Policies Section

Actions and Security Control List

This page ties common computer security actions (patching, monitoring, backups, policies and so on) to the specific NIST security controls that they satisfy. The controls are taken from NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems; a brief listing of the control families used here appears at the end of this page.

Each control identifier is a family abbreviation followed by the control number (for example, SI-2 is control 2 in the System and Information Integrity family). The family abbreviations used in the table are expanded at the end of this page.

Action                                                  NIST control(s)
------------------------------------------------------  ---------------------------------------------
Server updates                                          SI-2
System hardening                                        CM-7
System lockdown policy                                  CM-7
Anti-virus management                                   SI-3
Spam blocking                                           SI-8
Spyware and adware management                           SI-8
Mail server (blocking viruses/dangerous attachments)    SI-3
Server intrusion detection                              SI-4
System monitoring                                       AU-6, AU-7
System auditing configuration                           AU-2, AU-3, AU-4, AU-5, AU-8, AU-9, AU-10, AU-11
Server monitoring policy                                AU-1
Network intrusion detection                             SI-4
System scanning                                         RA-5
Review security alerts                                  SI-5
Security assessment                                     RA-1
Risk assessment                                         RA-1
Password policy                                         AC-1
Login policy                                            AC-1
Remote access policy                                    AC-17
Internet connection policy                              SC-7
Approved application policy                             SA-6
Equipment and media disposal policy                     MP-7
Mobile computer policy                                  AC-19
Computer training policy                                AT-1
IT resource acceptable use policy                       AC-8
Wireless use policy                                     AC-18
Anti-virus and malware policy                           AC-1
System update policy                                    AC-1
User privilege policy                                   AC-2
Incident response plan                                  IR-1
Intrusion detection policy                              SI-1
Disaster recovery                                       CP-1
Network documentation                                   ??? (no control assigned on this page)
Mobile computer security (firewall, anti-virus, updates) AC-19
Desktop security (anti-virus, updates)                  SI-2, SI-3, SI-8
Firewall management                                     SC-7
User training                                           AT-2, AT-3, AT-4
Technical training                                      AT-2, AT-3, AT-4
Wireless access point management                        AC-18
Secondary connection to internet control (modem)        SC-7
Backups                                                 CP-9, CP-10
Fault-tolerant technology (RAID, redundant power supplies) SA-4
Backup power (UPS, generator)                           PE-11

Two caveats when using this table. First, the control numbers follow the original SP 800-53 numbering; later revisions renumbered and renamed several controls (MP-7, which covers media destruction and disposal here, refers to media use in Revision 4), so check the mapping against the revision you are actually being assessed against. Second, no action in this list maps to the PL, CA, PS, MA or IA families, so an organization relying on this list alone would have nothing to show for security planning, assessment and accreditation, personnel security, maintenance, or identification and authentication; those families need their own actions added.

Management Controls (From NIST)

  • RA - Risk assessment
  • PL - Planning
  • SA - System and Services Acquisition
  • CA - Certification, accreditation and security assessments

Operational Controls (From NIST)

  • PS - Personnel Security
  • PE - Physical and Environmental Protection
  • CP - Contingency Planning
  • CM - Configuration Management
  • MA - Hardware and systems software Maintenance
  • SI - System and Information integrity
  • MP - Media protection
  • IR - Incident response capability
  • AT - Security awareness, training, and education

Technical Controls (From NIST)

  • AC - Access control
  • IA - Identification and authentication
  • AU - Audit and accountability
  • SC - System and communications protection