Security Control Selection Phase 2 Q3

Now that we have finished classifying the system, the next step is to selected NIST recommended security controls that apply to the system’s classification (High, Moderate or Low).
NIST Publication
- FIPS 200-Minimum security requirement h t tp ://csr c .nist.g o v/publication s /fip s /fip s 200/F IP S –20 0 – fina l –ma r ch.pdf
- NIST SP 800-53 Rev4-NIST Recommended security controls (New version with the privacy family-Total of 26 families: Management, Operational, technical, and Privacy) h t tp ://n vlpub s .nist.g o v/ni s tpubs /Sp e cialP u blications /N I ST .S P .80 0-53 r 4 .pdf
SANS Top20 critical Security Control-SANS controls are mapped to NIST controls h t t p ://ww w .sa ns .o r g /critic a l –sec u ri t y –c on t r o ls
The security controls selected is termed System Security Control Baseline. This is usual in a form of a spread sheet.
The security controls (e.g., AC-2) prescribe specific security-related activities or actions to be carried out by organizations or by information systems.
The security control enhancements (e.g., AC-2 (7)) provides statements of security capability to: (i) add functionality/specificity to a control; and/or (ii) increase the strength of a control.

Quizzes