Recommended Security Controls for Federal Information Systems, Minimum Security Controls, Moderate Baseline. Annex 2 to NIST Special Publication 800-53

摘要

The selection and employment of appropriate security controls for an information system1 is an important task that can have major implications on the operations and assets of an organization. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems: What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Have the selected security controls been implemented or is there a realistic plan for their implementation, and What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application.