DOD Specific Security Controls
The purpose of this document is to provide guidelines for selecting and identifying security controls for information systems supporting the Department of Defense (DoD). These guidelines have been established to help complete a secure system within the agency. Guidelines provided in the NIST Special Publication 800-53 are relevant to all federal information systems and have been mostly established from a technical view to supplement related guidelines for national security systems.
The security controls in Special Publication 800-53 have been established using sources from DoD Policy 8500, Director of Central Intelligence Directive (DCID) 6/3, ISO/IEC Standard 17799, General Accounting Office (GAO) Federal
…show more content…
The information provided in this report has been gathered and compiled from the National Institute of Standards and Technology (NIST) Special Publication 800-53a, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. Publication 800-53a is a comprehensive manual which provides in depth information on the requirements of IT security in the interest of maintaining the security triad or CIA (confidentiality, integrity, and availability).
Some of the more critical controls defined in Publication 800-53a include Access Control Policy and Procedures AC-1.1, Information Flow Enforcement AC-4.1, Unsuccessful Login Attempts AC-7.1, Remote Access AC-17, Security Awareness and Training Policy and Procedures AT-1.
• AC-1.1, Access Control Policy and Procedures determines the level of access, the responsible parties who grant and manage this access, and defines the procedures and requirements of access.
• AC-4.1 Information Flow Enforcement determines the methods by which information is transmitted. This would include policies and procedures which outline the methods the organization uses to transmit and receive data, i.e. encryption, packet filtering, the use of firewalls.
• AC-7.1 Unsuccessful Login Attempts, this is determined by the individual organization and is a highly recommended security control. A maximum number of consecutive login attempts before the
| The security controls for the information system should be documented in the security plan. The security controls implementation must align with the corporate objectives and information security architecture. The security architecture provides a resource to allocate security controls. The selected security controls for the IS must be defined and
Question 1.1. (TCO 1) Security policy contains three kinds of rules as policy clauses. What are they? (Points : 5)
• Prepare a 5 to 10 minute PowerPoint assisted presentation on important access control infrastructure, and
C1 - Discretionary Security Protection: In this sub division Access Control Lists (ACLs) security which protect User/Group/World. Security will protect following Users who are all on the same security level, Username and Password protection and secure authorisations database (ADB), Protected operating system and system operations mode, Periodic integrity checking of TCB, Tested security mechanisms with no obvious bypasses, Documentation for User Security, Documentation for Systems Administration Security, Documentation for Security Testing, TCB design documentation and Typically for users on the same security level.
Another step involves security checks upon implementation and describes agency-level threat to the business scenario or the mission. It similarly entails sanctioning the information system for processing and lastly constant monitoring of the security controls. FISMA and NIST's standards are aimed at offering the ways for agencies to achieve their identified missions with safety commensurate with the threat (United States Department of Agriculture, 2015). Together with guidelines from the Office of Management and Budget (OMB), FISMA and NIST create a framework for advancing and growing an information security scheme (SecureIT, 2008). Such framework includes control descriptions and evaluation, program development, and system certification and accreditation. The final objective involves conducting daily functioning of the agency and achieving the agency's articulated objectives with sufficient security commensurate with risk.
The OIG 2011 FISAM Assessment indicates that “FISMA Section 3544 requires establishing policies and procedures to ensure information security is addressed throughout the life cycle of each agency information system” (VA Office of Inspector General, 2012, p. 9). Based on the lack of consistency in use of SDLC and change control, major security risks may go unnoticed.
19. Which of the following is a purely damaging attack, meant to render a system unusable?
mandatory and discretionary access control policies. ACM Transactions on Information and System Security, Vol. 3, No. 2.
An information security benchmark model (CIA) an acronym for information Confidentiality, Integrity and Availability can be used to evaluate the solution
Access control rules and procedures are required to regulate who can access IDI information resources or systems and the associated access privileges. This
FISMA requires federal agencies to implement a required set of processes and system controls designed to guarantee the confidentiality, integrity, and availability of system-related information. To facilitate FISMA compliance, Princeton University maintains a formal program for information security management focused on FISMA requirements, protecting the Universities IT resources. Princeton University continues to address weaknesses identified in its Plan of Action and Milestones.
The definition of Information Security can be put in simple and understandable words; it is a system or a process that people may use in order to ensure the safety of their information or many other properties. Specialized measures, for example, passwords, biometrics, and firewalls alone are not sufficient in relieving dangers to data. A mixture of measures is obliged to secure frameworks and ensure data against mischief. Confidentiality, integrity and availability are every now and then referred to as the CIA Triangle of information security.
Access policies may be tied to just authentication and endpoint compliance criteria, or they may be determined based on a combination of these and other criteria such as the identity or role of a user or device, physical location in the network, connection method (wired or wireless), time of day and other factors. These capabilities vary widely among different solutions.
Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which
The requirements of information security within an organization have undergone two major changes in the last several decades. Before the widespread use of data processing equipment , the security of information felt to be valuable was provided primarily by physical and administrative