论文信息 - Control Baselines for Information Systems and Organizations

Control Baselines for Information Systems and Organizations

This publication provides security and privacy control baselines for the Federal Government. There are three security control baselines (one for each system impact level—low-impact, moderate-impact, and high-impact), as well as a privacy baseline that is applied to systems irrespective of impact level. In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.

Joint Task Force

[1] L. Johnson,et al. Minimum Security Requirements for Federal Information and Information Systems , 2006 .

[2] Richard Kissel,et al. SP 800-60 Rev. 1. Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories; Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories , 2008 .

[3] William C. Barker. Guideline for Identifying an Information System as a National Security System , 2003 .

[4] Ronald S. Ross,et al. Guide for Conducting Risk Assessments , 2012 .

[5] R. Ross. Managing Information Security Risk: Organization, Mission, and Information System View | NIST , 2011 .

[6] George Moore,et al. Automation Support for Security Control Assessments: Volume 1: Overview , 2016 .

[7] Joint Task Force. Security and Privacy Controls for Information Systems and Organizations , 2020 .

[8] Marianne Swanson,et al. SP 800-18 Rev. 1. Guide for Developing Security Plans for Federal Information Systems , 2006 .

[9] Joint Task Force Transformation Initiative,et al. Risk management framework for information systems and organizations:: a system life cycle approach for security and privacy , 2018 .

[10] Naomi B. Lefkovitz,et al. An Introduction to Privacy Engineering and Risk Management in Federal Systems , 2017 .

[11] Marianne M. Swanson,et al. Standards for Security Categorization of Federal Information and Information Systems , 2004 .