Security Control List
Security controls keep the security of an organization and its systems at a level appropriate to the need and to the cost of the protection. This page is a brief listing of the security control families from NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The grouping of the families into management, operational, and technical classes follows the earlier revisions of SP 800-53; later revisions keep the same family identifiers but no longer assign them to classes.
NIST SP 800-53 defines three baselines of security controls, matching the three security categories (impact levels) of FIPS 199: low, moderate, and high.
This document shows "low", "moderate", or "high" after a security control to indicate the lowest security category whose baseline requires that control. The baselines are cumulative: a control labeled "low" is required for systems with low, moderate, and high security needs; a control labeled "moderate" is required for moderate and high security needs but not for a system that only has low security needs; a control labeled "high" is required only for systems with high security needs.
Security controls can be applied at several layers of a system. Access control to data, for example, can be enforced both by the computer system that hosts an application and by the application program itself. The questions in the Security Assessment document on this web site are therefore broken out by area (the application, the servers, and the overall system) so that each question can be routed to the people with the relevant expertise and answered by them.
Management Controls (From NIST)
- Risk Assessment (RA) - Identification of threats and vulnerabilities, determination of the resulting risk, and mitigation or management of that risk.
- Planning (PL) - Security is built into the system life cycle. A system security plan should be developed and maintained; it documents the controls currently in place and supports planning of future controls.
- System and Services Acquisition (SA) - Security requirements are included when systems and services are acquired or developed.
- Certification, Accreditation, and Security Assessments (CA) - The controls are assessed for effectiveness, the system is formally authorized to operate, and the status of the controls is monitored over time.
Operational Controls (From NIST)
- Personnel Security (PS)
- Physical and Environmental Protection (PE)
- Contingency Planning (CP)
- Configuration Management (CM)
- Maintenance (MA) - Maintenance of hardware and system software.
- System and Information Integrity (SI)
- Media protection (MP)
- Incident response capability (IR)
- Security awareness, training, and education (AT)
Technical Controls (From NIST)
- Access control (AC)
- Identification and authentication (IA) - The ability to identify users, processes, and devices and to verify their claimed identities before access is granted. Deciding what an authenticated identity is allowed to do is access control (AC).
- Audit and accountability (AU)
- System and communications protection (SC)