53, Appendix F) have a well-defined organization and structure. The security controls are organized into classes and families for ease of use in the control selection and specification process. There are three general classes of security controls (i.e., management, operational, and technical75). Each family contains security controls related to the security function of the family. A standardized, two-character identifier is assigned to uniquely identify each control family. Table 11-1 summarizes the classes and families in the security control catalog and the associated family identifiers. Security control class designations (i.e., management, operational, and technical) are defined below for clarification in preparation of system security plans.
Management controls focus on the management of the information system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely upon management activities as well as technical controls. Technical controls focus on security controls that the computer system executes. The controls can provide automated protection for unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data.
Web Link http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf

Back To Information Security Governance Papers List

Database Sections