1. Controls List
  2. Access Controls
  3. Training controls
  4. Audit Controls
  5. Certification
  6. Configuration Management
  7. Contingency Planning
  8. Authentication
  9. Incident Response
  10. Maintenance Controls
  11. Media Protection
  12. Physical Controls
  13. Security Planning
  14. Personnel Security
  15. Risk Assessment
  16. Acquisition
  17. Protection
  18. Integrity
  19. Actions and Controls

System and communications protection (from NIST)

This System and communications protection list and description are meant to tie System and communications protection to activities and behaviors. For NIST's descriptions, see NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems.

  • System and communications protection policy and procedures - Wireless use policy, password policy, remote access policy, internet connection policy,
  • Application partitioning - The database is stored on a server, operating system instance, network address, or some appropriate method to keep it separate from the web or application server functionality. User functionality is separate from system management functionality.
  • Security function isolation - Security functions and functions that do not relate to security are isolated using some method to keep access control to the software or hardware used for security separate from access control to software or hardware used for functions not security related.
  • Information remnants - This function provides some assurance that information is not left available for users who should not normally have access to it. Caching of web pages on the client computers would be included in this category, along with not caching user login information or letting a user page back to login pages and hit refresh to login to web sites.
  • Denial of service protection - Network packets are filtered by devices such as network perimeter devices in a manner to prevent denial of service attacks. Also web servers may only allow so many requests from a specific IP address within a certain period of time.
  • Resource priority - Prevents a process with a lower priority from interfering with the ability of a higher priority process from accessing resources.
  • Boundary protection - Connections from or to the internet or other networks are controlled and monitored using equipment such as firewalls, routers, proxies, or gateways. (low)
  • Transmission integrity - Mechanisms are used to be sure that information transmitted to another computer is not modified. Cryptographic mechanisms may be used to preserve the data integrity. (moderate)
  • Transmission confidentiality - Data encryption may be used to prevent transmitted data from being revealed to third parties. (moderate)
  • Network disconnect - Network connections are terminated after the session is finished or after a timeout period of session inactivity. (moderate)
  • Trusted path - A trusted path of communications is established between the system security function and the user. (none)
  • Cryptographic key establishment and management - Automated methods are used to provide cryptographic key establishment and management. (moderate)
  • Use of validated cryptography - Validated cryptographic modules are used to employ cryptography when it is required. (low)
  • Public access protections - Information integrity and application integrity are protected when information systems are publically accessible. (low)
  • Collaborative computing - Systems and equipment used for collaborative computing such as conferencing equipment cannot be remotely activated. (moderate)
  • Transmission of security parameters - Security labels are associated reliably associated with the information sent between computer systems. (none)
  • Public key infrastructure certificates - There is a certificate policy and practice statement for issuing public key certificated used in information systems managed by the organization. The certificate must be issued by a responsible persone and issued securely to the correct party with assurance that it is issued by the authorized person. (moderate)
  • Mobile code - Use of mobile code such as ActiveX, Java, JavaScript, flash, VBScript, shockwave, and others is restricted based on its ability to damage information systems or compromise data. Use on both servers and workstations is restricted or guidance is provided where it is helpful and effective. A policy may be created to help control its use on both servers and workstations. (moderate)
  • Voice over internet protocol - Use is regulated based on the potential for damage to the organization through compromise of information or information systems. The use of VOIP is monitored and regulated. VOIP information may be compromised by attackers in the same way network traffic can be eavesdropped on so unless controls are in place to ensure that VOIP transmissions are confidential, they should not be considered confidential.