NIST SP 800-53: Difference between revisions

Line 28: Line 28:
# SYSTEM AND INFORMATION INTEGRITY
# SYSTEM AND INFORMATION INTEGRITY
# SUPPLY CHAIN RISK MANAGEMENT
# SUPPLY CHAIN RISK MANAGEMENT
===IDENTIFICATION AND AUTHENTICATION'===
===IDENTIFICATION AND AUTHENTICATION===
* IA-1 POLICY AND PROCEDURES - must be documented
* IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - In scope for enterprises, but out-of-scope for regular users
* IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION - In scope for authentication
*
*
*
*
*
*
 
===PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY===
===PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY===


==References==
==References==
*[https://www.nist.gov/privacy-framework/nist-sp-800-53 Reference page page for all 800-53 with other NIST privacy documents]
*[https://www.nist.gov/privacy-framework/nist-sp-800-53 Reference page for 800-53 with other NIST '''privacy''' documents]


[[Category:Standards]]
[[Category:Standards]]
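Review bot: the run of bare `*` lines after the IA-3 item is left in place by this hunk; either drop them or fill them with the remaining IA controls, since bare bullets render as empty list items and leave the list looking unfinished. The two substantive fixes here look right: the stray apostrophe in `===IDENTIFICATION AND AUTHENTICATION'===` is removed, and the reference link text loses the doubled word in `Reference page page for all 800-53`. The PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY heading still has no content under it in either column, so it should either get its control list or be marked as a placeholder.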

Latest revision as of 20:30, 17 March 2020

Full Title

Security and Privacy Controls for Information Systems and Organizations

Context

  • This page addresses the context of the evolving standard.
  • The final public draft of Revision 4 was published on 2020-03. The most notable change is to broaden the scope from federal systems to systems in general. Another change was to merge privacy and security so that both are addressed in every section.

Contents

After the Introduction and the discussion of the fundamentals, the following set of controls is delineated in section 3. The bolded items are analysed in the sections below.

  1. ACCESS CONTROL
  2. AWARENESS AND TRAINING
  3. AUDIT AND ACCOUNTABILITY
  4. ASSESSMENT, AUTHORIZATION, AND MONITORING
  5. CONFIGURATION MANAGEMENT
  6. CONTINGENCY PLANNING
  7. IDENTIFICATION AND AUTHENTICATION
  8. INCIDENT RESPONSE
  9. MAINTENANCE
  10. MEDIA PROTECTION
  11. PHYSICAL AND ENVIRONMENTAL PROTECTION
  12. PLANNING
  13. PROGRAM MANAGEMENT
  14. PERSONNEL SECURITY
  15. PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
  16. RISK ASSESSMENT
  17. SYSTEM AND SERVICES ACQUISITION
  18. SYSTEM AND COMMUNICATIONS PROTECTION
  19. SYSTEM AND INFORMATION INTEGRITY
  20. SUPPLY CHAIN RISK MANAGEMENT

IDENTIFICATION AND AUTHENTICATION

  • IA-1 POLICY AND PROCEDURES - must be documented
  • IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - in scope for enterprises, but out of scope for regular users
  • IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION - in scope for authentication

PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

References