NIST SP800-53-r2:联邦信息系统推荐安全控制指南

需积分: 10 1 下载量 75 浏览量 更新于2024-07-16 收藏 1.42MB PDF 举报
NIST SP800-53(修订版2)是美国国家标准与技术研究所(NIST)发布的一份重要文档,它提供了针对联邦信息安全系统的推荐安全控制措施。这份特别出版物针对组织在保护其信息和信息系统时应考虑的关键问题进行了深入探讨,包括对信息系统的有效保护、所选安全控制措施的实施计划以及所需的安全保障水平。 首要任务是确定为了支持组织运营和资产,以及实现其使命所需的适当安全控制。这涉及到保护信息系统的机密性、完整性和可用性。组织管理层需回答一系列关于信息安全的问题,例如: 1. 如何选择并实施足以保护组织关键业务系统和资产的安全控制措施,同时确保法律义务的履行、日常功能的维持和个人隐私的保护? 2. 所选的安全控制是否已经到位,或者有一个现实可行的实施计划? 3. 对于实施的安全控制,组织希望或要求达到什么样的信心保障(即有效性),以证明这些控制措施在实际应用中的有效性? NIST SP800-53的推荐旨在与一个有效的信息安全程序相结合,该程序包括定期的风险评估,分析未经授权访问、使用、泄露、干扰、修改或破坏信息及信息系统可能带来的潜在危害。此外,信息安全政策和程序应基于风险评估结果,以成本效益的方式将风险降低到可接受的水平,并覆盖组织信息系统的全生命周期。 该特别出版物还强调了技术领导力的重要性,由NIST的计算机安全分部(Computer Security Division, CSD)和信息技术实验室(Information Technology Laboratory, ITL)共同制定,以促进美国经济和公共福利。NIST通过测试、测试方法、参考数据、概念验证实施和技术分析,推动国家测量和标准基础设施的发展,为信息安全提供技术指导。 NIST SP800-53修订版2为联邦机构提供了一套全面的框架,帮助他们构建和管理信息安全策略,确保敏感信息的安全,同时适应不断变化的威胁环境。通过遵循这份指南,组织可以更好地保护其关键信息资产,提升整体的信息安全保障水平。
2020-02-18 上传
INTRODUCTION THE NEED TO ASSESS SECURITY CONTROL EFFECTIVENESS IN INFORMATION SYSTEMS T T oday’s information systems9 are complex assemblages of technology (i.e., hardware, software, and firmware), processes, and people, working together to provide organizations with the capability to process, store, and transmit information in a timely manner to support various missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine, important, and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals.10 Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system and its environment of operation is essential in determining the risk to the organization’s operations and assets, to individuals, to other organizations, and to the Nation resulting from the use of the system.